Source Ingress & Destination Egress Block Rule



  • When creating a firewall rule (particularly a floating rule), are the source and destination a logical AND or a logical OR?  My guess is it's a logical AND.  Asking because I don't know.

    Say I want to create a rule that blocks a list of IPv4 addresses for both source ingress and destination egress on the WAN interface.  Like Spamhaus DROP for instance.  Would that take two rules?  Or am I missing it?



  • The source and destination in a rule is a logical AND - the source IP in the packet has to match the rule AND the destination IP in the packet has to match the rule.
    So if you made a rule "block source SpamHaus-blocklist, destination SpamHaus-blocklist" then it will never match anything. You will (should) never see a packet with source and destination both in the block list - not on your WAN and not on your LAN.

    In pfSense the normal default way rules work is that they apply to traffic arriving at the interface concerned. So you want to:

    Block on LAN source any destination SpamHaus-blocklist. (Stop local traffic on LAN going to anywhere on the block list)

    Block on WAN source SpamHaus-blocklist destination any. (Stop traffic from the block-list arriving on WAN)



  • That's how I figured it worked.  Thanks for the confirmation.  Would be nice if there was ability to create a rule to block list of addresses on an interface irrespective of source, destination, ingress or egress.

    So I guess it takes two rules then since in one case the list is source addresses and in the other it's the destination addresses.



  • Yes, if you really want to block any chance of such a packet that comes from/to in both directions then you need 2 rules.
    That would be an issue if you are an internet backbone router. In that case link failures around the world and the resulting routing table changes could see packets from those IP addresses arrive and leave on different interfaces from moment to moment.
    But for mere mortals on end-networks, those block-list addresses can't be the source IP when received on the LAN side. And they can't be the destination when received on the WAN side. So the rule/s that cover those cases never actually match any traffic.

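To make the AND semantics and the "two rules, not one" conclusion from the replies above concrete, here is an added example that is not part of the thread and not pfSense code: a small Python model of per-interface rule matching. It assumes documentation prefixes (192.0.2.0/24, 198.51.100.0/24) as a stand-in for the Spamhaus DROP alias, 203.0.113.1 as the firewall's WAN address and 10.0.0.0/24 as the LAN; the sample packets are constructed. It shows the single src-AND-dst rule matching nothing, the two recommended rules blocking both directions, and the two "extra" rules from the last reply never firing on an end-network.

```python
"""Model of pfSense per-interface rule matching (added example, not pfSense code).

Rules apply to packets arriving on an interface; a rule's source and
destination conditions are ANDed. All addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

# Constructed stand-in for a Spamhaus DROP alias (assumption: documentation prefixes, not the real list).
BLOCKLIST: List[Net] = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
ANY = None  # "any" source or destination in the rule editor


def in_alias(addr: str, alias: Optional[List[Net]]) -> bool:
    """True if the alias is 'any' or the address falls inside one of its prefixes."""
    if alias is ANY:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


@dataclass
class Rule:
    iface: str                  # interface the packet arrives on: "wan" or "lan"
    src: Optional[List[Net]]    # source alias, or ANY
    dst: Optional[List[Net]]    # destination alias, or ANY
    action: str = "block"

    def matches(self, iface: str, src: str, dst: str) -> bool:
        # Interface, source AND destination must all match; this is the logical AND from the reply.
        return iface == self.iface and in_alias(src, self.src) and in_alias(dst, self.dst)


def verdict(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """First matching rule wins; no match passes (default-pass only for illustration)."""
    for r in rules:
        if r.matches(iface, src, dst):
            return r.action
    return "pass"


# Constructed traffic sample. 203.0.113.1 is assumed to be the firewall's WAN address,
# 10.0.0.0/24 the LAN.
PACKETS = [
    ("wan", "192.0.2.10", "203.0.113.1"),   # blocklisted host hitting our WAN
    ("lan", "10.0.0.5", "198.51.100.7"),    # LAN host going out to a blocklisted host
    ("wan", "8.8.8.8", "203.0.113.1"),      # ordinary inbound
    ("lan", "10.0.0.5", "1.1.1.1"),         # ordinary outbound
]

# The tempting single rule: source in list AND destination in list. Never matches real traffic.
ONE_RULE = [Rule("wan", BLOCKLIST, BLOCKLIST)]

# The two rules the reply recommends.
TWO_RULES = [
    Rule("lan", ANY, BLOCKLIST),   # LAN: any source -> blocklist
    Rule("wan", BLOCKLIST, ANY),   # WAN: blocklist -> any
]

# Covering "both directions on both interfaces" as well: the two extra rules never fire.
FOUR_RULES = TWO_RULES + [
    Rule("lan", BLOCKLIST, ANY),   # blocklisted source arriving on LAN: not seen on an end-network
    Rule("wan", ANY, BLOCKLIST),   # blocklisted destination arriving on WAN: likewise
]


def verdicts(rules: List[Rule], packets=PACKETS) -> List[str]:
    """Per-packet verdict under a rule set, in packet order."""
    return [verdict(rules, *p) for p in packets]


def hit_counts(rules: List[Rule], packets=PACKETS) -> List[int]:
    """How many sample packets each rule would match on its own."""
    return [sum(r.matches(*p) for p in packets) for r in rules]


if __name__ == "__main__":
    for name, rs in (("one rule", ONE_RULE), ("two rules", TWO_RULES), ("four rules", FOUR_RULES)):
        print(f"{name:10s} verdicts={verdicts(rs)} hits={hit_counts(rs)}")
```

Running it prints that the single rule passes everything with zero hits, the two-rule set blocks the first two packets, and the four-rule set gives identical verdicts with the extra rules at zero hits. On a real pfSense box the equivalent check is the hit counter in the rule list (or the firewall log) after the alias has been populated by pfBlockerNG or a URL-table alias.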
