First match wins. Rules are always applied top-down. So if you allow something with your top rule, you can't restrict it anymore with a rule further down.
Holger

-----Original Message-----
From: Jeremy Bennett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 1 March 2007 07:37
To: [email protected]
Subject: Re: AW: [pfSense Support] new user... need help with Rules

AHA!

Holger, Espen, thank you.

Holger, apologies - I had that first rule that passed LAN2 traffic to WAN and everything else... I didn't realize it was working against me. Now I realize that I only need two rules on the LAN2 net to do what I was aiming for.

Success.

Mahalo,
Jeremy

On Feb 28, 2007, at 11:51 AM, Espen Johansen wrote:

> This is how I deal with wireless to internet access but not LAN.
>
> Add a rule that says:
> Pass WLAN-subnet to destination NOT (!) LAN
> (meaning if it's not trying to access LAN then it's all good)
> You can also add rules to drop connections from WLAN clients to
> destination firewall when port is 80/22 (GUI/ssh) etc.
> Then VPN into the firewall from WLAN zone to access LAN.
>
> -lsf
>
> On 2/28/07, Jeremy Bennett <[EMAIL PROTECTED]> wrote:
>> In review, I'd like to grant full access to the internet for all
>> computers on LAN (private, wired, my machines) and LAN2 (wireless
>> segment - friends, families, neighbors). I'd like to make LAN
>> invisible as far as LAN2 is concerned, yet allow my laptop to access
>> LAN when it is attached to LAN2 wirelessly.
>>
>> I may not have been totally clear... I still need my LAN2 to see the
>> internet, so the first rule WAS:
>>
>> PASS | Proto: * | Source: LAN2 net | Port: * | Destination: * | Port: * | Gateway: *
>>
>> So I changed it as such:
>>
>> PASS | Proto: * | Source: * | Port: * | Destination: WAN address | Port: * | Gateway: * (Pass LAN2 to WAN)
>> PASS | Proto: * | Source: 192.168.12.99 | Port: * | Destination: * | Port: * | Gateway: * (Pass Powerbook to LAN)
>> PASS | Proto: * | Source: LAN2 net | Port: * | Destination: ! LAN net | Port: * | Gateway: * (Block LAN2 from LAN)
>>
>> It seems to work...
>>
>> Have I introduced any sort of horrible security issue by doing this?
>>
>> Thanks for the help.
>>
>> > On Feb 26, 2007, at 1:13 AM, Holger Bauer wrote:
>> >
>> >> First create a DHCP server for the LAN2 segment at services|
>> >> dhcpserver|lan2-tab and add a static mapping for the MAC of your
>> >> notebook.
>> >>
>> >> Then go to firewall|rules|lan2tab
>> >> Add a rule: pass, protocol any, source (IP of notebook),
>> >> destination any, gateway default
>> >>
>> >> Below this add a rule: pass, protocol any, source lan2 net,
>> >> destination NOT LAN, gateway default
>> >>
>> >> That's all that is needed.
>> >>
>> >> Holger
>> >>
>> >> -----Original Message-----
>> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>> >> Sent: Monday, 26 February 2007 10:39
>> >> To: [email protected]
>> >> Subject: [pfSense Support] new user... need help with Rules
>> >>
>> >> I have pfSense 1.0.1, with a WAN, LAN and LAN2. The WAN gets an address
>> >> via DHCP from local cable provider. LAN (192.168.12.1) is my (soon to be)
>> >> private network, and LAN2 (192.168.12.1) has a couple of wireless
>> >> bridges|APs at 192.168.12.253 & 254. What I need to do is create a rule
>> >> that blocks traffic between LAN2 and LAN, yet still allows my laptop
>> >> (192.168.12.99, assigned via MAC|static) to access LAN while wirelessly
>> >> connected to LAN2. Any help or guidance on this is much appreciated.
>> >>
>> >> Mahalo,
>> >> Jeremy
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> For additional commands, e-mail: [EMAIL PROTECTED]
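The ordering point Holger makes (first match wins, top-down, anything unmatched is dropped by the implicit default deny; pfSense generates its interface rules with pf's "quick" keyword, which is what gives that semantics) can be replayed in a small rule evaluator. The example below is added here and is not pfSense code or code posted by anyone in the thread. It models the two LAN2 rule sets from the thread: Jeremy's first attempt with a pass-everything rule at the top, and Holger's two-rule version with the notebook exception first, plus Espen's suggestion of blocking guest access to the firewall's GUI/ssh ports. The thread only gives 192.168.12.x addresses for both segments, so the example assumes LAN2 is 192.168.13.0/24, the notebook is 192.168.13.99 on that segment, and the firewall's LAN2 address is 192.168.13.1; all packets are constructed samples.

```python
"""First-match-wins evaluation of pfSense-style interface rules.

Added example, not pfSense code and not code from the thread.
Addresses and packets are constructed; LAN2 = 192.168.13.0/24 is an
assumption, since the thread lists 192.168.12.x hosts for both segments.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")

# Assumed addressing for the example (see module docstring).
LAN_NET = ip_network("192.168.12.0/24")
LAN2_NET = ip_network("192.168.13.0/24")
NOTEBOOK = ip_network("192.168.13.99/32")   # hypothetical LAN2 address of the laptop
LAN2_IF = ip_network("192.168.13.1/32")     # firewall's own LAN2 interface address


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dst_negate: bool = False         # models the GUI's "! LAN net" destination
    dport: Optional[int] = None      # None means any destination port
    comment: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        if src not in self.src:
            return False
        in_dst = dst in self.dst
        if in_dst == self.dst_negate:   # negation flips the destination test
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: List[Rule], src: str, dst: str, dport: int = 443) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; default deny otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:                  # top-down, first match decides
        if rule.matches(s, d, dport):
            return rule.action, rule.comment
    return "block", "implicit default deny"


# Jeremy's first attempt: the pass-everything rule sits on top, so the
# "not LAN" rule below it can never restrict anything.
BROKEN_LAN2_RULES = [
    Rule("pass", src=LAN2_NET, comment="pass LAN2 to anything"),
    Rule("pass", src=NOTEBOOK, comment="pass notebook to LAN"),
    Rule("pass", src=LAN2_NET, dst=LAN_NET, dst_negate=True, comment="LAN2 to not-LAN"),
]

# Holger's ordering (specific exception first, general rule second), with
# Espen's block rules for the firewall's own GUI/ssh ports placed above both.
FIXED_LAN2_RULES = [
    Rule("block", src=LAN2_NET, dst=LAN2_IF, dport=80, comment="no GUI from guests"),
    Rule("block", src=LAN2_NET, dst=LAN2_IF, dport=22, comment="no ssh from guests"),
    Rule("pass", src=NOTEBOOK, comment="pass notebook to anything"),
    Rule("pass", src=LAN2_NET, dst=LAN_NET, dst_negate=True, comment="LAN2 to not-LAN"),
]


def guest_to_lan(rules: List[Rule]) -> str:
    return evaluate(rules, "192.168.13.50", "192.168.12.10")[0]


def guest_to_internet(rules: List[Rule]) -> str:
    return evaluate(rules, "192.168.13.50", "203.0.113.5")[0]


def notebook_to_lan(rules: List[Rule]) -> str:
    return evaluate(rules, "192.168.13.99", "192.168.12.10")[0]


def guest_to_firewall_gui(rules: List[Rule]) -> str:
    return evaluate(rules, "192.168.13.50", "192.168.13.1", dport=80)[0]


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_LAN2_RULES), ("fixed", FIXED_LAN2_RULES)):
        print(name,
              "guest->LAN:", guest_to_lan(rules),
              "guest->internet:", guest_to_internet(rules),
              "notebook->LAN:", notebook_to_lan(rules),
              "guest->GUI:", guest_to_firewall_gui(rules))
```

Running it shows the broken set passing a guest to LAN (and to the firewall's GUI), while the fixed set blocks both via the default deny and the explicit block rules, yet still passes the notebook to LAN and guests to the internet. Note that "destination ! LAN net" does not by itself keep guests off the firewall's own LAN2 address, which is why the two block rules sit above the pass rules.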
