Netgate Discussion Forum

    Rules not blocking inbound

    Category: Firewalling (8 posts, 2 posters)
    • rloeb:

      I'm attempting to block incoming traffic from a short list of IP addresses. I created an alias and listed those addresses, then I created a rule that rejected using that alias. Because the internal target address is NATed, I placed this rule in the floating ruleset and specified immediate action. I also placed the rule in both the WAN and LAN rulesets because it wasn't blocking. None of the rules are blocking those IP addresses.

      Rule looks like this:
      Action: Reject
      Quick: Apply immediately on match
      Interface: Any
      Direction: Any
      Address Family: IPV4
      Protocol: TCP/UDP
      Source: Address or Alias + Alias Name
      Destination: Server IP address + port

      What am I doing wrong?

      • johnpoz (LAYER 8 Global Moderator) @rloeb:

        @rloeb it would be much easier to help you if you just posted up a screen shot of your wan rules, your floating rules and your port forwards..

        Rules are evaluated top down, first rule to trigger wins - no more rules evaluated. So your block rule isn't going to be much good if you have an any/any, for example, above it.

        You would almost never want a reject rule on your wan side interface by the way.. This sends a response - why should you spend more resources telling something you can't get here if you don't want them to get there?

        Rejects are more used on the local side.

        It would be a good idea to set your rule to logging, so you can see if it is actually blocking stuff.. You can also look under the states table on your rules: does it show 0/0 - if so the rule has never been triggered.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • rloeb @johnpoz:

          @johnpoz !
          Floating rules: [screenshot: bdb07fe8-1a53-4c96-9f31-9b789e4c4116-image.png]
          WAN rules (partial): [screenshot: d9ea28af-15eb-45f7-9c50-3edb70d19a82-image.png]
          LAN rules (partial): [screenshot: 9e520a25-e960-4015-8785-33692922eb58-image.png]

          Understood re "reject." I switched to that when "block" didn't work.

          Rog

          • rloeb @rloeb:

            Having posted these, I noticed that the rule order for the floating rules is wrong. What I don't understand is why it changes without my intervention. Now logging the floating rule, which has been triggered at least once.

            • rloeb @rloeb:

              Working now. Rule order was wrong. Not sure how the rules got out of order, but that has to be user error.
              Rog

              • johnpoz (LAYER 8 Global Moderator) @rloeb:

                @rloeb do you run pfblocker - and have it do auto rules? That can sometimes mess up the order.

                Also a common thing new users run into - is if there is an existing state, creating a block rule will not work until the state is gone, either closed by the devices themselves, time out, or you manually kill it, etc.

                Existing states are evaluated before rules.

                edit:

                Also these rules are pretty pointless

                [screenshot: pointless.jpg]

                That doesn't block those outbound, those just block from talking specifically to your wan address. If you don't want something going to the internet, that would be a any destination.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                • rloeb @johnpoz:
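A small model of the evaluation order johnpoz describes in the two replies above (existing states are consulted before any rule, floating quick rules end evaluation on first match, interface-tab rules are first-match, and a LAN rule whose destination is the WAN address never sees traffic bound for the internet). This is an added illustration, not code from the thread or from pfSense/pf; the alias, addresses and rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values; the thread does not give the real addresses.
ALIASES = {"bad_hosts": ["203.0.113.10", "198.51.100.0/24"]}
WAN_ADDR, SERVER = "192.0.2.1", "10.0.0.5"

@dataclass
class Rule:
    action: str            # "pass", "block" or "reject"
    src: str = "any"       # "any", an IP/CIDR, or an alias name
    dst: str = "any"
    dport: int = 0         # 0 means any port
    quick: bool = False    # floating rules opt in; pfSense interface-tab rules are always quick

def _hit(spec, ip):
    if spec == "any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
               for n in ALIASES.get(spec, [spec]))

def _match(r, p):
    return _hit(r.src, p["src"]) and _hit(r.dst, p["dst"]) and r.dport in (0, p["dport"])

def evaluate(p, floating, iface, states=()):
    """Decide a packet the way pf does: state table first, then floating, then interface rules."""
    if (p["src"], p["dst"], p["dport"]) in states:
        return "pass", "existing state"           # no rule is consulted at all
    last = None                                    # remembers the last non-quick floating match
    for r in floating:
        if _match(r, p):
            if r.quick:
                return r.action, "floating quick"  # first quick match ends evaluation
            last = r.action
    for r in iface:                                # interface rules are quick: first match wins
        if _match(r, p):
            return r.action, "interface rule"
    return (last, "floating last match") if last else ("block", "default deny")

PKT = {"src": "203.0.113.10", "dst": SERVER, "dport": 443}
BLOCK = Rule("reject", src="bad_hosts", dst=SERVER, dport=443, quick=True)
ALLOW = Rule("pass", dst=SERVER, dport=443, quick=True)   # constructed pass rule sitting above it

def block_below_pass():  return evaluate(PKT, [ALLOW, BLOCK], [])
def block_above_pass():  return evaluate(PKT, [BLOCK, ALLOW], [])
def block_but_state():   return evaluate(PKT, [BLOCK, ALLOW], [], states={("203.0.113.10", SERVER, 443)})
def lan_block_to_wan_addr():
    # "block dst = WAN address" on LAN does not match a LAN host talking to the internet
    lan = [Rule("block", src="10.0.0.0/8", dst=WAN_ADDR), Rule("pass", src="10.0.0.0/8")]
    return evaluate({"src": SERVER, "dst": "8.8.8.8", "dport": 53}, [], lan)

if __name__ == "__main__":
    for f in (block_below_pass, block_above_pass, block_but_state, lan_block_to_wan_addr):
        print(f.__name__, "->", f())
```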

                  @johnpoz Yup. Been running pfblocker for many years, but forgot that it can sometimes mess with the rule order. My floating "block" rule keeps getting moved lower in the rule order.

                  • rloeb @johnpoz:

                    @johnpoz And thank you for pointing out that the outbound blocking rules don't do what I thought they did! :-)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.