• Soulseek

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Any Presetup steps to make Squidguard work - quick question

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Blocking certain username from visiting facebook

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Remote firewall rule creation?

    Locked
    15
    0 Votes
    15 Posts
    7k Views
    W
    Hm, I made screenshots again; the rule is one of the simplest I can think of… Can you spot the wrong setting? The rule was, by the way, auto-created by the dashboard and later moved up in the rule order manually by me, and HTTP really gets blocked...
    ####EDIT#1##### I think it was an existing state. How could I kill those too? Yeeeeah, it's dead, and it was killed by a MySQL möppel!
    ####EDIT#2##### @jimp: I'm now trying the next thing: adding subnets. Since I'm from Europe, only RIPE ranges are interesting, because you need low latency in gaming (which makes it possible for me to get subnet info easily). They have a REST API; you can test it here: http://lab.db.ripe.net/whois/search?source=ripe&query-string=83.141.4.230 A friend already helped out with a little PHP script that can translate an IP range from RIPE style (like PeerGuardian "1.2.3.4 - 2.3.4.5") to CIDR notation (IPRangeConvert.php.txt is attached for those who are interested). Here you can test it yourself... http://www.dswp.de/IPRangeConvert.php?ip=83.141.4.230 (if no IP is passed, it will take your client IP...) Now I would like to add this functionality to easyrule.php. Do you have any suggestions for me?
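The range-to-CIDR conversion the post asks about, as an added example in Python rather than the poster's PHP script: it splits an inclusive "first - last" IPv4 range into the minimal set of aligned CIDR blocks, pulls such ranges out of RIPE-style `inetnum:` text, and cross-checks the hand-written algorithm against the standard library. The `inetnum` sample is constructed and is not a real RIPE answer for 83.141.4.230.

```python
"""Convert RIPE-style IP ranges ("83.141.0.0 - 83.141.63.255") to CIDR.

Added example, not the poster's PHP script. The sample inetnum text
below is constructed, not real RIPE data.
"""
from __future__ import annotations

import ipaddress
import re

# Matches "a.b.c.d - e.f.g.h" anywhere on a line, with or without the
# "inetnum:" attribute name that RIPE prints in front of it.
_RANGE_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})"
)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"range start {first} is above range end {last}")
    blocks = []
    while start <= end:
        # Grow the block from /32 while it stays aligned to its own size
        # and does not run past the end of the range.
        prefix = 32
        while prefix > 0:
            size = 1 << (32 - prefix + 1)  # size of the next larger block
            if start & (size - 1) or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks


def parse_ripe_ranges(text: str) -> list[tuple[str, str]]:
    """Pull every 'first - last' pair out of RIPE whois/REST text."""
    return [(m.group(1), m.group(2)) for m in _RANGE_RE.finditer(text)]


def ripe_text_to_cidrs(text: str) -> list[str]:
    """What a firewall alias needs: one CIDR per entry, deduplicated, in order."""
    seen: list[str] = []
    for first, last in parse_ripe_ranges(text):
        for cidr in range_to_cidrs(first, last):
            if cidr not in seen:
                seen.append(cidr)
    return seen


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check the hand-written split against ipaddress.summarize_address_range."""
    expected = [
        str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]
    return range_to_cidrs(first, last) == expected


# Constructed sample in the shape of a RIPE inetnum object; not a real allocation.
SAMPLE_RIPE_TEXT = """\
inetnum:        83.141.0.0 - 83.141.63.255
netname:        EXAMPLE-NET
descr:          constructed example, not a real allocation
inetnum:        10.0.0.1 - 10.0.0.6
"""

if __name__ == "__main__":
    for cidr in ripe_text_to_cidrs(SAMPLE_RIPE_TEXT):
        print(cidr)
```

The greedy split from the low end is the standard one: a block can only be as large as its alignment allows, so unaligned starts such as 10.0.0.1 produce a /32 first and the range collapses into bigger blocks as the address lines up. Before pasting the output into a firewall alias it is worth running `matches_stdlib` on a few ranges; an off-by-one in the size check would silently widen or narrow what the rule matches.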
  • Should a FTP client be able to get out by default?

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    jimpJ
    If you enabled the FTP proxy, it adds a rule that lets FTP out.
  • Firewall Blocking Question

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    P
    @jimp: There is no way to filter out those log entries automatically, since they are identical to normal blocked packets. It's just that whatever server you are connecting to is either sending them back from a different IP, or after the state has been removed. It isn't normal to see a ton of these, but it has more to do with the server you are connecting to than anything else. You can try to set the firewall optimization to "conservative" under the advanced options, but iirc that really only helps with UDP, not TCP states. The dynamic view is locked to 50 entries because if you go much larger than that, the JavaScript involved gets really slow. Thanks for the info. I really appreciate it.
  • Protocol filtering?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    I'm really looking forward to and expecting a lot from pfSense 2 :) I hope it will be stable soon so that I can implement it in production. EDIT: Is there any tutorial on how to use layer 7 filtering already?
  • Detailed Upload Report

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Squid should have all of that in its access log, I believe. EDIT: Not sure about the file name on second thought. That might depend on the upload form. It should at least show a POST request, who did it, when, and where though.
  • Connecting to Internal Exchange server from LAN using External MX Record

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    Check your port forwards and make sure their "external address" is set to your WAN address, and not "Any". That can cause problems if you have NAT reflection enabled, and will do almost exactly what you describe.
  • Can't go to websites without universal allow.

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    D
    Point taken… I am noticing that FTP seems to be able to get out without an enable rule; I can create a rule to block it, though. Any other ports that pfSense will have open by default?
  • I'm Stuck on FTPS, need help please

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    0
    Thanks for the replies. I did find a solution. I disabled the FTP Proxy on the LAN tab. I am unsure why but everything immediately started working. I then went in and modified the rules to allow only the vendors subnet instead of the entire world. I appreciate the help.
  • Basic ruleset to allow inet access for all networks

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    D
    I doubt you will see a modified approach work exactly as you describe. By default all new interfaces (other than the default LAN with its default allow any rule) block all traffic. Then you allow only the traffic out that you want; in your case possibility2 works very well to accomplish your goal. Aliases provide an easy way to get this functionality.

    pfSense generally requires that you understand how firewall rules are evaluated once you move beyond a basic LAN/WAN two-interface setup, in order to configure things properly, but it's very powerful (and secure by default, except for the default LAN-out rule, which is less secure but expected behavior) once you understand how rules are evaluated. And it's actually kind of nice IMHO to have all interfaces be on "equal footing" with each other, without special rules unless you create them (although LAN and WAN are a bit different, but still you can have multiple of either, with a WAN being defined as having a default gateway and any other interface being internal, and there is more "automation" to NAT rules than direct firewall rules). In other words, you need to understand how pfSense does things (which is more like many enterprise firewalls and routers than home ones) to configure it well. I don't see that changing, though 2.0 does add a lot of nice new functionality. But conceptually it is very similar.

    However, in version 2.0 (still in beta, though usable to some extent, arguably (sometimes heavily argued :-) ), you can create "interface groups." Add whatever interfaces you want to a group, and then create rules that apply to all the interfaces in that group. The rules still apply after the direct per-interface rules (as far as the order evaluated) but it may give you a more logical layout to accomplish what you're wanting to do.

    You'd still need the LOCAL alias, as pfSense does not have a built-in idea of "all protected networks" beyond "this is a WAN" and "this is a LAN" (as defined as having a default gateway or not). It makes more sense this way too, given that many people have multiple WAN connections and multiple LAN/DMZ connections; assumptions would likely only work for some cases. There's my six cents ;-)
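The evaluation model the reply describes, as an added example that is not pfSense code: each interface has its own ordered rule list, the first matching rule wins (pfSense writes its interface rules as `quick` pf rules), aliases expand to several networks, and anything that matches nothing falls through to the hard-coded default deny. The interface names, the three networks and the LOCAL alias are assumptions chosen for illustration; "possibility2" is modelled as the poster's reply describes it, a block to the other protected networks followed by an allow to anything. The example does not model interface groups or floating rules.

```python
"""First-match firewall rule evaluation with aliases and a hard-coded
default deny, modelled on how pfSense interface rules behave.

Added example, not pfSense code. Topology, interface names and the
LOCAL alias are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed topology: three protected networks behind one firewall.
ALIASES = {
    "LOCAL": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
}


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: str           # alias name, CIDR, or "any"
    dst: str           # alias name, CIDR, or "any"
    label: str = ""


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrives on
    src: str
    dst: str


def _expand(spec: str):
    """Turn an alias name, a CIDR, or 'any' into a list of networks (None = any)."""
    if spec == "any":
        return None
    return [ipaddress.ip_network(c) for c in ALIASES.get(spec, [spec])]


def _matches(spec: str, addr: str) -> bool:
    nets = _expand(spec)
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def evaluate(rules_by_iface: dict[str, list[Rule]], pkt: Packet) -> tuple[str, str]:
    """Return (action, label): first matching rule on the ingress interface wins,
    otherwise the hard-coded default deny that pfSense appends to every ruleset."""
    for rule in rules_by_iface.get(pkt.iface, []):
        if _matches(rule.src, pkt.src) and _matches(rule.dst, pkt.dst):
            return rule.action, rule.label
    return "block", "default deny"


RULES: dict[str, list[Rule]] = {
    # The stock LAN rule: anything from LAN may go anywhere, other local nets included.
    "LAN": [Rule("pass", "192.168.1.0/24", "any", "Default allow LAN to any")],
    # possibility2 on an OPT interface: deny the other protected networks first,
    # then let everything else (i.e. the internet) out.
    "OPT1": [
        Rule("block", "192.168.2.0/24", "LOCAL", "possibility2: no access to other local nets"),
        Rule("pass", "192.168.2.0/24", "any", "possibility2: everything else out"),
    ],
    # A freshly added interface has no rules, so only the default deny applies.
    "OPT2": [],
}


if __name__ == "__main__":
    for pkt in (
        Packet("LAN", "192.168.1.10", "203.0.113.5"),
        Packet("LAN", "192.168.1.10", "192.168.2.5"),
        Packet("OPT1", "192.168.2.20", "203.0.113.5"),
        Packet("OPT1", "192.168.2.20", "192.168.1.10"),
        Packet("OPT2", "192.168.3.7", "203.0.113.5"),
    ):
        print(pkt, "->", evaluate(RULES, pkt))
```

Two things fall out of running it that the prose only states. The stock LAN rule lets LAN hosts reach every other internal network, which is the "less secure but expected" behaviour in the reply. And on OPT1 the order of the two possibility2 rules is the whole policy: swap them and the pass-to-any rule matches first, so the block never fires and OPT1 can reach LAN. A packet arriving on OPT1 with a source address outside OPT1's own network matches neither rule and is dropped by the default deny, which is the per-interface source check the two rules implicitly provide.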
  • Transparent Firewall - Setup

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    D
    Can you post /tmp/rules.debug?
  • PfSense, Snort and DDOS protection

    Locked
    3
    0 Votes
    3 Posts
    13k Views
    C
    You cannot use synproxy with a bridge. A recent discussion on the freebsd-pf mailing list describes why, pull up its archives for a thorough explanation. SYN flooding isn't of a whole lot of concern anymore unless you're running 10+ year old OSes behind your firewall, pretty much every modern OS handles SYN flooding on its own very well. As for DDoS protection in general, you have a 100 Mb pipe, which means even a small DDoS is going to take you completely offline by overloading your connection to your provider. There is nothing you can do to change that, it's too late once it gets to you, and you can't do anything about the traffic upstream. Your provider would have to help in such scenarios.
  • Default deny rule question

    Locked
    6
    0 Votes
    6 Posts
    24k Views
    C
    The default deny rule is hard coded and cannot be removed, anything that doesn't match a user-defined rule hits it. Short of modifying the source code to take it out, you cannot disable it. You can override it with user-defined rules, essentially eliminating its purpose if you allow everything on every interface.
  • How to open inbound SIP calls?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D
    Assuming you mean in the pull-down menu for the port? SIP is udp/5060, although some providers (few now, AFAIK) support SIP over TCP.
  • Weird Firewall Issue

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    L
    DOH! Bypass firewall rules for traffic on the same interface  … check this box.. all is good
  • Firewall not allowing SMTP through

    Locked
    11
    0 Votes
    11 Posts
    3k Views
    D
    good to hear.
  • FW logging stopped

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    0
    Thanks for the hint; it does seem it did the trick, the logging is working again. There are a few tabs where logs are not yet updating, like OpenVPN, though something should've been noted there in 3 hours. I'll keep an eye on it. FW logs are working, though; I can do test connections and see that they are entered in the FW log window. Right now I have a somewhat "complex" setup with a VPN as a second WAN interface, doing some route adding and deleting manually and using that with policy routing, but this shouldn't have anything to do with logging working or not, I guess?
  • Firewall tutorial

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    0
    Then disable or remove that rule.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.