Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-20 Thread Patrick Müller
Because of problems like this I prefer to use FreeBSD or OpenBSD; this
scenario is easy to configure.

2017-04-19 16:43 GMT-03:00 Steve Yates :

> https://doc.pfsense.org/index.php/Limiters#Known_limitations
>
> "On pfSense 2.2 and 2.3, limiters cannot be used on firewall rules
> residing on interfaces where NAT applies. This limits their use to LAN-type
> interfaces only, and not WANs, in most circumstances. This has been fixed
> on pfSense 2.4. Bug #4326"
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
> Sent: Wednesday, April 19, 2017 2:33 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] Limiter on LAN side not applying to NATted
> connection
>
> On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates  wrote:
>
> > I suppose.  From the states/traffic recorded next to each rule, it
> > looks like the WAN firewall rule applies and the LAN firewall rule does
> > not.  Per the docs WAN side limiters will work (again?) in pfSense 2.4 but
> > not 2.2-2.3.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> >
> > Steve,
> >
> > Is this an ingress vs egress question?
> >
> > http://pfsensesetup.com/egress-filtering-with-pfsense/
> >
> > That is if you are trying to limit something 'in' you would need to put the
> > rule on the WAN side?
> >
> >
> > ___
> >
>
> I do not know about the docs but since it is a single TCP stream in will
> not just the WAN rule apply?
>
> What docs are you talking about?  I would figure limiters would work on any
> interface.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread Steve Yates
https://doc.pfsense.org/index.php/Limiters#Known_limitations

"On pfSense 2.2 and 2.3, limiters cannot be used on firewall rules residing on 
interfaces where NAT applies. This limits their use to LAN-type interfaces 
only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. 
Bug #4326"

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Wednesday, April 19, 2017 2:33 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] Limiter on LAN side not applying to NATted connection

On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates  wrote:

> I suppose.  From the states/traffic recorded next to each rule, it
> looks like the WAN firewall rule applies and the LAN firewall rule does
> not.  Per the docs WAN side limiters will work (again?) in pfSense 2.4 but
> not 2.2-2.3.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> Steve,
>
> Is this an ingress vs egress question?
>
> http://pfsensesetup.com/egress-filtering-with-pfsense/
>
> That is if you are trying to limit something 'in' you would need to put the
> rule on the WAN side?
>
>
> ___
>

I do not know about the docs but since it is a single TCP stream in will
not just the WAN rule apply?

What docs are you talking about?  I would figure limiters would work on any
interface.


Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread WebDawg
On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates  wrote:

> I suppose.  From the states/traffic recorded next to each rule, it
> looks like the WAN firewall rule applies and the LAN firewall rule does
> not.  Per the docs WAN side limiters will work (again?) in pfSense 2.4 but
> not 2.2-2.3.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> Steve,
>
> Is this an ingress vs egress question?
>
> http://pfsensesetup.com/egress-filtering-with-pfsense/
>
> That is if you are trying to limit something 'in' you would need to put the
> rule on the WAN side?
>
>
> ___
>

I do not know about the docs but since it is a single TCP stream in will
not just the WAN rule apply?

What docs are you talking about?  I would figure limiters would work on any
interface.


Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread Steve Yates
I suppose.  From the states/traffic recorded next to each rule, it
looks like the WAN firewall rule applies and the LAN firewall rule does not.  
Per the docs WAN side limiters will work (again?) in pfSense 2.4 but not 
2.2-2.3.

--

Steve Yates
ITS, Inc.


Steve,

Is this an ingress vs egress question?

http://pfsensesetup.com/egress-filtering-with-pfsense/

That is if you are trying to limit something 'in' you would need to put the
rule on the WAN side?




Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread WebDawg
On Tue, Apr 18, 2017 at 8:02 PM, Steve Yates  wrote:

> I understand it's ideal to have limiters on the sending end.  It's a long
> story but I'm trying to set them on the receiving end of an rsync copy.
>
> I understand in 2.2-2.3 one should have them on the LAN interface.  This
> is on 2.3.3_1.
>
> In this scenario the remote server is x.x.x.x and the LAN computer is
> 10.1.2.12:22, and we have a NAT rule forwarding port  to 22.
>
> Firewall rule:
> IPv4 TCP/UDP   x.x.x.x   *   10.1.2.12   22 (SSH)
> Two limiters are set on in/out.
> This firewall rule shows zero traffic in or out.  No other firewall rules
> show traffic from * to LAN.
>
> Diagnostics/States shows:
> LAN tcp x.x.x.x:46098 -> 10.1.2.12:22 (and shows traffic)
>
> Is the rule+limiter not being applied because the port  is NATted to
> 22?  Or because the NAT happens on the WAN side and the LAN rule isn't even
> used?
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
>


Steve,

Is this an ingress vs egress question?

http://pfsensesetup.com/egress-filtering-with-pfsense/

That is if you are trying to limit something 'in' you would need to put the
rule on the WAN side?


[pfSense] Limiter on LAN side not applying to NATted connection

2017-04-18 Thread Steve Yates
I understand it's ideal to have limiters on the sending end.  It's a long story 
but I'm trying to set them on the receiving end of an rsync copy.

I understand in 2.2-2.3 one should have them on the LAN interface.  This is on 
2.3.3_1.

In this scenario the remote server is x.x.x.x and the LAN computer is 
10.1.2.12:22, and we have a NAT rule forwarding port  to 22.

Firewall rule:
IPv4 TCP/UDP   x.x.x.x   *   10.1.2.12   22 (SSH)
Two limiters are set on in/out.
This firewall rule shows zero traffic in or out.  No other firewall rules show 
traffic from * to LAN.

Diagnostics/States shows:
LAN tcp x.x.x.x:46098 -> 10.1.2.12:22 (and shows traffic)

Is the rule+limiter not being applied because the port  is NATted to 22?  
Or because the NAT happens on the WAN side and the LAN rule isn't even used?

Thanks,

Steve Yates
ITS, Inc.
