Port restriction rule!
-
If create firewall rule to restrict some ports from LAN interface to WAN address ( do not expose to world), will this rule work as well for OpenVPN interface. What I mean , if lets say some local host connected to LAN (LAN gateway set to OpenVPN) and inet going via VPN tunnel. Do I need create ports restrictions rules for OpenVPN interface in this case or rules restrictions for LAN will work and for OpenVPN interface as well?
-
-
@Antibiotic what do you think this would accomplish. Why would something on your lan be trying to access your wan address?
That is just your wan address, that isn't the internet. There is a default deny (not shown) on any interface if you do not allow something it denied.. Your rule there at the end forces everything out your vpn.. So you should be able to access your wan IP anyway..
-
@johnpoz Like that will work?
-
@Antibiotic not getting what your wanting to accomplish exactly.. What ports do you want to not go out your vpn?
But those 2nd and 3rd rules are pointless because the top rule already handles both tcp and udp.
-
Different set of ports, different aliases.
You don;t need to set a gateway on a reject rule. It doesn't open a state.
But I agree, it's unclear what you are trying to accomplish here?
-
@stephenw10 I good catch on that the aliases are slightly different - I had missed that.
-
@johnpoz The ports are different but the rules order are correct for restriction? will this work?I try to restrict ports to expose to world ( do not leave WAN but still available for LAN) by this instruction: https://www.sans.org/media/score/checklists/FirewallChecklist.pdf
-
@stephenw10 The ports are different but the rules order are correct for restriction? will this work?I try to restrict ports to expose to world ( do not leave WAN but still available for LAN) by this instruction: https://www.sans.org/media/score/checklists/FirewallChecklist.pdf
-
@Antibiotic said in Port restriction rule!:
estrict ports to expose to world ( do not leave WAN )
There is a huge difference in expose to world, ie allow that unsolicited inbound to your wan from the internet, or forwarded inbound to something behind the internet, and allow a client outbound to the internet that wants to talk on those ports.
The checklist is worded horrible in making that distinction - and the references are from 2000,2001..
But you do you.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. Or of blocking doesn't really matter if you have no allow between them... Some of that stuff makes no sense to be honest... Block 80/443 except for external webservers.. Well no shit, where else would you be going to for webservers.. And your firewall wouldn't blocking traffic for stuff on your own network talking to each other.
That is a pretty dated horribly written guide from 2000, I wouldn't given it to much credence to be honest.. BGP.. What on your network would be talking outbound to the internet via BGP? They list ntp as port 37.. That is the old timeservice and hasn't been used in like forever. Then they also list NTP on 123..
Out of the box pfsense does not "expose" anything to the world - the wan is default deny and their are no rules.. Nothing is getting to pfsense or stuff behind it, unless pfsense or something behind it requested the conversation.
It says to block ping.. You want to block your clients from pinging something out on the internet? Mentions dns TCP, that is not only used for zone transfer, that is used when the response is too big for UDP as well.. They mention finger, you worried about blocking outbound to finger, what the maybe 2 servers still running that - if any ;)
-
@johnpoz said in Port restriction rule!:
Out of the box pfsense does not "expose" anything to the world - the wan is default deny and their are no rules.. Nothing is getting to pfsense or stuff behind it, unless pfsense or something behind it requested the conversation.
Yea but if rule like that:
Like me understanding expose all to world?
-
@Antibiotic that does not EXPOSE anything to the world - that allows you to talk to the world..
Expose would be your wan rules..
If your concerned that some client on your network is going to start talking BGP to the internet out of the blue and you don't want it to do that - then sure ok vs like not running bgp on your client machine, sure feel free to block it on pfsense ;)
-
@johnpoz said in Port restriction rule!:
Expose would be your wan rules.
Could you please to show example?
-
@Antibiotic what example is there to show.. Out of the box the pfsense wan rules don't allow anything inbound to your pfsense wan IP from the internet.
What is "exposed" to the internet is what you add.. Here are my wan rules currently
This is what I have exposed to the internet... Ie some rando IP address out on the internet can talk to these ports.. The ones that are in the US, or elsewhere via my pfblocker alias of what is allowed to talk to these ports. Mostly US based IPs
I have those block rules at the end that log, because I have turned off logging for the default deny.. And this logs what I am interested in seeing. Only tcp syn traffic to my wan, and some common udp ports that might be interesting to know if seeing traffic to those ports..
Here are my LAN rules.
My clients could talk outbound on BGP... Oh no ;) hehehe
Out of the box the only rules are wan are the 2 blocking source IP of rfc1918 and bogon.. Nothing is "exposed"
-
@johnpoz Do you have openvpn server or client?
-
@johnpoz said in Port restriction rule!:
what example is there to show.. Out of the box the pfsense wan rules don't allow anything inbound to your pfsense wan IP from the internet.
Inbound yes, but outbound allow all like me undesrtanding?
-
@Antibiotic that is for my server, so I can connect while out and about. I also have a vpn client setup on pfsense that talks to one of my vpses out on the internet. But I don't normally use it.. It is there for testing/helping users with client setups.
I have two instances running, one on 443 tcp (this is for when udp 1194 might be blocked outbound where I am at).. And then your common UDP 1194 instance.
And yes I allow all outbound.. I have no reason to limit what my machines can talk too.. They are my machines and under my control, they only ever run code that I trust.. Blocking outbound would be too little and too late if I infected myself..
And then again, if I did infect myself - highly unlikely they would be using some odd ball port to talk outbound, they would use 443 most likely, just like everything else on the planet uses now.
Now I do log all my devices dns queries (I use pihole - mostly because I like its eye candy more than pfblocker).. And I do check on this now and then to see if they are talking to anything that looks weird.. But I don't block them from talking outbound.
-
@johnpoz How do you connect pi hole and any additional rules in pfsense?Why I'm asking because have also small Glinet router with built in adguard dns server and he is dusting on sofa. Could be also start using in this way!
-
@Antibiotic I point my clients to the pihole, which forwards to pfsense, which then unbound resolves. There are no rules needed on pfsense do this.. Pihole is just like any other client asking unbound for dns.
-
@johnpoz said in Port restriction rule!:
I point my clients to the pihole
How? Did you manually set pihole ip address for each home network in dns settings?
-
@johnpoz said in Port restriction rule!:
which forwards to pfsense
Did you set to forward pihole dns request to unbound than?