Inverse Block Rule
-
Hello,
I am working on rules for my firewall and am still struggling with some rules I feel I shouldn't have issues with.
One is blocking all traffic from a VLAN (in this case, my WWW VLAN, where I have my webpages) to my LAN network.
This rule is in the LAN container and is set to block everything except DNS. Is this rule correct?
Thanks for the help!
-
Don't know what you mean by LAN container.
But rules act on the inbound traffic to an interface. So I believe your rule should go on the WWW VLAN, blocking all traffic with the LAN as a destination. If I understand your objective correctly.
-
I don't know how to describe the interfaces, VLANs, whatever they are called. Unless mine is named differently, pfSense has WAN, LAN, OPT1, OPT2, etc. I renamed my OPT interfaces WWW, WIFI, MAN (Manage), etc. I want to block the WWW VLAN from all access to the LAN interface (container), except to the DNS servers located in the LAN. So the rule is placed in the LAN interface, or I believe it should be.
So, I am trying to confirm that it should be in the LAN and that the rule is correct in what I am trying to do, which is to block the WWW Interface from gaining access to resources in the LAN interface, except for DNS queries (port 53).
I hope that makes it a little clearer!
-
@Overcon said in Inverse Block Rule:
I want to block the WWW VLAN from all access to the LAN interface (container), except to the DNS servers located in the LAN. So the rule is placed in the LAN interface, or I believe it should be.
No. The rule always has to be defined on the incoming interface.
So if you want to block access from WWW to LAN, define the rule on the WWW.
Remember that a block rule (even with invert match) doesn't pass any traffic. So you need to add a pass rule below it to allow DNS.
The only kind of rules which you can define on the outgoing interface are floating rules.
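As an added example (not part of the thread, and not pfSense code), the following Python script simulates pfSense-style first-match evaluation of interface rules so the two points above can be checked: rules only see traffic arriving on the interface they are placed on, and an inverted block rule never passes anything on its own, so an explicit pass rule for DNS is still needed. The subnets (LAN 10.0.10.0/24, WWW 10.0.20.0/24), the DNS server address 10.0.10.53 and the test packets are constructed for illustration; the model ignores state tracking, source matching and floating rules.

```python
"""Simplified model of pfSense per-interface rule evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing for the illustration.
LAN_NET = "10.0.10.0/24"
WWW_NET = "10.0.20.0/24"
DNS_SERVER = "10.0.10.53/32"


@dataclass
class Packet:
    iface_in: str   # interface the packet arrives on (rules are evaluated here)
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    proto: Optional[str] = None     # None = any protocol
    dst_net: Optional[str] = None   # None = any destination
    dport: Optional[int] = None     # None = any port
    invert_dst: bool = False        # pfSense "invert match" on destination address
    invert_dport: bool = False      # pfSense "invert match" on destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_net is not None:
            hit = ip_address(pkt.dst) in ip_network(self.dst_net)
            if hit == self.invert_dst:      # inverted: match only when NOT in net
                return False
        if self.dport is not None:
            hit = pkt.dport == self.dport
            if hit == self.invert_dport:    # inverted: match only when NOT this port
                return False
        return True


def evaluate(rulesets: Dict[str, List[Rule]], pkt: Packet) -> str:
    """First matching rule on the ingress interface wins; no match is the implicit default deny."""
    for rule in rulesets.get(pkt.iface_in, []):
        if rule.matches(pkt):
            return rule.action
    return "block"


# Rules on the WWW interface, as recommended in the thread:
#  1. block everything to LAN except port 53 (inverted port match) - passes nothing by itself
#  2. pass DNS to the LAN DNS server, placed below the block
#  3. pass everything that is NOT LAN (internet access for the web servers)
CORRECT = {
    "WWW": [
        Rule("block", dst_net=LAN_NET, dport=53, invert_dport=True),
        Rule("pass", proto="udp", dst_net=DNS_SERVER, dport=53),
        Rule("pass", dst_net=LAN_NET, invert_dst=True),
    ],
    "LAN": [Rule("pass")],
}

# The original poster's placement: block rule on the LAN tab, WWW allowed out.
MISPLACED = {
    "WWW": [Rule("pass")],
    "LAN": [Rule("block", dst_net=LAN_NET, dport=53, invert_dport=True)],
}


def demo() -> Dict[str, str]:
    """Evaluate a few constructed WWW -> LAN/internet packets under both rule placements."""
    dns = Packet("WWW", "udp", "10.0.20.5", "10.0.10.53", 53)
    ssh = Packet("WWW", "tcp", "10.0.20.5", "10.0.10.20", 22)
    odd53 = Packet("WWW", "tcp", "10.0.20.5", "10.0.10.20", 53)   # port 53 to a non-DNS LAN host
    web = Packet("WWW", "tcp", "10.0.20.5", "203.0.113.10", 443)
    return {
        "correct/dns": evaluate(CORRECT, dns),          # pass  (rule 2)
        "correct/ssh": evaluate(CORRECT, ssh),          # block (rule 1)
        "correct/odd53": evaluate(CORRECT, odd53),      # block (no rule matches -> default deny)
        "correct/web": evaluate(CORRECT, web),          # pass  (rule 3)
        "misplaced/ssh": evaluate(MISPLACED, ssh),      # pass: the LAN-tab block never sees it
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The `odd53` case shows why the pass rule below the inverted block should name the DNS server rather than just port 53: the inverted block lets port-53 traffic to any LAN host fall through, and only the implicit default deny stops it here. If rule 3 were a bare "pass any" instead of "pass to not-LAN", that traffic would be allowed.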