Netgate Discussion Forum

    Understanding differing rule concepts between pfsense (pf) and iptables

    Firewalling · 3 Posts · 2 Posters · 4.6k Views
    packet_herder

      I currently have some experience with iptables, and so I started working with pfSense with that mindset.

      Current understanding:

      Where are rules applied: pfSense applies rules to packets on the first interface they enter. I.e. even though, to get to the internet in a standard OpenVPN situation, packets go ->LAN->OPT1->WAN->, only LAN rules matter. This is completely different from iptables, where packets flow through different chains (INPUT, OUTPUT, FORWARD) and can be matched in any of them, and more than once.

      There doesn't appear to be a way to mangle packets in pfSense via the GUI that is equivalent to 'match this packet, change it but don't accept or reject; that comes in a later rule'. Here is an example in iptables that sets the TOS:

      iptables -t mangle -A OUTPUT --out-interface eth0 --protocol tcp -m multiport --source-ports 40000:49999 -j TOS --set-tos "Maximize-Throughput"
      

      Currently this is the only non-NAT mangling thing I do with iptables, but that's probably because I don't have the experience to know what other useful stuff is possible.

      I had originally expected to apply traffic shaping queues via such a mangling rule, then I realised what pass/reject/drop actually meant. Any ideas if such passive rules will be implemented at some point, and if there is somewhere to mangle packets like the TOS example?

      Thanks.

      marcelloc

        Take a look at queues for traffic shaping and at advanced options on rules.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        packet_herder

          Hi marcelloc,

          Yes, already done that; I am currently working on getting my head around the standard PRIQ shaping.

          Right, I've found that floating rules partially satisfy 'rules that do not pass/reject/block': they have an extra option, 'Queue'.

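As an added illustration of the rule model this thread is about (the first post's question about passive, mangle-style rules, and the last post's note that floating rules carry a Queue option), and not code from the forum, from pfSense or from pf itself: a small Python model of how pf evaluates a ruleset. It parses a simplified subset of pf.conf syntax (pass/block/match, quick, in/out, on, proto, from/to with port ranges, queue, set tos); the keyword set follows OpenBSD-style pf.conf and is not checked here against any particular pfSense/FreeBSD release. The interfaces em0/em1, the queue names and every rule line are constructed for the demo.

```python
"""Toy model of pf rule evaluation (constructed example, not pf/pfSense code).
Rules are tried in order and the LAST matching pass/block wins, unless a matching
rule is 'quick', which ends evaluation (pfSense adds 'quick' to interface-tab
rules). 'match' rules never decide pass/block; they only attach a queue or TOS
value, which is pf's counterpart of an iptables mangle rule."""
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# iface = interface the rules are evaluated on, direction = "in" or "out"
Packet = namedtuple("Packet", "iface direction proto sport dport")


@dataclass
class Rule:
    action: str       # pass | block | match
    text: str
    direction: Optional[str] = None
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None
    queue: Optional[str] = None
    tos: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one rule of the supported subset; anything else is rejected."""
    toks = line.split()
    if not toks or toks[0] not in ("pass", "block", "match"):
        raise ValueError(f"unsupported action in rule: {line!r}")
    r, i = Rule(action=toks[0], text=line), 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t in ("on", "proto", "queue"):
            setattr(r, "iface" if t == "on" else t, toks[i + 1])
            i += 1
        elif t in ("from", "to") and toks[i + 1] == "any":
            i += 1
            if toks[i + 1:i + 2] == ["port"]:        # "port 22" or "port 40000:49999"
                lo, _, hi = toks[i + 2].partition(":")
                setattr(r, "sport" if t == "from" else "dport", (int(lo), int(hi or lo)))
                i += 2
        elif t == "set" and toks[i + 1:i + 2] == ["tos"]:
            r.tos = toks[i + 2]
            i += 2
        elif t != "all":
            raise ValueError(f"unsupported token {t!r} in rule: {line!r}")
        i += 1
    return r


def matches(r: Rule, p: Packet) -> bool:
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.sport is None or r.sport[0] <= p.sport <= r.sport[1])
            and (r.dport is None or r.dport[0] <= p.dport <= r.dport[1]))


def evaluate(rules: List[Rule], p: Packet) -> dict:
    """Run one packet through the rules (pf's implicit default is pass)."""
    st = {"verdict": "pass", "queue": None, "tos": None, "decided_by": None}
    for r in rules:
        if not matches(r, p):
            continue
        if r.queue is not None:       # attributes accumulate; last writer wins
            st["queue"] = r.queue
        if r.tos is not None:
            st["tos"] = r.tos
        if r.action == "match":       # passive rule: never sets the verdict
            continue
        st["verdict"], st["decided_by"] = r.action, r.text
        if r.quick:                   # quick: later rules are not consulted
            break
    return st


# Constructed ruleset: em0 = WAN, em1 = LAN, queue names invented. The 'match'
# rule mirrors the thread's iptables TOS rule: it marks the packet and leaves
# pass/block to a later rule, as a pfSense block-all-first ruleset would.
DEMO_RULES = [parse_rule(s) for s in (
    "block in all",
    "match out on em0 proto tcp from any port 40000:49999 queue qBulk set tos throughput",
    "pass in quick on em1 proto tcp to any port 22 queue qPrio",
    "block in quick on em1 proto tcp to any port 23",
    "pass out on em0 proto tcp",
)]

# The same block without 'quick' followed by a broad pass: in raw pf.conf the
# later pass wins, the ordering pitfall that pfSense's quick rules avoid.
NO_QUICK_RULES = [parse_rule(s) for s in (
    "block in on em1 proto tcp to any port 23",
    "pass in on em1 proto tcp",
)]

if __name__ == "__main__":
    for pkt in (Packet("em0", "out", "tcp", 45000, 443), Packet("em1", "in", "tcp", 51000, 23)):
        print(pkt, "->", evaluate(DEMO_RULES, pkt))
    print("no quick:", evaluate(NO_QUICK_RULES, Packet("em1", "in", "tcp", 51000, 23)))
```

The `match` action is what the pfSense GUI exposes as the "Match" action on floating rules: the rule assigns the queue (or other attributes) and leaves the pass/block decision to whatever rule matches afterwards. Interface-tab rules in pfSense are generated with `quick`, so there the first matching rule decides, which is closer to the iptables first-match behaviour; with plain pf.conf rules that lack `quick`, a broad `pass` placed after a narrow `block` silently overrides it.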
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.