ICMP does not block directly when I apply a deny rule



  • Hi everyone

    I just have a general question about the behavior of the pfSense FW rules.

    I'm running the latest release (2.1-RELEASE (amd64) built on Wed Sep 11 18:17:48 EDT 2013 FreeBSD 8.3-RELEASE-p11).

    Everything works just fine, but I have a question about how rules are applied.

    1. Let's say that I have no rules on my WAN interface.
    2. I start pinging with -t on the WAN interface from a PC that is located on the great Internet, and there is no reply.
    3. Add a rule that accepts ICMP from the WAN.
    4. Instantly after the rule is applied, the ping starts getting replies back.
    5. Now I delete the same rule that I just applied on my WAN interface (and apply the deletion).
    6. The funny part here is that the ping still gets an answer from the WAN.
    7. So if I stop the ping, wait for at least 10 sec and then start the ping again, there is no reply.

    So my question is: why is my rule not applied directly?

    Regards, Johan


  •

    Because there's already a state created for that (Diagnostics - States).



  • @doktornotor:

    Because there's already a state created for that (Diagnostics - States).

    This.

    I've been butting heads with this all school year when trying to block internet access for the students… Basically, when a connection is open and you change the firewall rules to block something, it unfortunately does not affect existing connections (or states). If you go to Diagnostics > States > Reset States > Reset, it should cut it off mid-ping.
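The behaviour the thread describes is a property of any stateful packet filter: rules are evaluated only for the packet that creates a state, and every later packet of that flow is passed by the state entry until it expires or is cleared. The following is an added example, not code from the thread or from pfSense/pf: a small Python model of a first-match ruleset plus a state table, replaying Johan's seven steps and then the "Reset States" fix. The 10-second ICMP idle timeout is an assumption chosen to match the observation in the first post, not pf's real default, and the addresses are constructed.

```python
"""Toy model of a stateful packet filter (pfSense/pf-like) to show why removing
an allow rule does not stop traffic that already has a state. Added example,
not pfSense code; timeouts and addresses are assumptions/constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    iface: str   # interface the packet arrives on
    t: float     # arrival time in seconds


@dataclass
class Rule:
    action: str              # "pass" or "block"
    iface: str
    proto: Optional[str] = None   # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return self.iface == pkt.iface and (self.proto is None or self.proto == pkt.proto)


class Firewall:
    def __init__(self, icmp_timeout: float = 10.0):
        # icmp_timeout: assumed idle timeout for ICMP states (matches the
        # "wait at least 10 sec" observation in the thread, not pf's default)
        self.rules: list[Rule] = []
        self.states: dict[tuple, float] = {}   # flow key -> last packet time
        self.icmp_timeout = icmp_timeout

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.dst)
        # 1. State lookup comes first: a live state short-circuits the ruleset,
        #    so rule edits made after the state was created are never consulted.
        last_seen = self.states.get(key)
        if last_seen is not None:
            if pkt.t - last_seen <= self.icmp_timeout:
                self.states[key] = pkt.t        # refresh the idle timer
                return "pass (state)"
            del self.states[key]                # idle too long: state expired
        # 2. No state: evaluate rules, first match wins (pfSense rules are
        #    "quick"), implicit default deny if nothing matches.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states[key] = pkt.t    # a pass rule creates the state
                    return "pass (rule)"
                return "block (rule)"
        return "block (default)"

    def reset_states(self) -> None:
        """Equivalent of Diagnostics > States > Reset States."""
        self.states.clear()


def ping(fw: Firewall, t: float) -> str:
    # one echo request from a constructed Internet host to the WAN address
    return fw.filter(Packet("icmp", "203.0.113.5", "198.51.100.1", "wan", t))


def replay_thread_scenario() -> list[str]:
    """Steps 1-7 from the first post, one ping per second."""
    fw = Firewall()
    verdicts = [ping(fw, 0.0)]          # steps 1-2: no rules, no reply
    allow = Rule("pass", "wan", "icmp")
    fw.rules.append(allow)              # step 3: add the ICMP allow rule
    verdicts.append(ping(fw, 1.0))      # step 4: rule matches, state created
    verdicts.append(ping(fw, 2.0))      #         subsequent pings hit the state
    fw.rules.remove(allow)              # step 5: delete the rule again
    verdicts.append(ping(fw, 3.0))      # step 6: still answered, via the state
    verdicts.append(ping(fw, 4.0))
    verdicts.append(ping(fw, 15.0))     # step 7: idle > timeout, state gone, blocked
    return verdicts


def replay_with_state_reset() -> list[str]:
    """Same rule removal, but followed by a state reset: blocks immediately."""
    fw = Firewall()
    allow = Rule("pass", "wan", "icmp")
    fw.rules.append(allow)
    verdicts = [ping(fw, 0.0), ping(fw, 1.0)]
    fw.rules.remove(allow)
    fw.reset_states()                   # what the GUI reset does
    verdicts.append(ping(fw, 2.0))
    return verdicts


if __name__ == "__main__":
    print(replay_thread_scenario())
    print(replay_with_state_reset())
```

On a real pfSense box the same two views exist from the shell: `pfctl -ss` lists the current state table and `pfctl -k <host>` kills the states involving that host, which is the targeted alternative to resetting every state from the GUI when only one client's access needs to be cut.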

