Bug #8327

closed

VLAN net, Default Deny and spoofed packets

Added by Antonio Prado about 6 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 02/12/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.2
Affected Architecture: amd64

Description

Scenario:

VLAN interface 172.31.22.251/24
Rules for VLAN interface:
PASS Prot. IPv4 *; source VLAN_net, port *; destination *, port *.

Since the default deny rule is in place, I'm expecting that no spoofed address can reach the Internet.
Unfortunately, using the tool provided by CAIDA (https://www.caida.org/projects/spoofer/), pfSense allows spoofed packets to transit.

The only way I found to block spoofed packets is to apply one more (redundant) rule for VLAN interface just before the previous PASS rule:
BLOCK Prot. IPv4 *; source !VLAN_net, port *; destination *, port *.

This way no spoofed packet can exit the WAN interface, as expected.

I bet this is not the correct behavior for rules with an implicit deny.

--
antonio

Actions #1

Updated by Antonio Prado about 6 years ago

I just want to add that in the old version 2.1.2-RELEASE (i386), spoofed packets are correctly blocked on a VLAN interface by just one rule:
PASS Prot. IPv4 *; source VLAN_net, port *; destination *, port *.

--
antonio

Actions #2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Not a Bug

There is not enough information here to classify this as a bug. Interfaces all have an implicit deny. If that is not working, you have some other rule/floating rule/package/etc that is passing traffic you don't expect. If you feel there is still a problem here on 2.5.0 snapshots, post in the forum and include your entire ruleset and more detail about your configuration.
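As an added illustration (not code from the report or from pfSense itself), the following Python model evaluates first-match interface rules with an implicit default deny over the ruleset in the description, the reporter's workaround, and a hypothetical stray pass-any rule of the kind the closing comment points to. VLAN_net, the 10.0.0.5 spoofed source and the rule lists are constructed for the example.

```python
import ipaddress

# Constructed model of pfSense-style rule evaluation on one interface:
# rules are checked top to bottom, the first match wins (pfSense adds
# "quick" to interface rules), and a packet matching no rule falls
# through to the implicit default deny.
VLAN_NET = ipaddress.ip_network("172.31.22.0/24")  # VLAN_net from the report

def rule(action, src=None, negate=False):
    """src: ip_network or None for 'any'; negate=True models '!VLAN_net'."""
    return {"action": action, "src": src, "negate": negate}

def matches(r, src_ip):
    if r["src"] is None:
        return True
    in_net = src_ip in r["src"]
    return (not in_net) if r["negate"] else in_net

def evaluate(rules, src_ip):
    """Return (action, index of the matching rule) for a packet entering
    the VLAN interface from src_ip; index is None for the implicit deny."""
    src_ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if matches(r, src_ip):
            return r["action"], i
    return "block", None

# Ruleset exactly as described in the report: a single PASS from VLAN_net.
REPORTED = [rule("pass", VLAN_NET)]
# The reporter's workaround: explicit BLOCK for !VLAN_net above the PASS.
WORKAROUND = [rule("block", VLAN_NET, negate=True)] + REPORTED
# One way the observed behaviour can arise, following the closing comment:
# some other rule (floating rule, package-added rule) that passes any
# source is evaluated before the interface rule. Hypothetical ruleset.
STRAY_PASS = [rule("pass")] + REPORTED

def spoof_check(rules, spoofed_src="10.0.0.5"):
    """Return (leaked, rule index): whether a packet whose source lies
    outside VLAN_net is passed, and which rule did it. The default
    spoofed_src is a constructed sample address."""
    action, idx = evaluate(rules, spoofed_src)
    return action == "pass", idx

if __name__ == "__main__":
    for name, rs in [("reported", REPORTED), ("workaround", WORKAROUND),
                     ("stray pass", STRAY_PASS)]:
        leaked, idx = spoof_check(rs)
        verdict = f"PASSED by rule {idx}" if leaked else "blocked"
        print(f"{name}: spoofed source {verdict}")
```

With only the reported PASS rule the spoofed source reaches the implicit deny, so a leak in a real ruleset is found by locating the earlier rule that matches it.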
