Is this behavior normal:
-
First of all, hello everybody! I am new to the forum and this is my first post. Please excuse my English, but I think it is understandable ;)
I have been experimenting with pfSense for a few days. I have 2 servers with 3 interfaces: WAN, LAN, and OPT1 for CARP. Synchronization is working without problems, and firewalling between the internal and external networks is also working as expected. The only strange behavior for me is that I am not able to block any traffic from the pfSense servers' local IP addresses to anywhere. My last rule on every interface is a "block any protocol from every source to every destination", except I have no rules under "Firewall: Rules: Floating".
This is a big security risk for me, but I am wondering about it, so you may have an idea or an explanation for me! Thanks! -
Firewall rules apply on the input side of an interface. Traffic sourced from the pfSense box (as distinct from traffic passing through) is not received on any interface, hence firewall rules don't apply.
The only strange behavior for me is that I am not able to block any traffic from the pfSense servers' local IP addresses to anywhere.
Please give more details about the traffic you are trying to block. For example, are you trying to prevent internet access from the pfSense console?
-
Hello, as I said, I do not think it is a security risk for me, but up to now I used iptables on Linux, and there you have INPUT and OUTPUT chains for filtering local traffic. My normal procedure when working with firewalls and security-relevant systems is to first block everything to everywhere for everyone, including local traffic; I think this will answer your question. But out of curiosity, is it possible to block local connections for HTTP, for example?
-
You cannot block that traffic with firewall rules on interfaces.
You have to use floating rules for that. -
Thanks for your reply. Can you explain to me what floating rules are and what the difference is from the other rules? Are they only for local traffic?
-
They are basically just a type of rule that exposes some of the more advanced options.
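To make the distinction in the replies above concrete, here is an added illustration (not posted by anyone in this thread) in the pf ruleset syntax that pfSense generates under the hood. The interface name em0 is an assumption; the second rule corresponds to a Firewall: Rules: Floating entry with Direction "out" and "Quick" enabled.

```pf
# Assumed WAN interface name (pfSense normally writes these macros
# from the interface assignments).
ext_if = "em0"

# What an interface-tab rule becomes: it filters packets received
# ON the interface (direction "in"). A connection the firewall itself
# opens is never received on em0, so this rule cannot match it.
block in log quick on $ext_if from any to any

# pfSense also installs a permissive "pass out" per interface so that
# the firewall's own traffic (DNS, NTP, updates) is allowed by default.
pass out quick on $ext_if keep state

# A floating rule with direction "out" is evaluated on the way OUT of
# the interface, which is where locally sourced packets show up.
# "(self)" expands to every address configured on the firewall, so
# this blocks HTTP connections originating from pfSense itself.
# It must be "quick" and ordered before the pass-out rule above to win.
block out log quick on $ext_if proto tcp from (self) to any port 80
```

In pfSense, floating rules are evaluated before interface rules, so placing the block there reproduces this ordering without editing pf.conf by hand.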