Source Address in NAT or Rule



  • When making a firewall NAT/rule to permit SSH (22) from a single source address to the local pfSense machine, should the source address be specified in the NAT rule or the firewall rule?  What are the pros/cons of each?

    Thanks



  • Do it on the NAT rule to create an associated firewall rule for that source IP and destination port traffic.



  • Editing an existing NAT/Link Rule doesn't seem to update it in the Rule.

    Should the source address be in both the NAT and the rule?  What are the pros & cons of it being in one or the other or both?

    Thanks



  • Are you using associated rules on NAT?



  • @marcelloc:

    Are you using associated rules on NAT?

    I think so.  When I create a NAT rule it also creates the corresponding firewall rule.  Is that what you mean?



  • @NOYB:

    I think so.  When I create a NAT rule it also creates the corresponding firewall rule.  Is that what you mean?

    Yes. If the firewall rule stays unchanged after you edit, then I suggest you edit both, as it's easier to check NAT and firewall rules by just accessing their configuration tabs.



  • @marcelloc:

    @NOYB:

    I think so.  When I create a NAT rule it also creates the corresponding firewall rule.  Is that what you mean?

    Yes. If the firewall rule stays unchanged after you edit, then I suggest you edit both, as it's easier to check NAT and firewall rules by just accessing their configuration tabs.

    Okay thanks.

    Now that we've gotten past that, I'd like to understand the implications of specifying the source address in only one or the other (NAT/rule) vs. in both.

    Thanks



  • @NOYB:

    I'd like to understand the implications of specifying the source address in only one or the other (NAT/rule) vs. in both.

    No implications. Maybe specifying it only on NAT will consume more resources, as the firewall will allow and NAT will reject, but that's not significant.



  • @marcelloc:

    @NOYB:

    I'd like to understand the implications of specifying the source address in only one or the other (NAT/rule) vs. in both.

    No implications. Maybe specifying it only on NAT will consume more resources, as the firewall will allow and NAT will reject, but that's not significant.

    I'm not an authority on this but it's my understanding that pfSense does NAT first, then the firewall.

    But either way the processing would not be significant.  The main area of interest is with regard to security.



  • Hopefully I can help if I understand your question correctly.

    It depends on the scenario and on when you want to specify the source. NAT/rules are only applicable when the firewall is used, and in the majority of cases you're dealing with internet traffic.

    That said, if you want to restrict a specific type of traffic to initiate from one IP on the internet, then you need to specify the source IP. For example: I only want to be able to access the web portal on pfSense from work (similar to your wanting SSH access).

    Since no NAT is needed, as the destination is the firewall itself, I would only make a firewall rule: source: work | port: * | destination: WAN address | port: 443.
    However, if I wanted something to access my SQL behind the firewall...

    NAT: Source: Work | port: * | Dest: WAN-Address | port: 3306 | NAT IP: 192.168.0.14 | NAT Ports: 3306
    FW: Source: Work | port: * | Dest: 192.168.0.14 | port: 3306



  • Well, that's a decent "how to".  But the security differences & ramifications, if any, between restricting the source with NAT vs. rule vs. both are the interest.

    Nonetheless thanks for your input.



  • NAT is processed first.

    Just theorycrafting here: a packet comes in from a rogue IP, so it doesn't match the NAT rule, so now the packet is sent to the firewall. OK, good, but now it is checked against a rule that doesn't have a source or destination specified but matches the open port, and now it is allowed to pass.

    If you have a destination specified and the packet doesn't go through NAT, then the rule would block it. With no destination OR source specified in the firewall rule, it's allowed even though you specified a source port in NAT.
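To make the NAT-then-filter ordering discussed in this thread concrete, here is an added example (not code from the thread or from pfSense) that models it in Python: port-forward (NAT) rules are applied first and rewrite the destination, then the filter rules are evaluated first-match against the translated packet with a default block. It walks the three placements of the source restriction (NAT only with an associated rule, NAT only with an open rule, both) for the SQL forward from the post above. The addresses for the WAN, the "work" source, a rogue source and the SQL host are constructed documentation values; the first-match/default-deny filter and the "NAT before filter" order are the assumptions the model is built on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    src: Optional[str]  # source address/network the forward applies to; None = any
    dst: str            # destination the packet arrives on (the WAN address)
    dport: int
    nat_ip: str         # internal host the destination is rewritten to
    nat_port: int


@dataclass(frozen=True)
class FilterRule:
    src: Optional[str]  # None = any
    dst: Optional[str]  # None = any
    dport: int


def addr_matches(spec: Optional[str], addr: str) -> bool:
    """A None spec matches everything; otherwise match host or CIDR."""
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def apply_nat(pkt: Packet, nat_rules: list[NatRule]) -> Packet:
    """Assumed stage 1: the first matching port-forward rewrites the destination."""
    for r in nat_rules:
        if addr_matches(r.src, pkt.src) and pkt.dst == r.dst and pkt.dport == r.dport:
            return Packet(pkt.src, r.nat_ip, r.nat_port)
    return pkt  # no forward matched: destination stays the WAN address


def filter_decision(pkt: Packet, rules: list[FilterRule]) -> str:
    """Assumed stage 2: first-match pass rules on the translated packet, default block."""
    for r in rules:
        if addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst) and pkt.dport == r.dport:
            return "pass"
    return "block"


def process(pkt: Packet, nat_rules: list[NatRule], filter_rules: list[FilterRule]) -> str:
    return filter_decision(apply_nat(pkt, nat_rules), filter_rules)


# Constructed documentation addresses (RFC 5737 ranges), not taken from the thread.
WAN, WORK, ROGUE, SQL = "203.0.113.1", "198.51.100.7", "192.0.2.9", "192.168.0.14"


def evaluate_scenarios() -> dict[str, dict[str, str]]:
    """Run a 'work' packet and a 'rogue' packet through each rule placement."""
    nat_restricted = [NatRule(WORK, WAN, 3306, SQL, 3306)]
    scenarios = {
        # Source only in NAT; the associated rule keys on the translated destination.
        "source in NAT only, filter dst = SQL host": (nat_restricted, [FilterRule(None, SQL, 3306)]),
        # Source only in NAT; the filter rule has neither source nor destination.
        "source in NAT only, filter dst any": (nat_restricted, [FilterRule(None, None, 3306)]),
        # Source in both NAT and filter rule.
        "source in both": (nat_restricted, [FilterRule(WORK, SQL, 3306)]),
    }
    results: dict[str, dict[str, str]] = {}
    for name, (nat, fw) in scenarios.items():
        results[name] = {
            "work": process(Packet(WORK, WAN, 3306), nat, fw),
            "rogue": process(Packet(ROGUE, WAN, 3306), nat, fw),
        }
    return results


if __name__ == "__main__":
    for name, outcome in evaluate_scenarios().items():
        print(f"{name}: work={outcome['work']}, rogue={outcome['rogue']}")
```

Under this model the rogue packet is only let through in the middle scenario: it never gets translated, so its destination is still the WAN address, and a filter rule with no destination (or source) is the only one loose enough to match it. A rule that names the translated destination, or the source itself, blocks it whether or not the NAT rule also carries the source.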

