Bug #8327 (closed): VLAN net, Default Deny and spoofed packets
Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 02/12/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.2
Affected Architecture: amd64
Description
Scenario:
VLAN interface 172.31.22.251/24
Rules for VLAN interface:
PASS Prot. IPv4 *; source VLAN_net, port *; destination *, port *.
Since the default deny rule is in place, I'm expecting that no spoofed address can reach the Internet.
Unfortunately, testing with the tool provided by CAIDA (https://www.caida.org/projects/spoofer/) shows that pfSense allows spoofed packets to transit.
The only way I found to block spoofed packets is to apply one more (redundant) rule for the VLAN interface just before the previous PASS rule:
BLOCK Prot. IPv4 *; source !VLAN_net, port *; destination *, port *.
This way no spoofed packet can exit the WAN interface, as expected.
I bet this is not the correct behavior for rules with an implicit deny.
--
antonio
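The two rules from the report, written out in pf.conf syntax so the ordering and the role of the ingress filter are explicit. This is an added example, not the ruleset pfSense generates for the reporter's configuration; the interface name vlan22 is an assumption, and the addresses are the ones given in the report.

```pf
# Added example; not the pfSense-generated ruleset from the report.
# Assumed interface name: vlan22. Addresses taken from the report.
vlan_if  = "vlan22"
vlan_net = "172.31.22.0/24"

# Default deny: anything not explicitly passed is dropped.
block in log all

# Ingress filter (the reporter's workaround rule): drop any packet arriving on
# the VLAN whose source address is outside the VLAN's own subnet, before any
# pass rule can match it. "quick" ends evaluation as soon as this rule matches.
block in quick on $vlan_if inet from ! $vlan_net to any

# The reporter's PASS rule, limited to the VLAN's own network.
pass in quick on $vlan_if inet from $vlan_net to any keep state
```

Note that pf's `antispoof for $vlan_if` directive is not a substitute for the explicit `block ... from ! $vlan_net` rule above: `antispoof` expands to rules that drop packets carrying the VLAN's subnet as source when they arrive on some other interface (and packets claiming the interface's own address as source), but it does not reject packets that arrive on vlan22 with a source outside 172.31.22.0/24. The CAIDA spoofer test exercises the latter case, so a pass rule scoped to the local network plus the explicit negated-source block is the check to keep.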