[SOLVED] Firewall rules not working

[macgvr]

I am having trouble getting the firewall rules to actually work. Trying to block outgoing traffic to a particular ip address but it doesn't seem to work. Attached is a screen shot of the rule I am trying to use. The gateway setting is default. Not sure what is wrong.

[macgvr]

I need to add that I am using the latest version, 16.1.13

[fabian]

Are your rules in the correct order? Block rules should be before the pass rules.
Because you want to block this host completely, you should block any protocol and not only TCP.

[macgvr]

The anti-lockout rule for the lan is first. Should that be moved?

[fabian]

no - the anti-lockout rule cannot be moved and it does not affect your issue.

Have you reloaded the filter rules and how do you test if it is working?

[macgvr]

At this point I have upgraded to the latest version and did a reboot afterward. I have tested by pinging the ip address. Since the ping still works I assume the rule isn't working. Not sure how to reload the filter rules.

[fabian]

A ping is usually an ICMP echo request which is not filtered by your rule because you filter only TCP.

[macgvr]

That makes sense. It appears that even choosing upd/tcp makes no difference.

[fabian]

Because ICMP is also not UDP traffic.

[macgvr]

Feeling a bit dense about now. I had forgotten that icmp is another protocol. Kind of just considered it to be something that used UDP. Not sure where that came from. It seems I am forgetting things I learned a very long time ago, kind of scary.  I now see that I can setup a rule to block icmp but it isn't really necessary in this case.  I have now tested using a web browser since the ip addresses were tied to websites and I figure by blocking both TCP and UDP, which I have now done, I should be covered for any unwanted traffic.  Thanks for your help.

[macgvr]

I looked at the settings for the rules a bit more and found that there is an any option for filtering protocols. I didn't notice it at first because it is way down the list. I actually thought there should be an any option but missed it. It might make sense to have the any at the top of the list instead of buried down where it is. Just a thought.

[franco]

Isn't that option selected by default when creating a new rule?

[macgvr]

It is but if you clone an existing rule then you have to go looking for it and that is where I missed it. It has been awhile since I created a rule from scratch and I forgot that the any option existed. My fault I suppose. Just thought that having that option always at the top of the list might be helpful.

[franco]

Right, ok, I will look into it.

[franco]

Done, thanks!

https://github.com/opnsense/core/commit/cc9cede6d8e