Netgate Discussion Forum

    Which is preferred blocking outgoing or blocking incoming

    Firewalling
    11 Posts 5 Posters 1.8k Views
      Trel

      If I have two LAN interfaces, which would be the preferred setup?

      Block outgoing traffic to other LAN on each interface
      or
      Block incoming traffic from other LAN on each interface?

        phil.davis

        The pfSense firewall rule tabs for each interface match traffic arriving in at the interface, destined for other places.
        So you:
        block incoming traffic on LAN1 with source LAN1 destination LAN2
        block incoming traffic on LAN2 with source LAN2 destination LAN1

        The "incoming" bit does not appear in the GUI when working with the "by interface" firewall rule tabs. The rules you put in those tabs are always "in".

        On the Floating tab you can choose "in" or "out" - but that is very rarely needed.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          Trel

          @phil.davis:

          The pfSense firewall rule tabs for each interface match traffic arriving in at the interface, destined for other places.
          So you:
          block incoming traffic on LAN1 with source LAN1 destination LAN2
          block incoming traffic on LAN2 with source LAN2 destination LAN1

          The "incoming" bit does not appear in the GUI when working with the "by interface" firewall rule tabs. The rules you put in those tabs are always "in".

          On the Floating tab you can choose "in" or "out" - but that is very rarely needed.

          If I'm understanding correctly

          block incoming traffic on LAN1 with source LAN1 destination LAN2
          block incoming traffic on LAN2 with source LAN2 destination LAN1

          should behave the same as

          block incoming traffic on LAN1 with source LAN2 destination LAN1
          block incoming traffic on LAN2 with source LAN1 destination LAN2

          If I'm understanding this, the only difference would be on which interface the actual filtering happens.

            phil.davis

            Incoming traffic is incoming from the "outside" to the interface. So:

            block incoming traffic on LAN1 with source LAN2 destination LAN1

            will not match anything. All the packets arriving on LAN1 (from the clients on LAN1) have source addresses in LAN1net.
            So the 2 pairs of statements you quoted are very different - the 1st pair matches to real traffic, the 2nd pair will not match to any traffic.


              Trel

              @phil.davis:

              Incoming traffic is incoming from the "outside" to the interface. So:

              block incoming traffic on LAN1 with source LAN2 destination LAN1

              will not match anything. All the packets arriving on LAN1 (from the clients on LAN1) have source addresses in LAN1net.
              So the 2 pairs of statements you quoted are very different - the 1st pair matches to real traffic, the 2nd pair will not match to any traffic.

              Wait, now I'm confused.

              Say I have a printer on LAN2, and I try to access it from LAN1.

              Wouldn't LAN2 see an incoming connection from LAN1 on its interface?
              and then wouldn't this apply?

              block incoming traffic on LAN2 with source LAN1 destination LAN2

              EDIT: I added an attachment, so you're saying those rules do nothing?

              [attachment: firewallrule.jpg]

                Derelict (LAYER 8, Netgate)

                No. LAN 2 will see outbound traffic from the LAN1 network.

                Inbound = Received by the physical (or virtual if VLAN) NIC

                Outbound = Transmitted by the Physical (or virtual) NIC

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  phil.davis

                  I added an attachment, so you're saying those rules do nothing?

                  Yes, they do nothing, no traffic will match them.

                  client on LAN1 starts an outgoing connection transmitting on its LAN1 cable.
                  pfSense LAN1 interface receives incoming data - hopefully there is a firewall rule that allows it to pass in.
                  pfSense routing determines it needs to go to LAN2, so passes it to the network stack destined for LAN2.
                  pfSense LAN2 interface transmits outgoing data to the printer.
                  The printer receives incoming data.
                  The printer produces outgoing paper  ;)

                  That's how the English words in(coming) and out(going) are used in the computer networking and pfSense context.


                    Trel

                    So, if I'm understanding correctly, these are how my rules should look to get the effect I want?

                    [attachments: firewallrule_01.jpg, firewallrule_02.jpg]

                      georgeman

                      Looks fine, but usually the printer does not initiate a connection towards the client. So I don't think the allow rule on the LAN interface is even needed.

                      Since this is a stateful firewall, when the connection is initiated from GWIFI01 to LAN, the "returning traffic" is automatically passed since it belongs to an already allowed state. But a connection initiated from the printer IP towards the other subnet will be blocked.

                      If it ain't broke, you haven't tampered enough with it

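As an added example (not part of the thread, and not pfSense code), a small Python model of the two semantics phil.davis and georgeman describe: rules on an interface tab are only consulted for traffic entering pfSense on that interface, and pf is stateful, so replies of an allowed connection pass without hitting a rule. The subnets, printer address and rule sets are constructed for illustration.

```python
"""Toy model of pfSense interface-tab rule evaluation (added example, not from the thread).
A tab's rules are only consulted for traffic entering pfSense on that interface, and pf is
stateful, so replies of an allowed connection pass without hitting any rule."""
from ipaddress import ip_address, ip_network

LAN1 = ip_network("192.168.1.0/24")      # constructed sample subnet: clients
LAN2 = ip_network("192.168.2.0/24")      # constructed sample subnet: printer lives here
PRINTER = "192.168.2.50"                 # constructed sample host

def ingress_iface(src):
    """A packet enters pfSense on the interface whose subnet contains its source host."""
    return "LAN1" if ip_address(src) in LAN1 else "LAN2"

def matches(rule, pkt):
    return (rule["iface"] == ingress_iface(pkt["src"])
            and ip_address(pkt["src"]) in rule["src"]
            and ip_address(pkt["dst"]) in rule["dst"])

def filter_packet(rules, pkt, states):
    """First-match evaluation; an existing state lets the reply through unchecked."""
    if (pkt["dst"], pkt["src"]) in states:
        return "pass:state"
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            if rule["action"] == "pass":
                states.add((pkt["src"], pkt["dst"]))
            return f"{rule['action']}:rule{i}"
    return "block:default"   # no rule matched; fell through to the implicit default

# The attachment's rules: the *other* LAN as source on each tab. Nothing entering
# LAN1 carries a LAN2 source address, so neither rule ever matches.
USELESS = [{"iface": "LAN1", "action": "block", "src": LAN2, "dst": LAN1},
           {"iface": "LAN2", "action": "block", "src": LAN1, "dst": LAN2}]
# phil.davis's version: block on the tab where the traffic actually enters.
CORRECT = [{"iface": "LAN1", "action": "block", "src": LAN1, "dst": LAN2},
           {"iface": "LAN2", "action": "block", "src": LAN2, "dst": LAN1}]
# georgeman's point: allow client -> printer, deny anything the printer initiates.
STATEFUL = [{"iface": "LAN1", "action": "pass", "src": LAN1, "dst": ip_network(PRINTER + "/32")},
            {"iface": "LAN2", "action": "block", "src": LAN2, "dst": LAN1}]

def demo():
    pkt = {"src": "192.168.1.10", "dst": PRINTER}      # client sends a print job
    reply = {"src": PRINTER, "dst": "192.168.1.10"}    # printer answers
    out = {"useless": filter_packet(USELESS, pkt, set()),
           "correct": filter_packet(CORRECT, pkt, set())}
    st = set()
    out["stateful_request"] = filter_packet(STATEFUL, pkt, st)
    out["stateful_reply"] = filter_packet(STATEFUL, reply, st)      # passes on state
    out["printer_initiates"] = filter_packet(STATEFUL, reply, set())  # no state: blocked
    return out
```

Running `demo()` shows the "useless" pair never matching, the corrected pair blocking on the ingress tab, and the printer's reply passing only because a state exists.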
                        Trel

                        @georgeman:

                        Since this is a stateful firewall, when the connection is initiated from GWIFI01 to LAN, the "returning traffic" is automatically passed since it belongs to an already allowed state. But a connection initiated from the printer IP towards the other subnet will be blocked.

                        The printer has an option which can be used to scan a document to a network share.

                          mikeisfly

                          Just as good practice I always like to apply a rule as close to the device or thing that I'm trying to block as possible, to limit the amount of processing that my firewall/router has to do. For example, if I wanted to block a device on lan1 from accessing lan2, I would place the rule on lan1 as opposed to lan2.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.