Which is preferred blocking outgoing or blocking incoming



  • If I have two LAN interfaces, which would be the preferred setup?

    Block outgoing traffic to other LAN on each interface
    or
    Block incoming traffic from other LAN on each interface?



  • The pfSense firewall rule tabs for each interface match traffic arriving in at the interface, destined for other places.
    So you:
    block incoming traffic on LAN1 with source LAN1 destination LAN2
    block incoming traffic on LAN2 with source LAN2 destination LAN1

    The "incoming" bit does not appear in the GUI when working with the "by interface" firewall rule tabs. The rules you put in those tabs are always "in".

    On the Floating tab you can choose "in" or "out" - but that is very rarely needed.



  • @phil.davis:

    The pfSense firewall rule tabs for each interface match traffic arriving in at the interface, destined for other places.
    So you:
    block incoming traffic on LAN1 with source LAN1 destination LAN2
    block incoming traffic on LAN2 with source LAN2 destination LAN1

    The "incoming" bit does not appear in the GUI when working with the "by interface" firewall rule tabs. The rules you put in those tabs are always "in".

    On the Floating tab you can choose "in" or "out" - but that is very rarely needed.

    If I'm understanding correctly

    block incoming traffic on LAN1 with source LAN1 destination LAN2
    block incoming traffic on LAN2 with source LAN2 destination LAN1

    should behave the same as

    block incoming traffic on LAN1 with source LAN2 destination LAN1
    block incoming traffic on LAN2 with source LAN1 destination LAN2

    If I'm understanding this, the only difference would be on which interface the actual filtering happens.



  • Incoming traffic is incoming from the "outside" to the interface. So:

    block incoming traffic on LAN1 with source LAN2 destination LAN1
    

    will not match anything. All the packets arriving on LAN1 (from the clients on LAN1) have source addresses in LAN1net.
    So the 2 pairs of statements you quoted are very different - the 1st pair matches to real traffic, the 2nd pair will not match to any traffic.



  • @phil.davis:

    Incoming traffic is incoming from the "outside" to the interface. So:

    block incoming traffic on LAN1 with source LAN2 destination LAN1
    

    will not match anything. All the packets arriving on LAN1 (from the clients on LAN1) have source addresses in LAN1net.
    So the 2 pairs of statements you quoted are very different - the 1st pair matches to real traffic, the 2nd pair will not match to any traffic.

    Wait, now I'm confused.

    Say I have a printer on LAN2, and I try to access it from LAN1.

    Wouldn't LAN2 see an incoming connection from LAN1 on its interface?
    and then wouldn't this apply?

    block incoming traffic on LAN2 with source LAN1 destination LAN2

    EDIT: I added an attachment, so you're saying those rules do nothing?



  • Netgate

    No.  LAN 2 will see outbound traffic from the LAN1 network.

    Inbound = Received by the physical (or virtual if VLAN) NIC

    Outbound = Transmitted by the Physical (or virtual) NIC



  • I added an attachment, so you're saying those rules do nothing?

    Yes, they do nothing, no traffic will match them.

    client on LAN1 starts an outgoing connection transmitting on its LAN1 cable.
    pfSense LAN1 interface receives incoming data - hopefully there is a firewall rule that allows it to pass in.
    pfSense routing determines it needs to go to LAN2, so passes it to the network stack destined for LAN2.
    pfSense LAN2 interface transmits outgoing data to the printer.
    The printer receives incoming data.
    The printer produces outgoing paper  ;)

    That's how the English words in(coming) and out(going) are used in the computer networking and pfSense context.



  • So, if I'm understanding correctly, these are how my rules should look to get the effect I want?






  • Looks fine, but usually the printer does not initiate a connection towards the client. So I don't think the allow rule on the LAN interface is even needed.

    Since this is a stateful firewall, when the connection is initiated from GWIFI01 to LAN, the "returning traffic" is automatically passed since it belongs to an already allowed state. But a connection initiated from the printer IP towards the other subnet will be blocked.
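A small simulation, added here as an illustration and not code from the thread or from pfSense, of the two points made above: an interface-tab rule is only ever evaluated against traffic arriving in on that interface (so phil.davis's second pair of rules can never match), and a stateful pass rule on the client side is enough to let the printer's replies back while still blocking connections the printer initiates. The subnets and addresses are assumed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed topology (hypothetical addresses, not from the thread).
LAN1NET = ip_network("192.168.1.0/24")  # where the clients live
LAN2NET = ip_network("192.168.2.0/24")  # where the printer lives
IFACES = {"LAN1": LAN1NET, "LAN2": LAN2NET}

@dataclass(frozen=True)
class Rule:
    """An interface-tab rule: evaluated only on traffic arriving *in* on iface."""
    iface: str
    action: str  # "block" or "pass"
    src: IPv4Network
    dst: IPv4Network

def ingress_interface(src: str) -> str:
    """The interface a packet arrives on is the one whose subnet contains its source."""
    return next((name for name, net in IFACES.items() if ip_address(src) in net), "WAN")

def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Top-down, first match wins, consulting only the ingress interface's tab."""
    iface = ingress_interface(src)
    for r in rules:
        if r.iface == iface and ip_address(src) in r.src and ip_address(dst) in r.dst:
            return r
    return None

def decide(rules, states, src, dst) -> str:
    """Stateful check: a reply to an already-passed connection never reaches the rules."""
    if (dst, src) in states:
        return "pass (state)"
    rule = first_match(rules, src, dst)
    action = rule.action if rule else "block (default deny)"
    if action == "pass":
        states.add((src, dst))
    return action

# phil.davis's first pair: source is the tab's own subnet, so it matches real traffic.
PAIR1 = [Rule("LAN1", "block", LAN1NET, LAN2NET), Rule("LAN2", "block", LAN2NET, LAN1NET)]
# Second pair: source is the *other* subnet; nothing arriving in on that tab can match.
PAIR2 = [Rule("LAN1", "block", LAN2NET, LAN1NET), Rule("LAN2", "block", LAN1NET, LAN2NET)]
# georgeman's point: one pass rule on the client side suffices; the printer cannot initiate.
STATEFUL = [Rule("LAN1", "pass", LAN1NET, LAN2NET)]
```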



  • @georgeman:

    Since this is a stateful firewall, when the connection is initiated from GWIFI01 to LAN, the "returning traffic" is automatically passed since it belongs to an already allowed state. But a connection initiated from the printer IP towards the other subnet will be blocked.

    The printer has an option which can be used to scan a document to a network share.



  • Just as good practice I always like to apply a rule as close to the device or thing that I'm trying to block as possible, to limit the amount of processing that my firewall/router has to do. For example if I wanted to block a device on lan1 from accessing lan2, I would place the rule on lan1 as opposed to lan2.