Understanding rules



  • I am new to pfSense. Just migrating from IPCOP. I had one question regarding rules on interfaces.

    I have 3 interfaces

    1- 208.x.x.x(Red) Public
    1- 172.16.0.0/16(Yellow) DMZ
    1- 10.0.0.0/24(Green) Private Lan

    I want to set up a rule so a computer in the DMZ can connect to a SQL server in the Private LAN.

    What interface do I make the rule on, since it passes through both the DMZ and LAN interfaces? Do I make the rule on the first
    interface (DMZ), the LAST interface (the LAN), or both?

    Would it be on the DMZ interface tab:

    Allow all DMZ-Net
    Allow Port 1433 on the LAN interface to host sql-host

    Or would it be on the LAN interface tab:

    Allow all DMZ-Net
    Allow Port 1433 on the LAN interface to host sql-host

    I don't have it in front of me, but hopefully you get what I mean.

    Basically, do you put the rule on both interface tabs (DMZ and Private LAN), or do you put it on the first interface the traffic passes through, or on the last interface before the destination private LAN?

    NAT should not be required, as they are not internet-routed IP addresses in the LAN or DMZ.



  • Rules are applied on the interface on which the traffic comes in.

    If you want to allow your clients in the DMZ access to a server in the LAN, you need something like this on your DMZ interface:

    Source: DMZ-subnet, Source-port: any, Destination: IP of server in LAN, Destination-port: 1433

    The default rule on LAN
    source: LAN-subnet, any port, destination: any
    should be OK to allow traffic in the reverse direction.



  • Thanks, I had figured it out by trial and error.



  • Sorry to revive an old thread, but I have a follow-up question...

    I've got a pretty vanilla setup:
    wan - public IP (and several virtual IPs mapped with 1:1 NAT)
    lan - 192.168.10.1 (no DHCP)
    dmz - 192.168.11.1

    Like the original thread, I've got a webserver in the DMZ and a SQL server in the LAN. That communication is working correctly; however, I am still having a little trouble with the rules behaving differently than I expect.

    Based on the previous response, it sounds like if traffic is coming 'into' an interface, then in order for it to pass you need a rule. The reason I'm confused is because I have a pretty standard ruleset currently:

    interface   source         port   dest     port
    lan         lan subnet     *      *        *
    wan         (multiple rules set up allowing http/https/icmp traffic from a single public IP to my NATted webserver)
    dmz         webserver IP   *      sql IP   *      (I intend to lock this down to port 1433, but left it more open while testing)

    Here are my questions:
    1. Should traffic coming from the outside (outside -> wan -> dmz -> webserver) require a rule on the dmz interface? Or is it not considered traffic coming 'into' that interface since it didn't come through the cable? I had been under the impression that any traffic that passed through an interface (regardless of direction) required, and was subject to, its rules?

    2. Currently I can ping my dmz webserver from a lan box. I can see how my outbound ICMP traffic is being allowed to pass by my lan rule, but how is it being allowed into the dmz (similar to question 1)? I would have expected that my ping would fail with the current rules.

    3. I assume that the firewall must have some kind of state, so that when the 'response' traffic is returned to the lan interface (or the dmz interface), it is recognized and allowed to pass without a rule?

    Sorry for the basic questions, and if there are any other resources which would be helpful, please let me know.

    Thanks



  • Think of pfSense as a shoebox with interfaces on the sides.
    Every packet that enters the box from the outside needs a rule for this. Within the box the traffic flows freely and can exit on each interface without a rule. (Not quite sure where an IPsec interface should be drawn here, though.)

    According to this, pfSense itself can go everywhere (e.g. you can ping out of any interface without a rule).
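    As an added illustration of the two answers above (rules are only consulted on the interface a packet enters, the first match wins, and the state table carries the reply back without a rule on the far side), here is a small Python model written for this thread. It is not pfSense or pf code; the addresses, the post-NAT webserver address and the three-rule set are constructed from the follow-up post's lan/dmz/wan layout.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet ENTERS on (the only place rules apply)
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 = no port (icmp)
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    iface: str          # the interface tab the rule lives on
    src: str = "any"    # "any", an address, or a prefix such as "192.168.10." for a subnet
    dst: str = "any"
    dport: int = 0      # 0 = any port
    def matches(self, p):
        ok = lambda want, have: want == "any" or have.startswith(want)
        return (self.iface == p.iface and ok(self.src, p.src)
                and ok(self.dst, p.dst) and self.dport in (0, p.dport))

class Firewall:   # first match on the ingress interface, default deny, state table for replies
    def __init__(self, rules):
        self.rules, self.states = rules, set()   # state = (proto, client, server, port)
    def evaluate(self, p):
        if (p.proto, p.dst, p.src, p.sport) in self.states:
            return "pass (state)"      # reply to an allowed flow needs no rule on any tab
        for r in self.rules:
            if r.matches(p):
                self.states.add((p.proto, p.src, p.dst, p.dport))
                return "pass (rule on %s)" % r.iface
        return "block (default deny)"

def demo():
    # Constructed addresses for the follow-up post's lan/dmz/wan layout; pfSense
    # applies NAT before filtering, so the wan rule is written for the internal address.
    fw = Firewall([Rule("lan", src="192.168.10."),
                   Rule("wan", dst="192.168.11.5", dport=443),
                   Rule("dmz", src="192.168.11.5", dst="192.168.10.20", dport=1433)])
    return {  # Q1: only the wan tab is consulted; the reply leaving via dmz rides the state
        "q1_in": fw.evaluate(Packet("wan", "tcp", "203.0.113.9", "192.168.11.5", 40000, 443)),
        "q1_reply": fw.evaluate(Packet("dmz", "tcp", "192.168.11.5", "203.0.113.9", 443, 40000)),
        # Q2/Q3: a lan ping to the dmz host passes on the lan rule; the echo reply rides the state
        "q2_ping": fw.evaluate(Packet("lan", "icmp", "192.168.10.7", "192.168.11.5")),
        "q2_reply": fw.evaluate(Packet("dmz", "icmp", "192.168.11.5", "192.168.10.7")),
        # original question: webserver -> sql:1433 passes on the dmz tab; anything else is dropped
        "sql": fw.evaluate(Packet("dmz", "tcp", "192.168.11.5", "192.168.10.20", 50000, 1433)),
        "sql_reply": fw.evaluate(Packet("lan", "tcp", "192.168.10.20", "192.168.11.5", 1433, 50000)),
        "other": fw.evaluate(Packet("dmz", "tcp", "192.168.11.5", "192.168.10.7", 50001, 445)),
    }
```

    The "other" entry is the same webserver reaching for a different LAN host, which is exactly what tightening the dmz rule to one destination and port 1433 buys you.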



  • If a flash expert has a free moment, it could be nice with a flow-of-traffic flash... ;)



  • Thanks for the info.

    I'm getting some behavior that doesn't seem to fit that description, but fortunately this is just a test box, so I'm going to start disabling rules to make sure none of them are blocking the traffic.

    If I'm still having problems I'll post a more detailed breakdown of my rules and the traffic that isn't working.

    Thanks

