Global Firewall Rules

  • Hi

    I've the following setup

    INTERNET-----------------PFSENSE-------------DMZ1 (Customer A)
                                |________________DMZ2 (Customer B)

    Now let's assume that each of these customers has a web server running which should be reachable from the internet.
    Both DMZs are completely blocked from each other.
    So set up a rule on the WAN interface so that the whole internet can reach the website of customer A, so everyone can reach customer A's website, except customer B can't reach the website of customer A (and vice versa).

    I know I can define a rule on their respective interfaces, but with more customers and more rules this gets very cumbersome.
    Does anybody know a smarter way to do that?

  • Use aliases in your rules.

    Every time you have to change something you just change the alias.

  • Using aliases can certainly lower the burden of such a setup.
    But if you have 10 customers (interfaces) with 10 rules each, this ends in defining 100 rules on the WAN interface and 90 rules on each customer interface.
    And when implementing a new rule for a customer, it has to be defined on the WAN interface and on each interface of the other 9 customers. If you get a new customer…
    I'm just curious if there is some kind of generic support in pfSense to handle configs like these.
    Something like a 'define this rule as a global rule' flag and then, for example, on a per-interface basis the possibility to set the 'implicit prepended global rules before the explicit defined rules' flag.
    For instance supports global rules in their metamodel and then generates the needed rules on each interface.

  • You can do exactly this with the alias system:
    Create an alias in which you want all global entries.

    Create on each user interface a rule that uses this alias,
    and below it the user-specific rules.

  • I can't see how I could do this exactly with aliases. Aliases are just bunches of hosts/networks/ports which can be used in rules.
    I agree that it helps to lower the burden.
    But if a completely new rule (new dest IP/port) must be set up, I have to define (in fact you can copy) this rule on each other interface (using aliases to lower the burden for changes to the rule).
    Or if a new customer/interface will be set up, I have to copy all rules over to this new interface.
    I was just wondering if there is a smarter way for such a setup. I can live with the 'alias workaround'.

    Or am I missing something?
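
The rule counts argued over in this thread, worked through as an added example that is not from any poster and is not pfSense code or configuration: it models the expansion of published services into per-interface rules, first one rule per service and then with one host alias per port. The `Service`/`Rule` types, the `published_<port>` alias names, the `DMZn_net` source names and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Service(NamedTuple):
    customer: str   # also used as the name of that customer's DMZ interface
    host: str
    port: int

class Rule(NamedTuple):
    interface: str
    action: str
    source: str
    dest: str       # a host address or an alias name
    port: int

def expand_naive(services):
    """One pass rule per service on WAN plus one block rule on every other DMZ."""
    customers = sorted({s.customer for s in services})
    rules = []
    for s in services:
        rules.append(Rule("WAN", "pass", "any", s.host, s.port))
        rules += [Rule(c, "block", f"{c}_net", s.host, s.port)
                  for c in customers if c != s.customer]
    return rules

def expand_aliased(services):
    """One host alias per port, so a rule never matches an unpublished host/port pair."""
    customers = sorted({s.customer for s in services})
    aliases = defaultdict(list)
    for s in services:
        aliases[f"published_{s.port}"].append(s.host)
    rules = []
    for name in sorted(aliases):
        port = int(name.rsplit("_", 1)[1])
        rules.append(Rule("WAN", "pass", "any", name, port))
        # The alias also holds the customer's own host; assumed harmless because
        # traffic inside one DMZ does not pass through the firewall.
        rules += [Rule(c, "block", f"{c}_net", name, port) for c in customers]
    return dict(aliases), rules

def per_interface(rules):
    counts = defaultdict(int)
    for r in rules:
        counts[r.interface] += 1
    return dict(counts)

# Constructed sample: 10 customers, each publishing the same 10 ports.
PORTS = [25, 53, 80, 110, 143, 443, 465, 587, 993, 995]
SERVICES = [Service(f"DMZ{c}", f"10.0.{c}.10", p) for c in range(1, 11) for p in PORTS]
```

With the sample data the first expansion gives 100 rules on WAN and 90 on each DMZ interface, the second gives 10 on each; a new customer on an existing port changes alias contents but still needs the block rules copied to its own interface, and a new port still needs a new rule everywhere.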
