• Not able to ssh to outside world (WAN)

    firewall rules
    11
    0 Votes
    11 Posts
    2k Views
    GertjanG
    @peter_apiit said in Not able to ssh to outside world (WAN): connect my company jumphost using ssh. Can you change the settings of this ssh access? Change the '22' port to '2222' and you'll be good.
  • LAN to LAN Firewall Blocking

    2
    0 Votes
    2 Posts
    292 Views
    johnpozJ
    You don't do that on pfsense - pfsense has no say in devices on the same network talking to each other. pfSense is an L3 router/firewall - it routes and firewalls traffic leaving one network and going to a different network. If you want to firewall PC X from talking to PC Y - move it to a different network/VLAN, or use host firewalls on the devices you don't want it talking to. Or set up a private VLAN in your switching environment, etc. pfSense cannot stop X from talking to Y when they are on the same network.
  • pfSense Beginner guidance configuring a firewall for a webserver

    2
    0 Votes
    2 Posts
    364 Views
    johnpozJ
    Is this 203. network routed to you? I would "assume" you're behind pfSense NAT.. If so, if you want to get to some webserver behind pfSense on an RFC 1918 address you would need to do a port forward..
  • Filtering ICMPv6 Messages (RFC 4890)

    3
    0 Votes
    3 Posts
    841 Views
    M
    @johnpoz said in Filtering ICMPv6 Messages (RFC 4890):

    @metebalci said in Filtering ICMPv6 Messages (RFC 4890): is it possible to specify the code of an ICMPv6 type in a rule?

    Yes [image: 1626173405572-type.png]

    This is type and it is how I do it; I wonder if it is possible to filter by code also.

    @johnpoz said in Filtering ICMPv6 Messages (RFC 4890): you can always look at the full rules to see what is allowed/blocked etc.. that might not be shown in the GUI https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

    Thanks, I didn't know this, I will check.
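    Added example, not from the thread: the pf.conf form of a per-code ICMPv6 match, which is what the full ruleset linked above would contain. pf's `icmp6-type` keyword accepts an optional `code`, and a braced list holds type/code pairs. `$wan` is an assumed interface macro; the type and code selection follows the "must not be dropped" error messages in RFC 4890 section 4.3.1, which limits Time Exceeded to code 0 and Parameter Problem to codes 1 and 2.

```pf
# Added example (not the thread's or pfSense's own rules). $wan is an assumed macro.
# RFC 4890 sec. 4.3.1: error messages that must not be dropped.
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type { 1, 2 }                # unreach, toobig: every code
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type 3 code 0                # time exceeded: hop limit only
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type { 4 code 1, 4 code 2 }  # param problem: codes 1 and 2 only
```

    A rule written with `icmp6-type 4` alone would also admit code 0 (erroneous header field), which RFC 4890 lists among the messages that only normally should not be dropped; the per-code form is what makes that distinction.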
  • making changes to rules applied only after reboot

    Moved
    22
    0 Votes
    22 Posts
    2k Views
    O
    I'll try what you offer; it is more logical. I was not aware that it blocks by default. Also, I like the picture :)
  • Use aliases from commandline? (pfctl)

    8
    0 Votes
    8 Posts
    4k Views
    N
    To kill all states for a list of ips under an alias do this: pfctl -t aliasname -T show | xargs -I % sh -c 'pfctl -k %'
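    Added example, not from the thread: the same alias-to-state-kill loop in Python, with one check the one-liner above leaves out. `pfctl -k X` only matches states whose source is X; states whose destination is X need the documented `pfctl -k 0.0.0.0/0 -k X` form, so the example emits both per entry. It assumes `pfctl` is on PATH for the live function, and parses a constructed `pfctl -t <alias> -T show` listing so the command-building logic can be exercised offline. The `::/0` any-address for IPv6 entries is assumed to parse the way the IPv4 `0.0.0.0/0` idiom does.

```python
"""Kill pf states for every entry of a pf table (pfSense alias), in both directions.

Added example, not the forum poster's code. Assumes pfctl on PATH for the live
path; the parsing and command construction run on a constructed listing.
"""
import ipaddress
import subprocess
from typing import List

# Constructed sample of `pfctl -t <alias> -T show` output: two hosts and a network.
SAMPLE_TABLE_OUTPUT = """\
   192.0.2.10
   192.0.2.0/24
   2001:db8::5
"""


def parse_table(listing: str) -> List[str]:
    """Return table entries as normalised host or network strings, skipping blank lines."""
    entries = []
    for line in listing.splitlines():
        token = line.strip()
        if not token:
            continue
        # ipaddress rejects garbage; a bare host comes back as a /32 or /128
        net = ipaddress.ip_network(token, strict=False)
        entries.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return entries


def kill_commands(entries: List[str]) -> List[List[str]]:
    """Build the pfctl argv lists for one table.

    `pfctl -k X` kills states whose *source* matches X. To drop states whose
    *destination* is X, the first -k must be the any-address and the second X
    (documented for IPv4 as `pfctl -k 0.0.0.0/0 -k X`; `::/0` is assumed to be
    the IPv6 equivalent).
    """
    cmds = []
    for entry in entries:
        any_addr = "::/0" if ":" in entry else "0.0.0.0/0"
        cmds.append(["pfctl", "-k", entry])
        cmds.append(["pfctl", "-k", any_addr, "-k", entry])
    return cmds


def kill_states_for_alias(alias: str, dry_run: bool = False) -> List[List[str]]:
    """Live version: read the table from pfctl and run each kill command."""
    listing = subprocess.run(["pfctl", "-t", alias, "-T", "show"],
                             check=True, capture_output=True, text=True).stdout
    cmds = kill_commands(parse_table(listing))
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    for cmd in kill_commands(parse_table(SAMPLE_TABLE_OUTPUT)):
        print(" ".join(cmd))
```

    Run with `kill_states_for_alias("aliasname", dry_run=True)` first to see the commands that would be issued; `pfctl -k` with a network entry kills every state in that prefix, which is usually what is wanted for an alias but is worth seeing before it happens.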
  • IPV6 and firewall rules - My newb is showing

    33
    0 Votes
    33 Posts
    5k Views
    Bob.DigB
    Changing it to DUID-LLT did nothing for me, even after a reboot. @jknott I use it on one interface to give only one special host IPv6 connectivity to the internet; everything else on this interface has no NAT rule and because of that no IPv6 internet. I got dynamic prefixes and with this, it is one simple solution to my "problem". I also use it to do DDNS on pfSense and not have to do it on the hosts. I wish the DHCPv6 Server could do DDNS by itself, this would be the best spot, but pfSense is not ready yet I guess. I myself like dynamic IPs and prefixes because of privacy reasons, as long as DDNS is working.
  • PFsense cannot online

    13
    0 Votes
    13 Posts
    1k Views
    KOMK
    @peter_apiit Yes. You can do that with one simple firewall rule if you have already created the VPN connection as a pfSense gateway.
  • Bridge firewall between two lans

    1
    0 Votes
    1 Posts
    253 Views
    No one has replied
  • Firewall 101

    27
    0 Votes
    27 Posts
    3k Views
    P
    @johnpoz said in Firewall 101: dig @192.168.9.253 test.knot-resolver.cz. TXT +noedns I think the floating rules table was gammied up? I added a rule in floating to allow all HTTPS, then I deleted that rule and now it is working.
  • Office 365 URLs and IP address ranges

    19
    0 Votes
    19 Posts
    8k Views
    T
    @kuberan I use the PowerShell script from Microsoft. It generates the IPv4 addresses in a text file. This is uploaded daily to an FTP server via task scheduling. I have deactivated IPv6 and URLs in the PowerShell script. Maybe this will help other users.

```powershell
<#
Get-O365WebServiceUpdates.ps1
From https://aka.ms/ipurlws
v1.1 8/6/2019

DESCRIPTION
This script calls the REST API of the Office 365 IP and URL Web Service (Worldwide instance)
and checks to see if there has been a new update since the version stored in an existing
$Env:TEMP\O365_endpoints_latestversion.txt file in your user directory's temp folder
(usually C:\Users\<username>\AppData\Local\Temp).
If the file doesn't exist, or the latest version is newer than the current version in the file,
the script returns IPs and/or URLs that have been changed, added or removed in the latest update
and writes the new version and data to the output file $Env:TEMP\O365_endpoints_data.txt.

USAGE
Run as a scheduled task every 60 minutes.

PARAMETERS
n/a

PREREQUISITES
PS script execution policy: Bypass
PowerShell 3.0 or later
Does not require elevation

https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide
#>

#Requires -Version 3.0

# web service root URL
$ws = "https://endpoints.office.com"

# path where output files will be stored
#$versionpath = $Env:TEMP + "\O365_endpoints_latestversion.txt"
$versionpath = "C:\Powershell\O365_endpoints_latestversion.txt"
#$datapath = $Env:TEMP + "\O365_endpoints_data.txt"
$datapath = "C:\Powershell\O365_endpoints_data.txt"

# fetch client ID and version if version file exists; otherwise create new file and client ID
if (Test-Path $versionpath) {
    $content = Get-Content $versionpath
    $clientRequestId = $content[0]
    $lastVersion = $content[1]
    Write-Output ("Version file exists! Current version: " + $lastVersion)
}
else {
    Write-Output ("First run! Creating version file at " + $versionpath + ".")
    $clientRequestId = [GUID]::NewGuid().Guid
    $lastVersion = "0000000000"
    @($clientRequestId, $lastVersion) | Out-File $versionpath
}

# call version method to check the latest version, and pull new data if version number is different
# (versions are fixed-width YYYYMMDDNN strings, so the string comparison orders them correctly)
$version = Invoke-RestMethod -Uri ($ws + "/version/Worldwide?clientRequestId=" + $clientRequestId)
if ($version.latest -gt $lastVersion) {
    Write-Host "New version of Office 365 worldwide commercial service instance endpoints detected"

    # write the new version number to the version file
    @($clientRequestId, $version.latest) | Out-File $versionpath

    # invoke endpoints method to get the new data
    $endpointSets = Invoke-RestMethod -Uri ($ws + "/endpoints/Worldwide?clientRequestId=" + $clientRequestId)

    # filter results for Allow and Optimize endpoints, and transform these into custom objects with port and category
    # URL results
    $flatUrls = $endpointSets | ForEach-Object {
        $endpointSet = $_
        $urls = $(if ($endpointSet.urls.Count -gt 0) { $endpointSet.urls } else { @() })
        $urlCustomObjects = @()
        if ($endpointSet.category -in ("Allow", "Optimize")) {
            $urlCustomObjects = $urls | ForEach-Object {
                [PSCustomObject]@{
                    category = $endpointSet.category;
                    url      = $_;
                    tcpPorts = $endpointSet.tcpPorts;
                    udpPorts = $endpointSet.udpPorts;
                }
            }
        }
        $urlCustomObjects
    }

    # IPv4 results
    $flatIp4s = $endpointSets | ForEach-Object {
        $endpointSet = $_
        $ips = $(if ($endpointSet.ips.Count -gt 0) { $endpointSet.ips } else { @() })
        # IPv4 strings contain dots
        $ip4s = $ips | Where-Object { $_ -like '*.*' }
        $ip4CustomObjects = @()
        if ($endpointSet.category -in ("Allow", "Optimize")) {
            $ip4CustomObjects = $ip4s | ForEach-Object {
                [PSCustomObject]@{
                    category = $endpointSet.category;
                    ip       = $_;
                    tcpPorts = $endpointSet.tcpPorts;
                    udpPorts = $endpointSet.udpPorts;
                }
            }
        }
        $ip4CustomObjects
    }

    # IPv6 results
    $flatIp6s = $endpointSets | ForEach-Object {
        $endpointSet = $_
        $ips = $(if ($endpointSet.ips.Count -gt 0) { $endpointSet.ips } else { @() })
        # IPv6 strings contain colons
        $ip6s = $ips | Where-Object { $_ -like '*:*' }
        $ip6CustomObjects = @()
        if ($endpointSet.category -in ("Optimize")) {
            $ip6CustomObjects = $ip6s | ForEach-Object {
                [PSCustomObject]@{
                    category = $endpointSet.category;
                    ip       = $_;
                    tcpPorts = $endpointSet.tcpPorts;
                    udpPorts = $endpointSet.udpPorts;
                }
            }
        }
        $ip6CustomObjects
    }

    # write output to screen
    Write-Output ("Client Request ID: " + $clientRequestId)
    Write-Output ("Last Version: " + $lastVersion)
    Write-Output ("New Version: " + $version.latest)
    Write-Output ""
    Write-Output "IPv4 Firewall IP Address Ranges"
    ($flatIp4s.ip | Sort-Object -Unique) -join "," | Out-String
    Write-Output "IPv6 Firewall IP Address Ranges"
    ($flatIp6s.ip | Sort-Object -Unique) -join "," | Out-String
    Write-Output "URLs for Proxy Server"
    ($flatUrls.url | Sort-Object -Unique) -join "," | Out-String
    Write-Output ("IP and URL data written to " + $datapath)

    # write output to data file
    # (the header lines from the Microsoft script are commented out so the file holds only
    # one IPv4 prefix per line; the first active write must overwrite rather than -Append,
    # otherwise prefixes from earlier versions accumulate in the file across runs)
    # Write-Output "Office 365 IP and UL Web Service data" | Out-File $datapath
    # Write-Output "Worldwide instance" | Out-File $datapath -Append
    # Write-Output "" | Out-File $datapath -Append
    # Write-Output ("Version: " + $version.latest) | Out-File $datapath -Append
    # Write-Output "" | Out-File $datapath -Append
    # Write-Output "IPv4 Firewall IP Address Ranges" | Out-File $datapath -Append
    ($flatIp4s.ip | Sort-Object -Unique) -join "`r`n" | Out-File $datapath
    # Write-Output "" | Out-File $datapath -Append
    # Write-Output "IPv6 Firewall IP Address Ranges" | Out-File $datapath -Append
    # ($flatIp6s.ip | Sort-Object -Unique) -join "," | Out-File $datapath -Append
    Write-Output "" | Out-File $datapath -Append
    # Write-Output "URLs for Proxy Server" | Out-File $datapath -Append
    # ($flatUrls.url | Sort-Object -Unique) -join "," | Out-File $datapath -Append
}
else {
    Write-Host "Office 365 worldwide commercial service instance endpoints are up-to-date."
}

# upload the data file (runs on every invocation, whether or not the version changed)
$file = "C:\Powershell\O365_endpoints_data.txt"
# Do not use special characters # . / % & etc. for password!!!
# (they break URI parsing unless percent-encoded; note the credentials are embedded in the
# URI and FTP transmits them in clear text)
$ftpuri = "ftp://username:password@my-ftp-server.com/ms365.txt"
$webclient = New-Object System.Net.WebClient
$uri = New-Object System.Uri($ftpuri)
$webclient.UploadFile($uri, $file)
```

    [image: ms365urltable.jpg]
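    Added example, not the poster's script and not Microsoft's: the same selection (Allow and Optimize categories, IPv4 only) done offline in Python against a constructed sample in the shape the web service returns (objects with `category`, `ips`, `urls`, `tcpPorts`, `udpPorts`). It writes the one-prefix-per-line layout a pfSense URL Table alias consumes, de-duplicates prefixes that appear in more than one endpoint set, and tolerates sets that omit the `ips` field, which is why the poster's script guards on `.Count`. The sample data uses documentation prefixes, not real Microsoft ranges.

```python
"""Extract Office 365 IPv4 ranges from the endpoints web service JSON, offline.

Added example, not the poster's script nor Microsoft's. Runs on a constructed
sample in the service's shape so the filtering and file layout can be checked
without the network.
"""
import ipaddress
import json
from typing import List, Set

# Constructed sample in the web service's shape (documentation prefixes, not real data).
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "urls": ["outlook.office.com"], "ips": ["203.0.113.0/24", "2001:db8:1::/48"],
     "tcpPorts": "80,443", "expressRoute": True, "required": True},
    {"id": 2, "serviceArea": "Skype", "category": "Allow",
     "urls": ["*.lync.com"], "ips": ["198.51.100.0/25", "203.0.113.0/24"],
     "tcpPorts": "443", "udpPorts": "3478", "expressRoute": True, "required": True},
    {"id": 3, "serviceArea": "Common", "category": "Default",
     "urls": ["*.microsoft.com"], "ips": ["192.0.2.0/24"],
     "tcpPorts": "80,443", "expressRoute": False, "required": False},
    {"id": 4, "serviceArea": "Common", "category": "Allow",
     "urls": ["*.office.net"],  # no 'ips' key: URL-only endpoint set
     "tcpPorts": "443", "expressRoute": False, "required": True},
])


def version_is_newer(latest: str, last_seen: str) -> bool:
    """Versions are fixed-width YYYYMMDDNN strings, so plain string order is correct."""
    return latest > last_seen


def select_prefixes(endpoints_json: str, categories: Set[str], version: int) -> List[str]:
    """Sorted, de-duplicated prefixes of one IP version from the wanted categories.

    Sets without an 'ips' key are skipped: the service omits the field rather
    than sending an empty list.
    """
    nets = set()
    for endpoint_set in json.loads(endpoints_json):
        if endpoint_set.get("category") not in categories:
            continue
        for prefix in endpoint_set.get("ips", []):
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == version:
                nets.add(net)
    return [str(n) for n in sorted(nets)]


def render_url_table(prefixes: List[str]) -> str:
    """One prefix per line with a trailing newline: what a URL Table alias reads."""
    return "".join(p + "\n" for p in prefixes)


def build_ipv4_table(endpoints_json: str) -> str:
    """Same selection the poster's script makes: Allow + Optimize, IPv4 only."""
    return render_url_table(select_prefixes(endpoints_json, {"Allow", "Optimize"}, 4))


if __name__ == "__main__":
    print(build_ipv4_table(SAMPLE_ENDPOINTS_JSON), end="")
```

    Parsing through `ipaddress` is what catches a malformed entry before it lands in a firewall alias; the poster's dot/colon string test would pass anything containing a dot straight through.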
  • EasyRule Adds Rule to Wrong Interface

    13
    0 Votes
    13 Posts
    1k Views
    johnpozJ
    @planedrop said in EasyRule Adds Rule to Wrong Interface: so I don't think that would be the cause either. Multihomed devices with legs in multiple networks are quite often a source of asymmetrical traffic flow. If you talk to it from the 192.168.X.X network to its 192.168.Y.Y address and it has an interface in 192.168.X, it will answer back from that interface.. almost always!
  • Release port in pfSense

    3
    0 Votes
    3 Posts
    566 Views
    J
    @kom Thanks
  • scripts in zeek

    1
    0 Votes
    1 Posts
    347 Views
    No one has replied
  • Log anomalies on the network??

    8
    0 Votes
    8 Posts
    912 Views
    bmeeksB
    @cool_corona said in Log anomalies on the network??: @bmeeks Totally agree. BUT.... usually the scan of hosts includes the LAN IP as well and I want pfsense/suricata to react and send an alert when probed by a network scan...

    If you are running an IDS on the LAN interface, then it can respond to scans of that particular interface IP. It won't necessarily see scans from one LAN host directly to another LAN host in a switched network. That's because modern network switches will isolate traffic among ports, so even with the firewall's LAN interface in promiscuous mode, it won't see traffic among LAN hosts because the Ethernet switch will filter traffic among its ports based on the MAC registered on that port. So if the destination MAC is registered on, say, port 6, then only port 6 will see the traffic. To get around this, you need to use a SPAN port (or port mirroring, for the more generic term). If you run dumb network hubs (and not switches), then every port on the hub sees all traffic from other ports. That's not a good thing for performance, though.

    Edit: I went back and read your reply again later. Not entirely sure what you mean by this statement: BUT.... usually the scan of hosts includes the LAN IP as well and I want pfsense/suricata to react and send an alert when probed by a network scan...

    If the intruder is port scanning your firewall, then an IDS could detect that. So if the IDS was monitoring the WAN interface, and the intruder port scans the WAN, he could be detected. Ditto if the intruder were port scanning through your firewall to internal hosts. But if he can do that, then your firewall is nothing but swiss cheese (that is, shot full of holes), and your network is toast!

    Your earlier reply to @JKnott, when he asked "how do they get in initially?", was "any of those mentioned". So I answered the question from the point of view of endpoint devices on the internal network or networks. In other words, a bad actor or piece of malicious software running reconnaissance on the internal network.

    Finally, note that Suricata really has no internal port scan detection mechanism. Snort, on the other hand, has a special port scan preprocessor. However, these tools are often fooled by legitimate traffic. That's one reason why Suricata never got a specific port scan module. There are some primitive Emerging Threats rules for Suricata that can sort of do port scan detection, but it's not the same technology as Snort uses.
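    Added example, not from the thread and not Suricata or Snort code: the cheapest form of the heuristic Snort's port scan preprocessor builds on, distinct destination ports per source inside a time window, run over constructed firewall log lines. The lines use a simplified "timestamp action src dst:port" layout, not pfSense's filterlog CSV, and the addresses are made up. It only sees what the post says a firewall-side sensor can see, traffic addressed to or through the firewall's own interface; a scan between two hosts on the same switch never produces these lines. The threshold and window values are assumptions, and the sample includes an ordinary client that touches a few ports so the false-positive side is visible.

```python
"""Threshold port-scan heuristic over firewall log lines, offline.

Added example, not the thread's or any IDS project's code. Log lines are a
constructed simplified layout ("ts action src dst:port"), not pfSense filterlog.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample: a scanner (10.0.0.66) sweeping the firewall's LAN address
# (10.0.0.1) and an ordinary client (10.0.0.20) touching a few ports.
SAMPLE_LOG = """\
1700000000 block 10.0.0.66 10.0.0.1:22
1700000001 block 10.0.0.66 10.0.0.1:23
1700000001 block 10.0.0.66 10.0.0.1:25
1700000002 block 10.0.0.66 10.0.0.1:80
1700000002 pass  10.0.0.66 10.0.0.1:443
1700000003 block 10.0.0.66 10.0.0.1:3389
1700000003 block 10.0.0.66 10.0.0.1:8080
1700000010 pass  10.0.0.20 10.0.0.1:443
1700000011 pass  10.0.0.20 10.0.0.1:53
1700000012 block 10.0.0.20 10.0.0.1:445
"""


def parse_line(line: str) -> Tuple[int, str, str, str, int]:
    """Split one constructed log line into (timestamp, action, src, dst, dport)."""
    ts, action, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return int(ts), action, src, dst, int(port)


def detect_scans(log: str, window: int = 5, threshold: int = 6) -> List[Dict]:
    """Report a source once it touches >= threshold distinct ports within `window` seconds.

    Passed and blocked connections both count: a scanner that finds one open
    port still touched many closed ones. Each source is reported at most once.
    """
    recent: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)  # src -> (ts, port)
    alerted: Set[str] = set()
    alerts: List[Dict] = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, _action, src, dst, port = parse_line(raw)
        events = recent[src]
        events.append((ts, port))
        while events and ts - events[0][0] > window:  # expire events outside the window
            events.popleft()
        ports = {p for _, p in events}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "dst": dst, "ports": sorted(ports), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['at']} possible port scan from {alert['src']} "
              f"against {alert['dst']}: ports {alert['ports']}")
```

    The threshold is the whole tuning problem the post alludes to: a monitoring host or a vulnerability scanner you run yourself will trip it too, which is why such detectors are paired with an allow-list of known sources rather than used alone.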
  • How to handle CDNs?

    3
    0 Votes
    3 Posts
    560 Views
    R
    No disagreement. Unfortunately, we have a contract commitment that is apparently non-negotiable. It may be stupid and based on ignorance, but we are bound to it. (It's also very lucrative! Pay us enough and we will conform to whatever lunacy you request, as long as it's not illegal.) We do allow access to some .gov domains and .mil domains, but only for email, and a few .edu domains. I don't believe there are any .net or .org domains in the exception list. (We also have a totally separate network for "personal" use, and it's completely unfiltered.) I finally found a list of all Akamai IP addresses, although I'm sure it's obsolete or soon will be. Of course, we have no way of knowing if Akamai is unknowingly hosting malicious content, but they seem to have processes to assure that they don't. I also have a list of Microsoft IPs, but that list doesn't include Azure. It is useful for blocking the telemetry though! In the next contract negotiation I am going to insist that the client provide us with the list of OK addresses :-) I suspect that will make clear the idiocy of this policy. Incidentally, it's my expectation that we will, eventually, end up with two Internets, one of which requires authentication (digital cert plus token) of both the connection and the user before allowing access. That's the only effective way of stopping phishing attacks, money laundering, etc. because it makes everything traceable. -- Rog
  • Transfer configuration of XG-2758 to XG-7100

    2
    0 Votes
    2 Posts
    353 Views
    K
    @firewalladmin Netgate can help you. You should have a support plan with such a new purchase. I believe Netgate has an automated tool that can convert it in a jiffy!
  • Unable to Remote Desktop

    10
    0 Votes
    10 Posts
    636 Views
    Z
    @steveits said in Unable to Remote Desktop: @zulk_85 said in Unable to Remote Desktop: can RDP the VMs from my office PC. So then I'd look at the firewall rules on the VPN interface, or the firewall on the PC isn't allowing access from the VPN. Thanks for the reply... that is what I'm thinking... looking into it and will update accordingly...
  • Firewall rules are ignored after update to 2.5.1

    7
    0 Votes
    7 Posts
    872 Views
    GertjanG
    @steveits Yeah, the not is essential .... sorry about that.
  • Guest Firewall rules.

    4
    0 Votes
    4 Posts
    774 Views
    JKnottJ
    @joshhboss Here are my rules: [image: 1624738306367-527a0b10-2ce4-429c-861b-0192c08da5d2-image.png] These allow only access to the Internet and ping the interface.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.