When we create a rule on Floating tab, should we always check the quick option?
  • I create firewall rules on the Floating tab when I want to apply a rule to multiple interfaces.
    The interesting thing is:
    on the Floating tab, if a rule is created without the quick option, even if a packet matches that rule,
    all of the rules below that rule are still considered.
    For example:
    my 3rd rule is:
    source: 10.10.1.250
    destination: any
    ports: any
    action: pass
    quick option: not selected

    my 5th rule is:
    source: any
    destination: 195.x.x.x
    ports: any
    action: block

    Even if a packet matches the 3rd rule, the rules below the 3rd rule (4, 5, 6, ...) are considered,
    and for that reason, when I try to connect to 195.x.x.x, the firewall considers the 5th rule and doesn't permit me to connect to 195.x.x.x.

    But if I check the quick option for the 3rd rule, then if a packet matches the 3rd rule, the firewall omits the 5th rule.

    When we create a rule on the Floating tab, should we always check the quick option?
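    The evaluation order the post describes, as an added Python simulation that is not part of the original thread: without quick, pf walks the whole ruleset and the last matching rule wins, so rule 5 overrides rule 3; with quick on rule 3, evaluation stops there. The ruleset below is constructed to mirror the post (203.0.113.0/24 stands in for the elided 195.x.x.x, and the filler rules are assumptions).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    src: str             # CIDR prefix or "any"
    dst: str
    action: str          # "pass" or "block"
    quick: bool = False  # the floating-tab "Quick" checkbox


def _match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """pf semantics: every rule is walked and the LAST matching rule wins,
    unless a matching rule is marked quick, which ends evaluation at once.
    No match at all falls through to pfSense's implicit default deny."""
    winner: Tuple[str, Optional[int]] = ("block", None)
    for idx, rule in enumerate(rules):
        if _match(rule.src, src) and _match(rule.dst, dst):
            winner = (rule.action, idx)
            if rule.quick:
                break
    return winner


def floating_rules(rule3_quick: bool) -> List[Rule]:
    """Constructed floating ruleset: rules 1, 2 and 4 are non-matching filler."""
    return [
        Rule("192.168.1.0/24", "any", "pass"),               # rule 1 (filler)
        Rule("192.168.2.0/24", "any", "pass"),               # rule 2 (filler)
        Rule("10.10.1.250/32", "any", "pass", rule3_quick),  # rule 3 from the post
        Rule("192.168.3.0/24", "any", "pass"),               # rule 4 (filler)
        Rule("any", "203.0.113.0/24", "block"),              # rule 5 from the post
    ]


def outcome(rule3_quick: bool) -> str:
    """Action taken for 10.10.1.250 connecting to a host in the blocked network."""
    action, _ = evaluate(floating_rules(rule3_quick), "10.10.1.250", "203.0.113.7")
    return action


if __name__ == "__main__":
    print("quick unchecked:", outcome(False))  # block: rule 5 is the last match
    print("quick checked:  ", outcome(True))   # pass: rule 3 stops evaluation
```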
  • if you want the rule to immediately apply, yes.
  • Thanks a lot.

    Source Book: pfSense: The Definitive Guide
    Author(s): Christopher M. Buechler, Jim Pingle

    Chapter 6. Firewall
    6.1. Firewalling Fundamentals
    6.1.1. Basic terminology

    In pfSense, rulesets are evaluated on a first-match basis. This means that if you read the ruleset
    for an interface from top to bottom, the first rule that matches will be the one used. Processing
    stops after reaching this match, and then the action specified by that rule is taken.

    The important point is that the rules on the Floating tab must be checked as quick if we want the basic terminology above to be true
    (if we want the processing to stop after a packet matches a rule).

    @cmb:

    if you want the rule to immediately apply, yes.
  • Floating rules didn't exist at the time that was written. New book is coming soon.
  • @cmb:

    Floating rules didn't exist at the time that was written. New book is coming soon.

    Please, insert in the book some examples of rules we can apply to OpenVPN connections with VPN providers (like: block all Internet traffic when VPN is down; forward only provider's DNS and/or prevent DNS leaks, etc.)  ::)

    A step-by-step guide to all the configuration parameters needed to establish a reliable connection to a VPN provider would also be MUCH appreciated!