Netgate Discussion Forum
    Set up questions

    General pfSense Questions
    22 Posts 3 Posters 6.6k Views

    • B Offline
      broncoBrad
      last edited by

      The server configuration allows ping responses? Does a packet capture on the interface connected to the server show outgoing pings?

      By this are you asking if my server responds to pings? I'm pretty sure it does because at one point I had it set up with a shared connection on my personal computer while I was setting it up and the pinging worked. I guess my other definition of "see" is that the server doesn't have internet access, but I don't think it's a firewall rule since I have the any rule and a Diagnostics -> Ping didn't work.

      Does a packet capture on the interface connected to the server show outgoing pings?

      Haven't tried yet. Will try to set up packet capture and see what I can see.

      Have you checked the pfSense firewall log (Status -> System Logs, click on Firewall tab) to see if your ping attempt has been blocked by the firewall?

      Again, haven't tried yet, although this is difficult when I have to be in a completely different part of my house to access the server than to access my system logs and the system logs only hold the last 50 entries.

      Your response helped me get a better understanding of firewall rules. I understand that I wasn't very precise and I also understand looking at rules within the context of all interfaces, but here's my question to clarify my understanding:

      His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.

      Why is it "FROM" (i.e. Source) and "TO" (i.e. Destination) on the LAN interface? I guess what I'm saying is if you're looking at when it arrives at the firewall I thought it was only coming into the LAN thus the rule doesn't make any sense, but if it's both going in and out then the rule makes sense. So instead of just doing a Destination rule to your son's computer (which would allow his attempts out to the internet, WAN), but be blocked on the way back in, you stop it from even going out the LAN, correct?

      Thanks!

      • W Offline
        wallabybob
        last edited by

        A TCP connection (say to send an email) has a special sequence to establish a connection and a special sequence to teardown a connection.

        A flow is a data structure describing data transfer within a connection. It will normally have at least source IP, source port, destination IP and destination port. Thus a connection has two associated flows (because data can travel in both directions).

        Simplified firewall processing, on packet arrival at the firewall:

        Is there a flow for this packet?
            Yes - forward the packet.
            No - Is this a connection setup?
                No - discard packet
                Yes - Does this connection setup match an ALLOW rule for this interface?
                    No - discard packet
                    Yes - create flow for this direction of data transfer,
                          create flow for reverse direction of data transfer,
                          forward connection setup

        @broncoBrad:

        His computer is on LAN which has the standard allow LAN to any rule. As first rule on the interface I add a BLOCK rule to LAN to block access FROM his computer TO game servers in peak times. Any access from other computers doesn't match that rule and falls into the LAN default rule allowing access.

        Why is it "FROM" (i.e. Source) and "TO" (i.e. Destination) on the LAN interface? I guess what I'm saying is if you're looking at when it arrives at the firewall I thought it was only coming into the LAN thus the rule doesn't make any sense, but if it's both going in and out then the rule makes sense. So instead of just doing a Destination rule to your son's computer (which would allow his attempts out to the internet, WAN), but be blocked on the way back in, you stop it from even going out the LAN, correct?

        The simplified firewall processing description says the firewall rules are consulted only on an attempt to set up a connection, and if that attempt is allowed then the "back traffic" to the initiator of the connection is also allowed. The firewall rules apply to connection setup attempts. If my son wants to have a conversation with his game servers, the firewall will see on the LAN interface a connection setup attempt FROM his computer TO a game server. If the firewall allows that connection attempt (and the target accepts it) then all traffic (both directions) on that connection is allowed.

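The decision tree wallabybob describes (flow lookup first, rules only on connection setup, two flows created on allow) can be walked through in code. The following is an added example written for this thread, not pfSense or pf code: the interface names, the rule format, the hosts (son, other LAN machine, game server) and the port numbers are all constructed for illustration, and real pf also tracks protocol, TCP state and teardown, which this toy omits. It reproduces the LAN scenario from the quoted post and also shows why a rule with the son's computer as the *destination* never matches his outbound setups.

```python
"""Toy stateful firewall following the simplified processing description.

Added example, not pfSense or pf code. Interface names, rule format,
addresses and ports are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

SYN = "SYN"    # connection setup attempt
DATA = "DATA"  # packet belonging to an existing connection


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on (constructed names)
    src: str
    sport: int
    dst: str
    dport: int
    kind: str = DATA  # SYN (setup) or DATA


@dataclass
class Rule:
    action: str                  # "allow" or "block"
    src: str = "0.0.0.0/0"       # source network, "any" by default
    dst: str = "0.0.0.0/0"       # destination network, "any" by default
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


FlowKey = Tuple[str, int, str, int]


@dataclass
class Firewall:
    # per-interface rule lists, evaluated top to bottom, first match wins
    rules: Dict[str, List[Rule]] = field(default_factory=dict)
    # flow table: one entry per direction of an allowed connection
    flows: Set[FlowKey] = field(default_factory=set)

    def process(self, p: Packet) -> str:
        key: FlowKey = (p.src, p.sport, p.dst, p.dport)
        # 1. Is there a flow for this packet?  Yes -> forward, no rules consulted.
        if key in self.flows:
            return "forward (existing flow)"
        # 2. No flow and not a connection setup -> discard.
        if p.kind != SYN:
            return "discard (no flow, not a setup)"
        # 3. Connection setup: consult the rules of the arrival interface.
        for rule in self.rules.get(p.iface, []):
            if rule.matches(p):
                if rule.action == "block":
                    return "discard (blocked by rule)"
                # 4. Allowed: create both flows so back traffic needs no rule.
                self.flows.add(key)
                self.flows.add((p.dst, p.dport, p.src, p.sport))
                return "forward (new flows created)"
        return "discard (no matching rule)"


def demo() -> Dict[str, str]:
    """Replays the LAN scenario from the thread; all addresses are constructed."""
    son, other, game = "192.168.1.50", "192.168.1.60", "203.0.113.10"
    fw = Firewall(rules={"LAN": [
        Rule("block", src=son + "/32", dst=game + "/32"),  # first rule: son -> game
        Rule("allow"),                                      # default allow LAN to any
    ]})
    out: Dict[str, str] = {}
    out["son_setup"] = fw.process(Packet("LAN", son, 40000, game, 27015, SYN))
    out["other_setup"] = fw.process(Packet("LAN", other, 40001, game, 27015, SYN))
    # The server's reply arrives on WAN: no WAN rule exists, but the flow does.
    out["reply_to_other"] = fw.process(Packet("WAN", game, 27015, other, 40001))
    # An unsolicited setup from the WAN side hits no rule and is discarded.
    out["unsolicited_wan"] = fw.process(Packet("WAN", game, 27015, other, 40005, SYN))
    # A LAN rule with the son's computer as DESTINATION never matches his setups.
    fw2 = Firewall(rules={"LAN": [Rule("block", dst=son + "/32"), Rule("allow")]})
    out["dst_rule_son_setup"] = fw2.process(Packet("LAN", son, 40002, game, 27015, SYN))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The design choice worth noting is that the flow table is checked before any rule: that is what makes a single LAN allow rule sufficient for reply traffic, and it is also why the block rule must be written with the son's computer as the source on the interface where his setup packets first arrive.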
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.