PfBlockerNG DNSBL Virtual IP breaks the firewall rules (! Lan net)
-
Hi, BBCan77
I had a firewall rule to block OPT interface traffic to the LAN interface by using "! Lan net",
but your Virtual IP rule breaks any ! rule:
pass in quick on igb2 (OPT) inet from any to ! 192.168.1.0/24 flags S/SA keep state label "USER_RULE: 10/100Mbps LAN"
pass in quick on igb2 (OPT) inet from any to ! 10.10.10.1 flags S/SA keep state label "USER_RULE: 10/100Mbps LAN"
which means that all my OPT traffic can go through to LAN.
-
These are auto rules… You can customize those as you wish.. The pfBlockerNG package doesn't manage these "Auto Defined Rules"...
LAN Net will pick up all interfaces in the LAN Net automatically (that is the purpose of that Alias Name)…
Edit the "USER RULE: 10/100Mbps LAN"
and change the "Destination - LAN Net" to "Network - 192.168.1.0/24" and it will not add these auto rule settings for the DNSBL VIP…
You will have to add another Auto rule as required for the LAN networks to access the DNSBL VIP.
-
Well, what I don't get is that even after adding more interfaces into the LAN net, the !LAN net rule SHOULD BE OBEYED no matter what, but it's NOT. Like my rule, it's simple:
Allow OPT to access all non-LAN interfaces.
Adding one interface to LAN net breaks that simple rule and allows access to LAN?!?! That totally makes no sense at all.
-
LAN Net is an alias for any interface in the "LAN"… So when you use this alias it will create the same rule for each interface in that network... When you run the pfctl command, you can see the rules that it creates..
Go to "Firewall: Virtual IPs" and you will see which Virtual Interfaces are in which Network... DNSBL VIP is associated to the LAN network... So when you use "LAN NET" it will create the same rule for both the LAN interface (192.168.1.0/24) and the DNSBL VIP (10.10.10.1/32).
If you don't want to add the DNSBL VIP to this rule, do not use "LAN NET" instead use the particular Network address as stated above...
If you don't want the DNSBL VIP to listen on the LAN interface, you can change it to a different Listening Interface in the DNSBL Tab...
Just ensure that you have firewall rules to allow the appropriate Interfaces which should access the DNSBL VIP, or you will experience slowness in browsing due to browser timeouts...
-
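The disagreement above is about what a negated multi-member alias means once pfSense expands it into pf rules. The following is an added example, not code from the original thread, from pfSense or from pfBlockerNG: a small Python model of the two possible semantics for "! LAN net" once the alias holds both the LAN subnet and the DNSBL VIP, evaluated with pf-style first-match on all-quick rules and pfSense's implicit default deny. The alias contents, the interface name igb2 and the label are taken from the user's pfctl paste; the table name `<lan_nets>` is a made-up name for the whole-set form.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

IPNet = ipaddress.IPv4Network

# Constructed sample data (not from the page): the "LAN net" alias before and
# after pfBlockerNG adds the DNSBL Virtual IP to the LAN interface.
LAN_NET_BEFORE = ["192.168.1.0/24"]
LAN_NET_AFTER = ["192.168.1.0/24", "10.10.10.1/32"]


@dataclass
class Rule:
    action: str                                       # "pass" or "block"
    matches: Callable[[ipaddress.IPv4Address], bool]  # destination test
    text: str                                         # pf-style rendering for display


def _nets(members: Sequence[str]) -> List[IPNet]:
    return [ipaddress.ip_network(m) for m in members]


def per_member_negation(members: Sequence[str], label: str) -> List[Rule]:
    """The expansion the thread describes: '! LAN net' becomes one quick pass
    rule per alias member, each negating only its own member (an OR of the
    negations, since any one rule matching is enough to pass)."""
    rules = []
    for n in _nets(members):
        rules.append(Rule(
            "pass",
            lambda dst, n=n: dst not in n,
            f'pass in quick on igb2 inet from any to ! {n} label "{label}"',
        ))
    return rules


def whole_set_negation(members: Sequence[str], label: str) -> List[Rule]:
    """The semantics the user expected: a single rule that passes only when
    the destination is in none of the members (an AND of the negations), as a
    pf table negated in one rule ('to ! <lan_nets>', hypothetical name) does."""
    nets = _nets(members)
    return [Rule(
        "pass",
        lambda dst: not any(dst in n for n in nets),
        f'pass in quick on igb2 inet from any to ! <lan_nets> label "{label}"',
    )]


def evaluate(rules: Sequence[Rule], dst: str) -> str:
    """First-match evaluation for a ruleset in which every rule is 'quick';
    pfSense's implicit default deny applies when nothing matches."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(addr):
            return r.action
    return "block"


def compare(dst: str) -> Dict[str, str]:
    """Evaluate one OPT-to-dst packet against the three rulesets under discussion."""
    label = "USER_RULE: 10/100Mbps LAN"
    return {
        "before_pfblockerng": evaluate(per_member_negation(LAN_NET_BEFORE, label), dst),
        "after_expanded":     evaluate(per_member_negation(LAN_NET_AFTER, label), dst),
        "after_whole_set":    evaluate(whole_set_negation(LAN_NET_AFTER, label), dst),
    }


if __name__ == "__main__":
    for r in per_member_negation(LAN_NET_AFTER, "USER_RULE: 10/100Mbps LAN"):
        print(r.text)
    for dst in ("192.168.1.100", "10.10.10.1", "8.8.8.8"):
        print(dst, compare(dst))
```

Running it shows the effect the user reports: a LAN host such as 192.168.1.100 is blocked while the alias holds one network, but once the VIP is added the second expanded rule (`to ! 10.10.10.1`) matches it and passes the packet, whereas a rule that negates the whole set still blocks it. The practical check on a real box is the one the user already did, `pfctl -sr | grep USER_RULE`: if a negated destination renders as several rules, each negates only its own member, and the rule no longer expresses "not any of these". Whether a given pfSense alias renders as separate rules or as one pf table is something to confirm with that command rather than assume.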
What I meant is that the rule (!LAN net) should be implemented this way: !192.168.1.0/24 AND !10.10.10.1, but the way it's implemented now is: !192.168.1.0/24 OR !10.10.10.1. The former logic is right, the latter logic is wrong, and that is where the issue is.
When OPT accesses 192.168.1.100, because of the OR logic it returns PASS (true) rather than BLOCK/REJECT (false), which defeats the purpose of allowing OPT to access all interfaces except LAN.
-
This is not an issue for the pfBlockerNG package.
The design of "LAN net" rules is a base pfSense design, you already have another post about this. Not much more I can add to this for you.
-
So it's a loophole in pfSense? The way/logic it implements !XXX net is wrong?
But I still can't believe that a simple working firewall rule would be broken by just installing a package?!
-
You keep inferring that there is some issue with the package. There is not…
The issue is that you want a function in pfSense to work the way you think it should work, when in fact it's working the opposite way...
So stop trying to put a square peg into a round hole. "Insanity is doing the same thing over and over, and expecting a different result"....
-
I'm sorry I made you unhappy. I'm here because I just want a fix, not a workaround:
- Is 192.168.1.100 a part of LAN net? YES
- Is my firewall rule defined wrong: Allowing OPT access all interfaces except LAN? NO
- Should 192.168.1.100 be blocked by the rule: YES, BUT it's not blocking anymore.
Again, I'm sorry I made you feel so angry, but that's the issue I'm having. The rule was working perfectly until I installed your package, so of course I need to ask you about this first; if you think it's not your package's issue, then I will ask the pfSense team.