Netgate Discussion Forum
    Source Ingress & Destination Egress Block Rule

    Category: Firewalling
    4 Posts, 2 Posters, 1.2k Views
    NOYB

      In creating a firewall rule (particularly floating), are the source and destination a logical AND or a logical OR?  My guess is it's a logical AND.  Asking because I don't know.

      Say I want to create a rule that blocks a list of IPv4 addresses for both source ingress and destination egress on the WAN interface.  Like Spamhaus DROP for instance.  Would that take two rules?  Or am I missing it?

      phil.davis

        The source and destination in a rule are a logical AND - the source IP in the packet has to match the rule AND the destination IP in the packet has to match the rule.
        So if you made a rule "block source SpamHaus-blocklist, destination SpamHaus-blocklist" then it will never match anything. You will (should) never see a packet with source and destination both in the block list - not on your WAN and not on your LAN.

        In pfSense the normal default way rules work is that they apply to traffic arriving at the interface concerned. So you want to:

        Block on LAN source any destination SpamHaus-blocklist. (Stop local traffic on LAN going to anywhere on the block list)

        Block on WAN source SpamHaus-blocklist destination any. (Stop traffic from the block-list arriving on WAN)

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        NOYB

          That's how I figured it worked.  Thanks for the confirmation.  Would be nice if there was the ability to create a rule to block a list of addresses on an interface irrespective of source, destination, ingress or egress.

          So I guess it takes two rules then since in one case the list is source addresses and in the other it's the destination addresses.

          phil.davis

            Yes, if you really want to block any chance of such a packet that comes from/to in both directions then you need 2 rules.
            That would be an issue if you are an internet backbone router. In that case link failures around the world and the resulting routing table changes could see packets from those IP addresses arrive and leave on different interfaces from moment to moment.
            But for mere mortals on end-networks, those block-list addresses can't be the source IP when received on the LAN side. And they can't be the destination when received on the WAN side. So the rule/s that cover those cases never actually match any traffic.


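To make the logical-AND point from phil.davis's two replies concrete, here is a small Python model of first-match rule evaluation on an interface's inbound direction, the way the replies describe pfSense applying rules to traffic arriving on an interface. It is an added example, not code from this thread or from pfSense/pf. The blocklist networks, interface addresses and packets are constructed from the RFC 5737 documentation ranges (they are not real Spamhaus DROP entries), and the rule and packet field names are assumptions of the model. The pf-style rules in the comments are illustrative equivalents, not configuration taken from the page.

```python
"""
Toy first-match packet filter: a rule matches only when the interface,
the source AND the destination all match, which is why a single
"source in list AND destination in list" rule never fires on real
end-network traffic, while one rule per direction does.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for a Spamhaus DROP-style alias/table (RFC 5737 ranges).
BLOCKLIST = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def in_list(addr, networks):
    """True if addr falls inside any of the given networks."""
    a = ip_address(addr)
    return any(a in n for n in networks)


def rule_matches(rule, pkt):
    """Interface, source and destination are ANDed; "any" is a wildcard."""
    if rule["iface"] != pkt["iface"]:
        return False
    src_ok = rule["src"] == "any" or in_list(pkt["src"], rule["src"])
    dst_ok = rule["dst"] == "any" or in_list(pkt["dst"], rule["dst"])
    return src_ok and dst_ok


def evaluate(rules, pkt, default="pass"):
    """First matching rule wins; fall through to the default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["name"]
    return default, "default"


# The rule from the question: both source AND destination in the list.
# pf-style equivalent: block in on wan from <blocklist> to <blocklist>
BOTH_IN_LIST = [
    {"name": "block src+dst in list", "iface": "wan", "action": "block",
     "src": BLOCKLIST, "dst": BLOCKLIST},
]

# The two rules from the answer, one per interface/direction.
# pf-style equivalents:
#   block in on wan from <blocklist> to any
#   block in on lan from any to <blocklist>
TWO_RULES = [
    {"name": "block from list on WAN", "iface": "wan", "action": "block",
     "src": BLOCKLIST, "dst": "any"},
    {"name": "block to list on LAN", "iface": "lan", "action": "block",
     "src": "any", "dst": BLOCKLIST},
]

# Constructed sample traffic. 203.0.113.5 stands in for the WAN address,
# 10.0.0.0/24 for the LAN, 203.0.113.200 for an unlisted remote host.
PACKETS = {
    "inbound_from_listed": {"iface": "wan", "src": "192.0.2.10", "dst": "203.0.113.5"},
    "outbound_to_listed": {"iface": "lan", "src": "10.0.0.7", "dst": "198.51.100.9"},
    "ordinary": {"iface": "wan", "src": "203.0.113.200", "dst": "203.0.113.5"},
    # Only this artificial packet satisfies "both in list"; it should never
    # be seen on an end-network edge.
    "both_listed": {"iface": "wan", "src": "192.0.2.10", "dst": "198.51.100.9"},
}


def run(rules):
    """Map each sample packet name to the action the rule set yields."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("single AND rule", BOTH_IN_LIST), ("two rules", TWO_RULES)):
        print(label)
        for name, action in run(rules).items():
            print(f"  {name:20s} -> {action}")
```

Running it shows the single AND rule passing every realistic packet and only catching the artificial "both listed" one, while the two-rule set blocks the inbound-from-list and outbound-to-list packets and leaves ordinary traffic alone. Treat the rule-field names and the "any" wildcard as conventions of this toy model, not of pfSense's own rule representation.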
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.