Stateful Firewall Rules Obeyed by Switch?

Question

I have a stateful firewall (pfsense) with a WAN and LAN port, with the LAN port connected to an unmanaged switch (DLink Gbit) and several computers connected to the switch.

I was wondering if the switch obeyed firewall rules, i.e. if I blocked all traffic between two computers with a rule on the firewall, would the switch still pass traffic because it is all local and doesn't go through the firewall?

PFSense is certainly a SF trchnology, and the belongs-on-* tag is depreciated (http://meta.stackexchange.com/questions/10216/) — Mark Henderson, Jan 10 '10 at 22:17
Not sure who is voting to send to SU, but firewall and switching questions definitely belong here. — Sam Cogan, Jan 11 '10 at 13:42

score 6 · Accepted Answer · answered Jan 10 '10 at 16:44

6

The switch doesn't know anything about the rules on your firewall and the firewall can only act on traffic that flows through it. So for your local traffic through the switch, it shouldn't be affected by the firewall rules at all.

answered Jan 10 '10 at 16:44

joeqwerty

109,901
6
81
172

score 2 · Answer 2 · answered Jan 10 '10 at 19:28

joeqwerty is correct an unmanaged switch knows nothing. It works a lower layer in the network stack which knows nothing about the firewall rules or even the ip address, port, data payload, etc of a packet. It just sends packets to their destination or next hop based on the MAC address and ARP tables.

What you need is a managed switch that supports ACLs. VLANs may also be an option depending on your goals.

Stateful Firewall Rules Obeyed by Switch?

2 Answers2