Help with understanding firewall log



  • Hello,

I have been running pfSense for the past 6 months. It does a great job, and I have come a long way with my understanding of how to implement the system. I am still learning and have a couple of (firewall for dummies) questions regarding my firewall logs. For example, let's say in my log: ACT = a red X; does this mean that on that interface the "Source IP" tried to connect to the "Destination IP", but was blocked from connecting? Next, the same question, only this time ACT = green arrow; does this mean that on that interface the "Source IP" tried to connect to the "Destination IP", and was allowed to connect? I assume this is how it reads, am I correct?

    Thanks for your help



  • You are right.

    The ACT shows you what happens with this connection. RED means this connection was blocked and GREEN that it was allowed.



  • @Nachtfalke:

    You are right.

    The ACT shows you what happens with this connection. RED means this connection was blocked and GREEN that it was allowed.

That's what I thought!

Is it safe to say that an interface with "NO" rules means everything incoming and outgoing is blocked? If that is the case, then only rules that are set to "PASS" will allow an incoming or outgoing connection! I hope I'm understanding this correctly.

    Thanks for your reply



  • No.

    If there is no rule on LAN interface, there is an invisible rule "block any to any". This means that no traffic INITIATED FROM LAN TO PFSENSE/anywhere else is allowed. But this does not mean that someone from another interface could connect to this LAN (if on the other interfaces is the rule which allows this).

    Example:
    If you have LAN1 and there is no rule (all is blocked from this LAN1) and
    if you have LAN2 and there is a rule allowing everything.

Then it is NOT possible for clients in LAN1 to connect to LAN2 or anywhere else, BUT
    it is possible for clients on LAN2 to connect to LAN1 and anywhere else.

    So if you want to block access TO LAN1 FROM LAN2, then you have to put a block rule on LAN2 with destination LAN1.

    And always remember. Rules on the firewall will be applied from TOP to DOWN.

    Have fun :-)
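    The behaviour described in this reply can be checked with a small simulation. This is an added example, not code from the thread or from pfSense itself; it assumes the model the reply gives (rules are evaluated top to bottom on the interface where the traffic enters, the first matching rule wins, and an interface with no matching rule falls back to an implicit "block any to any"). The network names and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample networks for the two interfaces from the thread.
NETS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),
}


def make_rule(action, src="any", dst="any"):
    """A rule as it appears on an interface tab: action, source, destination."""
    assert action in ("pass", "block")
    return {"action": action, "src": src, "dst": dst}


def _matches(spec, ip):
    """'any' matches everything; otherwise the address must be in the named network."""
    return spec == "any" or ipaddress.ip_address(ip) in NETS[spec]


def ingress_interface(src_ip):
    """Traffic is filtered on the interface where it enters: the source's own network."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return "WAN"  # assumption: anything non-local arrives on WAN


def evaluate(rules, src_ip, dst_ip):
    """Walk the ingress interface's rules top to bottom; the first match wins.
    No match -> the implicit 'block any to any' the reply describes."""
    iface = ingress_interface(src_ip)
    for idx, rule in enumerate(rules.get(iface, []), start=1):
        if _matches(rule["src"], src_ip) and _matches(rule["dst"], dst_ip):
            return rule["action"], f"{iface} rule #{idx}"
    return "block", f"{iface} implicit default deny"


def scenario_from_thread():
    """LAN1 has no rules at all, LAN2 has a single 'pass any to any'."""
    rules = {"LAN1": [], "LAN2": [make_rule("pass")]}
    return {
        "lan1_to_lan2": evaluate(rules, "192.168.1.10", "192.168.2.10"),
        "lan2_to_lan1": evaluate(rules, "192.168.2.10", "192.168.1.10"),
    }


def scenario_block_lan2_to_lan1(block_rule_on_top=True):
    """The fix from the reply: a block rule on LAN2 with destination LAN1.
    Its position matters because rules apply top to bottom: placed below the
    'pass any' rule it never fires."""
    block = make_rule("block", src="any", dst="LAN1")
    allow = make_rule("pass")
    lan2 = [block, allow] if block_rule_on_top else [allow, block]
    rules = {"LAN1": [], "LAN2": lan2}
    return {
        "lan2_to_lan1": evaluate(rules, "192.168.2.10", "192.168.1.10"),
        "lan2_to_internet": evaluate(rules, "192.168.2.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, result in scenario_from_thread().items():
        print("no rules on LAN1:", name, result)
    for name, result in scenario_block_lan2_to_lan1().items():
        print("block rule on top:", name, result)
    for name, result in scenario_block_lan2_to_lan1(False).items():
        print("block rule below pass:", name, result)
```

    Running it shows the two points of the reply: LAN1 traffic is dropped by the default deny even though LAN2 is wide open, and the block rule only protects LAN1 when it sits above the pass rule on the LAN2 tab.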



  • @Nachtfalke:

    No.

    If there is no rule on LAN interface, there is an invisible rule "block any to any". This means that no traffic INITIATED FROM LAN TO PFSENSE/anywhere else is allowed. But this does not mean that someone from another interface could connect to this LAN (if on the other interfaces is the rule which allows this).

    Example:
    If you have LAN1 and there is no rule (all is blocked from this LAN1) and
    if you have LAN2 and there is a rule allowing everything.

Then it is NOT possible for clients in LAN1 to connect to LAN2 or anywhere else, BUT
    it is possible for clients on LAN2 to connect to LAN1 and anywhere else.

    So if you want to block access TO LAN1 FROM LAN2, then you have to put a block rule on LAN2 with destination LAN1.

    And always remember. Rules on the firewall will be applied from TOP to DOWN.

    Have fun :-)

    Great explanation and example! Got it!

    Thank You!

