Blocks any traffic in the FORWARD chain



  • Hi everybody,

    I want to block any traffic in the FORWARD chain,
    like this: 'iptables -P FORWARD DROP'

    but I don't know how to do this in pfSense.
    thanks



  • By default PFS drops all traffic from the WAN side and allows all traffic from the LAN side. You don't say from where or how you want to drop packets, so I assume this is how you need it to be. Otherwise, you can remove the Default LAN -> any rule and put your own custom rules in place if that's what you mean.



  • thanks dear

    It means that traffic that comes from my (V)LANs and is not destined for the router (pfSense) itself will NOT be forwarded

    • traffic that comes from outside networks and is destined for machines on your (V)LANs will NOT be forwarded (even when NATting)
    • to 'get through' the router now, users have to enable the proxy settings in their OS / browsers (default port 3128)


  • There are no concepts of chains in pf. Just configure your firewall rules accordingly to allow traffic to the proxy and block everything else.



  • thanks

    How can I do this, to allow traffic to the proxy and block everything else?

    Can you please give me a tutorial?



  • Just add a rule above your Allow All rule on your LAN and VLANs that blocks access to ports 80/443.  You can either use two rules (one for each port), or create a port alias for 80 & 443 then create one rule that blocks access to that alias as the destination port.



  • thanks dear

    Can you send me a screenshot or a complete tutorial, because I am not very familiar with pfSense.

    thanks


  • Netgate

    SMH dear



  • 'iptables -P FORWARD DROP'

    I want to disable FORWARD Chain in Pfsense

    thanks





  • Everyone: The use of terms of endearment is common with speakers from the Middle East.  While they may appear out of place to us in a technical discussion, please don't mock them for it.

    N.Vakili: See the diagram where I have created an alias called Web_Ports that holds 80 & 443.  The rule is placed above the Default allow LAN to any rule.  The effect of this rule is to block all access to the standard web ports.
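    The rule set described in the two answers above (block 80/443 above the default allow rule, leave a path to the proxy), written out as a plain pf.conf fragment. This is an added example for readers who know pf syntax, not pfSense's generated ruleset and not a screenshot from the thread; pfSense builds its own rules from the GUI, so this is only the equivalent of what the GUI rules do. The interface name, LAN subnet and proxy port are assumptions.

```pf
# Added example: plain pf equivalent of the pfSense GUI rules discussed in
# this thread. Interface, subnet and port values are assumed, not from the page.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"

# Equivalent of the "Web_Ports" alias (80 & 443).
web_ports = "{ 80 443 }"

# pfSense evaluates interface rules first-match ("quick"), so the block rule
# must come before the general pass rule or it never fires.
# "return" sends a TCP RST so browsers fail fast instead of hanging.
block return in quick on $lan_if proto tcp from $lan_net to any port $web_ports

# Let LAN clients reach the proxy on the firewall's own LAN address
# (default Squid port 3128 as mentioned above; assumed here).
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port 3128

# The remaining "Default allow LAN to any" rule.
pass in quick on $lan_if from $lan_net to any
```

    Two caveats a practitioner should keep in mind: this only blocks the two standard web ports, so direct traffic on anything else (8080, DNS, SSH, and so on) still passes through the final rule, which is narrower than iptables' `FORWARD DROP`; if the goal really is "proxy only", drop the final pass rule and add explicit passes for whatever else the clients need. A hand-written fragment like this can be syntax-checked without loading it using `pfctl -nf /path/to/file` on a FreeBSD or pfSense shell.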




  • @KOM:

    Everyone: The use of terms of endearment is common with speakers from the Middle East.  While they may appear out of place to us in a technical discussion, please don't mock them for it.

    Noted. Though in truth I thought this was more a Google-translate error and was really gently mocking what I thought was a technical mishap on their part.