Internet Lockdown



  • Greetings!

    At times, I would like to BLOCK ALL Internet Activity from ALL LAN interfaces AND also from ALL INCOMING WAN CONNECTIONS.  In other words, I would like to implement a firewall rule that BLOCKS ALL INCOMING & OUTGOING Internet Traffic on ALL interfaces. Please note that I only want to disable Internet connectivity.  All LAN segments should still be able to communicate with each other as normal.

    For this, I thought if I created a BLOCK ALL FROM ANY TO ANY ON THE WAN INTERFACE, that would essentially do the job (please see the attached snapshot).  However, it seems like the "Block All" rule has no effect on the Internet connection.



  • Rules on the WAN interface affect traffic from the outside world destined for a client behind the pfSense box (on the LAN) or the pfSense box itself.

    If you have only one LAN port and all your LAN clients are connected to a switch/router that then feeds the pfSense LAN port you could physically unplug the pfSense box and your LAN segments would still talk to each other.

    pfSense rules are matched from top down, first match wins, so your disable rules would need to be at the top of your list.
    pfSense keeps state, so any existing connections would need to be flushed.

    The rule you show should block any new connections from anywhere that are destined for your WAN/LAN if it was at the top, enabled and you flushed existing states (under diagnostics).

    A similar rule on the LAN (and OPT) interface should prevent traffic from LAN going out;  I would put it under the "anti lockout rule" so you can get from LAN to the pfSense box itself.

    If you are using multiple LAN interfaces on your pfSense box, put the block everything rule under any rules that allow traffic between the LAN and OPT interfaces.
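
The behaviour described in the reply above (top-down first match, and existing states outliving a new block rule until they are flushed), as an added example that is not part of the original thread. It is a toy model in Python, not pf or pfSense code; the addresses, networks and rule layout are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Toy model of a stateful, first-match-wins filter (not pf/pfSense code).
# All networks and addresses below are constructed sample values.
LAN_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]

def is_local(dst):
    return any(ip_address(dst) in n for n in LAN_NETS)

class Firewall:
    def __init__(self, rules):
        self.rules = rules      # list of (action, match_fn), in top-down order
        self.states = set()     # established (src, dst) flows

    def packet(self, src, dst):
        # An existing state is honoured before the ruleset is consulted.
        if (src, dst) in self.states:
            return "pass (state)"
        for action, match in self.rules:
            if match(src, dst):            # first match wins
                if action == "pass":
                    self.states.add((src, dst))
                return action
        return "block"                     # nothing matched: default deny

    def flush_states(self):
        # Stand-in for resetting states under Diagnostics or `pfctl -F state`.
        self.states.clear()

PASS_LOCAL = ("pass", lambda s, d: is_local(d))   # LAN/OPT to LAN/OPT
PASS_ANY = ("pass", lambda s, d: True)            # default allow-out rule
BLOCK_ANY = ("block", lambda s, d: True)          # the lockdown rule

def demo():
    out = []
    fw = Firewall([PASS_LOCAL, PASS_ANY])
    out.append(fw.packet("192.168.1.10", "203.0.113.5"))   # normal operation
    # Lockdown: block rule placed under the inter-LAN pass, above pass-any.
    fw.rules = [PASS_LOCAL, BLOCK_ANY, PASS_ANY]
    out.append(fw.packet("192.168.1.10", "203.0.113.5"))   # old flow survives
    out.append(fw.packet("192.168.1.10", "198.51.100.7"))  # new flow is blocked
    fw.flush_states()
    out.append(fw.packet("192.168.1.10", "203.0.113.5"))   # blocked after flush
    out.append(fw.packet("192.168.1.10", "192.168.2.20"))  # LAN to LAN still passes
    return out

if __name__ == "__main__":
    print(demo())
```
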


  • LAYER 8 Netgate

    A floating rule to reject quick protocol any source any dest any on wan direction any.

    Or for people who think "stealth" is something worthwhile:

    A floating rule to block quick protocol any source any dest any on wan direction in
    A floating rule to reject quick protocol any source any dest any on wan direction out

    Enable/disable at will or put them on schedules.


  • Banned

    …and kill states to end all existing internet connects?


  • LAYER 8 Netgate

    If you care that much…


  • Banned

    Yep, I do, cause otherwise there is party all night long :-)



  • Thanks all for taking time to respond!

    Ideally, I would like to have a "set-it-&-forget-it" type of configuration.  In other words, nightly from 1am-6am, I would like all Internet activities halted without user intervention (ie: w/o manual states cleared from diag. menu).  My setup includes 3 LAN/OPT interfaces + WAN.

    Questions:

    • Would the above requirement need a custom script that is executed nightly via a cron job OR can pfSense GUI handle the "lockdown" scenario by itself via the firewall rules && Schedules?
    • Would it be best to define the firewall rules in the floating tab once instead of all the WAN + LAN interfaces?

    Cheers!


  • LAYER 8 Netgate

    Use scheduled pass rules to pass traffic when you want it passed. When the schedule terminates the states created by the rule will be killed.


  • Banned

    …or stay with the BLOCK rule and have a cron job for user ROOT one minute after the block becomes active

    /sbin/pfctl -F state

    works fine here...

    I never got it reliably running to kill states for some IPs only, since 2.2.x



  • Should the block rules be implemented using floating rules with WAN + All LAN interfaces OR should the rules be defined separately on each interface (ie: WAN + 3 LANs)?


  • Banned

    I have it on top of the respective LAN interface, one rule for every group of users/IPs with their respective schedule. Plus the cron job for sweeping states. One for each schedule.

    Why WAN? I don't accept anything on WAN…

