Netgate Discussion Forum

Bleedover of services

Category: Firewalling. 15 posts, 3 posters, 1.6k views.
criley @johnpoz, Jun 2, 2022, 5:44 PM

@johnpoz That is why I am so confused. I checked and I do not have a deny all rule on the WAN side. I do have the Block private networks rule and the Block bogon networks rule, then a rule to allow ICMP, and then I start with individual port openings where I open FTP, HTTP, HTTPS, etc.

This firewall has been running for years and I am just wondering if there is a rule that was dropped over that period or was lost in an upgrade.

I am running all of my scans from an entirely different network that should not have any elevated privileges.

Any assistance is greatly appreciated as I have bosses breathing down my neck.
SteveITS (Rebel Alliance) @criley, Jun 2, 2022, 5:58 PM

@criley LAN has "allow to all" rules by default. All other interfaces have no rules, so the default deny rule applies and all traffic gets dropped unless allowed.

Do you have any WAN rules or NAT rules allowing ports 8081 or 8443?

In pfBlocker DNSBL settings do you have "Web Server Interface" set to WAN?

You can view active rules: https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
Upvote helpful posts!
johnpoz (LAYER 8 Global Moderator) @criley, Jun 2, 2022, 6:17 PM

@criley Do you have any rules in floating? Can you post up your WAN rules?

As mentioned, the default is deny; it is not shown. If there is no allow rule on WAN, or in floating, then unsolicited traffic is denied by default.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
criley @johnpoz, Jun 2, 2022, 6:52 PM

@johnpoz I am not sure how to post just the WAN rules, so I zipped up and attached both the firewall and NAT rules. I appreciate you taking a look and hopefully pointing me in the right direction.

[attachment: firewall-rules.zip]
johnpoz (LAYER 8 Global Moderator) @criley, Jun 2, 2022, 6:54 PM

@criley said in Bleedover of services:

    I am not sure how to post just the WAN rules

Simple screen shot.
criley @johnpoz, Jun 2, 2022, 7:38 PM

@johnpoz Here we go....

[attachment: firewall.png]
johnpoz (LAYER 8 Global Moderator) @criley, Jun 2, 2022, 7:43 PM

@criley Do you have anything in the floating tab?
criley @johnpoz, Jun 2, 2022, 7:55 PM

@johnpoz Here you go.

[attachment: floating.png]
johnpoz (LAYER 8 Global Moderator) @criley, Jun 2, 2022, 8:03 PM (edited 8:09 PM)

@criley Well, you've got an any/any rule from anything, NA.

[attachment: bad.jpg]

And what are those rules 80 and 443 that don't show any interface? Pretty sure those would allow on any interface. From looking at the rule in the zip you sent:

    pass inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: Global HTTP" ridentifier 1472233311
criley @johnpoz, Jun 2, 2022, 8:49 PM

@johnpoz Those two rules that you pointed out were put there by pfBlockerNG. I have disabled them and will retest.
johnpoz (LAYER 8 Global Moderator) @criley, Jun 2, 2022, 9:05 PM

@criley Well, you're using pfBlocker wrong then ;) It only does what you tell it to do. But a floating quick rule would be evaluated before any rules on your WAN interface.
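The two points johnpoz makes above (a pass rule with no interface in the pf ruleset is a candidate match on every interface, and a floating quick rule is decided before the WAN interface rules) follow from how pf walks its ruleset: rules are checked in order, the last matching rule wins, and a matching rule marked `quick` ends the walk immediately. The following is an added example, not code from this thread or from pfSense, that parses a small constructed ruleset in the format `pfctl -sr` prints and evaluates packets against it with those semantics. It assumes `em0` is WAN and `em1` is LAN, expands neither pfBlockerNG tables (`<pfB_...>`) nor interface macros (`(em0)`), and models pfSense's ordering only loosely (default deny first, then floating, then per-interface quick rules).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Service names pf prints for well-known ports (subset; assumption).
_PORT_NAMES = {"ftp": 21, "ssh": 22, "domain": 53, "http": 80, "https": 443}


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str]  # "in", "out", or None for both
    quick: bool               # a matching quick rule ends evaluation
    iface: Optional[str]      # None: rule is not bound to any interface
    proto: Optional[str]
    src: str
    dst: str
    dport: Optional[int]
    label: str


@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_rule(line: str) -> Rule:
    """Parse one `pfctl -sr` line (pf syntax subset used by pfSense user rules)."""
    m = re.search(r'label "([^"]*)"', line)
    label = m.group(1) if m else ""
    # Strip the label first: its text may contain "from", "to" or "port".
    toks = re.sub(r'\s*label "[^"]*"', " ", line).split()
    src = dst, dport = "any", None
    src = toks[toks.index("from") + 1] if "from" in toks else "any"
    if "to" in toks:
        j = toks.index("to")
        dst = toks[j + 1]
        if "port" in toks[j:]:  # destination port only (source ports ignored)
            i = toks.index("port", j)
            tok = toks[i + 2] if toks[i + 1] == "=" else toks[i + 1]
            dport = _PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)
    return Rule(
        action=toks[0],
        direction=next((t for t in toks if t in ("in", "out")), None),
        quick="quick" in toks,
        iface=toks[toks.index("on") + 1] if "on" in toks else None,
        proto=toks[toks.index("proto") + 1] if "proto" in toks else None,
        src=src, dst=dst, dport=dport, label=label,
    )


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # table or interface macro: not modelled, treated as no match
        return False


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.direction and r.direction != p.direction:
        return False
    if r.iface and r.iface != p.iface:  # no iface clause: matches on every interface
        return False
    if r.proto and r.proto != p.proto:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return _addr_matches(r.src, p.src) and _addr_matches(r.dst, p.dst)


def evaluate(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule wins unless a matching rule is quick."""
    winner = None
    for r in rules:
        if rule_matches(r, p):
            winner = r
            if r.quick:
                break
    return winner


def global_pass_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: pass rules that are not bound to any interface."""
    return [r for r in rules if r.action == "pass" and r.iface is None]


# Constructed sample ruleset (em0 = WAN, em1 = LAN; both assumed).
RULESET = """\
block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
pass inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: Global HTTP" ridentifier 1472233311
pass in quick on em0 inet proto icmp from any to any keep state label "USER_RULE: Allow ICMP from WAN"
pass in quick on em0 inet proto tcp from any to 203.0.113.10 port = https flags S/SA keep state label "USER_RULE: HTTPS to web server"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
"""

if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for r in global_pass_rules(rules):
        print("pass rule not bound to an interface:", r.label)
    probe = Packet("em0", "in", "tcp", "198.51.100.7", "203.0.113.10", 80)
    print("WAN tcp/80 with Global HTTP    ->", evaluate(rules, probe).label)
    trimmed = [r for r in rules if r.label != "USER_RULE: Global HTTP"]
    print("WAN tcp/80 without Global HTTP ->", evaluate(trimmed, probe).label)
```

Run against a real box, feed it the output of `pfctl -sr` instead of the constructed `RULESET`; `global_pass_rules` then lists exactly the kind of "no interface" pass rules spotted in the screenshot above, and `evaluate` shows which rule decides a given probe before you touch anything.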
criley @johnpoz, Jun 2, 2022, 9:09 PM

@johnpoz I went ahead and disabled both of those as well as the Global HTTP that you mentioned, and I am still able to see SSH as well as 8081 and 8443, both of which are from pfBlocker. Like I said, the thing that really makes me crazy is why SSH still shows, and when I try to SSH to the server's IP it drops me at the firewall SSH prompt.
SteveITS (Rebel Alliance) @criley, Jun 2, 2022, 9:22 PM

@criley Did you have open states?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

What are the NAT rules for port 22?

pfBlocker blocks are generally added to LAN (outbound) or WAN (inbound) and not floating rules, which can appear unpredictable to those not familiar with them.
https://docs.netgate.com/pfsense/en/latest/nat/process-order.html#floating-rules-notes
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.