• Firewall MAC Filter

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    johnpoz
    Also curious on the 5000 traffic, it comes from that specific source port?  That box is sending a directed broadcast to what looks like an Automatic Private IP Address (APIPA) 169.254.x.x, but then it's got a /24 on it?? 169.254.1.255 ? Wouldn't that source port change? This is the same box that is sending out what I would assume is DHCPOFFER or DHCPACK, with dest port 68 and broadcast dest.  If that is the traffic you're looking to block, could you just block traffic from any IP that has source 67 and destination 68? And as mentioned, normally LAN traffic pfsense sees to broadcast would be going to all LAN boxes anyway - so why does it need to be blocked from pfsense seeing it? I think some more details of the source of this traffic and why you want to block it and where exactly you're wanting to block it from getting to would help us figure out the best way to do it.
  • Packet Flow OpenVPN

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    A
    Take a look at the StrongVPN/OpenVPN guide last page. Seems a few people are having issues as of 2.0 Final. Everything is correct. But for whatever reason the Gateway for the OpenVPN interface shows online, then goes offline after 5 seconds or so.
  • Alias type URL Table loading error

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    Lines starting with a # are ignored but that's all it considers a comment.
  • LAN Firewall Rules not working

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J
    Just create an alias and add all the PCs you want to that one. Then you have one rule with all clients in it and assign what traffic you want to allow…
  • "EasyRule" Add rule from console?

    Locked
    12
    0 Votes
    12 Posts
    17k Views
    jimp
    I tossed a page on the wiki for it just now: http://doc.pfsense.org/index.php/Adding_Rules_With_easyrule
  • Forward broadcast packets in pf? Or some recommendation on wireless setup

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    J
    If the traffic is using Bonjour you can install the avahi package. That will forward this kind of traffic…I am using this for my Apple Remote iTunes connection for example...works like a charm...
  • Help with understanding firewall log

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    H
    @Nachtfalke: No. If there is no rule on LAN interface, there is an invisible rule "block any to any". This means that no traffic INITIATED FROM LAN TO PFSENSE/anywhere else is allowed. But this does not mean that someone from another interface could not connect to this LAN (if on the other interfaces there is a rule which allows this). Example: If you have LAN1 and there is no rule (all is blocked from this LAN1) and if you have LAN2 and there is a rule allowing everything. Then it is NOT possible for clients in LAN1 to connect to LAN2 or anywhere else BUT it is possible for clients on LAN2 to connect to LAN1 and everywhere else. So if you want to block access TO LAN1 FROM LAN2 then you have to put a block rule on LAN2 with destination LAN1. And always remember. Rules on the firewall will be applied from TOP to DOWN. Have fun :-) Great explanation and example! Got it! Thank You!
  • Ports 135->138

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    johnpoz
    So your firewall is a VM with only 1 actual physical interface?  And I will ask again, are you behind an actual real router as well??  I assume that, if your internet interface is seeing private IPs? And I think you're a little fuzzy on the proper use of the term DMZ as well, where is your LAN?  Kind of hard to have a DMZ to isolate the services you're exposing to the internet from your local network, without the actual local network ;) So this VM host, how many interfaces does it have?  Can you draw out your network for me, and exactly what are you trying to do with pfsense on a VM that is not really exposed to the public internet, and has no LAN?
  • Windows Updates Only on Test LAN

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    N
    Hi, if you are using squid and squidguard it should be enough to allow the following DOMAINS in SquidGuard: microsoft.com windowsupdate.com If you are running squid in transparent mode then only port 80 (http) can get filtered. But windows updates are using https, too. I allowed the following subnets for only port 443 (https) which all seem to be MS (update) servers. 65.55.0.0/16 207.46.0.0/16 65.52.0.0/16 65.53.0.0/16 65.54.0.0/16 This is working for me. I am using squid in transparent mode and using squidguard to filter http (80) traffic and deny everything else except DNS (53) and https (443) with the IPs above as destination. Everything else gets blocked.
  • Rules processing order

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Floating rules come before the interface rules. It's otherwise all the same as covered in the book.
  • Help with Logging Info - ISP Warning

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    E
    Thanks, since the email is a few weeks apart, I'm not sure if the malware is running constantly or not, I assume not.  My VPN is running SSL/TLS + User Authentication.  I've got the ports for IRC blocked now and logged, so, I'm hoping I'll get a little more info that way.  I may just disable VPN for a bit too since I don't really need it running all the time.
  • Firewall Blocking Yahoo Attachments

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    T
    Wait, you found your answer by searching? Weird… http://forum.pfsense.org/index.php/topic,70.0.html
  • Kaseya Remote Control Blocked

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Allowing internet access only?

    Locked
    10
    0 Votes
    10 Posts
    9k Views
    B
    @kmanango: If I understand correctly, you already have everything working except you don't want OPT1 to be able to access the other networks and only want the traffic to exit the WAN? If so, you should set up a negation rule for the destination.  Do the following (note that this is based on the 2.0 interface): 1/ Create a new alias for the internal networks by going to Firewall->Aliases and create a new alias called "NotOPT1" and include the subnets for the other networks which are not the WAN.   2/ Create a new rule for OPT1 outbound access by going to Firewall->Rules->OPT1 and create a new rule with the following: Action: Pass Interface: OPT1 Source: any Destination: Make sure "not" is checked, select the type "single host or alias" and enter the alias "NotOPT1" Destination port range: any/any This rule will basically allow everyone connected on the OPT1 network to access only through the WAN and no other connected interfaces. Interesting.  I'll take a look.
  • Help me!!! 2.0-RELEASE Firewall Rule can't to access internet.

    Locked
    14
    0 Votes
    14 Posts
    5k Views
    johnpoz
    "Squid proxy" Still not understanding: if you're using a proxy, why are you directly letting machines out?  Who are you having use the proxy?
  • Windows 2003 NetBIOS + pfSense CPU Usage / Traffic

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    _
    Are you blocking the auto-assigned IP range from passing through?
  • 0 Votes
    3 Posts
    2k Views
    F
    @Cry: Yes. Block all outbound traffic and install the Squid and SquidGuard packages. Then whitelist all the domains required for access to those services. For instance, for GMail you'll need both mail.google.com and gstatic.com. You'll have to ensure you configure the firewall to allow access to Squid and other key services on pfSense (eg DNS). You'll want to ensure that you also allow access for all software and anti-virus updates. If you don't block all outbound traffic then it will be simple enough for people to bypass the proxy. thank you very much  ;).
  • Firewall LAN Rules

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M
    In that rule, in the destination port section: you have to select "other" and in the red box start to type that alias name, then select the correct alias.
  • Since there is no DMZ, can I open ports 0-65000 to single local IP?

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    jimp
    If there is NAT involved anywhere, you must use port forwards or 1:1, that is the only way to "open" them. The only way around that is if every internal client has a routable IP address and there is no NAT being done. Then it's just a matter of passing the traffic in with firewall rules. If you only have one external IP, you can only map one port on that external IP to one port on one internal machine. You can't just open it up to everything in the way you are describing, nothing can. There is no way to tell which internal machine a request should be forwarded to in that way. (With the possible exception of reverse proxies directing to multiple http servers based on the host header of the inbound request, and/or port forwards that are conditional based on the source address of a connecting client)
  • Disable/enable firewall rule from shell (doing ssh) resp. PHP-script?

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimp
    There aren't any existing scripts to do that, but you could write one. It's just PHP. Have a look at the "easy rule" code for some examples of manipulating rules like that. Though the code adds rules rather than disabling them, it does other operations that would be similar.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.