24.1 Production Series / Re: Question regarding rdr pass rule on WAN and filter rule on LAN
« on: May 02, 2024, 02:57:13 pm »
Thanks for the response but I still find the man pf.conf description not clear. Let me put it another way.
I see two interpretations - assuming always that the incoming connection from the WAN is redirected to the LAN interface.
(interpretation 1) With an rdr pass rule on my WAN interface:
incoming filter rule defined on my WAN interface will NOT be evaluated and
outgoing filter rule defined on my LAN interface will NOT be evaluated
(interpretation 2) With an rdr pass rule on my WAN interface:
incoming filter rule defined on my WAN interface will NOT be evaluated and
outgoing filter rule defined on my LAN interface WILL BE evaluated
Which is it?
I am asking the question because the plugin os-upnp creates rdr pass quick rules on WAN. If interpretation 1 is correct then I would be unable to filter in any way incoming traffic to the machine exposing its port to the internet. Unfortunately the plugin has no option to remove the "pass" keyword. The sort of filtering I am thinking of is blacklists/geographic restrictions which I prefer to have in my firewall and not implemented on each machine.
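For readers following the thread, the two rule shapes under discussion, written out in pf.conf syntax. This is an added illustration, not the poster's ruleset and not what os-upnp generates; the interface macros, the port, the internal host and the `<blocked>` table name are assumed. Per pf.conf(5), the `pass` modifier on a translation rule causes packets matching that rule to be passed without the filter rules being inspected, which is what the question hinges on; the second form drops the modifier so that an explicit filter rule, and therefore a blocklist table, applies to the redirected traffic.

```pf
# Constructed example (not from the original post): assumed macros and table
wan = "em0"
lan = "em1"
int_host = "192.0.2.10"       # documentation address, stands in for the LAN machine
table <blocked> persist file "/usr/local/etc/pf.blocked"   # assumed path for a blocklist

# Form 1: translation rule with the "pass" modifier (the shape the plugin emits).
# Matching packets are passed at translation time; the filter rules are not consulted.
rdr pass quick on $wan proto tcp from any to ($wan) port 8080 -> $int_host port 8080

# Form 2: translation without "pass", plus an explicit filter rule.
# Here the filter rule is evaluated, so sources in <blocked> can be rejected before the redirect is allowed.
rdr on $wan proto tcp from any to ($wan) port 8080 -> $int_host port 8080
block in quick on $wan from <blocked> to any
pass in quick on $wan proto tcp from any to $int_host port 8080
```

Note that in form 2 the filter rule matches the post-translation destination ($int_host), since pf applies rdr before filter evaluation on the inbound interface. Which form the plugin emits, and whether the LAN-side outbound rules still see the flow, is what the thread is asking; this listing only shows the syntax difference.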