Questions about writing rules?



  • I am trying to switch my firewall from linux-iptables to pfsense.

    So many things are the same, but I am stuck in the details. Here are the questions…

    1- Do I need to write a rule twice? (one on the incoming interface, one on the outgoing interface)
    2- For a 1:1 NAT, which IP should I use in rulesets, internal or external?
    3- For 1:1 NAT, which type should I use for Virtual IPs?



  • @cybervolkan:

    I am trying to switch my firewall from linux-iptables to pfsense.

    So many things are the same, but I am stuck in the details. Here are the questions…

    1- Do I need to write a rule twice? (one on the incoming interface, one on the outgoing interface)

    Packets are only checked when they come into the firewall, so it's only the incoming interface. You can decide whether or not to block it. If you have multiple ISPs, you can also decide which gateway to send it out on.



  • @cybervolkan:

    2- For a 1:1 NAT, which IP should I use in rulesets, internal or external?
    3- For 1:1 NAT, which type should I use for Virtual IPs?

    2: NAT is applied first. After that, the firewall rules are matched. This means you have to use the internal target IP/port in the firewall rules for port forwards and 1:1 NAT. When working with port forwards, the easiest thing to do is just check the "auto-create firewall rule" box (checked by default) when creating a port forward.

    3: This depends on how your connection is set up. Proxy ARP and CARP will generate Layer 2 traffic for the virtual IPs as well. Others will just accept the IP (if it is routed to you anyway, for example).



  • It is clear for now.
    Thanks for replies…

    One more question...

    Do I need to write a special rule for established connections?
    (In iptables I have to write a rule like: "-A FORWARD -d 10.0.0.0/255.0.0.0 -m state --state ESTABLISHED,RELATED -j ACCEPT")



  • All firewall rules are stateful in pfSense, so once one direction is allowed, it automatically creates a state to permit the reverse connection as well.
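    As an added illustration (not posted in this thread, and not the ruleset pfSense generates verbatim), this is the pf(4) ruleset shape behind the three answers above: translation first, filtering on the inbound interface only, and the state table handling replies. Interface names (em0 = WAN, em1 = LAN) and addresses (203.0.113.10 public, 10.0.0.5 internal) are assumed.

    ```pf
    # Added example, not from the thread or from pfSense. Interface names and
    # the 203.0.113.10 / 10.0.0.5 addresses are assumed for illustration.
    wan     = "em0"
    lan     = "em1"
    lan_net = "10.0.0.0/8"

    # Q2/Q3: translation happens before filtering. A port forward (rdr) or a
    # 1:1 mapping (binat) rewrites the destination first, so the pass rule that
    # follows must match the INTERNAL address (10.0.0.5), not the public one.
    # The Virtual IP type chosen in pfSense (Proxy ARP / CARP / IP Alias /
    # Other) only decides whether this box answers ARP for 203.0.113.10;
    # binat itself does just the translation.
    rdr   on $wan proto tcp from any to 203.0.113.10 port 443 -> 10.0.0.5 port 443
    binat on $wan from 10.0.0.5 to any -> 203.0.113.10

    # Default deny for anything that matches neither a rule nor an existing state.
    block in log all

    # Q1: a flow is filtered once, on the interface where it ENTERS the firewall
    # ("pass in" on that interface). No matching "pass out" rule on the other
    # interface is needed for the same flow.
    pass in quick on $wan proto tcp from any to 10.0.0.5 port 443 keep state
    pass in quick on $lan from $lan_net to any keep state

    # Established/related: "keep state" (the default for every pfSense rule)
    # creates a state entry when the first packet is passed, and reply packets
    # of that flow are matched by the state table, not by the rules. This is
    # what replaces the iptables "-m state --state ESTABLISHED,RELATED -j ACCEPT"
    # line; there is no separate rule to write for it.
    ```

    pfSense writes this file itself from the GUI (the generated ruleset can be read in /tmp/rules.debug), so the point is the ordering rather than the syntax: NAT rewrites the destination, the pass rule on the inbound interface is matched against the rewritten (internal) address, and the state it creates carries the return traffic without a second rule on the outbound interface.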



  • :)
    Thanks a lot!

