Can't reset firewall state table



  • I'm trying to test firewall rules, and in order to do so I need to reset the state table, but when I try to do so pfsense hangs, and the state table remains unchanged. Is there any way to address this short of rebooting pfsense? Frustrating…



  • I understand that the reset states page may hang as a result of resetting the state table, but refreshing and viewing the states tab should show the changes, no?

    What I am trying to do is understand how to make firewall rules. When I enter a rule with a source IP of a computer on the LAN, set to block anything, the rule prevents the computer from displaying a web page, but when I change the destination to type: WAN address, the LAN computer is no longer blocked. I don't understand.



  • That rule will block it from accessing the WAN address of your pfSense box. I'm guessing that's not really what you had in mind.



  • No, that's not what I am trying to do. I'd like to prevent the one computer from accessing everything else on the LAN. How do I do that?



  • pfSense can't prevent computers on the same subnet from communicating with each other, as it is not involved in that communication at all. You'll have to put the one machine on a separate subnet.



  • Thanks for the help. I'm just trying to get my head around what a stateful firewall is and what's possible with pfsense. So if I want to restrict access between devices on the LAN side of the firewall, I really need to use separate subnets, e.g. 192.168.0.0/24 and 192.168.1.0/24, for example? And I would need to use a separate interface to achieve this? Another question I have is whether it's possible to restrict access from or to a specific WAN IP address or range of addresses - do I need a proxy filter like squidguard with a customized blacklist to do this?

    Thanks. I probably should have entitled this "Dumb newb questions"  :P



  • You will have to create a scenario where the traffic that you want to filter flows through your pfSense box; putting the machines on separate subnets is probably the easiest way to do this. I believe pfSense can now deal with multiple subnets on the same broadcast domain, but it's probably easiest if you just use separate (logical) interfaces (multiple VLANs on a single physical interface will work, if your switch can handle VLAN tags). You can filter traffic from or to a specific public address or range of addresses with a simple firewall rule that does exactly that (block from LAN subnet to [whatever you want]).



  • OK, so let me see if I've got this straight:

    Blocking devices on the same LAN is not possible with pfsense, because the traffic doesn't go through the firewall/router, unless there are two bridged interfaces for the same subnet, in which case the bridge is effectively a single interface, and thus doesn't filter packets.

    Selecting "WAN address" as destination of a firewall rule with a LAN address source doesn't make sense because the "WAN address" doesn't mean "any WAN address" but refers to the WAN address assigned by the ISP, the destination address of incoming packets.

    However, a firewall rule for a source LAN address that selects a specific internet IP address is possible and will deny packets addressed to that address. It is also possible to block a range of addresses by creating an alias for the range of addresses and making that the destination. Squid + squidguard is the most efficient way to block a large number of sites, but even then it's not possible to block https traffic.

    ? Is that about right? Thanks!



  • I don't know much about squid, but you can easily block https traffic on the standard port (443) with a simple firewall rule.



  • @denask:

    OK, so let me see if I've got this straight:

    Blocking devices on the same LAN is not possible with pfsense, because the traffic doesn't go through the firewall/router, unless there are two bridged interfaces for the same subnet, in which case the bridge is effectively a single interface, and thus doesn't filter packets.

    Selecting "WAN address" as destination of a firewall rule with a LAN address source doesn't make sense because the "WAN address" doesn't mean "any WAN address" but refers to the WAN address assigned by the ISP, the destination address of incoming packets.

    However, a firewall rule for a source LAN address that selects a specific internet IP address is possible and will deny packets addressed to that address. It is also possible to block a range of addresses by creating an alias for the range of addresses and making that the destination. Squid + squidguard is the most efficient way to block a large number of sites, but even then it's not possible to block https traffic.

    ? Is that about right? Thanks!

    Yes, that is about right.
    For starters, it is best not to even think about bridged interfaces - put each LAN subnet on its own interface. With bridging you can filter on the individual interfaces as well as the overall bridge interface. But it is much easier to simply have multiple subnets.
    I believe the latest Squid3 will look at https also - but there are some things to do related to certificates so that Squid can get in the middle of the https traffic.
    If you just want to block particular sites that have nicely known names/IPs then go with razzfazz's advice.
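The rules discussed in this thread, written out in pf syntax as an added example (this is not code from any of the posters, and pfSense itself generates its rules from the GUI, writing them to /tmp/rules.debug in this same syntax). The interface names, the addresses and the contents of the alias/table are assumptions chosen for illustration, not values from the thread.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
lan_if = "em1"
wan_if = "em0"
lan_net = "192.168.1.0/24"
restricted_host = "192.168.1.50"

# A pfSense alias of type "Network(s)" ends up as a pf table like this one
# (addresses below are constructed documentation ranges, not real targets).
table <blocked_sites> { 203.0.113.0/24, 198.51.100.10 }

# 1. The rule from the thread that does NOT do what was intended.
#    "($wan_if)" is the address assigned to the WAN interface, i.e. pfSense's own
#    public IP, so this only stops the host from talking to the firewall itself
#    on that address; traffic to the rest of the Internet still passes.
block in quick on $lan_if from $restricted_host to ($wan_if)

# 2. Block the host from one specific public address; "log" makes the block
#    visible in the firewall log, which is the easiest way to check a rule.
block in log quick on $lan_if from $restricted_host to 198.51.100.10

# 3. Block the whole range through the table (alias) instead of one rule per address.
block in log quick on $lan_if from $restricted_host to <blocked_sites>

# 4. razzfazz's point: HTTPS on the standard port is blocked with an ordinary
#    rule; a proxy is only needed for decisions about individual sites inside
#    the encrypted traffic.
block in log quick on $lan_if proto tcp from $restricted_host to any port 443

# 5. Traffic between two hosts on $lan_net goes through the switch, never
#    through $lan_if, so a rule like the commented one below matches nothing.
#    Put the restricted host on its own subnet/VLAN instead (as said above).
# block in quick on $lan_if from $restricted_host to $lan_net

# Default: everything else from the LAN is allowed. "keep state" is pf's default
# and is what makes the state table matter when testing rule changes.
pass in quick on $lan_if from $lan_net to any keep state
```

Why the state table matters for testing: a new block rule is only consulted for new connections, so an existing state (say, an open browser connection from 192.168.1.50) keeps passing until it expires or is removed. From a shell on the box, `pfctl -s states` lists the current states and `pfctl -F states` flushes the whole table, which is what the GUI reset does; `pfctl -k 192.168.1.50` removes only the states involving that one host, which is usually enough when testing a rule for a single machine and avoids flushing everything else.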



  • Thanks, razzfazz, phil.davis. It's a big help for beginners like me to get some pointers on what might seem really obvious to you. The pfsense adventure continues!

