Firewall Rules Behavior Between Interfaces Question

Started by joebb, May 03, 2025, 03:06:05 PM

Hi there,

I did my best to find an answer to this question, so apologies if it's been asked before. I also read the guide on Rules on the docs page.

Let's say I have two interfaces, A and B, on distinct non-overlapping subnets, each with their own Interface rules (no rule groups or anything like that).

And let's say all of A's interface rules start with Source = A net. And let's say B's interface rules also say Source = A net

If I send traffic from A to B, and none of A's rules match, yet one of B's rules matches, does B's matching rule get run at all? What about if B's rule says Source = *?

Thanks in advance!

Quote from: joebb on May 03, 2025, 03:06:05 PM
If I send traffic from A to B, and none of A's rules match, yet one of B's rules matches, does B's matching rule get run at all? What about if B's rule says Source = *?

Rules assigned to an interface direction "in" are only applied to packets arriving on that interface regardless of the addresses used in the rules.

So a rule on interface B will never be applied to a packet arriving at interface A.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi Patrick,

Thanks for the answer.

Ok, I think I understand.

So for interface rules, when using Source Address = * it is basically the same as Source Address = Interface net? I'm curious if a client can fake its source address and bypass the Source Address = * rule. They obviously wouldn't be able to see replies, but some DDoS attacks are based on setting a source IP address to a different machine's IP so that it gets spammed.

Quote from: joebb on May 03, 2025, 06:21:34 PM
So for interface rules, when using Source Address = * it is basically the same as Source Address = Interface net?
Not quite, because there could be a router downstream. * is any, Interface_net is the interface's subnet.

Quote from: joebb on May 03, 2025, 06:21:34 PM
I'm curious if a client can fake its source address and bypass the Source Address = * rule. They obviously wouldn't be able to see replies, but some DDoS attacks are based on setting a source IP address to a different machine's IP so that it gets spammed.
I'm not sure what you have in mind. * is any, hard to bypass.

If you use source = any in an interface "in" rule, any client can use any source address it wants, even one not on the interface in question.

If you use source = IF net that's not possible.
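To make the matching behaviour described in this thread concrete, here is an added Python model of direction-in interface rules (example code written for this page, not OPNsense or pf code). It assumes a constructed lab topology with interface A on 10.0.1.0/24 and B on 10.0.2.0/24, and first-match evaluation, which is what OPNsense's default "quick" setting gives you.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab topology: interfaces A and B on distinct, non-overlapping subnets.
IFACE_NET = {"A": ip_network("10.0.1.0/24"), "B": ip_network("10.0.2.0/24")}


@dataclass
class Rule:
    iface: str        # interface the rule is assigned to (direction "in")
    action: str       # "pass" or "block"
    src: str          # "*" for any, or "<iface> net" for that interface's subnet
    dst: str = "*"


def addr_matches(spec: str, ip: str) -> bool:
    """'*' matches everything; '<iface> net' matches that interface's subnet."""
    if spec == "*":
        return True
    return ip_address(ip) in IFACE_NET[spec.removesuffix(" net")]


def evaluate(rules: list[Rule], in_iface: str, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of direction-in rules (assumes every rule is
    'quick', the OPNsense default). Only rules assigned to the interface the
    packet ARRIVES on are consulted; rules on any other interface are skipped
    entirely. If nothing matches, the implicit default deny applies."""
    for rule in rules:
        if rule.iface != in_iface:
            continue          # B's rules never see a packet arriving on A
        if addr_matches(rule.src, src_ip) and addr_matches(rule.dst, dst_ip):
            return rule.action
    return "block"            # implicit default deny


# Scenario from the thread: A's rule uses "A net", B's rule uses source "*".
RULES = [Rule("A", "pass", "A net", "B net"), Rule("B", "pass", "*")]

# Legitimate host on A talking to B: A's own rule matches.
assert evaluate(RULES, "A", "10.0.1.20", "10.0.2.10") == "pass"
# Spoofed source arriving on A: A's "A net" rule does not match, and B's
# source=* rule is never consulted because the packet did not arrive on B.
assert evaluate(RULES, "A", "203.0.113.7", "10.0.2.10") == "block"
# Same spoofed packet with A's rule relaxed to source=*: it is now accepted,
# which is why "IF net" is the safer choice when no downstream router exists.
assert evaluate([Rule("A", "pass", "*")], "A", "203.0.113.7", "10.0.2.10") == "pass"
```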

Got it, that all makes sense. Thanks for the answers!