[pfSense] pfSense help with creating rules
Ugo Bellavance
ugob at lubik.ca
Thu Feb 9 07:54:38 EST 2012
On 2012-02-08 22:32, Jason T. Slack-Moehrle wrote:
> Hi Nathan,
>
>>> am I missing something obvious? Would I need to possibly restart the
>>> server itself or any switches?
>>
>> You're hitting the default deny rule on the DMZ interface. Rules on all interfaces are processed as 'inbound' to that interface - so return traffic from an HTTP request would be sourced from :80 with a destination of * (random source port the client OS picked). You have a rule which allows traffic from any port TO :80, so you're blocking your server's replies.
>>
>> The easiest thing would be to create a rule which allows all traffic sourced from your DMZ subnet on the DMZ interface, since that's your outbound. That gives you a typical "default deny in, default allow out" behavior.
>
> I restarted the pfSense box and noticed that when it rebooted it had:
>
> WAN (wan) --> em1 --> 75.xx.xx.28
> LAN (lan) --> em3 --> 172.16.254.1
> DMZ (opt1) --> em2 --> NONE
>
> That is correct, right, since my servers in 75.xx.xx.xx are on the
> DMZ? Do I have to do anything to tell pfSense it should answer for my
> IPs? I recall when I ran Untangle I had to tell it what IPs to
> "answer" for.
If you don't have an IP address for opt1 (DMZ), that would mean that
you're bridging with WAN? I think you should be routing instead, but I
don't know exactly your goals.
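The rule-matching behaviour Nathan describes above, as an added example that is not from the thread: a minimal Python model of per-interface, first-match evaluation with a default deny and no state tracking, using constructed placeholder addresses (DMZ_NET stands in for the poster's 75.xx.xx.xx range). It shows the HTTP request passing on WAN while the server's reply is dropped on the DMZ interface, and how the suggested "allow anything sourced from the DMZ subnet" rule fixes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of the behaviour described in the thread:
# rules are evaluated against traffic ENTERING pfSense on an interface,
# first match wins, and anything unmatched hits the default deny.
# Stateful tracking is deliberately omitted to expose the failure mode.

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters pfSense on
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                 # "pass" or "block"
    src_net: str = "0.0.0.0/0"  # any source by default
    dport: Optional[int] = None # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        return self.dport is None or pkt.dport == self.dport

def evaluate(rules, pkt):
    """First matching rule decides; no match means the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"

# Placeholder addresses (constructed), not the poster's real ranges.
DMZ_NET = "203.0.113.0/24"
WEB = "203.0.113.10"
CLIENT = "198.51.100.7"

# Before: only a WAN rule allowing any source to the web server on port 80.
before = [Rule("wan", "pass", dport=80)]
# After: plus the rule suggested in the thread, allowing all traffic sourced
# from the DMZ subnet on the DMZ interface (default allow out).
after = before + [Rule("dmz", "pass", src_net=DMZ_NET)]

request = Packet("wan", CLIENT, 51515, WEB, 80)  # client -> server, enters on WAN
reply = Packet("dmz", WEB, 80, CLIENT, 51515)    # server -> client, enters on DMZ

def outcome(rules):
    """Return (request verdict, reply verdict) for a rule set."""
    return evaluate(rules, request), evaluate(rules, reply)
```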