I have an external Varnish server which is passing requests to a backend server which sits behind a pfSense 2.0.3 firewall. Does pfSense do any kind of packet inspection that could block traffic from a specific IP going through that proxy? Of course this is in the case where the Forwarded-For headers are set by Varnish.

Is this even possible with any firewall?

DiverseAndRemote.com

1 Answer

You can write an l7 pattern to match the offending Forwarded-For header (syntax details here), upload that from the firewall->traffic shaper->layer 7 tab, create a new l7 rules group using that pattern (from the same tab), and then apply it to traffic from the varnish cache with a regular pf rule (probably matching HTTP traffic from the Varnish IP).

Since you're talking about matching a specific header generated by Varnish the pattern should be pretty simple.

quadruplebucky
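As an added illustration, not part of the question or the answer above: a constructed l7-filter-style pattern that matches one specific client address in the X-Forwarded-For header, with a small Python harness that emulates how l7-filter applies such patterns (a case-insensitive regex over the first bytes of each TCP connection) so the pattern can be checked against sample requests before uploading it. The address 192.0.2.10, the 2048-byte inspection window and the sample requests are assumptions.

```python
import re
from typing import Optional

# Constructed example values (not from the question): the client address to
# match and the number of leading stream bytes the classifier inspects.
BLOCKED_IP = "192.0.2.10"
MAXDATALEN = 2048

# l7-filter style pattern: lowercase because l7-filter matches case-insensitively,
# and \x0d\x0a for CRLF. In a .pat file the protocol name goes on one line
# and this regex on the next.
L7_PATTERN = (
    r"^[a-z]+ [^\x0d\x0a]* http/1\.[01]\x0d\x0a"   # request line
    r"([^\x0d\x0a]*\x0d\x0a)*"                    # any intervening headers
    r"x-forwarded-for: ([^\x0d\x0a]*, ?)?"        # earlier hops in the chain
    + re.escape(BLOCKED_IP)
    + r"(,|\x0d\x0a)"                             # whole address, not a prefix
)


def l7_match(stream: bytes, pattern: str = L7_PATTERN, maxdatalen: int = MAXDATALEN) -> bool:
    """Emulate l7-filter: case-insensitive regex over the first bytes of a connection."""
    data = stream[:maxdatalen].decode("latin-1")
    return re.search(pattern, data, re.IGNORECASE) is not None


def request(xff: Optional[str]) -> bytes:
    """Build a minimal constructed HTTP/1.1 request as Varnish might forward it."""
    lines = ["GET /index.html HTTP/1.1", "Host: backend.example"]
    if xff is not None:
        lines.append("X-Forwarded-For: " + xff)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


SAMPLES = {
    "direct_hit": request("192.0.2.10"),
    "mid_chain": request("10.0.0.5, 192.0.2.10, 10.0.0.6"),
    "no_space": request("10.0.0.5,192.0.2.10"),
    "prefix_collision": request("192.0.2.100"),   # must NOT match
    "other_client": request("198.51.100.7"),
    "no_header": request(None),
}


def classify(samples=SAMPLES):
    """Return which sample connections the pattern classifies (and a pf rule could then block)."""
    return {name: l7_match(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:17s} {'match' if hit else 'no match'}")
```

Because the classifier only sees the first bytes of a connection, a keep-alive connection is judged by its first request only, so the check is most reliable when Varnish opens a fresh backend connection per request.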