Netgate Discussion Forum

    Egress filtering and logging

    Firewalling
      Paul47

      My first attempt at egress filtering…

      I left the default "allow everything from LAN" in the LAN ruleset; however I turned on logging for this rule. Then I added behind it a rule to allow TCP to dest port 80; this did NOT have logging turned on.

      The idea was that these accesses should be removed from the log since the rule was after the "allow everything" rule and pf uses the last rule that matches. However I see in the log a bunch of TCP SYN packets anyway.

      What am I doing wrong here?

        ptt (Rebel Alliance)

        pf uses the last rule that matches.

        No, on FW rules, First Match Wins…

          Paul47

          The last matching rule "wins". There is an exception to this: The quick option…

          http://www.openbsd.org/faq/pf/filter.html#quick

          Not according to the pf docs, unless pfSense uses "quick" for all rules. Does it?

            ptt (Rebel Alliance)

            Quoted from the "pfSense: The Definitive Guide" Book

            In pfSense, rulesets are evaluated in a first match basis. This means that if you read the ruleset
            for an interface from top to bottom, the first rule that matches will be the one used. Processing
            stops after reaching this match and then the action specified by that rule is taken. Always keep
            this in mind when creating new rules, especially when you are crafting rules to restrict traffic.
            The most permissive rules should always be toward the bottom of the list, so that restrictions or
            exceptions can be made above them.

            And from a Forum search: http://forum.pfsense.org/index.php/topic,12710.0.html

            Edit: add forum search link

              Paul47

              Thanks for that link, looks like pfSense applies "quick" to everything. Might be a good thing to note in the rule creation window. :)

              I never did understand why pf defaulted to last rule matching. Hard to think that way…

                Paul47

                BTW I am now proceeding nicely. I am adding rules to allow egress and at the end of my ruleset is the default allow all egress rule, the only one logged. I am doing it this way so that my users are not bothered by my experiments and any new thing not filtered will show up in the log, which I then can create another rule for. Eventually after nothing shows up in the log any more, I will turn the default egress rule off and have my egress completely filtered. Thanks to all for the help, it is very much appreciated!

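To make the difference between plain pf's "last match wins" and pfSense's "every rule is quick" concrete, here is an added example (not code from the thread or from pfSense) that simulates both evaluation orders over Paul47's original two-rule LAN ruleset and over the corrected ordering from the last post. Rule and packet fields are simplified assumptions; only protocol and destination port are matched.

```python
from dataclasses import dataclass
from typing import Optional, List

@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    log: bool
    quick: bool = False    # plain pf: only rules marked 'quick' stop evaluation

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)

def evaluate(rules: List[Rule], pkt: Packet, force_quick: bool = False) -> Optional[Rule]:
    """Return the rule that decides the packet.
    Plain pf: the last matching rule wins unless a matching rule is 'quick'.
    pfSense applies 'quick' to every rule (force_quick=True), so the first match wins."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick or force_quick:
                break
    return winner

def is_logged(rules: List[Rule], pkt: Packet, force_quick: bool) -> bool:
    winner = evaluate(rules, pkt, force_quick)
    return winner is not None and winner.log

# Paul47's first attempt: logged catch-all on top, unlogged port-80 rule underneath
ORIGINAL = [
    Rule("allow-all-lan", None, None, log=True),
    Rule("allow-http", "tcp", 80, log=False),
]
# Ordering from the last post: specific unlogged allows first, logged catch-all at the bottom
FIXED = [
    Rule("allow-http", "tcp", 80, log=False),
    Rule("allow-all-lan", None, None, log=True),
]

if __name__ == "__main__":
    http = Packet("tcp", 80)  # constructed sample packet
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for mode, fq in (("plain pf", False), ("pfSense", True)):
            print(f"{label:8} {mode:8} port-80 SYN logged: {is_logged(rules, http, fq)}")
```

With the original ordering, the port-80 SYNs are logged only under pfSense semantics, which is exactly what Paul47 saw; moving the specific rule above the logged catch-all makes the log show only traffic no specific rule has covered yet.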