WAN access blocking

mjorud

I'm trying to block a set of IPs on LAN from accessing WAN. I have never had any problems with that but now, for some reason, it does not work.
On the same computer (192.168.0.3) I'm running SABnzdb and even if i block it still downloads.

When I ping the outside world (from 192.168.0.3) when the rule is disabled it resolves the hostname. When I enable the rule the hostname is removed. See a copy of the the ping session below

64 bytes from www.vg.no (195.88.55.16): icmp_req=285 ttl=246 time=200 ms <- rule disabled
64 bytes from www.vg.no (195.88.55.16): icmp_req=286 ttl=247 time=196 ms <- rule disabled
64 bytes from 195.88.55.16: icmp_req=287 ttl=246 time=69.1 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=288 ttl=246 time=32.2 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=289 ttl=246 time=15.2 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=290 ttl=247 time=87.1 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=291 ttl=246 time=15.4 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=292 ttl=247 time=14.0 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=293 ttl=246 time=12.7 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=294 ttl=247 time=12.9 ms <- rule enabled
64 bytes from 195.88.55.16: icmp_req=295 ttl=246 time=12.2 ms <- rule enabled
64 bytes from www.vg.no (195.88.55.16): icmp_req=296 ttl=247 time=14.1 ms <- rule disabled
64 bytes from www.vg.no (195.88.55.16): icmp_req=297 ttl=246 time=14.3 ms <- rule disabled
64 bytes from www.vg.no (195.88.55.16): icmp_req=298 ttl=247 time=118 ms <- rule disabled

I'm running pfSense on ESXI 4.1 with dedicated NICs but that should not interfere. I'm about to reinstall pfSense as I'm pretty sure I enabled/disabled something that I should not have but that's a lot of work.

Any help would be much a preciated. :)

podilarius

In the advanced options of the block rule, change the state type to None. The problem you are most likely having is that the state is still open while you are testing. If there is an open state, the data will continue to flow.

cmb

Putting state type to none won't do anything for that. You have to kill the state, firewall rule changes on every firewall only impact new connections, not already-passed ones.

mjorud

Thanks for the reply.
So there is no way to automatically kill already-passed connection when the block rule kicks in?

cmb

@mjorud:

So there is no way to automatically kill already-passed connection when the block rule kicks in?

No. That's true of pretty much every commercial and open source firewall (I'm not aware of any that do that and I've worked with pretty much all of them, there may be some though).