OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: macgvr on May 13, 2016, 10:46:19 pm

Title: [SOLVED] Firewall rules not working
Post by: macgvr on May 13, 2016, 10:46:19 pm
I am having trouble getting the firewall rules to actually work. Trying to block outgoing traffic to a particular IP address, but it doesn't seem to work. Attached is a screenshot of the rule I am trying to use. The gateway setting is default. Not sure what is wrong.
Title: Re: Firewall rules not working
Post by: macgvr on May 13, 2016, 10:48:35 pm
I need to add that I am using the latest version, 16.1.13
Title: Re: Firewall rules not working
Post by: fabian on May 14, 2016, 07:23:58 pm
Are your rules in the correct order? Block rules should be before the pass rules.
Because you want to block this host completely, you should block any protocol and not only TCP.
Title: Re: Firewall rules not working
Post by: macgvr on May 16, 2016, 02:59:35 pm
The anti-lockout rule for the lan is first. Should that be moved?
Title: Re: Firewall rules not working
Post by: fabian on May 16, 2016, 10:21:06 pm
No, the anti-lockout rule cannot be moved and it does not affect your issue.

Have you reloaded the filter rules and how do you test if it is working?
Title: Re: Firewall rules not working
Post by: macgvr on May 16, 2016, 10:26:03 pm
At this point I have upgraded to the latest version and did a reboot afterward. I have tested by pinging the IP address. Since the ping still works, I assume the rule isn't working. Not sure how to reload the filter rules.
Title: Re: Firewall rules not working
Post by: fabian on May 16, 2016, 11:15:40 pm
A ping is usually an ICMP echo request which is not filtered by your rule because you filter only TCP.
Title: Re: Firewall rules not working
Post by: macgvr on May 17, 2016, 03:57:13 pm
That makes sense. It appears that even choosing UDP/TCP makes no difference.
Title: Re: Firewall rules not working
Post by: fabian on May 17, 2016, 06:18:16 pm
Because ICMP is also not UDP traffic.
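Added example, not from the thread and not OPNsense's or pf's own code: a small Python model of the first-match rule evaluation fabian describes above. It shows both points raised in this thread, that a block rule restricted to TCP (or TCP/UDP) never matches an ICMP echo request, and that a block rule placed below a pass-any rule is never reached. It assumes OPNsense's default first-match semantics (rules carry pf's `quick` flag, with an implicit deny at the end); the addresses, rule names, test packets and the simplified anti-lockout rule are all constructed for the example.

```python
"""Toy first-match packet filter: an added illustration, not OPNsense/pf code.

Assumption: rules are evaluated top to bottom and the first match wins, which is
how OPNsense rules behave by default (pf's `quick` flag), with an implicit deny
at the end. Addresses, rule names and the simplified anti-lockout rule are
constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for ICMP, which has no ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "tcp/udp", "icmp" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    name: str
    dports: Optional[FrozenSet[int]] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        # "tcp/udp" in the GUI means TCP or UDP; it still never matches ICMP.
        if self.proto != "any" and pkt.proto not in self.proto.split("/"):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "implicit default deny"


LAN = "192.168.1.0/24"          # constructed LAN
FIREWALL = "192.168.1.1/32"     # constructed firewall LAN address
TARGET = "203.0.113.10/32"      # constructed host to be blocked (TEST-NET-3)


def ruleset(block_proto: str, block_first: bool = True) -> List[Rule]:
    """LAN ruleset as in the thread: anti-lockout, one block rule, one pass-any rule."""
    anti_lockout = Rule("pass", "tcp", "0.0.0.0/0", FIREWALL,
                        "anti-lockout (pinned at top)", frozenset({22, 80, 443}))
    block = Rule("block", block_proto, LAN, TARGET, f"block {block_proto} to target")
    allow = Rule("pass", "any", LAN, "0.0.0.0/0", "pass LAN to any")
    return [anti_lockout, block, allow] if block_first else [anti_lockout, allow, block]


# Constructed test traffic from a LAN client to the target host.
PING = Packet("icmp", "192.168.1.50", "203.0.113.10")
HTTPS = Packet("tcp", "192.168.1.50", "203.0.113.10", 443)
DNS = Packet("udp", "192.168.1.50", "203.0.113.10", 53)


if __name__ == "__main__":
    variants = [("block tcp", ruleset("tcp")),
                ("block tcp/udp", ruleset("tcp/udp")),
                ("block any", ruleset("any")),
                ("block any, placed below the pass rule", ruleset("any", block_first=False))]
    for label, rules in variants:
        print(label)
        for pkt in (PING, HTTPS, DNS):
            print(f"  {pkt.proto:4} -> {evaluate(rules, pkt)}")
```

Running it shows why the ping test in the thread kept succeeding: with the block rule set to TCP, only the HTTPS packet is blocked and the ICMP echo falls through to the pass-any rule; with TCP/UDP, the DNS packet is blocked as well but the ping still passes; only a block rule with protocol "any", placed above the pass rule, blocks all three. The last variant shows the ordering point: the same "any" block rule placed below the pass-any rule is never reached. A ping therefore only tells you about ICMP; to verify a TCP block you need a TCP connection attempt to the host, which is what the browser test later in the thread does.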
Title: Re: Firewall rules not working
Post by: macgvr on May 17, 2016, 09:10:54 pm
Feeling a bit dense about now. I had forgotten that ICMP is another protocol. Kind of just considered it to be something that used UDP. Not sure where that came from. It seems I am forgetting things I learned a very long time ago, kind of scary. I now see that I can set up a rule to block ICMP, but it isn't really necessary in this case. I have now tested using a web browser, since the IP addresses were tied to websites, and I figure that by blocking both TCP and UDP, which I have now done, I should be covered for any unwanted traffic. Thanks for your help.
Title: Re: [SOLVED] Firewall rules not working
Post by: macgvr on May 18, 2016, 06:42:48 pm
I looked at the settings for the rules a bit more and found that there is an any option for filtering protocols. I didn't notice it at first because it is way down the list. I actually thought there should be an any option but missed it. It might make sense to have the any at the top of the list instead of buried down where it is. Just a thought.
Title: Re: [SOLVED] Firewall rules not working
Post by: franco on May 18, 2016, 07:34:02 pm
Isn't that option selected by default when creating a new rule?
Title: Re: [SOLVED] Firewall rules not working
Post by: macgvr on May 18, 2016, 07:43:19 pm
It is, but if you clone an existing rule then you have to go looking for it, and that is where I missed it. It has been a while since I created a rule from scratch and I forgot that the any option existed. My fault, I suppose. Just thought that having that option always at the top of the list might be helpful.
Title: Re: [SOLVED] Firewall rules not working
Post by: franco on May 18, 2016, 07:44:23 pm
Right, ok, I will look into it. :)
Title: Re: [SOLVED] Firewall rules not working
Post by: franco on May 18, 2016, 07:47:44 pm
Done, thanks!

https://github.com/opnsense/core/commit/cc9cede6d8e
Title: Re: [SOLVED] Firewall rules not working
Post by: macgvr on May 18, 2016, 08:52:15 pm
That was really fast. Thanks!