No need for LAN to WAN enable rule?



  • I am doing a really simple router setup for an organization.

    I do not understand how it is that the internal webserver is able to reply to requests from the WAN, if there is no rule explicitly permitting traffic from the LAN to the WAN.

    The website firewall config generally looks like this:

    WAN section:
    Block RFC 1918
    Block Bogon
    Allow TCP Any port/address to HTTP / 10.0.0.10
    Allow ICMP Any port/address to Any port / 10.0.0.10
    (Default policy is to deny anything not explicitly permitted)

    LAN section:
    Anti lockout enabled
    Default allow any LAN to any is Disabled (everyone forced to use a proxy for web)
    (Default policy is to deny anything not explicitly permitted)

    NAT 1:1
    External 205.x.x.x to Internal IP 10.0.0.10, Destination IP *

    Access to the website from the WAN works fine, no problems. But as I understand it, it actually should not be working.

    I really only have the firewall half-configured, allowing only incoming traffic to the webserver from WAN to LAN. There is no corresponding rule allowing a reply from LAN to WAN.

    I am concerned there is an error somewhere here.

    Or does pfSense statefully and automatically create a response path for the WAN rule?

    Version:
    2.0.2-RELEASE (amd64)
    built on Fri Dec 7 22:39:16 EST 2012
    FreeBSD 8.1-RELEASE-p13



  • Any solicited packet on an interface can be answered by the device on the destination interface without any kind of rule.

    Turn it around for a minute: how does your web browser on the LAN receive the pages back even though there are no WAN rules?

    In your case, a client on the WAN solicited the response from the server. The firewall understands this and passes it.

    But try and web browse with that server…



  • Okay, well I come from a Novell 6.5 background, and they were really tight if stateful filtering was not explicitly enabled for incoming WAN packets.

    So basically pfSense does stateful WAN to LAN packet filtering without requiring that to be selected anywhere… and actually you can't not choose it, I see.  :)



    On your firewall rule page, go down to advanced options and look around. There is an option there to choose state type. One is none. Unless someone corrects me, is this what you speak of?

    I'll have to give it a try later.



  • Ok, yes, that looks like it.

    I guess there's no reason to select "none" and then go through the bother of a LAN to WAN explicit rule, but good to know.



    This is how every stateful firewall works. You never add rules to allow return traffic on any stateful firewall. You do not want "no state" in any circumstance like this, and virtually never in any circumstance at all unless you don't want a firewall. If you don't keep state, you need gaping firewall holes to permit reply traffic that will allow far more than is necessary.
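The behaviour described in this thread (a single WAN rule to the web server, no LAN rules, replies passing anyway, and "State type: none" breaking that) modelled as a small default-deny filter with a 5-tuple state table. This is an added illustration written for this page, not pfSense or pf code; the addresses are constructed and 1:1 NAT is assumed to have already rewritten 205.x.x.x to 10.0.0.10 before filtering.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "wan" or "lan"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    iface: str              # interface the rule is attached to
    proto: str
    dst: str
    dport: int
    keep_state: bool = True  # False models pfSense's "State type: none"

class StatefulFilter:
    """Default-deny filter; a pass rule with keep_state records the flow."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # 5-tuples of flows admitted by a stateful rule

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Packets belonging to a known flow (either direction) pass on any
        # interface without consulting the rules: the automatic reply path.
        if fwd in self.states or rev in self.states:
            return "pass:state"
        for r in self.rules:
            if (r.iface, r.proto, r.dst, r.dport) == (p.iface, p.proto, p.dst, p.dport):
                if r.keep_state:
                    self.states.add(fwd)
                return "pass:rule"
        return "block:default-deny"   # nothing matched, default policy applies

def run_scenario(keep_state=True):
    """Constructed scenario: one WAN rule to the web server, no LAN rules."""
    fw = StatefulFilter([Rule("wan", "tcp", "10.0.0.10", 80, keep_state)])
    client_syn = Packet("wan", "tcp", "198.51.100.7", 40000, "10.0.0.10", 80)
    server_reply = Packet("lan", "tcp", "10.0.0.10", 80, "198.51.100.7", 40000)
    server_browses = Packet("lan", "tcp", "10.0.0.10", 51000, "203.0.113.5", 80)
    return (fw.filter(client_syn), fw.filter(server_reply), fw.filter(server_browses))
```

With state kept, the reply passes and the server's own outbound browsing is still blocked; with state type "none", the reply is dropped too, which is the hole a LAN to WAN rule would then have to open.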

