Default Deny Rules Not Working?



  • I run pfSense in a virtual machine. I have two physical interfaces (WAN, LAN) and an internal network for VirtualBox I called DMZ (it's a lab). Traditionally pfSense would not allow any traffic between DMZ and LAN, until I created a rule that allowed RDP traffic from LAN to reach DMZ.

    Recently I rebuilt my pfSense installation and now machines in DMZ have full access to LAN machines and services. Even if I create a rule for LAN that blocks DMZ net, or one that specifies the machine IP in DMZ, and place it at the top of the list, the machines in DMZ have full access to the LAN network. I am completely baffled by this behavior. The really odd thing is LAN cannot access DMZ unless I add a rule allowing traffic.

    To summarize:
    1. DMZ default deny is working, as LAN machines can not talk to DMZ machines.
    2. LAN default deny is not working, or being superseded, and allows DMZ machines in.
    3. I do not want DMZ net to have access to LAN net, as DMZ is a lab.

    Attached are screenshots of the rules for both interfaces. Thank you in advance, I really want to get started on these projects.





  • Banned

    Huh? You allow everything IPv4 from DMZ to anywhere. Ditto for LAN. Also cannot see anything RDP related there. The screenshots totally do not match anything you described. Nothing left to deny by default when you actually allow everything. (As for what you assume to be "working DMZ default deny", it is probably a result of some wacky gateway (mis)configuration there; what's that SPEED stuff supposed to mean?)


  • LAYER 8 Global Moderator

    Yeah, clearly you posted the wrong images, I would have to believe. There is nothing in there about RDP.

    The reason you cannot get to DMZ from LAN would be that your any-any rule has a specific gateway specified, which does not have access to DMZ, would be my guess. What are you trying to do with the 2 gateways?

    But your dmz doesn't block any access to lan - and that should work yes.

    You mention default deny is letting DMZ in?? That is not how the default deny works. The default deny is traffic INBOUND to that interface. So if going from DMZ to LAN, the rule that triggers is the DMZ tab saying "hey, you can go anywhere you want." When the traffic goes OUT the LAN interface into the actual LAN, no rules are evaluated at all, unless you had something set up in the floating tab to do so.

    Think of a doorman standing at the entry to each interface: if his list allows you in, then you're in and can go out any pfSense interface you want. If you don't want devices from your DMZ to talk to LAN, then you need to create a rule on your DMZ tab that prevents that or does not allow that.

    You could put in block that says

    source dmz net, dst lan net block

    Or you could edit your allow rule to say source dmz net, dest NOT lan net (! lan net) which would do the same thing.


  • LAYER 8 Netgate

    Even if I create a rule for LAN that blocks DMZ net, or one that specifies the machine IP in DMZ,

    You block access from DMZ to LAN by placing a block with a destination of "LAN net" on the DMZ interface, not by placing a block on source "DMZ net" on the LAN interface.

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting



  • The settings I am using are for a home network and not an enterprise deployment. Though not the most secure, I am tackling one thing at a time in my spare time while not pissing off the family by blocking something they need. The allow-any rule is a placeholder for all intents and purposes. Eventually I will remove the LAN net-ANY rule and only open specific ports.

    There are no RDP entries because I know they work and removed them before taking the screenshots. This way we could focus on why DMZ has access to LAN.

    My understanding of how the rules worked with the interfaces was that first it would deny any access in or out unless otherwise specified. So I was thinking that unless I placed a rule in the LAN interface allowing some sort of traffic in from DMZ then nothing would get in. Using what you guys have provided I created a deny rule in DMZ to LAN and that has fixed the problem.

    The "speed stuff" you are seeing is my gateway group. My WAN is always on and very slow while WAN2 comes and goes but is much faster. So when WAN2 comes online everything switches over with the exception of my online backup. "Speed" was the first name that came to mind for naming.

    So here is my question: if "DMZ net-ANY" allows DMZ machines to access LAN, then why does "LAN net-ANY" not let RDP through to DMZ without special rules?

    Thank you guys so much for helping with this, I have been sick with a virus since before Christmas and working two part time jobs. So your patience is appreciated.


  • LAYER 8 Netgate

    It will allow it.  If it's not working then it's something else.

    Your traffic from LAN to DMZ is probably going to SPEED since that's what you told it to do.

    Put a pass rule on LAN for all traffic from LAN net to DMZ net.  Put it above the default rule that sets the SPEED gateway.



  • @Derelict:

    It will allow it.  If it's not working then it's something else.

    Your traffic from LAN to DMZ is probably going to SPEED since that's what you told it to do.

    Put a pass rule on LAN for all traffic from LAN net to DMZ net.  Put it above the default rule that sets the SPEED gateway.

    You are the man! If you're ever in Richmond VA I owe you a drink ;-)


  • LAYER 8 Global Moderator

    "My understanding of how the rules worked with the interfaces was that first it would deny any access in or out unless otherwise specified."

    Where did you get that understanding? Because it's not correct. Nowhere in the docs does it ever state that.

    I have never seen anything stated anywhere that rules are evaluated both inbound and outbound of an interface.

    But there is documentation that states you have to have rules to allow your traffic if you're sending to a gateway, etc.

    https://doc.pfsense.org/index.php/Multi-WAN

    Policy Route Negation

    When a firewall rule directs traffic into the gateway, it bypasses the routing table on the firewall. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the routing table on the firewall. These rules should be at the top of the list – or at least above any rules using gateways.
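A small model, added here and not part of the thread or of pfSense itself, of the two points the replies make: rules are consulted only on the tab of the interface the traffic enters (the doorman), top to bottom, first match wins, and a pass rule with a gateway set bypasses the routing table, which is what the policy route negation rule works around. Interface names, the "LAN net"/"DMZ net" aliases and the SPEED gateway group come from the thread; the addresses are constructed.

```python
import ipaddress

# Constructed addressing for the thread's networks (not from the thread).
NETS = {"LAN net": ipaddress.ip_network("192.168.1.0/24"),
        "DMZ net": ipaddress.ip_network("10.10.10.0/24")}

def _match(alias, ip):
    """Match an address against 'any', an alias, or a negated alias ('!LAN net')."""
    if alias == "any":
        return True
    negate = alias.startswith("!")
    hit = ipaddress.ip_address(ip) in NETS[alias.lstrip("! ")]
    return hit != negate

def evaluate(rulesets, in_if, src, dst):
    """Decide a packet that ENTERS the firewall on in_if.
    Only that interface's tab is consulted, top to bottom, first match wins
    (the 'doorman'); nothing is evaluated when the packet leaves via another
    interface. Returns 'block', 'routed' (routing table) or 'policy:<gw>'."""
    for rule in rulesets.get(in_if, []):
        if _match(rule["src"], src) and _match(rule["dst"], dst):
            if rule["action"] == "block":
                return "block"
            gw = rule.get("gateway")          # a gateway bypasses the routing table
            return f"policy:{gw}" if gw else "routed"
    return "block"                            # implicit default deny, inbound only

# The rule sets as posted: allow-any on both tabs, LAN's tied to the SPEED group.
ORIGINAL = {
    "DMZ": [{"action": "pass", "src": "DMZ net", "dst": "any"}],
    "LAN": [{"action": "pass", "src": "LAN net", "dst": "any", "gateway": "SPEED"}],
}
# The original poster's attempt: a block with source "DMZ net" on the LAN tab.
WRONG_TAB = {
    "DMZ": ORIGINAL["DMZ"],
    "LAN": [{"action": "block", "src": "DMZ net", "dst": "any"}] + ORIGINAL["LAN"],
}
# The fix from the replies: block DMZ->LAN on the DMZ tab, and a gateway-less
# pass LAN->DMZ (policy route negation) above the SPEED rule on the LAN tab.
FIXED = {
    "DMZ": [{"action": "block", "src": "DMZ net", "dst": "LAN net"}] + ORIGINAL["DMZ"],
    "LAN": [{"action": "pass", "src": "LAN net", "dst": "DMZ net"}] + ORIGINAL["LAN"],
}

def dmz_to_lan(rulesets):
    return evaluate(rulesets, "DMZ", "10.10.10.5", "192.168.1.20")

def lan_to_dmz(rulesets):
    return evaluate(rulesets, "LAN", "192.168.1.20", "10.10.10.5")
```

Running `dmz_to_lan` and `lan_to_dmz` over the three rule sets reproduces the thread: the LAN-tab block never sees DMZ-to-LAN traffic, and LAN-to-DMZ traffic is policy-routed to SPEED until the gateway-less pass rule sits above it.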



  • @johnpoz:

    Where did you get that understanding? Because it's not correct. Nowhere in the docs does it ever state that.

    Valid question. Due to the Asperger's syndrome I suffer from (or at least I think it is the cause), written explanations do little for me. Actually, the reason I have fixated on working with pfSense instead of using other products that would work better for my needs is because of how hard it is for me to understand. It's a way I can gain further practice in overcoming some frustrations in understanding something I have a hard time visualizing.

    Even today I cannot get a clear picture of the relationship between interfaces within pfSense even though I have my Net+ certification (without cheating, which people would encourage me to do).
    So far I have the mental picture of two interfaces with two doors separated by a hallway. There are a total of four bouncers, two on either side of each door. The picture will be updated to reflect the new information provided here, and I will live with the pressure on my brain until I can get the thoughts to flow smoothly ;D

    Don't worry about responding, unless you want to, as I really need someone to sit down and draw some flow charts that represent the rules. Until then I will muddle through.

    Again, thanks for your help.

