> My question to all would be that since the DHCP address range and the
> Lan interface are on the same subnet, would using rules to deny SSH do
> us any good? Would the layer 2 access allow connection to the interface
> and basically bypass the firewall rules or do rules get checked prior to
> allowing access?

If you check the "Disable webGUI anti-lockout rule" checkbox I outlined earlier, your LAN will be treated as another default-deny interface (like OPT interfaces) and will require rules to allow clients connectivity*. Unless configured to bridge (and act as a filtering bridge), pfSense generally operates at layer 3. This means that although clients may be able to ARP your LAN interface or pass it various bits of L2 traffic, they cannot bypass the layer-3 restrictions set up by the firewall. The "Bypass firewall rules for traffic on the same interface" bit was a red herring and should be disregarded at this point.

> If in fact the Lan Rule does not apply, is there a way that I can stop
> users from being able to ssh to the Lan or Wan interface?

See above. Since the interface will be default-deny, you'd actually have to set up a rule to allow clients to SSH. Even further, you're also probably going to have to set up rules to allow clients to reach DNS on the pfSense box and any other services (like captive portal) it may be providing, including getting out to the internet. See the following (rather paranoid) set of rules: http://imagebin.ca/view/jI-5sz.html

* - There is one caveat: pfSense always has a rule to allow DHCP traffic on the LAN interface, regardless of disabling the anti-lockout rule.
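The default-deny LAN policy the reply describes, written out as a plain pf(4) ruleset (an added example, not the ruleset linked in the thread or anything pfSense generates itself); the interface name em0, the subnet 192.168.1.0/24 and the firewall address 192.168.1.1 are constructed for the example.

```pf
# Added example: pf equivalent of a LAN with the anti-lockout rule disabled.
# pfSense builds its rules from the GUI; this only shows the resulting policy.
# Assumed (constructed) names: LAN interface em0, LAN subnet 192.168.1.0/24,
# firewall LAN address 192.168.1.1.
lan_if   = "em0"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"

# Every address assigned to the firewall itself (LAN, WAN, OPT...)
table <fw_self> { self }

set skip on lo0

# Default deny on LAN: anything not explicitly passed below is dropped and logged.
block in log on $lan_if all

# DHCP: pfSense always allows this on LAN, regardless of the anti-lockout setting.
pass in quick on $lan_if inet proto udp from any port 68 to any port 67

# Clients need to resolve names against the DNS forwarder on the firewall.
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to $lan_addr port 53

# Other services hosted on the box (captive portal, webGUI) need their own
# pass rules; leave this commented out to keep them closed like SSH.
# pass in quick on $lan_if inet proto tcp from $lan_net to $lan_addr port { 80 443 }

# Let clients reach the internet, but never any of the firewall's own
# addresses, so this rule cannot be used to reach SSH on LAN or WAN.
pass in quick on $lan_if inet from $lan_net to ! <fw_self> keep state

# No rule passes tcp/22 to $lan_addr or any other firewall address, so SSH
# from LAN clients is dropped by the "block in" above.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; on a real pfSense box this lives in the GUI rules, not in a hand-edited pf.conf.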
