pfSense Rules

Hi All,

Question about pfSense rules. I know the processing of rules goes as follows.

  1. Floating Rules
  2. Interface Group Rules
  3. Interface Rules

I'm wondering if it's possible to have a general rule that blocks traffic from two interfaces but another rule (I guess an interface rule) that allows specific traffic from, say, one IP to another from one of those interfaces to another.

I tried experimenting a few months ago but was unsuccessful. I tried both floating rules and interface groups with some brief testing but didn't get the results I was looking for.

I was hoping to do this to avoid multiple blocking rules from one interface to another to make things cleaner.

Let me know if I need to provide any other info and thanks in advance.

Ghaz

I don’t think floating rules are applied first, maybe match and quick floating rules are but I know that in my firewall I have a reject everything rule at the top of the floating rules to change the default action of the firewall from block to reject. So that rule has to be processed last.

Alternatively, because the default action of the firewall is to block most block rules are redundant. So you can configure the rules to only have allow rules as everything not covered by those rules will be blocked.

I pulled this from pfSense's site. From the sounds of it, what I'm trying to do isn't feasible.

If you have allow any to any rules at the bottom of your interface rules, then having multiple blocking rules is probably the only way to do it, as a floating rule will either be processed before or after the allow any rule, which will break what you're trying to do.

But you can change your rules so that you don’t need the allow any to any rules and instead only allow the traffic you wish to allow, then all other traffic is blocked by default.

As an example these are (most of) my DMZ interface rules:

You’ll notice that there is only one block rule which is for pfblocker, yet all traffic from this interface to others is blocked except for specific hosts on specific ports.
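The two questions in this thread (whether a general block across two interfaces can coexist with a specific interface allow rule, and why an allow-any rule at the bottom of the interface tab defeats a floating block) both come down to how pf evaluates its ruleset. pf walks the rules top to bottom and the last matching rule wins, except that a rule marked quick ends evaluation as soon as it matches; pfSense lists floating rules first, then interface group rules, then interface rules, and marks every group and interface rule quick while floating rules are quick only when the box is checked. The following simulator is an added example written for this edit, not code from the thread or from the pfSense project; the interface names and the 10.0.x.x addresses are constructed, and the model simplifies by treating every rule as applying to traffic entering the listed interface.

```python
from dataclasses import dataclass

ANY = "any"
SCOPE_ORDER = {"floating": 0, "group": 1, "interface": 2}  # pfSense processing order


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    scope: str           # "floating", "group" or "interface"
    ifaces: tuple        # interfaces the rule is attached to (group = its members)
    src: str = ANY
    dst: str = ANY
    quick: bool = False  # only meaningful for floating rules (see evaluate)
    label: str = ""

    def matches(self, iface, src, dst):
        return (iface in self.ifaces
                and self.src in (ANY, src)
                and self.dst in (ANY, dst))


def evaluate(rules, iface, src, dst, default="block"):
    """Return (action, label) for a packet entering `iface`.

    Rules are visited floating -> group -> interface, keeping the listed order
    inside each tab (sorted() is stable).  pf semantics: the last matching rule
    wins unless a matching rule is quick, which stops evaluation on the spot.
    pfSense forces quick on group and interface rules; floating rules honour
    their own quick flag.  Nothing matching falls through to the default action.
    """
    winner = None
    for rule in sorted(rules, key=lambda r: SCOPE_ORDER[r.scope]):
        if not rule.matches(iface, src, dst):
            continue
        winner = rule
        if rule.quick or rule.scope != "floating":
            break
    return (default, "default") if winner is None else (winner.action, winner.label)


# Constructed ruleset pieces: LAN is 10.0.1.0/24, DMZ is 10.0.2.0/24 (hypothetical).
BLOCK_BOTH_QUICK = Rule("block", "floating", ("LAN", "DMZ"), quick=True, label="floating block (quick)")
BLOCK_BOTH = Rule("block", "floating", ("LAN", "DMZ"), label="floating block (not quick)")
ALLOW_HOST = Rule("pass", "interface", ("DMZ",), src="10.0.2.10", dst="10.0.1.5", label="DMZ host -> LAN host")
ALLOW_ANY_DMZ = Rule("pass", "interface", ("DMZ",), label="DMZ allow any to any")


def scenario_quick_floating_block():
    # A quick floating block matches first and ends evaluation: the specific allow never runs.
    return evaluate([BLOCK_BOTH_QUICK, ALLOW_HOST], "DMZ", "10.0.2.10", "10.0.1.5")[0]


def scenario_nonquick_floating_block():
    # A non-quick floating block is overridden by the later (quick) interface pass rule
    # for the one host, while every other source still ends on the block.
    rules = [BLOCK_BOTH, ALLOW_HOST]
    return (evaluate(rules, "DMZ", "10.0.2.10", "10.0.1.5")[0],
            evaluate(rules, "DMZ", "10.0.2.99", "10.0.1.5")[0])


def scenario_allow_any_at_bottom():
    # With allow-any on the interface tab, the floating block is overridden for everything.
    rules = [BLOCK_BOTH, ALLOW_HOST, ALLOW_ANY_DMZ]
    return evaluate(rules, "DMZ", "10.0.2.99", "10.0.1.5")[0]


def scenario_default_deny():
    # Only allow rules, as the second reply suggests: unmatched traffic hits the default block.
    return evaluate([ALLOW_HOST], "DMZ", "10.0.2.99", "10.0.1.5")


if __name__ == "__main__":
    print("quick floating block   :", scenario_quick_floating_block())
    print("non-quick floating block:", scenario_nonquick_floating_block())
    print("allow-any at bottom    :", scenario_allow_any_at_bottom())
    print("default deny           :", scenario_default_deny())
```

Running the four scenarios shows the trade-off under discussion: a quick floating block defeats the specific allow, a non-quick floating block only works as a general block if no broad pass rule sits later in the interface tab, and once the allow-any rule is removed the default block makes the general block rule unnecessary altogether.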