Netgate Discussion Forum
    When we create a rule on Floating tab, should we always check the quick option?

    Firewalling
abdurrahman

I create firewall rules on the Floating tab when I want to apply a rule to multiple interfaces.
The interesting thing is:
On the Floating tab, if a rule is created without the quick option, then even if a packet matches that rule,
all of the rules below it are still considered.
For example,
my 3rd rule is:
source: 10.10.1.250
destination: any
ports: any
action: pass
quick option: not selected

my 5th rule is:
source: any
destination: 195.x.x.x
ports: any
action: block

Even if a packet matches the 3rd rule, the rules below it (4, 5, 6, ...) are still considered,
and for that reason, when I try to connect to 195.x.x.x, the firewall considers the 5th rule and doesn't permit me to connect to 195.x.x.x.

But if I check the quick option on the 3rd rule, then if a packet matches the 3rd rule, the firewall skips the 5th rule.

When we create a rule on the Floating tab, should we always check the quick option?

cmb

If you want the rule to immediately apply, yes.

abdurrahman

Thanks a lot.

Source book: pfSense: The Definitive Guide
Author(s): Christopher M. Buechler, Jim Pingle

Chapter 6. Firewall
6.1. Firewalling Fundamentals
6.1.1. Basic terminology

In pfSense, rulesets are evaluated on a first-match basis. This means that if you read the ruleset
for an interface from top to bottom, the first rule that matches will be the one used. Processing
stops after reaching this match, and then the action specified by that rule is taken.

The important point is that the rules on the Floating tab must be marked as quick if we want the basic terminology above to be true
(if we want the processing to stop after a packet matches a rule).

@cmb:

If you want the rule to immediately apply, yes.

          1 Reply Last reply Reply Quote 0
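The behaviour described in the two posts above is just pf's normal evaluation order: rules are walked top to bottom, the last matching rule wins, and a matching rule marked quick ends the walk at once. Interface-tab rules in pfSense are generated with quick, which is why the book's "first match" wording holds there; floating rules have quick unchecked by default. The following simulator is an added example written for this thread, not pfSense or pf code. The ruleset mirrors the original post (rules 1, 2 and 4 are constructed filler that does not match the test packet, and the documentation address 198.51.100.7 stands in for the thread's 195.x.x.x):

```python
"""Added example: a small simulator of pf's rule evaluation order, showing
why a floating pass rule without 'quick' is overridden by a later block.

Illustrative code for this thread, not pfSense or pf code. All addresses
and rule numbers other than the thread's 10.10.1.250 are constructed;
198.51.100.7 stands in for the thread's 195.x.x.x destination.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "pass" or "block"
    src: str             # single IP, CIDR, or "any"
    dst: str             # single IP, CIDR, or "any"
    quick: bool = False  # pfSense floating tab: unchecked unless you tick it


def _in(spec: str, addr: str) -> bool:
    """True if addr falls inside spec; "any" matches everything."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, src: str, dst: str) -> bool:
    return _in(rule.src, src) and _in(rule.dst, dst)


def evaluate(rules, src: str, dst: str, default: str = "block"):
    """pf semantics: walk the rules top to bottom; the LAST matching rule
    wins, unless a matching rule is quick, which stops the walk immediately.
    'default' models pfSense's implicit block-all when nothing matches.
    Returns (action, names of the rules that were matched along the way)."""
    winner = None
    trace = []
    for rule in rules:
        if not matches(rule, src, dst):
            continue
        trace.append(rule.name)
        winner = rule
        if rule.quick:
            break
    return (winner.action if winner else default), trace


def ruleset(rule3_quick: bool):
    """The thread's floating tab: rule 3 passes 10.10.1.250 anywhere,
    rule 5 blocks everything to the 198.51.100.0/24 stand-in network.
    Rules 1, 2 and 4 are constructed filler."""
    return [
        Rule("rule1", "pass", "192.0.2.0/24", "any"),
        Rule("rule2", "block", "any", "203.0.113.0/24"),
        Rule("rule3", "pass", "10.10.1.250", "any", quick=rule3_quick),
        Rule("rule4", "pass", "10.10.1.0/24", "10.10.0.0/16"),
        Rule("rule5", "block", "any", "198.51.100.0/24"),
    ]


def demo(src: str = "10.10.1.250", dst: str = "198.51.100.7"):
    """Same packet, rule 3 evaluated with and without quick."""
    return (evaluate(ruleset(rule3_quick=False), src, dst),
            evaluate(ruleset(rule3_quick=True), src, dst))


if __name__ == "__main__":
    (act_a, trace_a), (act_b, trace_b) = demo()
    print(f"rule3 without quick: {act_a}  matched {trace_a}")  # block, rule3 then rule5
    print(f"rule3 with quick:    {act_b}  matched {trace_b}")  # pass, rule3 only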
cmb

            Floating rules didn't exist at the time that was written. New book is coming soon.

panz

              @cmb:

              Floating rules didn't exist at the time that was written. New book is coming soon.

Please insert in the book some examples of rules we can apply to OpenVPN connections with VPN providers (like: block all Internet traffic when the VPN is down; forward only the provider's DNS and/or prevent DNS leaks, etc.).

              A step-by-step guide to all the configuration parameters needed to establish a reliable connection to a VPN provider would also be MUCH appreciated!

              pfSense 2.3.2-RELEASE-p1 (amd64)
              motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.