Good morning to all. I am slightly confused about an aspect. Here is the scenario.

Relevant details:

Version 2.4.2-RELEASE (amd64)
built on Mon Nov 20 08:12:56 CST 2017
FreeBSD 11.1-RELEASE-p4

Hardware:
Vendor: Dell Inc.
Version: A15
Release Date: Mon Aug 12 2013

I am trying to create a floating rule that would allow SSH incoming connections from a bunch of IPs (table: safeSources) to the various public IPs/interfaces attached to the pfSense box itself. I am looking at two interfaces here, em0 and em5.

If I create a floating rule and select more than one interface with a public IP on it, the generated rules are like (taken from pfctl -sa):

anchor "userrules/*" all
pass in log quick on em0 inet proto tcp from <safeSources> to (self) port = ssh flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em0 inet proto tcp from <safeSources> to (self) port = https flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em5 inet proto tcp from <safeSources> to (self) port = ssh flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em5 inet proto tcp from <safeSources> to (self) port = https flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in quick on lagg0 inet from 192.168.0.0/23 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
anchor "tftp-proxy/*" all
No queue in use

If I do the same, but select only one interface, then the rules are like (again, from pfctl -sa):

anchor "userrules/*" all
pass in log quick on em5 reply-to (em5 1.2.3.4) inet proto tcp from <safeSources> to (self) port = ssh flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em5 reply-to (em5 1.2.3.4) inet proto tcp from <safeSources> to (self) port = https flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in quick on lagg0 inet from 192.168.0.0/23 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
anchor "tftp-proxy/*" all
No queue in use

and

anchor "userrules/*" all
pass in log quick on em0 reply-to (em0 5.6.7.8) inet proto tcp from <safeSources> to (self) port = ssh flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em0 reply-to (em0 5.6.7.8) inet proto tcp from <safeSources> to (self) port = https flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in quick on lagg0 inet from 192.168.0.0/23 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
anchor "tftp-proxy/*" all
No queue in use

respectively.

Now, if I select multiple interfaces, since there is no reply-to on the rule, I am unable to communicate with the pfSense box from outside. Which makes me wonder, am I misunderstanding the purpose/functionality of floating rules entirely? I know one good thing about them is to be able to add "quick" so the rules are checked before other interface-bound ones, but is this also not a feature (i.e., put the same rule for multiple interfaces in one go)?

Would appreciate it if someone could please shed some light on this.

Thanks and regards

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
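The post's observation is that the multi-interface floating rule is emitted without `reply-to`, and the single-interface variant with it. An operator can catch that difference mechanically after every rule change by linting the `pfctl -sa` output for `pass in` rules that terminate on the firewall (`to (self)`) on a public-facing interface but carry no `reply-to`. The script below is an added example, not code from the original post or from pfSense: the sample rule text is constructed from the rules quoted above (the 1.2.3.4 / 5.6.7.8 addresses are the post's own placeholders), and the set of interfaces treated as WAN (`em0`, `em5`) is an assumption you would replace with your own.

```python
"""Lint pfctl -sa output for pass-in rules to (self) on WAN interfaces
that lack a reply-to.

Added example, not from the original post or the pfSense project.
Assumptions: WAN_INTERFACES below is the operator's list of interfaces
holding public addresses; the rule text is constructed from the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumption: interfaces with public IPs, where asymmetric replies matter.
WAN_INTERFACES: Set[str] = {"em0", "em5"}

# Matches "pass in [log] [quick] on <iface> ..." and captures the interface.
PASS_IN_RE = re.compile(r"^pass\s+in\b.*?\bon\s+(?P<iface>\S+)")
PORT_RE = re.compile(r"\bport = (\S+)")
LABEL_RE = re.compile(r'label "([^"]*)"')


@dataclass
class Finding:
    iface: str
    port: Optional[str]
    label: Optional[str]
    line: str


def find_missing_reply_to(rules_text: str,
                          wan_ifaces: Set[str] = WAN_INTERFACES) -> List[Finding]:
    """Return every 'pass in' rule on a WAN interface that accepts traffic
    to (self) but has no reply-to clause, in rule order."""
    findings: List[Finding] = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = PASS_IN_RE.match(line)
        if not m:
            continue                       # anchors, "No queue in use", etc.
        iface = m.group("iface")
        if iface not in wan_ifaces:
            continue                       # LAN-side rules are not the concern
        if "to (self)" not in line:
            continue                       # only rules terminating on the box
        if "reply-to" in line:
            continue                       # already pinned to its interface
        port = PORT_RE.search(line)
        label = LABEL_RE.search(line)
        findings.append(Finding(iface,
                                port.group(1) if port else None,
                                label.group(1) if label else None,
                                line))
    return findings


# Constructed sample: the multi-interface floating rule from the post.
MULTI_IFACE_RULES = """\
anchor "userrules/*" all
pass in log quick on em0 inet proto tcp from <safeSources> to (self) port = ssh flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em0 inet proto tcp from <safeSources> to (self) port = https flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em5 inet proto tcp from <safeSources> to (self) port = ssh flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em5 inet proto tcp from <safeSources> to (self) port = https flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in quick on lagg0 inet from 192.168.0.0/23 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
anchor "tftp-proxy/*" all
No queue in use
"""

# Constructed sample: the single-interface (em5) variant, which has reply-to.
SINGLE_IFACE_RULES = """\
anchor "userrules/*" all
pass in log quick on em5 reply-to (em5 1.2.3.4) inet proto tcp from <safeSources> to (self) port = ssh flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in log quick on em5 reply-to (em5 1.2.3.4) inet proto tcp from <safeSources> to (self) port = https flags S/SA keep state label "USER_RULE: allow portsMGMT from safeSources"
pass in quick on lagg0 inet from 192.168.0.0/23 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
anchor "tftp-proxy/*" all
No queue in use
"""


def report(rules_text: str) -> List[str]:
    """One human-readable line per finding, for a post-change check."""
    return [f"{f.iface} port={f.port} no reply-to: {f.label}"
            for f in find_missing_reply_to(rules_text)]


if __name__ == "__main__":
    # In practice: pfctl -sa | python3 this_script.py  (read sys.stdin instead)
    for name, text in (("multi-interface", MULTI_IFACE_RULES),
                       ("single-interface", SINGLE_IFACE_RULES)):
        print(f"== {name} ==")
        print("\n".join(report(text)) or "(no findings)")
```

Run against live output, feed `pfctl -sa` through stdin instead of the constructed samples; a non-empty report after saving a floating rule is the cue to check whether the rule was generated for more than one WAN interface, which is exactly the case the post describes.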