Firewalling for dummies (WAN and solicited/unsolicited traffic issues)



  • Actually I have been using PFSense for awhile, but I saw something in my firewall logs that has triggered me to review what I thought I knew about firewalling with PFSense. Because if I am interpreting this correctly It is possible to get through the WAN rules even if you think it is blocked. So forgive me for my ignorance, I couldn't find a definitive answer about this in my searches either.

    My basic assumption is the WAN rules default to blocked. And the only time you even really need to even to put any pass rules in there is in the cases of NAT'ing or you specifically want to leave a port open to allow for unsolicited traffic.

    My other assumption is the LAN rules specifically require you to "pass" the traffic you want. With the usual gauntlet of blocking rules eventually falling through to a pass rule for what's left. And when the LAN successfully pass's traffic out. It creates a hidden rule in the WAN (maybe as a floating rule?) to allow future traffic from this outgoing IP initiated by the LAN from that point.

    This is all fine and good, except: Suppose I am using a proxy or vpn. which is initiated from the LAN on a certain port. And normal communications occurs. But then your proxy server switches gears and taking advantage that the firewall is open on the WAN for it. Starts using a different port that has nothing to do with proxy operations. Of which this port would usually would have been blocked, but now makes it through because of the initial LAN traffic. Which is what I am seeing.

    My question is, are my assumptions correct?

    And if so, when PFSense allows WAN for solicited traffic for a certain IP, shouldn't this allow rule be limited to only the port the LAN initiated with? Or am I mis-interpreting what I see in the firewall log as I see it is able to talk to other ports.

    It also seems there's no point in even trying to block the port on the WAN because the WAN is "already" set to block  all unsolicited WAN traffic.

    And I can understand how PFSense can follow states through TCP so it could know when the connection can be terminated. But how can it do this with UDP? Does it just timeout the wan rule?

    And if this is true and I do want to prevent a certain semi-trusted ip from talking on any other port, how can I prevent it once the WAN has been opened up for it?



  • "Blocking" happens on ingress of an interface and only when a new state is being created. If PFSense is running squid, then squid has no ingress interface to block the traffic, so the state is created with no issues. Once a state is created, it is no longer checked against fire all rules. There are a few limit exceptions to this, like scheduled rules.



  • So your saying once a new state is created on ingres, it forever allows the IP through, unless it's on a schedule? Even if it switches ports?



  • @kevin067:

    So your saying once a new state is created on ingres, it forever allows the IP through, unless it's on a schedule? Even if it switches ports?

    I know that PFSense only checks a state once, and that's at the time it's created. I'm not sure if it allows a state to come in on other interfaces. I do see in the state table that the interface is part of the state information displayed.