Block to or block from?



  • Hey guys I have 3 networks.  LAN, DMZ, and Isolated.

    I am trying to understand how the rules are processed - do we block to or from interfaces?  I.e., if I am in the DMZ rules, will allowed Source:  LAN to Destination:  DMZ Network override or interfere at all with the LAN rules of Block Source:  LAN to Destination:  DMZ?

    I am just confused on a few things here.


  • LAYER 8 Netgate

    Please read this:

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Be sure that the rules are on the proper interface. Imagine sitting inside of the pfSense box. Sure, it's a little crowded in there, but this can help. Imagine packets flying in from the different networks that the pfSense box ties together. The rules will be placed on the interface they entered from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still enter on the LAN. If a packet is coming from the Internet to the pfSense box, the rule goes on the WAN interface.

    And my explanation…

    Firewall rules are processed when a session is started coming INTO an interface.  This means connections from your LAN computers to web pages, DNS servers, mail servers, etc., are handled by rules on your LAN interface.  If you have port forwards permitting connections from the internet inbound to local servers these go on your WAN interface.  This is the single concept that you need to grasp when designing your network.

    The general goal is to block or pass traffic as it enters the firewall.

    Once the packet is allowed INTO pfSense, it has permission to exit the required interface. (unless you take specific measures to create a floating rule on an interface direction OUT, which is an advanced configuration used to meet specific circumstances)

    And:

    pfSense is stateful

    You do not need to worry about traffic getting back to the host that initiated the connection.  pfSense is a stateful firewall.  It all happens as if by magic.



  • Thanks!

    So, by that, if I want to RDP from "LAN" to "DMZ" I would set an allow on LAN for RDP to DMZ, correct?  So another way to think about it is to modify rules on the interface to keep traffic within or let traffic out, but not to prevent traffic from coming in?



  • So, by that, if I want to RDP from "LAN" to "DMZ" I would set an allow on LAN for RDP to DMZ, correct?

    Yes.

    So another way to think about it is to modify rules on the interface to keep traffic within or let traffic out, but not to prevent traffic from coming in?

    You can't prevent traffic from "coming in" to the interface.  A packet on the wire hits your NIC and sits in the NIC's buffer.  From there, the firewall rules dictate what to do with that packet.  You can control whether or not the interface passes that traffic along to another interface, or if it drops the packet.


  • LAYER 8 Netgate

    So another way to think about it is to modify rules on the interface to keep traffic within or let traffic out, but not to prevent traffic from coming in?

    This sounds like the exact opposite of how things are.

    You let traffic into your firewall on the interface it arrives on.  From there, it has a free path to its destination unless you specifically block it on an outbound interface with a floating rule (which is rare in a basic config.)  If you want it blocked, block it where it arrives.



  • So, by that, if I want to RDP from "LAN" to "DMZ" I would set an allow on LAN for RDP to DMZ, correct?

    Just to clarify, a default install will have an Allow All from LAN to Any rule, so you wouldn't actually need to add a rule to RDP from LAN to DMZ.  Your DMZ, on the other hand, comes with NO rules whatsoever.  You must add a rule to even allow something in the DMZ to initiate a connection to anywhere.
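A small model of the behaviour described in the replies above (rules are evaluated on the interface a packet arrives on, first match wins, unmatched traffic is dropped, and the state table carries the return traffic) and of the defaults in the last post (LAN allow-all, DMZ with no rules). This is an added illustration, not pfSense or pf code; the addresses, ports and the three-network layout are made up for the example, and floating rules and the outbound direction are deliberately left out of the model.

```python
"""Toy model of how pfSense evaluates interface rules.

Added example, not pfSense code. Rules live on the interface a packet
ARRIVES on, are tried top to bottom (first match wins), unmatched traffic
is dropped by the implicit default deny, and the state table lets the
reply half of an allowed session back in with no rule on that interface.
Floating/outbound rules are not modelled. All addressing is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample addressing for the thread's three networks (assumption).
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("10.0.0.0/24"),
    "ISOLATED": ipaddress.ip_network("172.16.0.0/24"),
}


def _in(ip: str, alias: str) -> bool:
    """True if ip is covered by the network alias (or the alias is 'any')."""
    return alias == "any" or ipaddress.ip_address(ip) in NETS[alias]


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: LAN, DMZ, ...
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str = "any"            # network alias or "any"
    dst: str = "any"
    dport: int | None = None    # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (_in(pkt.src, self.src) and _in(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Firewall:
    # interface name -> ordered rule list, like the per-interface tabs
    rules: dict[str, list[Rule]] = field(default_factory=dict)
    # state table: (proto, src, sport, dst, dport) of every passed session
    states: set[tuple] = field(default_factory=set)

    def filter(self, pkt: Packet) -> tuple[str, str]:
        """Return (verdict, reason) for a packet entering the firewall."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. State lookup happens before any rule: the reply to an allowed
        #    session passes on whichever interface it comes back in on.
        if key in self.states or reply_key in self.states:
            return "pass", "existing state"
        # 2. Only the ingress interface's rules are consulted, first match
        #    wins. Rules on the other interfaces are never looked at.
        for i, rule in enumerate(self.rules.get(pkt.iface, [])):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action, f"{pkt.iface} rule #{i + 1}"
        # 3. Nothing matched: implicit default deny.
        return "block", f"no matching rule on {pkt.iface} (default deny)"


def default_install() -> Firewall:
    """Defaults as described above: LAN allow-all, DMZ with no rules."""
    return Firewall(rules={"LAN": [Rule("pass")], "DMZ": [], "ISOLATED": []})


def run_scenarios() -> dict[str, str]:
    out = {}
    fw = default_install()
    # RDP from a LAN host to a DMZ server enters on LAN and hits the LAN rule.
    rdp = Packet("LAN", "192.168.1.10", 50000, "10.0.0.5", 3389)
    out["lan_rdp_to_dmz"] = fw.filter(rdp)[0]
    # The server's reply enters on DMZ; no DMZ rule exists but the state matches.
    reply = Packet("DMZ", "10.0.0.5", 3389, "192.168.1.10", 50000)
    out["dmz_reply"] = fw.filter(reply)[0]
    # A DMZ host starting its own session toward the LAN has no rule to match.
    smb = Packet("DMZ", "10.0.0.5", 40000, "192.168.1.10", 445)
    out["dmz_initiates_to_lan"] = fw.filter(smb)[0]

    # The original question: block LAN->DMZ on the LAN tab while the DMZ tab
    # has a pass LAN->DMZ rule. The packet arrives on LAN, so only the LAN
    # block is evaluated; the DMZ rule is irrelevant to that packet.
    fw2 = Firewall(rules={
        "LAN": [Rule("block", "LAN", "DMZ"), Rule("pass")],
        "DMZ": [Rule("pass", "LAN", "DMZ")],
    })
    verdict, reason = fw2.filter(rdp)
    out["conflicting_rules"] = f"{verdict} ({reason})"
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The fourth scenario is the one asked about at the top of the thread: a pass rule for LAN-to-DMZ placed on the DMZ tab can never "override" a block on the LAN tab, because a packet from the LAN enters on LAN and only that tab's rules are evaluated. If you want it blocked, block it where it arrives.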

