Filter rules not applied on optional interfaces

  • Hi,

    i'm getting real mad trying to figure out what's going on on my production firewalls.
    What is happening is out of any explanation to me: any rule set for all optional interfaces is not followed!

    The exactly same rules have ALWAYS worked in the past. The only real change i did is 2 weeks ago, when i installed a couple new firewalls, with new 4 ports nics, with the same pfsense version and restore the production configuration on these new machines. I had just to change the NIC names, as they were different between the old and new machines. Once i did this everything started to work again like a charm.

    I have a lot of rules set, 2 vlan interfaces and multi interface traffic shaper.
    Version is "1.2-RELEASE, built on Wed Apr 23 21:04:50 EDT 2008, FreeBSD 6.3-RELEASE-p1 i386", which is a custom build from Ermal released for the multi interface shaper bounty contributors.

    I will provide the rules.debug and anything that might help to anyone willing to help out.



  • A little more details after the Mayday…

    The conf is the following:
    . 2 FW with 4 ports Intel NICs.
    . CARP gateway IPs for LAN, WAN, DMZ (opt1), WAN2 (opt2), DMZ2 (opt3), DMZServiceVLAN(opt4). The latter 2 are VLANs on the DMZ (opt1) interface.
    . Traffic shaper is configured on all interfaces.
    . Gateway load balancer between the 2 WAN, as by wiki (1 load balance, 2 fail overs).
    . 5 active IPSEC tunnels.
    . PPTP VPN server.
    . 5 port NAT rules, 2 with 30 ports ranges.
    . No static routes.
    . Floating rules are not configured.

    I don't know why, the rules applied on all OPT interfaces (VLAN based or not) are not applied for outbound connections, as i can communicate with "any", all protocols, even if no such rule is configured. I think this is the default behavior for unconfigured interfaces (in terms of FW rules).

    Any help is REALLY appreciated.


  • some more investigation found the culprit lines in /tmp/debug.rules.

    pass quick on [opt interface] proto icmp keep state label "let out anything from firewall host itself"
    pass quick on [opt interface] all keep state label "let out anything from firewall host itself"

    these obviously overrule any other rule i've defined for the interfaces.
    the culprit lines are in /etc/inc/
    since i have a 1.2.3 installation in another location, i've compared both the rules produced and the files. focusing on the issue, the new produce a slightly different version:

    pass out quick on {$oc['if']} proto icmp keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
    pass out quick on \${$friendly_on} all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"

    which partially fixes the issue. the "quick" argument defeat the purpose of having outgoing rules for the interface… can someboedy clarify why it's been defined like that? and why just for the opt interfaces?


  • PfSense filters only incoming connections, not outgoing on a given interface. This means that, for example if you want to filter traffic originating on the LAN network that is destined for OPT1 network the rules have to placed in LAN rules.

    Hope this helps.

  • ok thanks a lot.

    i've made the needed modifications to the file on both firewalls and so far everything is working as expected.

    btw, i'm using this old old version (2008) since it's the only one, that i'm aware of, supporting multi interface traffic shaping besides 2.0 still in beta…. is anyone aware of any more recent version of 1.2 supporting it?

Log in to reply