Rules ignored when gateway set other than default?

  • wan1 on nic1 static ip (default), wan2 on nic2 static ip
    routing group pool1=wan1+wan2 failover
    vlan1 on nic3, vlan2 on nic3
    captive portal on vlan1
    pfsense 2.01

    rules on vlan1:

    1. allow -> dest:vlan2.host1 gw:* port:21
    2. allow -> dest:any gw:pool1 port:alias1(=80,443)

    if the last rule (2.) sets a gateway other than default, ANY traffic
    from vlan1 is passed to anywhere on any port!

    i can for example rdp host_x on any net even if rdp is not allowed anywhere on vlan1.

    The rule that triggered this action is:

    @348 pass in log quick on em0_vlan1 inet proto tcp from vlan1-network/24 to <negate_networks:18> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"

    I don't understand this, this has nothing to do with deny everything which isn't explicitly allowed.
    Any clarification appreciated.


  • ok, found this:

    so is this considered a bug?

  • it should be shown to the user, and probably not as permissive as it is in that particular instance.

    2.1 has an option under System>Advanced to disable negate rules entirely. Or you can just comment that line out in /etc/inc/ to accomplish the same, then when you upgrade to 2.1 when it's out just make sure you check that box.

  • thanks for that.
    But will disabling negate rules in 2.1 mean you can't specify gateways/gw-groups anymore?
    Maybe I just don't really get the route negation thing… I only found

    Shouldn't specifying a gateway leave rules intact? What exactly gets "negated" when a gateway
    is defined in a rule? If it's just greyed out on creation, it would mean that someone has to add block
    rules before the (final) gateway rule, right? Maybe someone can help me out with that.

    some draft example, let's say for a wlan-zone:
    1. allow to virus-update in dmz1, default gw
    2. allow to mailservices in dmz2, default gw
    3. allow rdp to some machines in zone_x
    (!)4. disallow everything to all zones (maybe alias for dmz1,dmz2,zone_x)
    5. allow standard web-service ports to anywhere using defined gateway/gw-group
    (greyed out in 2.1?)6. this route negation stuff rule allowing everything ;-)

    does it have to look like this when defining a gateway in a rule?

  • it negates policy routing, you just have to add your own rules if you remove it to not force traffic out to a wrong gateway.
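
The rule ordering discussed in this thread, modeled as a first-match evaluator. This is an added example, not code from any poster or from pfSense. The addresses, the contents of `negate_networks` (assumed to be the firewall's locally attached networks) and the position of the negate rule directly ahead of the gateway rule are assumptions, and source and protocol matching are left out (all traffic is taken to be TCP from vlan1).

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed addressing (assumption, not taken from the thread).
VLAN2_HOST1 = [net("10.0.2.10/32")]
# Assumption: <negate_networks> holds the locally attached networks.
NEGATE_NETWORKS = [net("10.0.1.0/24"), net("10.0.2.0/24")]
ANY = [net("0.0.0.0/0")]

def rule(action, dst, ports=None, gw="default", label=""):
    # ports=None means "any port", like the logged rule @348.
    return {"action": action, "dst": dst, "ports": ports, "gw": gw, "label": label}

USER_RULE_1 = rule("pass", VLAN2_HOST1, {21}, label="1. ftp to vlan2.host1")
USER_RULE_2 = rule("pass", ANY, {80, 443}, gw="pool1", label="2. web via pool1")
# Mirrors rule @348: pass to <negate_networks> with no port restriction.
NEGATE = rule("pass", NEGATE_NETWORKS, label="NEGATE_ROUTE")
# Hand-written replacement, step 4 of the draft: block all local zones.
BLOCK_LOCAL = rule("block", NEGATE_NETWORKS, label="block local zones")

def evaluate(rules, dst_ip, dst_port):
    """Return (action, gateway, label) of the first matching rule ('quick')."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        in_dst = any(dst in n for n in r["dst"])
        if in_dst and (r["ports"] is None or dst_port in r["ports"]):
            return r["action"], r["gw"], r["label"]
    return "block", None, "default deny"

WITH_NEGATE = [USER_RULE_1, NEGATE, USER_RULE_2]      # behaviour reported on 2.0.1
NEGATE_OFF_ONLY = [USER_RULE_1, USER_RULE_2]          # negate disabled, nothing added
NEGATE_OFF_BLOCK = [USER_RULE_1, BLOCK_LOCAL, USER_RULE_2]  # negate disabled + own block

if __name__ == "__main__":
    probes = [("10.0.2.50", 3389), ("10.0.2.50", 443),
              ("10.0.2.10", 21), ("198.51.100.7", 443)]
    sets = {"with negate": WITH_NEGATE, "negate off": NEGATE_OFF_ONLY,
            "negate off + block": NEGATE_OFF_BLOCK}
    for name, rules in sets.items():
        for ip, port in probes:
            print(f"{name:20} {ip}:{port:<5} -> {evaluate(rules, ip, port)}")
```

The second rule set shows the case the last reply warns about: with the negate rule gone and no rule of your own, port 443 traffic to a local host matches the gateway rule and is sent to pool1.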