Subnet & Address w/ source and destination of firewall rules
-
What is the difference between using these in the source and destination drop down within firewall rules?
Are there any default Pass and Block rules built into these as well?
<interface subnet>
<interface address>
What are examples of when you'd want to use both, either, or neither?
-
@CatSpecial202 said in Subnet & Address w/ source and destination of firewall rules:
What is the difference between using these in the source and destination drop down within firewall rules?
Are there any default Pass and Block rules built into these as well?
<interface subnet>
<interface address>
What are examples of when you'd want to use both, either, or neither?
<interface subnet>
is the network block or subnet the interface resides in. For example, 192.168.0.0/24 (where /24 denotes how many bits comprise the network portion of the address; the remaining bits define the host). That includes all addresses between 192.168.0.1 and 192.168.0.255 (although 255 is the broadcast address and not used for hosts).
<interface_address>
is the explicit single address assigned to the interface in pfSense. For example, 192.168.0.1/32 (where the /32 indicates a specific address in the netblock).
You might use
<interface_address>
when prohibiting certain kinds of traffic from reaching the firewall itself.
<interface_subnet>
might be used when defining the source of inbound traffic on the interface to exclude any host that does not have an IP within that netblock.
-
@bmeeks Thank you for the explanation. For each interface, due to the router's "default deny" property, do we need to explicitly allow access to the <interface address> for any rule permitting communication outside its own subnet?
Additionally, if we want to enable broader access outside our intranet, would we need to allow access to the <WAN address>?
-
@CatSpecial202 said in Subnet & Address w/ source and destination of firewall rules:
would we need to allow access to the <WAN address>?
No - that would be access to the wan address, not the internet.
If you allow access to any, which would be the internet - that would give you access to the pfSense IP on that network, because its IP would fall under "any" ;)
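To make the two macros concrete, here is an added example (not from this thread and not pfSense's own code) that models one interface's inbound rule set with Python's ipaddress module. It uses bmeeks's 192.168.0.0/24 netblock with the firewall at 192.168.0.1 as constructed sample values and a hypothetical first-match evaluator; it shows a block rule on "LAN address" stopping SSH to the firewall, a pass rule from "LAN subnet" to any letting other traffic through (including to the firewall's own IP, as johnpoz notes), and a source outside the netblock falling through to the default deny.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample interface (hypothetical values): the LAN netblock is
# 192.168.0.0/24 and the firewall's own LAN IP is 192.168.0.1.
LAN_SUBNET = ip_network("192.168.0.0/24")    # "LAN subnet" macro
LAN_ADDRESS = ip_network("192.168.0.1/32")   # "LAN address" macro (single host)
ANY = ip_network("0.0.0.0/0")                # "any"


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None means any destination port


def first_match(rules, src, dst, dport):
    """First-match evaluation of an interface's inbound rules, top to bottom.
    The first matching rule decides; if nothing matches, the implicit
    default deny applies."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "block"  # implicit default deny


# Constructed LAN rule set:
#  1. block anything aimed at the firewall's own LAN IP on port 22
#  2. pass anything whose source is inside the LAN netblock, to any destination
LAN_RULES = [
    Rule("block", ANY, LAN_ADDRESS, dport=22),
    Rule("pass", LAN_SUBNET, ANY),
]


def evaluate_samples():
    """Verdicts for a few constructed packets on the LAN interface."""
    return {
        "lan_host_to_internet": first_match(LAN_RULES, "192.168.0.50", "8.8.8.8", 443),
        "lan_host_to_fw_ssh": first_match(LAN_RULES, "192.168.0.50", "192.168.0.1", 22),
        "lan_host_to_fw_dns": first_match(LAN_RULES, "192.168.0.50", "192.168.0.1", 53),
        "foreign_src_to_internet": first_match(LAN_RULES, "10.9.8.7", "8.8.8.8", 443),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```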