Egress filtering and logging



  • My first attempt at egress filtering…

    I left the default "allow everything from LAN" in the LAN ruleset; however I turned on logging for this rule. Then I added behind it a rule to allow TCP to dest port 80; this did NOT have logging turned on.

    The idea was that these accesses should be removed from the log, since the rule was after the "allow everything" rule and pf uses the last rule that matches. However, I see in the log a bunch of TCP SYN packets anyway.

    What am I doing wrong here?


  • Rebel Alliance

    pf uses the last rule that matches.

    No, on FW rules, First Match Wins…



  • The last matching rule "wins". There is an exception to this: The quick option…

    http://www.openbsd.org/faq/pf/filter.html#quick

    Not according to the pf docs, unless pfSense uses "quick" for all rules. Does it?


  • Rebel Alliance

    Quoted from the "pfSense: The Definitive Guide" Book

    In pfSense, rulesets are evaluated in a first match basis. This means that if you read the ruleset
    for an interface from top to bottom, the first rule that matches will be the one used. Processing
    stops after reaching this match and then the action specified by that rule is taken. Always keep
    this in mind when creating new rules, especially when you are crafting rules to restrict traffic.
    The most permissive rules should always be toward the bottom of the list, so that restrictions or
    exceptions can be made above them.

    And from a Forum search: http://forum.pfsense.org/index.php/topic,12710.0.html

    Edit: add forum search link



  • Thanks for that link, looks like pfSense applies "quick" to everything. Might be a good thing to note in the rule creation window. :)

    I never did understand why pf defaulted to last rule matching. Hard to think that way…



  • BTW, I am now proceeding nicely. I am adding rules to allow egress, and at the end of my ruleset is the default allow-all egress rule, the only one logged. I am doing it this way so that my users are not bothered by my experiments, and any new thing not filtered will show up in the log, for which I can then create another rule. Eventually, after nothing shows up in the log any more, I will turn the default egress rule off and have my egress completely filtered. Thanks to all for the help, it is very much appreciated!
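The two points this thread settles on (plain pf picks the last matching rule unless a rule says "quick"; pfSense sets "quick" on every rule, so the first match wins) and the staged egress procedure from the last post can be checked with a small model. The following is an added example written for this page, not pf, OpenBSD or pfSense code: the Rule and Packet shapes, the matching fields (protocol and destination port only) and the sample traffic are all constructed assumptions.

```python
"""Toy model of pf rule evaluation: last-match (plain pf) vs first-match (pfSense).

Constructed example for this thread, not pfSense or OpenBSD code. Rules and
packets are simplified: only protocol and destination port are matched.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    dst: str                     # destination address (informational only here)
    dport: Optional[int] = None  # destination port, None for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    label: str                   # free-text name, like a pfSense rule description
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False            # the "log" keyword
    quick: bool = False          # the "quick" keyword

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and (
            self.dport is None or self.dport == pkt.dport
        )


def evaluate(rules: List[Rule], pkt: Packet, first_match: bool = False) -> Optional[Rule]:
    """Return the rule whose action applies to pkt, or None if nothing matched.

    Plain pf: walk the whole ruleset; the LAST matching rule wins, except that a
    matching rule carrying "quick" stops evaluation on the spot.
    pfSense: the GUI puts quick on every rule, so the FIRST match wins.
    first_match=True models that without marking each rule quick by hand.
    """
    winner = None
    for rule in rules:
        if not rule.matches(pkt):
            continue
        winner = rule
        if first_match or rule.quick:
            break
    return winner


# The original poster's LAN ruleset: a logged allow-all, followed by an unlogged
# allow for TCP/80 that was meant to keep HTTP out of the log.
OP_RULES = [
    Rule("pass", "default allow LAN to any (logged)", log=True),
    Rule("pass", "allow TCP to port 80 (not logged)", proto="tcp", dport=80),
]

HTTP_SYN = Packet("tcp", "203.0.113.5", 80)  # constructed sample packet


def op_rule_is_logged(first_match: bool) -> bool:
    """Is the poster's HTTP SYN logged under the given evaluation semantics?"""
    winner = evaluate(OP_RULES, HTTP_SYN, first_match=first_match)
    return winner is not None and winner.log


# The staged egress approach from the last post: explicit allows first, one
# logged catch-all last. Under first-match semantics the catch-all is reached
# only when no explicit rule matched, so every logged hit is a rule still to
# be written; when the log goes quiet, the catch-all can be disabled.
STAGED_RULES = [
    Rule("pass", "HTTP", proto="tcp", dport=80),
    Rule("pass", "HTTPS", proto="tcp", dport=443),
    Rule("pass", "DNS", proto="udp", dport=53),
    Rule("pass", "catch-all egress (logged, disable when quiet)", log=True),
]

SAMPLE_TRAFFIC = [  # constructed, not captured traffic
    Packet("tcp", "203.0.113.5", 80),
    Packet("tcp", "203.0.113.5", 443),
    Packet("udp", "192.0.2.53", 53),
    Packet("tcp", "198.51.100.7", 25),   # SMTP: no explicit rule yet
    Packet("udp", "198.51.100.9", 123),  # NTP: no explicit rule yet
]


def still_unfiltered(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets that landed on a logged rule, i.e. those still needing an explicit rule."""
    hits = []
    for pkt in packets:
        winner = evaluate(rules, pkt, first_match=True)
        if winner is not None and winner.log:
            hits.append(pkt)
    return hits


if __name__ == "__main__":
    print("OP ruleset, plain pf (last match):   logged =", op_rule_is_logged(first_match=False))
    print("OP ruleset, pfSense (first match):   logged =", op_rule_is_logged(first_match=True))
    for pkt in still_unfiltered(STAGED_RULES, SAMPLE_TRAFFIC):
        print(f"still hitting the logged catch-all: {pkt.proto}/{pkt.dport} -> {pkt.dst}")
```

Running it reproduces the thread: with plain pf the port-80 rule wins and the SYN is not logged, which is what the poster expected; with pfSense's first-match behaviour the logged allow-all wins, which is what the poster saw. The `still_unfiltered` list is the work queue for the staged approach described in the last post.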

