Re: [pfSense] Limiter on LAN side not applying to NATted connection
Because of problems like this I prefer to use FreeBSD or OpenBSD; this scenario is easy to configure.

2017-04-19 16:43 GMT-03:00 Steve Yates:

> https://doc.pfsense.org/index.php/Limiters#Known_limitations
>
> "On pfSense 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. Bug #4326"
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
> Sent: Wednesday, April 19, 2017 2:33 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Limiter on LAN side not applying to NATted connection
>
> On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates wrote:
> > I suppose. From the states/traffic recorded next to each rule, it looks like the WAN firewall rule applies and the LAN firewall rule does not. Per the docs WAN side limiters will work (again?) in pfSense 2.4 but not 2.2-2.3.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > > Steve,
> > >
> > > Is this an ingress vs egress question?
> > >
> > > http://pfsensesetup.com/egress-filtering-with-pfsense/
> > >
> > > That is if you are trying to limit something 'in' you would need to put the rule on the WAN side?
>
> I do not know about the docs but since it is a single TCP stream in will not just the WAN rule apply?
>
> What docs are you talking about? I would figure limiters would work on any interface.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Limiter on LAN side not applying to NATted connection
https://doc.pfsense.org/index.php/Limiters#Known_limitations

"On pfSense 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. Bug #4326"

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Wednesday, April 19, 2017 2:33 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Limiter on LAN side not applying to NATted connection

On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates wrote:
> I suppose. From the states/traffic recorded next to each rule, it looks like the WAN firewall rule applies and the LAN firewall rule does not. Per the docs WAN side limiters will work (again?) in pfSense 2.4 but not 2.2-2.3.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> > Steve,
> >
> > Is this an ingress vs egress question?
> >
> > http://pfsensesetup.com/egress-filtering-with-pfsense/
> >
> > That is if you are trying to limit something 'in' you would need to put the rule on the WAN side?

I do not know about the docs but since it is a single TCP stream in will not just the WAN rule apply?

What docs are you talking about? I would figure limiters would work on any interface.
Re: [pfSense] Limiter on LAN side not applying to NATted connection
On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates wrote:
> I suppose. From the states/traffic recorded next to each rule, it looks like the WAN firewall rule applies and the LAN firewall rule does not. Per the docs WAN side limiters will work (again?) in pfSense 2.4 but not 2.2-2.3.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> > Steve,
> >
> > Is this an ingress vs egress question?
> >
> > http://pfsensesetup.com/egress-filtering-with-pfsense/
> >
> > That is if you are trying to limit something 'in' you would need to put the rule on the WAN side?

I do not know about the docs but since it is a single TCP stream in will not just the WAN rule apply?

What docs are you talking about? I would figure limiters would work on any interface.
Re: [pfSense] Limiter on LAN side not applying to NATted connection
I suppose. From the states/traffic recorded next to each rule, it looks like the WAN firewall rule applies and the LAN firewall rule does not. Per the docs WAN side limiters will work (again?) in pfSense 2.4 but not 2.2-2.3.

--

Steve Yates
ITS, Inc.

> Steve,
>
> Is this an ingress vs egress question?
>
> http://pfsensesetup.com/egress-filtering-with-pfsense/
>
> That is if you are trying to limit something 'in' you would need to put the rule on the WAN side?
Re: [pfSense] Limiter on LAN side not applying to NATted connection
On Tue, Apr 18, 2017 at 8:02 PM, Steve Yates wrote:
> I understand it's ideal to have limiters on the sending end. It's a long story but I'm trying to set them on the receiving end of an rsync copy.
>
> I understand in 2.2-2.3 one should have them on the LAN interface. This is on 2.3.3_1.
>
> In this scenario the remote server is x.x.x.x and the LAN computer is 10.1.2.12:22, and we have a NAT rule forwarding port to 22.
>
> Firewall rule:
> IPv4 TCP/UDP  x.x.x.x  *  10.1.2.12  22 (SSH)
> Two limiters are set on in/out.
> This firewall rule shows zero traffic in or out. No other firewall rules show traffic from * to LAN.
>
> Diagnostics/States shows:
> LAN tcp x.x.x.x:46098 -> 10.1.2.12:22 (and shows traffic)
>
> Is the rule+limiter not being applied because the port is NATted to 22? Or because the NAT happens on the WAN side and the LAN rule isn't even used?
>
> Thanks,
>
> Steve Yates
> ITS, Inc.

Steve,

Is this an ingress vs egress question?

http://pfsensesetup.com/egress-filtering-with-pfsense/

That is if you are trying to limit something 'in' you would need to put the rule on the WAN side?
[pfSense] Limiter on LAN side not applying to NATted connection
I understand it's ideal to have limiters on the sending end. It's a long story but I'm trying to set them on the receiving end of an rsync copy.

I understand in 2.2-2.3 one should have them on the LAN interface. This is on 2.3.3_1.

In this scenario the remote server is x.x.x.x and the LAN computer is 10.1.2.12:22, and we have a NAT rule forwarding port to 22.

Firewall rule:
IPv4 TCP/UDP  x.x.x.x  *  10.1.2.12  22 (SSH)
Two limiters are set on in/out.
This firewall rule shows zero traffic in or out. No other firewall rules show traffic from * to LAN.

Diagnostics/States shows:
LAN tcp x.x.x.x:46098 -> 10.1.2.12:22 (and shows traffic)

Is the rule+limiter not being applied because the port is NATted to 22? Or because the NAT happens on the WAN side and the LAN rule isn't even used?

Thanks,

Steve Yates
ITS, Inc.
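The symptom in Steve's original post (a port forward on WAN, a LAN-tab rule carrying limiters that records zero traffic, while Diagnostics/States shows the flow) can be reasoned about with a small model of stateful first-match filtering. The Python below is an added illustration written for this page; it is not pfSense or pf code and does not reproduce their internals. Its semantics are assumptions, labelled in the comments: a port forward rewrites the destination before filtering, the state table is consulted before the ruleset, the first matching pass rule creates the state, and an interface-tab rule filters packets entering that interface. The remote address 203.0.113.10, the WAN address 198.51.100.2 and the public port 2222 are constructed stand-ins for values the thread elides (x.x.x.x and the forwarded port).

```python
"""Toy model of stateful first-match filtering for a port-forwarded flow.

Added example for this thread, not pfSense or pf code.  Assumed semantics:
  - a port forward rewrites dst on WAN-in before any filtering,
  - state lookup happens before rule evaluation,
  - the first matching pass rule increments its counter and creates a state,
  - an interface tab's rules see packets entering that interface ("in").
"floating" states match on any interface; "if-bound" ones only on the
interface that created them.  Both are modelled so the difference is visible.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on: "wan" or "lan"
    direction: str    # "in" or "out" relative to that interface
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    iface: str
    direction: str
    src: str                 # "*" matches any address
    dst: str
    dport: Optional[int]     # None matches any port
    packets: int = 0         # per-rule counter, like the traffic column in the GUI

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface and p.direction == self.direction
                and self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.dport in (None, p.dport))


class StatefulFilter:
    def __init__(self, rules: List[Rule],
                 forwards: Dict[Tuple[str, int], Tuple[str, int]],
                 policy: str = "floating") -> None:
        self.rules = rules
        self.forwards = forwards          # (wan_ip, public_port) -> (lan_ip, port)
        self.policy = policy
        self.states: Dict[tuple, int] = {}

    def _key(self, p: Packet) -> tuple:
        endpoints = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        scope = p.iface if self.policy == "if-bound" else "any"
        return (scope, endpoints)

    def process(self, p: Packet) -> str:
        # Assumed: the port forward rewrites the destination before filtering.
        if p.iface == "wan" and p.direction == "in":
            target = self.forwards.get((p.dst, p.dport))
            if target is not None:
                p = replace(p, dst=target[0], dport=target[1])
        # Assumed: existing state wins before any rule is consulted.
        key = self._key(p)
        if key in self.states:
            self.states[key] += 1
            return "state"
        # First matching rule counts the packet and creates the state.
        for rule in self.rules:
            if rule.matches(p):
                rule.packets += 1
                self.states[key] = 1
                return rule.name
        return "drop"


REMOTE = "203.0.113.10"   # constructed stand-in for the thread's x.x.x.x
WAN_IP = "198.51.100.2"   # constructed firewall WAN address
LAN_HOST = "10.1.2.12"    # from the thread
PUBLIC_PORT = 2222        # constructed; the thread elides the forwarded port


def run_scenario(policy: str) -> Dict[str, int]:
    """Replay the first packets of the forwarded SSH flow; return rule counters."""
    rules = [
        Rule("wan-portforward", "wan", "in", "*", LAN_HOST, 22),   # rule tied to the NAT entry
        Rule("lan-limiter", "lan", "in", REMOTE, LAN_HOST, 22),    # the thread's LAN-tab rule
        Rule("lan-out-default", "lan", "out", "*", "*", None),
        Rule("wan-out-default", "wan", "out", "*", "*", None),
    ]
    fw = StatefulFilter(rules, {(WAN_IP, PUBLIC_PORT): (LAN_HOST, 22)}, policy)
    flow = [  # constructed packet sequence, reverse NAT on WAN-out omitted
        Packet("wan", "in", REMOTE, 46098, WAN_IP, PUBLIC_PORT),  # SYN arrives on WAN
        Packet("lan", "out", REMOTE, 46098, LAN_HOST, 22),        # same SYN leaves toward the host
        Packet("lan", "in", LAN_HOST, 22, REMOTE, 46098),         # SYN/ACK enters on LAN
        Packet("wan", "out", LAN_HOST, 22, REMOTE, 46098),        # SYN/ACK leaves on WAN
        Packet("wan", "in", REMOTE, 46098, WAN_IP, PUBLIC_PORT),  # ACK / first data
    ]
    decisions = [fw.process(p) for p in flow]
    counters = {r.name: r.packets for r in rules}
    counters["state-hits"] = decisions.count("state")
    return counters


def compare_policies() -> Dict[str, Dict[str, int]]:
    return {policy: run_scenario(policy) for policy in ("floating", "if-bound")}


if __name__ == "__main__":
    for policy, counters in compare_policies().items():
        print(policy, counters)
```

Under both state policies the `lan-limiter` counter stays at zero: the flow's first packet is only ever seen entering WAN, where the port forward's own rule consumes it and creates the state, and the packets that do enter LAN are the host's replies, whose source is 10.1.2.12 rather than the remote address the LAN rule names. The model is only a sketch of the thread's question ("the NAT happens on the WAN side and the LAN rule isn't even used?"), but it shows the check that matters when a limiter appears inert: compare the per-rule counters with the state table, and ask which rule could have matched the first packet of the flow on the interface it actually entered.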