Q about the RFC1918 block rule



  • As I understand it, pfSense blocks all traffic by default. So what's the purpose of the RFC1918 block rule? Does it just serve as a safety stop in case you have an allow-from-all type rule? Or to put it another way, if all my rules have specific IP addresses attached, does that make the RFC1918 block rule redundant?

    TIA,
    eric

    PS  Anything new on that training session that was mentioned in the blog back in Sept?



  • Once you start permitting traffic, it's relevant. Until then, it does nothing.

    I've been working on the training session, hope to have an update on that within the next month including dates and other details.



  • Once you start permitting traffic, it's relevant. Until then, it does nothing.

    Could you elaborate a bit? In my setup, all of my WAN rules pass only a well-defined, relatively small chunk of source IP addresses (either /32 or /24 addresses). How is the RFC1918 rule relevant here?



  • @anothereric:

    Could you elaborate a bit? In my setup, all of my WAN rules pass only a well-defined, relatively small chunk of source IP addresses (either /32 or /24 addresses). How is the RFC1918 rule relevant here?

    It's not relevant in that case either. In many cases people have to open things to any source IP (web servers, mail servers, etc.), which is where it's relevant.



  • Good.  I had to allow a small piece of the 172 block through so I ginned up a modified block-RFC1918 rule.  I guess I needn't have bothered but I feel better about it anyway.  Thanks.
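
The point made in this thread, as an added example that is not part of any post and is not pfSense code: a simplified first-match model of a WAN ruleset with default deny, showing when the RFC1918 block changes the outcome and how a carved-out 172.x subnet can be exempted. The rule tuples, function names and all addresses are constructed for illustration.

```python
import ipaddress

# The three RFC1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def evaluate(rules, src):
    """First matching (action, source_net) rule wins; no match means default deny."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if addr in ipaddress.ip_network(net):
            return action
    return "block"

def block_rfc1918(exempt=None):
    """Block rules for RFC1918 space, optionally leaving one private subnet uncovered."""
    hole = ipaddress.ip_network(exempt) if exempt else None
    rules = []
    for net in RFC1918:
        if hole is not None and hole.subnet_of(net):
            # Split the range into the pieces that surround the exempt subnet.
            rules += [("block", str(n)) for n in net.address_exclude(hole)]
        else:
            rules.append(("block", str(net)))
    return rules

def redundant(pass_rules):
    """True when no pass rule's source overlaps RFC1918, so the block adds nothing."""
    return not any(ipaddress.ip_network(net).overlaps(priv)
                   for _, net in pass_rules for priv in RFC1918)

# Constructed rulesets: narrowly scoped sources vs. a service open to any source.
SPECIFIC = [("pass", "203.0.113.0/24"), ("pass", "198.51.100.7/32")]
ANY_SOURCE = [("pass", "0.0.0.0/0")]
# Constructed case from the last post: one slice of 172.16/12 must get through.
CARVED = block_rfc1918(exempt="172.20.5.0/24") + [("pass", "172.20.5.0/24")]

if __name__ == "__main__":
    print("specific sources, block redundant:", redundant(SPECIFIC))
    print("any source, block redundant:", redundant(ANY_SOURCE))
    for src in ("10.1.2.3", "203.0.113.5"):
        print(src, "without block:", evaluate(ANY_SOURCE, src),
              "| with block:", evaluate(block_rfc1918() + ANY_SOURCE, src))
    for src in ("172.20.5.9", "172.20.6.9"):
        print(src, "carved ruleset:", evaluate(CARVED, src))
```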

