Netgate Discussion Forum

    Firewall review

Category: Firewalling
    35 Posts 5 Posters 2.5k Views
Jarhead @Antibiotic

      @Antibiotic said in Firewall review:

      @Jarhead said in Firewall review:

      default Block All on all interfaces

      Block all to pfsense and allow all from pfsense? is it correct?

      You're not understanding still. All traffic is evaluated "entering" the interface that network is attached to.
      So yes, block all to pfSense if you wanna say it that way, but not allow all from pfSense because it depends on where that traffic is coming from.
      If it's from another interface on pfSense and blocked on that interface, it wouldn't be allowed from pfSense.

      @Antibiotic said in Firewall review:

      @Jarhead said in Firewall review:

      coming in

      I want to use ports which me allow coming out not come in

      So then you have to block or allow the traffic on the interface attached to pfSense.
If you have a PC on OPT1, and you want to block its traffic to the LAN, you put the block rule on OPT1. That blocks that PC's "out" as you're calling it.
      So you have to think about what each interface, or device, can access, and create rules to do that.

Antibiotic @Jarhead

        @Jarhead said in Firewall review:

        If it's from another interface on pfSense and blocked on that interface, it wouldn't be allowed from pfSense

When you install pfSense, this one is the default rule on LAN:
[attached screenshot of the default LAN rule]

Sorry, protocol is also any; it means everything is allowed out from interface LAN.

        pfSense plus 24.11 on Topton mini PC
        CPU: Intel N100
        NIC: Intel i-226v 4 pcs
        RAM : 16 GB DDR5
        Disk: 128 GB NVMe
        Brgds, Archi

Antibiotic @Jarhead

          @Jarhead said in Firewall review:

          So then you have to block or allow the traffic on the interface attached to pfSense.

That's why I'm asking for a correct example to allow only the ports that I want to communicate on the subnets and to communicate with the internet. I do not have big experience; that's all I want.


Jarhead @Antibiotic

            @Antibiotic It means allow all traffic from the LAN subnet to anywhere it wants to go.
            Once traffic is allowed into the firewall, it can then go anywhere.

            Don't know how else to say this, traffic is either allowed or blocked as it enters the interface from the network directly attached to that interface.
If your LAN is 192.168.1.0/24 and you have a PC at 192.168.1.2, and you want to block it from accessing the internet, you put the rule on the LAN interface, not the WAN.

Antibiotic @Jarhead
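The evaluation model Jarhead describes above (a packet is judged by the rules of the interface it enters on, first match wins, and anything unmatched hits the default block), and JonathanLee's later point that WAN only needs rules for connections coming in from outside, as an added example that is not part of the original thread or of pfSense itself. It is a small Python model of that behaviour, with the two rules Antibiotic asks for: local subnets may talk to each other only on an allowed-ports alias, and the LAN may reach the internet only on a second alias. All alias names, subnets and port lists are hypothetical.

```python
# Added example (not pfSense code): a minimal model of pfSense firewall rule
# evaluation. Rules are attached to the interface a packet ARRIVES on, are
# checked top to bottom with first match winning (pfSense rules are "quick"
# by default), and a packet matching nothing is dropped by the implicit
# default deny. Alias names, subnets and port lists below are hypothetical.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical aliases, as a user would create them under Firewall > Aliases.
ALIASES = {
    "LAN_net": ["192.168.1.0/24"],
    "Local_nets": ["192.168.1.0/24", "192.168.2.0/24"],  # all subnets behind pfSense
    "Local_ports": [53, 445, 3389],                      # allowed between local subnets
    "Internet_ports": [80, 443],                         # allowed out to the internet
}


@dataclass
class Rule:
    interface: str        # interface the packet enters on ("LAN", "OPT1", "WAN", ...)
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # alias name or "any"
    dst: str              # alias name, "any", or "!alias" (pfSense "invert match")
    ports: Optional[str]  # destination-port alias name, or None for any port


def _in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def match_addr(ip: str, spec: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):          # invert match: everything NOT in the alias
        return not _in_alias(ip, spec[1:])
    return _in_alias(ip, spec)


def match_port(port: int, spec: Optional[str]) -> bool:
    return spec is None or port in ALIASES[spec]


def evaluate(rules: List[Rule], interface: str, proto: str,
             src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'pass' or 'block' for a new connection entering `interface`."""
    for r in rules:
        if r.interface != interface:
            continue                  # rules on other interfaces never see this packet
        if r.proto != "any" and r.proto != proto:
            continue
        if (match_addr(src_ip, r.src) and match_addr(dst_ip, r.dst)
                and match_port(dst_port, r.ports)):
            return r.action           # first match decides
    return "block"                    # pfSense's implicit default deny


# Both rules live on LAN, because that is where LAN-originated traffic enters.
# Nothing is needed on WAN for this: reply packets are allowed by state.
RULES = [
    Rule("LAN", "pass", "any", "LAN_net", "Local_nets", "Local_ports"),
    Rule("LAN", "pass", "any", "LAN_net", "!Local_nets", "Internet_ports"),
]


def demo() -> dict:
    """Constructed sample connections; returns the verdict for each."""
    return {
        "lan->opt1 smb":   evaluate(RULES, "LAN", "tcp", "192.168.1.2", "192.168.2.10", 445),
        "lan->opt1 ssh":   evaluate(RULES, "LAN", "tcp", "192.168.1.2", "192.168.2.10", 22),
        "lan->inet https": evaluate(RULES, "LAN", "tcp", "192.168.1.2", "93.184.216.34", 443),
        "lan->inet smb":   evaluate(RULES, "LAN", "tcp", "192.168.1.2", "93.184.216.34", 445),
        # OPT1 has no rules at all, so a PC on OPT1 cannot reach the LAN.
        "opt1->lan smb":   evaluate(RULES, "OPT1", "tcp", "192.168.2.10", "192.168.1.2", 445),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Two caveats the model makes visible: a block rule placed on WAN with source "LAN net" never matches LAN-originated traffic, because those packets enter on LAN, not WAN; and with an allow-list this tight, clients that use pfSense itself for DNS or NTP also need a pass rule on LAN to the firewall's own address for those ports, or name resolution stops working.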

              @Jarhead said in Firewall review:

              from accessing the internet

I do not want to block the internet, I just want to restrict to the port numbers which I want.


Antibiotic @Jarhead

                @Jarhead said in Firewall review:

                you put the rule on the LAN interface, not the WAN.

My friend, if you have the time and desire, can you please just show 2 simple examples:
First, allow only the ports to be used by local subnets, which you set in your aliases.

Second, allow communication with the internet outside of pfSense with the ports which you set in a second alias.


Jarhead @Antibiotic

                  @Antibiotic said in Firewall review:

                  @Jarhead said in Firewall review:

                  you put the rule on the LAN interface, not the WAN.

My friend, if you have the time and desire, can you please just show 2 simple examples:
First, allow only the ports to be used by local subnets, which you set in your aliases.

Second, allow communication with the internet outside of pfSense with the ports which you set in a second alias.

                  I don't understand what you mean by either of those.
                  Give an exact example of what you want.

Antibiotic @Jarhead

@Jarhead Yes, if possible and if this action does not hurt you.


Jarhead @Antibiotic

                      @Antibiotic No, I'm asking you to give an exact example of what you want to do.

tedquade @Gertjan

                        @Gertjan Actually "If you please"

                        Ted

Antibiotic @Jarhead

                          @Jarhead
Dude, I think the communication is going between forest and sea. If you can read, I posted what I want to do! If you do not want to, then no problem.


Jarhead @Antibiotic

                            @Antibiotic Ok. Good luck.

Antibiotic @tedquade

                              @tedquade

                              @tedquade said in Firewall review:

                              Actually "If you please"

                              @Jarhead said in Firewall review:

                              you put the rule on the LAN interface, not the WAN.

My friend, if you have the time and desire, can you please just show 2 simple examples:
First, allow only the ports to be used by local subnets, which you set in your aliases.

Second, allow communication with the internet outside of pfSense with the ports which you set in a second alias.


JonathanLee @Antibiotic

                                @Antibiotic I never needed loopback rules for my system.

                                Make sure to upvote

JonathanLee

WAN: you only need to set what you want coming in. Anything originating from LAN that is approved will get out. So a VPN port, if needed, would be an example of a WAN rule. But I have only 1 WAN rule, everything else is block; my LAN has the rules.

Antibiotic @Gertjan

                                    @Gertjan said in Firewall review:

                                    (I presume you already removed the "LAN subnets" from Source)

[attached screenshot of the LAN rule]

Source LAN subnet going to the WAN gateway, per the Netgate docs rule. Why do I need to remove the source?
I understood that the rule applies correctly to the interface it belongs to, but can it be LAN subnet only, directed to the WAN gateway or the VPN gateway only?


Gertjan @Antibiotic

                                      @Antibiotic

This is an image from what? LAN? WAN?

[attached screenshot]

                                      No "help me" PM's please. Use the forum, the community will thank you.
                                      Edit : and where are the logs ??

Antibiotic @Gertjan

                                        @Gertjan

This is LAN, the first rule is the anti-lockout rule on LAN))) It means it is possible to make a rule where the LAN rule goes to the WAN gateway.


Gertjan @Antibiotic

                                          @Antibiotic

                                          IMHO, rules look fine to me.

Antibiotic @Gertjan

@Gertjan Yeah, I know that it looks fine, because it's from the Netgate docs! I just want to verify: as mentioned above, you told me that a rule with source LAN cannot be for WAN)))

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.