Pfsense Firewall for Dummies



  • I wanted to write a document clarifying the firewall in Pfsense, because I believe it is one of the most important aspects of pfsense to understand; everything relies on the proper rules. Unfortunately, it has come to my attention that I do not know how to use them myself. I am trying to clarify this once and for all so that I (and others) no longer need to be ambiguous about what rule to create; I can just think of a scenario and know the proper rule.


    Note: In the first screenshots, "Accesspoint Net" is OPT2

    1) I am under the impression that firewall rules apply inbound on an interface. So logically these rules make sense to me:

    LAN:

    OPT

    Yet they do not work.


    2) Another way I have looked at this: packets enter pfsense's LAN from client machines (source: any) and ask the firewall, can I go to OPT? Logically, to me this says yes:

    LAN

    The packets are allowed into the OPT interface. So traffic enters pfsense's OPT interface from the LAN client machines, destined for clients on it (destination: any), and asks the firewall, is my traffic accepted? Logically, to me this says yes:

    OPT

    The packets arrive at their destination and a reply is sent. The packets go out of OPT and back into the LAN, where they once again ask, is my traffic accepted? Logically, to me, this says yes:

    LAN

    Yet these do not work either.


    3) I have created a set of rules that would logically allow TCP/UDP and ICMP from OPT1. These work. I have created an absolutely identical set of rules for OPT2 and these fail:
      http://i427.photobucket.com/albums/pp360/xtropx/LAN_RULES1.png
      http://i427.photobucket.com/albums/pp360/xtropx/OPT1RULES1.png
      http://i427.photobucket.com/albums/pp360/xtropx/OPT2RULES1.png

    Any assistance anyone can offer in helping clarify this huge part of pfsense would be invaluable both to me and those who come to the forums searching for answers on how to understand the pfsense firewall. Thanks in advance.




  • @xtropx:

    **1) I am under the impression that firewall rules apply inbound on an interface.**

    They do; you have the source and destination backwards though. Traffic hitting the LAN rules will only be sourced from the LAN subnet. Read the firewall chapter in the book for a detailed explanation. http://pfsense.org/book

    The basics are covered here.
    http://doc.pfsense.org/index.php/Firewall_Rule_Basics
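As an added illustration (not code from the thread, from pfSense or from either poster), the following Python model reproduces the evaluation order the reply is describing: a packet is checked only against the rules of the interface it arrives on, so a LAN rule can only ever see traffic sourced from the LAN subnet, and the reply coming back in on OPT is carried by the state table rather than by any OPT rule. The interface names mirror the thread's LAN/OPT1/OPT2 layout; the subnets, addresses and the `Firewall`/`Rule` helpers are assumptions made for this example, since the original screenshots are not on the page.

```python
"""Model of per-interface, inbound, stateful rule evaluation as in pfSense (pf).

Added example: not pfSense code and not from the thread. Subnets, addresses
and helper names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed interface subnets (the thread's screenshots are not available).
IFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),
    "OPT2": ipaddress.ip_network("192.168.3.0/24"),
}


def addr_in(addr, spec):
    """True if addr matches spec: 'any', or an interface name standing for its subnet."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in IFACES[spec]


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet ARRIVES on; only its rules are consulted
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block"
    src: str          # "any" or an interface name (meaning "<iface> net")
    dst: str
    proto: str = "any"

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and addr_in(pkt.src, self.src)
                and addr_in(pkt.dst, self.dst))


class Firewall:
    def __init__(self, rulesets):
        self.rulesets = rulesets   # {iface: [Rule, ...]} in GUI order
        self.states = set()        # (proto, src, dst) of flows already passed

    def evaluate(self, pkt):
        """Return (allowed, reason). First match wins, as pfSense rules are 'quick'."""
        key = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        # pf checks the state table before the ruleset: a reply to an already
        # passed flow never touches the rules on the interface it arrives on.
        if key in self.states or reverse in self.states:
            return True, "matched existing state"
        for rule in self.rulesets.get(pkt.iface, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action == "pass", f"{pkt.iface} rule: {rule}"
        return False, f"{pkt.iface}: no rule matched, default deny"


def backwards_rules():
    """The reading the reply calls backwards: on LAN, 'pass from OPT1 net to LAN net'.
    Nothing arriving on LAN is sourced from OPT1, so the rule never matches."""
    fw = Firewall({"LAN": [Rule("pass", "OPT1", "LAN")],
                   "OPT1": [Rule("pass", "LAN", "OPT1")]})
    request = Packet("LAN", "192.168.1.10", "192.168.2.20")
    return fw.evaluate(request)[0]      # False


def inbound_rules():
    """Source is the subnet of the interface the packet arrives on."""
    fw = Firewall({"LAN": [Rule("pass", "LAN", "any")], "OPT1": []})
    request = Packet("LAN", "192.168.1.10", "192.168.2.20")
    ok_request, _ = fw.evaluate(request)
    # The reply arrives on OPT1, which has no rules at all: state carries it.
    reply = Packet("OPT1", "192.168.2.20", "192.168.1.10")
    ok_reply, _ = fw.evaluate(reply)
    # A brand-new flow started from OPT1 still hits OPT1's empty ruleset: denied.
    fresh = Packet("OPT1", "192.168.2.20", "192.168.1.10", proto="udp")
    ok_fresh, _ = fw.evaluate(fresh)
    return ok_request, ok_reply, ok_fresh   # (True, True, False)


if __name__ == "__main__":
    print("backwards LAN rule passes LAN->OPT1:", backwards_rules())
    print("inbound LAN rule (request, reply, new OPT1 flow):", inbound_rules())
```

The model deliberately leaves out floating rules (which can match in either direction) and per-interface state details; the point it isolates is the one in the reply: on an interface tab, "source" means the hosts behind that interface, and the return half of a connection needs no rule of its own.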

