> On Dec 24, 2017, at 10:08 AM, Matthew Hall <mh...@mhcomputing.net> wrote:
> 
> 
>> On Dec 24, 2017, at 9:45 AM, Chris L <c...@viptalk.net> wrote:
>> 
>> Not a bug. That is by design. Create the rules to pass the traffic you need 
>> to pass on OPTX interfaces after you create them.
> 
> That's inconsistent with the LAN interface which has secret undocumented 
> default rules that allow self traffic to the firewall from the interface 
> network segment by default. To me this inconsistency does feel like a bug. 

There is nothing secret or undocumented about them. There is a pass any any any 
rule on LAN created by the installer because that is what most people need to 
get up and running. If you deleted LAN and recreated it you would have no 
rules. The rule is right there in Firewall > Rules, LAN. Not a bug.

Other automatically-installed rules include passing DHCP traffic when a DHCP 
server is enabled and passing IKE, ESP, and NAT-T when IPsec is enabled on an 
interface. There are also rules for required ICMPv6 etc.

All rules are visible at all times in /tmp/rules.debug and by running pfctl -sr.

> 
>>> Again, not a bug.
> 
> There's a long open bug for it actually:
> 
> https://redmine.pfsense.org/issues/5826
> 
> It will break your configuration whenever you configure IPSec between an OPT* 
> and a remote destination whose CIDR block happens to be a superset of your 
> interface CIDR block and you have been using any local service like DNS, 
> HTTPS, SSH, etc. on the firewall. The traffic will be misrouted through the 
> tunnel due to missing logic for bypassing the firewall self traffic from the 
> tunnel. 
> 
> Matthew.

That is a specific edge case that is rarely a factor. There is certainly room 
for improvement regarding the bypasslan functionality in IPsec.

> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

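As an added example, not code from this thread or from the pfSense project, the following Python script checks the two points discussed above on a config you feed it: which pf interfaces actually carry an inbound pass rule (as seen in `pfctl -sr`), and which interface subnets are a subset of an IPsec phase 2 remote network, the condition under which firewall-local services reached via that interface's address fall inside the tunnel policy. The interface names, pf device names, subnets, phase 2 networks and the `pfctl -sr`-style lines are all constructed for the illustration; the assumption that only LAN is covered by the bypass follows the thread's "bypasslan" wording and is marked as such in the code.

```python
import ipaddress
import re

# Constructed sample config (not from any real pfSense box): pfSense
# interface name -> pf device name and interface subnet.
INTERFACES = {
    "LAN":  {"pfif": "em1", "subnet": "192.168.1.0/24"},
    "OPT1": {"pfif": "em2", "subnet": "10.20.30.0/24"},
    "OPT2": {"pfif": "em3", "subnet": "172.16.5.0/24"},
}

# Constructed sample: remote networks of the IPsec phase 2 entries.
PHASE2_REMOTE_NETWORKS = ["10.0.0.0/8", "192.168.100.0/24"]

# Constructed sample in the shape of `pfctl -sr` output. Only the "pass in"
# lines matter here; the block line is included to show it is ignored.
PFCTL_SR = """\
pass in quick on em1 inet from any to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em3 inet proto tcp from 172.16.5.0/24 to 172.16.5.1 port = 443 flags S/SA keep state label "USER_RULE: OPT2 webgui"
block drop in log quick on em2 inet from any to any label "Default deny rule IPv4"
"""

# Matches "pass in [log] [quick] on <ifname> ..." and captures the pf device.
PASS_IN_RE = re.compile(r"^pass\s+in\s+(?:(?:log|quick)\s+)*on\s+(\S+)\s")


def pass_in_interfaces(pfctl_output):
    """Return the set of pf device names that carry at least one inbound pass rule."""
    found = set()
    for line in pfctl_output.splitlines():
        m = PASS_IN_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def tunnel_shadows_interface(subnet, remote_nets):
    """Return the phase 2 remote networks that contain (or equal) the interface subnet.

    Traffic from the interface subnet to the interface address lies inside such a
    remote network, so without a bypass policy it is a candidate for the tunnel.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    shadowing = []
    for remote in remote_nets:
        rnet = ipaddress.ip_network(remote, strict=False)
        if rnet.version == net.version and rnet.supernet_of(net):
            shadowing.append(remote)
    return shadowing


def audit(interfaces, remote_nets, pfctl_output, bypassed=("LAN",)):
    """Per interface: does it have an inbound pass rule, and does a tunnel policy shadow it?

    `bypassed` names the interfaces assumed to be covered by the IPsec bypass
    (assumption: only LAN, following the thread's "bypasslan" wording).
    """
    has_pass = pass_in_interfaces(pfctl_output)
    report = {}
    for name, cfg in interfaces.items():
        shadowed = tunnel_shadows_interface(cfg["subnet"], remote_nets)
        report[name] = {
            "pass_rule": cfg["pfif"] in has_pass,
            "shadowed_by": shadowed,
            # Needs attention: a shadowing phase 2 exists and no bypass covers it.
            "needs_bypass": name not in bypassed and bool(shadowed),
        }
    return report


if __name__ == "__main__":
    for name, info in audit(INTERFACES, PHASE2_REMOTE_NETWORKS, PFCTL_SR).items():
        flag = "CHECK" if info["needs_bypass"] else "ok"
        print(f"{name:5} pass_rule={info['pass_rule']!s:5} "
              f"shadowed_by={info['shadowed_by']} [{flag}]")
```

On a live box the `PFCTL_SR` string would be replaced by the actual `pfctl -sr` output and the subnets and phase 2 networks by the real ones; in the constructed data OPT1 is the interesting case: its subnet 10.20.30.0/24 sits inside the 10.0.0.0/8 phase 2 network and it has no inbound pass rule at all, so both of the thread's points apply to it at once.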