Firewalling

• T

  Can somebody tell me how to build Transparent Firewall on the router up
  • themoeran  

  1
  0
  Votes
  1
  Posts
  10
  Views

  No one has replied

• C

  Port Aliases
  • chris-1028  

  6
  0
  Votes
  6
  Posts
  77
  Views

  

  @chris-1028 said in Port Aliases: a domestic network or a MegaCorp network are both exposed to essentially the same risks. No not even close sorry!!! And are managed completely different.. Out of the gate.. And comes down to as well who controls the devices that connect to a corp network. For starters in a corp - none of those ports you list would even be allowed out in the first place. And more than likely all or 99.9 of all access other than 1 one offs with tons of paper work to allow would be forced out a proxy anyway. I would be more than happy to debate corp or domestic with you - but if you think it makes sense to spend time on such nonsense in a home setup.. Have fun! Your wasting your time! Your time should be directed at what exe the devices can execute before you worry about what ports they can talk outbound on.. And where they can get such exe in the first place. Isolation of iot sure - agree, trying to limit it what it can do.. kind of pointless.. Pretty much anything it does is going to be over 80/443 that is a given anyway. Where it does that is the going to be more of concern as to what port it needs. Name some IOT devices that needs anything other than say icmp or 80/443? I have plenty of iot devices in my home - none of them talk on anything other than those ports. Well then need dns - but that is only required local. I isolate all my iot devices, and log everything they do outbound - they never try and talk outbound on anything other than icmp/80/443..
• D

  Can someone please explain the difference between interface vs source when it comes to the firewall rules?
  • drwoodcomb  

  4
  0
  Votes
  4
  Posts
  57
  Views

  D

  @Derelict Thank you for taking the time to explain the difference to me. It was really helpful and I finally understand the difference! I really appreciate it!
• W

  Suggestion on snort please. (SOLVED)
  • whitekalu  

  3
  0
  Votes
  3
  Posts
  21
  Views

  W

  Hi bmeeks Thank you for the response. Indeed pfSense is doing it's job great. I'm clear about the scenario now.
• T

  Rebuilding my firewall -- question on geoip allow or block.
  • tross9  

  4
  0
  Votes
  4
  Posts
  42
  Views

  

  @tross9 That is correct. Keep these rules on the top of your Wan rules.
• T

  blocking private networks to check or not to check
  • tross9  

  3
  0
  Votes
  3
  Posts
  54
  Views

  T

  Thanks for the info. I look at this and see if I can get Teamspeak3 to work, not sure how to test it, I use to be able to do this: connect to 192.188.1.20 (lan ip) to see if it was up then connect to 200.200.5.23 ( public ip,, of course this fake and is just for the ex) this would allow me to see if TS3 was accessible from the internet. as I've been read, it does not look like that will work any more.
• T

  all DMZ traffic being blocked
  • thrashcardiom  

  6
  0
  Votes
  6
  Posts
  55
  Views

  T

  Working now. Helps if you don't set the DMZ IP to be /32 instead of /24
• U

  pfsense blocking TCP:S when port forwarding for Plex
  • Username_1  

  9
  0
  Votes
  9
  Posts
  25
  Views

  

  Port forwarding 101, man. https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html
• H

  Firewall Rule Numbers
  • hulleyrob  

  25
  0
  Votes
  25
  Posts
  4097
  Views

  

  rules.debug is the best place to get the configured rule set all in one place. It is usually one of the first places I go when evaluating a status output, depending on what the trouble is. I never look at the rules in the config.xml. rules.debug lays them all out for you in a readable format.
• B

  Disable LAN interface?
  • bhjitsense  

  6
  0
  Votes
  6
  Posts
  152
  Views

  C

  @johnpoz I said "sparsely ", not "un-" I found your first url, I did (+/-) as it said, it worked perfectly: so yes "documented" ...but you have to look hard to find that page. Your second url: old folk like me don't take our "documentation" from youtube: printable words are good, they allow calm reflection and filing in our internal documentation. 802.1Q mode for 3100 mvneta1 is excellent! Wish I had found the "documentation" months ago. Chris
• D

  Understanding basic firewalling rules
  • derian00  

  2
  0
  Votes
  2
  Posts
  53
  Views

  

  Hi, The principals of a firewall are always the same, using pfSense, or some other system, OS, etc. In the past, and I'm not talking centuries here, the very basic concept of a firewall would take a year or so for a student to learn. And this wasn't on high school or something like that. These days, we are obliterated by the cheer number of books, Internet discussions, and videos about the subject. I advise you to start with reading general wiki pages - and have a look at this : https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos - there is a video called Firewall and NAT Fundamentals on pfSense that should see. When you test for yourself, always start as simple as possible. Always check your works. You can see pfSense as a car. The car builder won't learn you how to drive ^^ Btw : Your first paragraph : you are correct.
• S

  Is there an email spam filter?
  • Susan341  

  13
  0
  Votes
  13
  Posts
  133
  Views

  

  I take the security of everyone's firewalls seriously, and I don't like when people recommend things that will compromise that severely. I know you feel justified in what you've done, but it's not something that should be done, and should not be recommended to anyone. The instructions for that repo have changed recently but even before then, they included an install script that still pulled the binaries from his personal repo, not FreeBSD. If you want to do it, you do you, but don't spread the infection.
• J

  Snort Package automatically stop?!
  • jason001  

  15
  0
  Votes
  15
  Posts
  92
  Views

  J

  iv solved the installation error.. just logout, Login again, delete package and reinstall.. i see also now with this version of snort the custom Ip also loaded without problems!.. Green Icon.. Thanks iv seen alot of Ip addresses trying to access the server behind pfsense.... wonder if there is a packet fail2ban option? Thanks...
• M

  Syncthing on pfsense
  • mare  

  1
  0
  Votes
  1
  Posts
  17
  Views

  No one has replied

• A

  Firewall rule name in logs
  rules logs firewalls filtering naming • • alsii  

  2
  0
  Votes
  2
  Posts
  28
  Views

  A

  Technically, these are NOT called rule names, but descriptions instead. The description of my firewall rules (on LAN is where I'm logging) are in my firewall logs. If you've got no rules created, you'll have to make some that actually log the data. After that, if you look in Status -> System Logs -> Firewall in the Rule column it lists the rule description(s). There's also the 10 digit unique (I think) tracking ID code to make them quick to find or index. The only restriction listed for rule descriptions is max of 52 characters. Don't know anything about special characters, however. Here's some talk about some description stuff. https://forum.netgate.com/topic/92254/firewall-rule-description-length-limitation Jeff
• T

  PFsense as proxy cache + filter + OpenVPN "behind" firewall DELL NSA 2600 Sonicwall
  • thiagosales_sp  

  1
  0
  Votes
  1
  Posts
  25
  Views

  No one has replied

• R

  Requiring Firewall Help to Communicate between Different Networks
  • Ryan M  

  12
  0
  Votes
  12
  Posts
  98
  Views

  

  Glad you have it working now. -Rico
• D

  Please help... WAN & Dual LAN - Trouble routing LAN2 to tinterweb
  • DazzaBear  

  9
  0
  Votes
  9
  Posts
  67
  Views

  D

  I've not got the VPN to pull routes; I'm able to ping pfsense from guestvlan, (As my NAS drive 192.168.1.16 which on my LAN side. This is right at the minute as I've not put a block rule in yet, but ill do that once the guest and vlan get internet) Thanks for all your help so far
• 

  package not able to load
  • vallum  

  8
  0
  Votes
  8
  Posts
  46
  Views

  

  @vallum This is fixed , followed below steps. for package upgrade from shell https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#cli-troubleshooting
• B

  External Proxy server
  • bormar81  

  2
  0
  Votes
  2
  Posts
  28
  Views

  K

  @bormar81 Hey As an option to use the tunnel to connect PF and UBUNTU (for example,GRE over IPSEC,OPENVPN,VTI) And using PBR to redirect all traffic of ports 80,443 to this tunnel
• R

  Migrating BSD packet filter to pfsense
  • rae  

  3
  0
  Votes
  3
  Posts
  30
  Views

  R

  thanks! so, instead of a file name an rely on the OS to read the file, use a url that points to the abusive hosts text file. well, I suppose a piece of network equipment would want to use the network to access stuff. :) that'll work. I can deal... got any suggestions for the 2nd part? how to express exceptions to blocks of host ip addresses?
• M

  On Speed Test Ookla Show my Client IP
  • mhammadqadir  

  2
  0
  Votes
  2
  Posts
  56
  Views

  K

  Do you do NAT ? If yes you can answer by yourself :) But if you do not do NAT and give public IP to your clients they will be seen only if they go trough ISP who gave them to you... If you have AS and BGP to your 4-5 ISP's and you announce these IP's then the can be routed trough all of your ISP...
• F

  Would like to see Internal LAN IP addresses in Firewall logs
  • flightofthebumble  

  6
  0
  Votes
  6
  Posts
  117
  Views

  

  Let pfSense do the adblocking or get a pihole running. Turn your OpenWRT into an AP by disabling WAN and DHCP server and then plug the LAN port into a switch.
• W

  Am I infected with malware or virus ?
  • whitekalu  

  6
  0
  Votes
  6
  Posts
  215
  Views

  R

  If by any reason you are running kaspersky or malwarebytes [link-removed] can sometimes cause conflicts in firewall rules.
• D

  Timestamp in firewall logs is wrong
  • DoctorDan  

  7
  0
  Votes
  7
  Posts
  67
  Views

  

  Have you rebooted since you set the time zone? The time zone for some processes only gets set at boot time. You shouldn't have to change to another zone to correct that.
• S

  Wifi calling being blocked?
  • s0m3f00l  

  9
  0
  Votes
  9
  Posts
  120
  Views

  S

  FYI For what its worth, it was definitely the pfsense box. I make a backup every month and restored to February, without Hybrid NAT and the android phone works now. It seems there is an issue with the automatic rules when using hybrid NAT. After making a few NAT UDP rules for the ps4 the issue occurred. So I reverted back to before I made the rules and left pfblocker / suricata on... Bingo it came back up. Not sure why that is but it was definitely the sg3100 pfsense box that was causing the issue. And it was definitely to to with NAT since in the NAT table I was getting SINGLE:NO_TRAFFIC AND NO_TRAFFIC:SINGLE for the android device when it was having the issue. Broke dick hybrid nat implementation I suppose....
• A

  Port forwarding ports 70-75 for UDP
  • axiomcs  

  17
  0
  Votes
  17
  Posts
  55
  Views

  

  We already went through this and established that everything was working an hour ago. You're just going around in circles now.
• M

  How to alllow DMZ to lan.???
  dmz • • marksantos  

  6
  0
  Votes
  6
  Posts
  102
  Views

  

  It is not the firewall. It must be the elastix server. Its default gateway must be 192.168.11.1. Connections from LAN hosts to DMZ hosts are governed by rules on the LAN interface. You could make those connections with no rules at all on DMZ.
• S

  Ping in diagnostics pass through firewall rules
  • situate  

  4
  0
  Votes
  4
  Posts
  39
  Views

  

  @situate said in Ping in diagnostics pass through firewall rules: Are you try to telling me that in pfsense i can not test the rule as like a router cisco? On cisco we can specify the source lan and if exists a block rule the ping is blocked. That is correct. Traffic initiated from the firewall cannot enter an interface on the firewall, only exit. That kind of test can only be performed from an external system.
• J

  Dual adsl into single Pfs wan interface
  • jockanese81  

  4
  0
  Votes
  4
  Posts
  66
  Views

  M

  One way to use only one NIC for multiple internet connections is to use vlans but you have to use a manage switch and configure pfsense's wan interface as vlan trunk port then add internet connections as vlan interface over it. Michael.
• L

  Accessing Sophos magic IP via pfSense...
  • LB-Munich  

  3
  0
  Votes
  3
  Posts
  44
  Views

  L

  @LB-Munich Hi all, for heavens sake ... i found it finally. As soon as the MAC is listed in the MAC-Address-Whitelist everything works ... i´m such a moron .... Kind regards,
• D

  Allowing Telegram IM traffic through firewall
  • dinth  

  1
  0
  Votes
  1
  Posts
  43
  Views

  No one has replied

• M

  Configure filewall rules to allow traffic initiated from Lan to OPT1 but not visaversa
  • munson  

  8
  0
  Votes
  8
  Posts
  156
  Views

  M

  Hi Thanks for your quick response @Derelict said in Configure filewall rules to allow traffic initiated from Lan to OPT1 but not visaversa: On OPT1IOT you want to: Pass source OPT1IOT net dest any pfSense-served connections they need like DNS Do you mean this: Reject source OPT1IOT net dest LAN net Reject source OPT1IOT net dest LAN net Do you mean this: Reject source OPT1IOT net dest This firewall (self) Do you mean this: Pass source OPT1IOT net dest any Do you mean this: Thanks
• F

  block hosts lan for internet access
  • federicop  

  5
  0
  Votes
  5
  Posts
  69
  Views

  F

  I discovered that this anomaly derives from the fact that the IP that worked (block) was inserted in squid proxy server - Bypass Proxy for These Source IPs! if I put the other ip also it works. but this operation is correct !?
• W

  logs shows 224.0.0.1 being dropped ALOT.
  • whitekalu  

  7
  0
  Votes
  7
  Posts
  100
  Views

  W

  Thanks jimpp, Now Everything is clear with 224.0.0.1. The firewall is now noiseless as it's dropping without logging.
• A

  Issues with accessing certain subnets when remotely connected through OpenVPN server
  • Agent666  

  2
  0
  Votes
  2
  Posts
  55
  Views

  A

  For anyone else that follows, the issue/solution was actually nothing to do with firewall rules, instead you need to specify the local networks that are accessible in the OpenVPN server configuration!
• 

  The firewall appears to be blocking outgoing text messages from my phone ...
  • gweempose  

  43
  0
  Votes
  43
  Posts
  447
  Views

  

  @chpalmer You are right
• L

  Forward traffic on same interface / VEPA bridging
  • lars.lindstrom  

  4
  0
  Votes
  4
  Posts
  70
  Views

  L

  Any idea?
• F

  Reset States from GUI fails with error
  • farrina  

  7
  0
  Votes
  7
  Posts
  46
  Views

  F

  Steve, Thanks for confirming that this is expected behaviour. The background to my query was that I was configuring various rules/aliases and hit a problem whereby the firewall was still blocking traffic, notwithstanding what I considered to be the relevant rule had been deleted. As part of my troubleshooting I had already reset the state with apparent no effect, although strangely a reboot did clear the issue. I then spotted the log error and in rushing to put 2+2 together came up with 5 Cheers
• B

  Filter Reload
  • bokikay  

  5
  0
  Votes
  5
  Posts
  60
  Views

  

  @KOM said in Filter Reload: Small typo. I put 2,000,000 when I meant 200,000. With pfBlockerNG a setting of 2,000,000 is OK. Do not set it as low as 200,000 this will cause problems even without pfBlockerNG, see here: https://redmine.pfsense.org/issues/8417 this is why the default has already been increased to 400,000.