Ok it just did it again and I see "config_aqm Unable to configure flow set, flow set busy!" which seems to be not good?

So if you enable the icmp to your lan.. And then ping your lan IP of pfsense does that work?

Adding default route and resetting states did the trick! Thank you very much!

Check out https://www.netgate.com/resources/videos/creating-a-dmz-on-pfsense.html -Rico

@johnpoz said in Port 0 seems to sneak by firewall logging.: What doesn't really make a lot of sense is blocking the time - unless you think we could look into their logs at that exact time and see who they were scanning ;) hehehe The power of The Moderator and Inquiring Minds shall not be underestimated

"WAN net" is the local subnet of the WAN interface, not the entire Internet. Thank you all for your replies but this is the one that really answered my question. I had wrongly assumed that packets passed to the WAN interface would be routed out to the internet. See https://forum.netgate.com/topic/70611/permit-traffic-from-opt1-net-to-wan-net-wan-net-in-rule-not-working

Solved !! Today I have studied a lot ! The solution was very simple.... It was a problem of rules order.. I put rule B before A...so in this way the rule B set the gateway as "WANGW" ,the default gateway, used to access to internet and in this way the following rules used always as gateway "wangw" whatever kind of rules you create. So I put first A and then B and everything solved. No need to static routes or gateway, nothing . In the A rules is important to put as "destination" LAN NET not "ANY" in this way the traffic goes by 192.168.30.1 the gateway for the Acces Point . Thats all. Hope that this information could be useful for others people. [image: 1586200527042-ap-rules.png]

thanks for the hint with the URLs in Aliases totally missed that one ! great. pfB is runnin on the box and doin a nice job. so i put the IPs in a list and put it on the box for starters :) after sortin and deletin and checkin (gogle shodan censys ....) 400 unique remained next step is to put it on a server for easy maintenance and deployment thanks

@MarkTX said in Oops... Risks Of Passing Any WAN?: I watched a YouTube setup tutorial and followed along. The instructions said to make a WAN firewall rule to pass any to any. That must be some really fucked up tutorial when telling people to put any-any on WAN. You have a Public IP on pfSense WAN or RFC1918? -Rico

hosts [image: 1585990823442-immagine.jpg]

Just as I thought...

@Gertjan said in Harden security for outbound ports: you'll be spending most of your time looking at ... the logs. And keep on eye on used system resources like RAM and CPU usage this is a true statement ! to keep in mind RAM is the issue when you start to play around with pfB [image: 1585796801690-845d280a-62b3-447b-8d4f-04b17bcf4e53-grafik.png]

Thanks Rico, I’d like to get it working on the Ras Pi because I don’t want to torpedo my pfsense install for something I’ve done incorrectly plus I’m sort of half way there with the Pi even though it’s not there yet. That said I do have a test pc with pfsense and a 4 port intel nic so I probably try to that unofficial WG install on it, that way if I do something wrong I don’t lose everything.