Netgate Discussion Forum
    Why won't my firewall rules apply?!

General pfSense Questions
10 Posts 6 Posters 1.5k Views
pfRoss

      Hi guys,

      Having an absolute nightmare with this one.

      I can't seem to get my firewall rules to actually apply to a host.

No matter what rules I create, they don't seem to apply. Here is an example rule I created.

      These should work, right?

cmb

        Work to do what?

        Nothing on the LAN interface is going to match a destination of "LAN net" except traffic destined to the firewall itself, so that's probably not what you're wanting to do.

ptt (Rebel Alliance)

          https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

          https://doc.pfsense.org/index.php/Firewall_Rule_Basics

          https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

pfRoss

            @cmb:

            Work to do what?

            Nothing on the LAN interface is going to match a destination of "LAN net" except traffic destined to the firewall itself, so that's probably not what you're wanting to do.

            It's to block SSH on port 22.

            So I need to enter what into the destination field?

            And the IP in the 'single host or alias' field right?

ptt (Rebel Alliance)

              Block port 22, From: ? To ?

Derelict (LAYER 8 Netgate)

                Did you even look at those links?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

pfRoss

                  @ptt:

                  Block port 22, From: ? To ?

                  From literally everywhere. Inside and outside of the network.

                  @Derelict:

                  Did you even look at those links?

Yes, I did. However, I'm a visual learner. Once I have a couple that are working, I'll be able to understand more. I just need the first couple to grasp it.

cmb

                    Change the destination of the rule shown to any rather than LAN net, put it above any pass rules, and you'll be blocking all TCP 22 initiated from LAN.

johnpoz (LAYER 8 Global Moderator)

Going to ask a simple question: what are you trying to block – 22 (ssh) from where to where?

You can NOT keep clients on lan from talking to other clients on lan with the pfSense firewall, because clients don't talk to pfSense to talk to other clients on lan.

Not sure where you put a rule with dest lan net, but that's going to stop clients on lan.. Now if you put such a rule say on opt1 network then sure you could stop opt1 clients from talking to lan clients on 22.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

Harvy66

What johnpoz is trying to say is that pfSense can block traffic going through pfSense, but not traffic that only goes through the switch.

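To make the two answers above concrete (cmb's fix of "destination any, block above the pass rule", and johnpoz's and Harvy66's point that same-segment traffic never enters the firewall), here is a small Python model of pf-style first-match rule evaluation. This is an added example written for this page, not code from the thread or from pfSense; the subnets, firewall address and host addresses are constructed lab values, and the "not-seen" result stands in for a packet that the switch forwards directly between two LAN hosts.

```python
"""Toy first-match rule evaluator for the thread's two points (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Net = Union[ipaddress.IPv4Network, str]   # a network, or the literal "any"

# Constructed lab addressing; not taken from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")


@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: Net              # source network or "any"
    dst: Net              # destination network or "any"
    dport: Optional[int]  # None means any destination port


def _in(net: Net, ip: ipaddress.IPv4Address) -> bool:
    """True if ip is inside net, or net is the wildcard 'any'."""
    return net == "any" or ip in net


def matches(rule: Rule, proto: str, src, dst, dport: int) -> bool:
    return ((rule.proto == "any" or rule.proto == proto)
            and _in(rule.src, src) and _in(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, proto: str, src, dst, dport: int) -> str:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "block"


def decide(iface_net, rules, proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'pass', 'block', or 'not-seen' when the packet never reaches the firewall."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Two hosts on the same segment exchange frames via the switch; only traffic
    # addressed to the firewall itself, or leaving the segment, enters pf at all.
    if dst != FIREWALL_LAN_IP and src in iface_net and dst in iface_net:
        return "not-seen"
    return evaluate(rules, proto, src, dst, dport)


# Poster's situation: the default "LAN to any" pass sits above a block whose
# destination is "LAN net", so outbound SSH never reaches the block rule.
ORIGINAL_LAN_RULES = [
    Rule("pass", "any", LAN_NET, "any", None),
    Rule("block", "tcp", LAN_NET, LAN_NET, 22),
]
# cmb's fix: destination any, placed above the pass rule.
CORRECTED_LAN_RULES = [
    Rule("block", "tcp", LAN_NET, "any", 22),
    Rule("pass", "any", LAN_NET, "any", None),
]
# johnpoz's variant: on OPT1, a "destination LAN net" block does make sense.
OPT1_RULES = [
    Rule("block", "tcp", OPT1_NET, LAN_NET, 22),
    Rule("pass", "any", OPT1_NET, "any", None),
]

if __name__ == "__main__":
    cases = [
        ("original, LAN -> Internet:22", LAN_NET, ORIGINAL_LAN_RULES, "192.168.1.50", "203.0.113.5", 22),
        ("corrected, LAN -> Internet:22", LAN_NET, CORRECTED_LAN_RULES, "192.168.1.50", "203.0.113.5", 22),
        ("corrected, LAN -> LAN:22", LAN_NET, CORRECTED_LAN_RULES, "192.168.1.50", "192.168.1.60", 22),
        ("OPT1 -> LAN:22", OPT1_NET, OPT1_RULES, "192.168.2.7", "192.168.1.60", 22),
    ]
    for label, net, rules, s, d, port in cases:
        print(f"{label}: {decide(net, rules, 'tcp', s, d, port)}")
```

The model shows why the poster's rule appeared to do nothing: in the original order the pass rule matches first, and for host-to-host traffic inside the LAN the firewall is not on the path at all, so no LAN-interface rule can affect it. Moving the block above the pass and widening its destination to any is exactly cmb's change, and the OPT1 rule set is the case johnpoz describes where "destination LAN net" is meaningful.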
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.