• Firewalling LAN outbound traffic

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    Cry Havok
    The rules apply top down - if your top rule is a pass all rule then all the rules below are ignored. Create an alias for all the general PCs and then create a pass all rule for those as the source. Then create another set of rules to allow the ports you want servers to be allowed to use. With no default pass rule anything else will be blocked.
  • How do you remove a rule if you have locked yourself out of the GUI?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    That's why I wrote this doc a long, long time ago: http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!
  • Weird Firewall problem while blocking External IP :(

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G
    Thank you jimp! I noticed my problem. I was test blocking my DNS IP 8.8.8.8, which for some reason did not work. I guess pfSense puts a hidden rule to allow access to the DNS server IP address even though you try blocking it in the rules. So that would be the problem I was having while testing the firewall. Thanks for your help! PJ
  • Hamachi 2.0.3.111 + Pfsense 1.2.3-RELEASE

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    A
    Hi, could someone give me some tips on how to unlock Hamachi in pfSense to establish a direct connection between the hosts? Thanks very much!
  • PfSense 2.0-RC1 Scheduling block behavior

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    G
    Finally, the new scheduling in pfSense 2.0 worked as expected. I don't know why, but it wasn't resetting states when the schedule time was starting. I saw an option in Settings / Advanced / Miscellaneous: "Schedule States", which was set to the default "clear the states of existing connections when expiry time has come". The setting was right for my application but didn't seem to work when we did our tests. We didn't change settings but installed the latest patch and it works.
  • Manually restricting outside VPN access in 2.0

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    S
    Bingo, updating to the latest snapshot made it show up!  Thanks!
  • Weird firewall log in 1.2.3 ?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Looks like the phone issued a disconnect command, deassociating from the AP. Probably when the phone went into power save mode and turned off its wifi radio.
  • VoIP Traffic Random Destination port

    Locked
    1
    1 Votes
    1 Posts
    2k Views
    No one has replied
  • How to write a single rule for multiple destinations?

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    C
    Thanks ohnel…. It worked fine.
  • How to forward all HTTPs traffic to HTTP?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    ?
    @torontob: "So, any way I can block specific domains rather than simply port 443 which will block all access as you suggested? Domains and not IPs as Domains can occasionally map out to different IPs."
    Please use the search feature, this question has been asked many times.
  • Firewall Rules Don't Apply Help

    Locked
    1
    0 Votes
    1 Posts
    975 Views
    No one has replied
  • TCP Traffic over GRE over IPSEC tunnel gets blocked

    Locked
    6
    0 Votes
    6 Posts
    8k Views
    S
    Hello igor, I am very sorry for my late reply. Somehow I didn't get a notification about your post. And as I had other projects to finish, I wasn't in the forum for some days now. Perhaps you have already solved your problems in the meantime. Because of these other projects I have purged the OSPF/GRE over IPsec setup. At the moment we have just one IPsec tunnel to each of our remote sites and we do manual failover in the case of an outage of one line. But I would be very happy to get this issue solved and to do OSPF routing over VPN. As jimp has written, the stateful packet inspection firewall of pfSense blocks the traffic because the TCP packets do not come back on the same interface as they were sent on. But I couldn't figure out what was wrong in the routing. Somehow I think that IPsec does not route traffic back to the GRE interface. Do you/did you have the same errors in the firewall log? Well, I will try to set up a testing environment in the next days and hope to find an error. It would be very cool to get this working. If you wish, I can send you my config then.
  • Tcp split handshake

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    I
    @jimp: "Has anyone actually tried the nmap split handshake scans against a pfSense firewall to see if it made any difference?"
    Without a tool I wouldn't have a clue how. Wouldn't something this important get incorporated into tools like Metasploit? Nothing shows up when searching there. http://www.metasploit.com/modules/
  • FIN_WAIT_2:ESTABLISHED and ESTABLISHED:FIN_WAIT_2

    Locked
    1
    0 Votes
    1 Posts
    5k Views
    No one has replied
  • X-Box 360 MTU 1364 error when firewall scheduling enabled

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T
    Thank you for your quick response. After I posted, it dawned on me. I added another rule below the BLOCK, scheduled to ALLOW. Now all is good. pfSense 2.0 Schedule tool tips say "This Rule is Currently inactive" !!! as opposed to "ALLOWing traffic". THIS is how my rules are now and they work PERFECTLY.
    BLOCK * XBox * * * * none MySchedule
    ALLOW * XBox * * * * none
  • HTTP passing but can not download?

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    C
    ieee I posted a reply on another topic but it was actually for this one lol. Ok so it did come down to a HW issue of sorts. Not sure what was up with the PCI slot I was using for the WAN interface but I reassigned the WAN to a different interface and now HTTP works w/o issue. Now I just got to get my two XBoxes to be open NAT. I have an ethernet testing tool so I can tell when there is a fault in a cable. They all seem fine.
  • PfSense’s Web front-end for pf outside a pfSense installation

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    No, it isn't possible to use the GUI outside of the pfSense distribution in any meaningful way. Not without a lot of PHP code changes.
  • Grouping hosts

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    B
    That was it. And it works brilliantly! :) Thanks
  • Authentication Error

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    It means you have your SSH port open on WAN and someone tried to connect and login, but failed. In general it is not a good idea to allow your SSH port to be exposed to the world. If you must allow access, at least move the port to something else (222, 34890, 41383, some other random port) and enable key-only auth. That will both reduce the likelihood that someone will find the service, and that nobody can just keep trying passwords to get in.
  • MOVED: Cannot block incoming ICMP

    Locked
    1
    0 Votes
    1 Posts
    833 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.