  • Hi and sorry for the newbie question. I would like to use pfSense in a lab to separate 2 LAN segments (OPT1, OPT2).
    I would like to allow all outbound traffic and have all the incoming traffic blocked, except for the required ports - for example DNS 53, etc.

    pfSense seems to work the opposite way - all incoming traffic OPT1<>OPT2 is allowed per default and the outgoing is blocked. As soon as I enable the outbound traffic,
    there is no filter on the incoming one.

    Many thanks

  • LAYER 8 Global Moderator

    So is there a wan in this setup or just your 2 lan segments?

    When you setup pfsense its going to see 1 interface as wan, and normally the rest as lan segments.

    So from the wan to any lan segments by default all traffic is blocked, from the first lan all outbound would be allowed.  Then if you created another lan segment you would have to create the rules you want; by default all traffic into that interface is blocked.

  • John, let us take the WAN traffic out of scope.
    I have a simple setup where the 2 private networks, assigned one each to the OPT1/OPT2 interfaces, need to have all the incoming traffic between them blocked (except for some ports: 53, etc.).
    All outgoing traffic between them should be allowed.

    As soon as I enable the outgoing traffic on, let us say, subnet >, even if I put a rule on OPT1 to block all from * >, the traffic flows through.

    Other firewalls work absolutely following this approach of blocking the internal traffic - Checkpoint, Cisco.
    Thus my question, how do I block the INTERNAL inbound traffic from OPT2 subnet to OPT1 on the interface OPT1 rules.


  • The rules you put on an interface tab in pfSense are "in" rules. So you don't block traffic from OPT2 to OPT1 on the OPT1 tab. You block it where it first arrives: on the OPT2 tab put a rule:
    Block IPvn protocol all source OPT2net destination OPT1net

    and on OPT1 tab you put:
    Block IPvn protocol all source OPT1net destination OPT2net

    and the traffic is blocked at the interface on which it first arrives.
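    To make the "in rules" point concrete, here is an added Python model (not code from the thread or from pfSense) of first-match evaluation on the ingress interface's tab. The 10.1.0.0/24 and 10.2.0.0/24 subnets, the sample hosts and the alias names used in the rule dictionaries are constructed assumptions.

```python
import ipaddress

# Constructed lab addressing (assumption, not from the thread).
NETS = {"OPT1net": ipaddress.ip_network("10.1.0.0/24"),
        "OPT2net": ipaddress.ip_network("10.2.0.0/24")}

def ingress_iface(pkt):
    """The interface a packet first enters: the one whose subnet holds its source."""
    for name, net in NETS.items():
        if ipaddress.ip_address(pkt["src"]) in net:
            return name[:-3]                      # "OPT2net" -> "OPT2"
    return "WAN"

def in_alias(ip, alias):
    return alias == "any" or ipaddress.ip_address(ip) in NETS[alias]

def matches(rule, pkt):
    return (in_alias(pkt["src"], rule.get("src", "any"))
            and in_alias(pkt["dst"], rule["dst"])
            and rule.get("proto", "any") in ("any", pkt["proto"])
            and rule.get("dport", pkt["dport"]) == pkt["dport"])

def decide(tabs, pkt):
    """First match on the ingress interface's tab only; no match means block."""
    for rule in tabs.get(ingress_iface(pkt), []):
        if matches(rule, pkt):
            return rule["action"]
    return "block"

# The OP's attempt: a block on the OPT1 tab aimed at traffic arriving *from* OPT2.
# It never fires, because OPT2->OPT1 packets are only evaluated on the OPT2 tab.
OP_TABS = {
    "OPT1": [{"action": "block", "src": "OPT2net", "dst": "OPT1net"},
             {"action": "pass", "dst": "any"}],
    "OPT2": [{"action": "pass", "dst": "any"}],
}
# Phil's approach: filter where the traffic first arrives; the required exception
# (DNS) sits above the block, and general outbound traffic is still allowed.
FIXED_TABS = {
    "OPT1": [{"action": "block", "src": "OPT1net", "dst": "OPT2net"},
             {"action": "pass", "dst": "any"}],
    "OPT2": [{"action": "pass", "src": "OPT2net", "dst": "OPT1net", "proto": "udp", "dport": 53},
             {"action": "block", "src": "OPT2net", "dst": "OPT1net"},
             {"action": "pass", "dst": "any"}],
}

SMB = {"src": "10.2.0.5", "dst": "10.1.0.10", "proto": "tcp", "dport": 445}
DNS = {"src": "10.2.0.5", "dst": "10.1.0.10", "proto": "udp", "dport": 53}
OUT = {"src": "10.2.0.5", "dst": "198.51.100.10", "proto": "tcp", "dport": 443}
for label, pkt in (("SMB", SMB), ("DNS", DNS), ("internet", OUT)):
    print(f"{label:9} OP tabs: {decide(OP_TABS, pkt):6} fixed: {decide(FIXED_TABS, pkt)}")
```

    Running it shows the OP's layout passing the OPT2-to-OPT1 SMB packet while the fixed layout blocks it, allows only DNS toward OPT1net, and still passes the outbound packet.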

  • LAYER 8 Global Moderator

    I mention the wan - because I want to understand if one of your interfaces is the wan as seen by pfsense, and it would by default do NAT on, etc.  Did you put a gateway on either of these interfaces?

    And as per Phil's excellent explanation – firewall rules are IN rules, to be honest what firewall is not like this?  The Junipers at work are like this, same with the Checkpoints and ASAs.  Rules are based upon input to an interface.

    Think about it -- why would you process a packet into your firewall and move it through the system only not to send it outbound a different interface.  The firewall makes the decision on what to do with the traffic as it first sees it INTO an interface.

    If you really wanted an OUT rule, I believe you could do that on the floating tab. But I really have never found a need for any rules there in basic configurations.

  • John, Phil, appreciate your help. It is now all clear.

