Need some info about the packet filter
-
Well, please help me a bit with understanding the inner workings of the filter we all use.
I got my Alix board with 3 ports and pfSense 2.0.2 is ruling it - all shiny and new - this is what I came up with for now (don't really know where I am about to go with this but hey, this -kind of- works great so far):
vr0 is connected to my "PC"
vr1 is "WAN" (the devil)
vr2 is connected to an "AP"
PC and AP are bridged as "LAN" (DHCPd is running on LAN, and its network is 192.168.1.0/24; vr0 and vr2 have no IP configured).
Now… all these ports (PC, AP, LAN and WAN) support filtering - they don't have to, but they do as it currently stands - that much I have figured. :) BUT: how is data actually traversing the different interface filters? How is the LAN filter connected to the AP and PC filters? Is it like two firewalls on top of each other? What about states? Does AP know about states created by LAN or vice versa? Does web traffic from an AP client first hit the AP or the LAN filter?
What does the default outbound auto-NAT rule look like (without the IPsec part)? I have to use a manual setup to reach my modem behind WAN and I am not sure if I have set a correct default outbound NAT rule (WAN any * * * * * NO). Thx!
-
I just had an idea: maybe I should just disable the filter on the bridge… I mean... there's nothing that extra filter could possibly do for me in terms of filtering, I guess (except making stuff complicated)...
edit: that "bricked" me out.
[2.0.2-RELEASE][admin@mrqu.private]/etc(7): sysctl -a | grep net.link.bridge.pfil_bridge
net.link.bridge.pfil_bridge: 0
That means that there is no filtering on bridges, right? Yet I have to set LAN (bridge0) rules to be able to connect from PC to WAN. Just passing traffic in PC has no effect. In fact my PC rules are never even touched (according to the firewall log) for traffic coming in on the PC port.
???
-
That controls filtering on the bridge (bridge0) interface. If that is 0 and the "member" tunable next to it is 1, then filtering still happens in the separate bridge member interfaces.
Odds are you didn't have any rules on the tab for the member interface(s), so disabling the bridge filtering stopped letting you through.
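As an added illustration of the two tunables named in the reply above (example code, not from the thread or from pfSense itself): a small POSIX shell helper that reads net.link.bridge.pfil_bridge and net.link.bridge.pfil_member from sysctl-style output and says which rule tabs end up filtering bridged traffic. The sysctl text is constructed, and the tab names follow the poster's PC/AP/LAN naming.

```shell
#!/bin/sh
# Added example: decide where pf rules must live for a bridged pfSense setup,
# based on the two FreeBSD if_bridge(4) tunables. The sample output below is
# constructed, not captured from the poster's box (pfil_member is assumed 1).

SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_onlyip: 1'

# tunable_value NAME TEXT -> prints the integer after "net.link.bridge.NAME: "
# (prints nothing if that line is absent from TEXT)
tunable_value() {
    printf '%s\n' "$2" | sed -n "s/^net\.link\.bridge\.$1: *\([0-9]*\).*/\1/p"
}

# filter_placement TEXT -> one of: both bridge_only members_only none
# A missing tunable is treated as 1, the if_bridge(4) default.
filter_placement() {
    bridge=$(tunable_value pfil_bridge "$1")
    member=$(tunable_value pfil_member "$1")
    case "${bridge:-1}${member:-1}" in
        11) echo both ;;          # filtered at the member port and again at bridge0
        10) echo bridge_only ;;   # only the bridge0 (LAN) tab filters
        01) echo members_only ;;  # only the vr0/vr2 (PC/AP) tabs filter
        00) echo none ;;          # pf does not see bridged traffic at all
    esac
}

# rules_needed_on PLACEMENT -> which tabs need a pass rule for a packet that
# arrives on the PC member port (vr0) and is bound for WAN.
rules_needed_on() {
    case "$1" in
        both)         echo "PC and LAN" ;;
        bridge_only)  echo "LAN" ;;
        members_only) echo "PC" ;;
        none)         echo "none of the bridge tabs" ;;
    esac
}

# Usage with the constructed sample (pfil_bridge=0, pfil_member=1).
placement=$(filter_placement "$SAMPLE_SYSCTL")
echo "filtering: $placement; pass rules needed on: $(rules_needed_on "$placement")"
```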
-
I've set and applied some default allow-all rules on the edges before I disabled filtering on the bridge. No dice. I dunno what was going on…
Anyway, I am back using a filter on all interfaces, including the bridge.
I'm still wondering why some traffic needs to be passed (inclusive firewalling setup) on the edges and some traffic on the bridge. It seems like the traffic that is about to leave the LAN has to be allowed on the bridge, and internal traffic has to be filtered on the edges. But I am not sure. Could someone clarify? Thx