Netgate Discussion Forum

    Problems with Firewall, everything passed through?!

    Firewalling
    • Marino

      Hello,
      for the last months I'm staying here in Dhaka, Bangladesh, in a guest house.
      The Internet connection is a 56 kbit WLAN connection.
      Unfortunately broadband is very expensive here.

      This Internet connection is shared with 15 guests (rooms).
      Until the day before yesterday it was a 2k server with Sygate Personal Firewall (hehe).
      So it was veeery slow and unstable, because there were no restrictions on the connections and no QoS service, so that some of
      the idiot guests used p2p programs. It was awfully slow.

      Since yesterday I have this great pfSense distro installed and running here.
      It was easy to configure, but I still have a big problem.

      Whatever I tried yesterday the whole night, the firewall is not running.
      Every packet/every connection is passed through by the firewall.
      Actually, every port should be blocked which is not explicitly configured to be passed through.
      But this doesn't work; I also tried to add a block rule at the top, which for example blocks port 21,
      on the WAN and on the LAN side, but I can still visit FTP servers on port 21.
      Also when I'm looking at the states, every connection to different ports from LAN to WAN is allowed and established.

      I still have no idea.
      It would be very nice if someone could help me.
      config-server.marino.net-20051110135112.xml.txt

      • billm

        @Marino:

        Whatever I tried yesterday the whole night, the firewall is not running.
        Every packet/every connection is passed through by the firewall.
        Actually, every port should be blocked which is not explicitly configured to be passed through.

        We install a default allow rule on the LAN interface (inbound on WAN is still implicitly blocked).  You will need to remove the default allow rule and add rules for stuff you want out (be careful you don't block your own access!)

        @Marino:

        But this doesn't work; I also tried to add a block rule at the top, which for example blocks port 21,
        on the WAN and on the LAN side, but I can still visit FTP servers on port 21.
        Also when I'm looking at the states, every connection to different ports from LAN to WAN is allowed and established.

        FTP is handled specially.  You will need to turn off the FTP helper in System->Advanced.  FTP is handled on the LAN interface as a transparent proxy, so we NAT the traffic to localhost to be handled by a proxy on the firewall itself.  With pf (the filtering engine pfSense sits on top of), all NAT actions occur before packet filter actions.  So all rules must match the post-NAT flow, not the pre-NAT flow.  Hope that helps!

        –Bill

        pfSense core developer
        blog - http://www.ucsecurity.com/
        twitter - billmarquette

        • Marino

          Hey ;)
          I can't believe that was the point. Thx  ::)
          I was so wondering why the firewall is passing every incoming packet.
          I know the reason now; it's the stateful firewalling ;)

          1 question:
          Can you explain the FTP thing more exactly?
          I have one client here who wants to connect to ftp.debian.org every time.
          I read the FTP bible http://www.slacksite.com/other/ftp.html but I don't know the way
          to configure, in the best and most secure way, that one client from my LAN is allowed to reach other FTP servers in the WAN.
          What is your suggestion?

          • billm

            @Marino:

            Hey ;)
            I can't believe that was the point. Thx  ::)
            I was so wondering why the firewall is passing every incoming packet.
            I know the reason now; it's the stateful firewalling ;)

            1 question:
            Can you explain the FTP thing more exactly?
            I have one client here who wants to connect to ftp.debian.org every time.
            I read the FTP bible http://www.slacksite.com/other/ftp.html but I don't know the way
            to configure, in the best and most secure way, that one client from my LAN is allowed to reach other FTP servers in the WAN.
            What is your suggestion?

            Hmmm, since the NAT occurs first, you might try a rule at the top that does a:
            pass in from special_workstation to 127.0.0.1 port 21
            followed by
            block in from lan to 127.0.0.1 port 21

            I'm not 100% positive that will work, but it should.  Keep in mind that our rules are first match; naturally you'll need to enable the FTP helper again.

            –Bill

            pfSense core developer
            blog - http://www.ucsecurity.com/
            twitter - billmarquette

            • Marino
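The order Bill describes (rdr/NAT first, then first-match filtering against the rewritten flow) is easy to get wrong, so here is a small model of it as an added example; this is not pfSense code. The LAN 192.168.1.0/24, the single client 192.168.1.50, the constructed destination 203.0.113.10 and the helper listening on 127.0.0.1:8021 (OpenBSD ftp-proxy's default; the reply above writes port 21) are assumptions, so check which port your own rdr rule rewrites to before copying the rules.

```python
"""Toy model of pf's evaluation order as explained in the thread: the rdr
(NAT) step rewrites the packet first, then the filter rules are matched
against the rewritten flow, first match wins (pfSense adds 'quick' to every
rule; plain pf without 'quick' is last-match). Added example, not pfSense code;
LAN, client, destination and helper port are assumptions for the demo."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
SPECIAL_WS = ip_network("192.168.1.50/32")   # the one client allowed to FTP out
HELPER = ("127.0.0.1", 8021)                  # assumed address:port of the FTP helper

def redirect(pkt):
    """NAT step: the FTP helper's rdr sends LAN traffic to TCP/21 to localhost."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 21 and ip_address(pkt["src"]) in LAN:
        return {**pkt, "dst": HELPER[0], "dport": HELPER[1]}
    return pkt

def rule(action, src=None, dst=None, dport=None):
    """Build (action, matcher); a None field means 'any', like pf's 'any'."""
    def match(p):
        return ((src is None or ip_address(p["src"]) in src)
                and (dst is None or p["dst"] == dst)
                and (dport is None or p["dport"] == dport))
    return action, match

def decide(rules, pkt):
    """Run NAT, then evaluate the rule list first-match on the post-NAT packet."""
    post = redirect(pkt)
    for action, match in rules:
        if match(post):
            return action
    return "block"   # nothing matched: pf's implicit default deny

# 1. What pfSense installs by default: allow anything from the LAN outbound.
DEFAULT_LAN = [rule("pass", src=LAN)]
# 2. Marino's attempt: a block-port-21 rule on top. It is written against the
#    pre-NAT flow, so the rewritten FTP packet (127.0.0.1:8021) slips past it.
MARINO = [rule("block", src=LAN, dport=21), rule("pass", src=LAN)]
# 3. Bill's suggestion: match the post-NAT destination, pass the one client,
#    block the rest of the LAN, then keep the normal outbound rule.
BILL = [rule("pass", src=SPECIAL_WS, dst=HELPER[0], dport=HELPER[1]),
        rule("block", src=LAN, dst=HELPER[0], dport=HELPER[1]),
        rule("pass", src=LAN)]

def ftp_from(host):
    """Constructed sample packet: a LAN host opening an FTP control connection."""
    return {"proto": "tcp", "src": host, "dst": "203.0.113.10", "dport": 21}
```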

              Good, I'm gonna try it tomorrow.
              Is there somewhere a doc about the FTP helper? I looked everywhere, but I still don't know what the helper is?!

              I like pfSense every day a little more and I'm sure that I have now spent more than 25h just playing and making tests with this firewall.
              But it's very sad that there is no handbook available, because e.g. the traffic shaper configurations are so advanced that you absolutely need a doc/book.

              • sullrich

                @Marino:

                Good, I'm gonna try it tomorrow.
                Is there somewhere a doc about the FTP helper? I looked everywhere, but I still don't know what the helper is?!

                I like pfSense every day a little more and I'm sure that I have now spent more than 25h just playing and making tests with this firewall.
                But it's very sad that there is no handbook available, because e.g. the traffic shaper configurations are so advanced that you absolutely need a doc/book.

                We need people to write it.  pfSense is not even out of the alpha stage yet.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.