Firewall rules based on interface

fwadmin · Jun 21, 2011, 10:06 PM

Is there a FAQ or 'how to' about this? I have been unable to figure this out through the interface, forums, and documentation.

XIII · Jun 21, 2011, 10:35 PM

Like this?

http://doc.pfsense.org/index.php/Category:Firewall_Rules

To add rules go to Firewall>Rules and select the interface you want to add rules to. To add a rule you click the plus sign.

See attached image, change LAN Net to the interface you are applying this rule to, additionally you could copy that rule to another interface by clicking the plus sign to the right of the rule, just edit LAN Net to apply to the appropriate network (ie: Opt1 Net)

fwadmin · Jun 22, 2011, 9:55 PM

I don't think i have been very clear about the problem. I want to create a firewall rule similar to what I can do with IPTABLES in a chain rule i.e.

-A FORWARD -i PUBLIC1 -j OUTBOUND_ALL
-A OUTBOUND_ALL -o OUTSIDE -m state –state NEW -j ACCEPT

There are no references to subnets or IP's. Simply allowing traffic in one interface and out another. One side of the rule depends on the other. That might be the caveat that is creating confusion. The first rule doesn't allow anything by itself. Though it defines what is allowed inbound on the PUBLIC1 interface, nothing is allowed without the second line.

With the -i switch and possibly utilizing the anchor feature of pfctl, I hoping to do the same with pfsense.

Metu69salemi · Jun 23, 2011, 5:33 AM

if you want to allow everything why to have osi layer 4 device, why don't simply use osi layer 3 three device(router) and there allow routing between everything

fwadmin · Jun 23, 2011, 4:10 PM

Most of our firewalls have 10 interfaces. We typically allow everything going out the Outside interface:

Source=any Destination=any Protocol=any In Interface=any Out Interface=Outside

This takes care of Internet access without giving access to any internal services. Then i have intra containment zone rules such as:

Source=any Destination=any Protocol=CIFS,DNS, etc In Interface=InterfaceY Out Interface=InterfaceZ

The later rule is not the challenge here. It is how do I give the nine containment zones full internet access without giving them access to internal services. Better stated, without a series of deny rules, how would i do this. This is a simple rule set:

All through the Outside interface for all
Containment Zone One to Containment Zone Two for X procotols
Containment Zone One to Containment Zone Three for X procotols
Containment Zone Four to Containment Zone Five for X procotols
Deny All

Otherwise the rule set would double:

Deny Containment Zone One to Containment Zone Two for X procotols
Deny Containment Zone One to Containment Zone Three for X procotols
Deny Containment Zone Four to Containment Zone Five for X procotols
Containment Zone One to all for all
Containment Zone Two to all for all
Containment Zone Four to all for all
Deny all

Not to mention we allow fewer protocols than we deny making the firewall configuration more complicated.

Metu69salemi · Jun 23, 2011, 6:26 PM

You could simplify rulesets by using aliases. but remember you can't mix alias types in one alias(example: IP's and Port numbers). Then configuration might be easier to read and more comfortable to use

XIII · Jun 23, 2011, 10:38 PM

You might be able to do what you want but pfSense is designed to be administered through the gui. To do it the way you want I believe you would have to do it via CLI.

cmb · Jun 24, 2011, 12:32 AM

You cannot just specify interfaces in rules (in the GUI or the underlying system), using subnets, aliases or interface groups (likely a combination) can do what you want by using IP subnets rather than interfaces.

jimp · Jun 28, 2011, 1:16 PM

On 2.0 you can use floating rules and/or interface groups to get closer to what you want, but with traditional rules you do need to block inbound on the interfaces going to every other network you don't want them to access. By using aliases, you don't really need X number of individual rules, you could do it with only a couple of them.

MikeN · Jul 4, 2011, 9:57 AM

fwadmin: Did you ever manage to find a good solution to this?

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

cmb · Jul 4, 2011, 10:12 PM

@MikeN:

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.

MikeN · Jul 4, 2011, 11:14 PM

@cmb:

@MikeN:

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.

That is an option, but:

It's error prone. If in the future new IP ranges get added to interfaces, I will have to make sure that these get blocked too. I rather have something closed/secure by default, instead of the other way around.
It's quite some work if you got multiple interfaces. I still have to look into the floating rules (running 2.0-rc3 here), and where they're added in the pf ruleset, so maybe floating rules can resolve this issue…