Netgate Discussion Forum

    I cannot explain that

    Firewalling
    10 Posts 4 Posters 4.6k Views
    • ginosteel

      my LAN rules are:

      protocol | source | port | destination | port             | gateway | description
      ICMP     | *      | *    | *           | *                | *       | pass icmp
      TCP      | *      | *    | *           | 80 (HTTP)        | *       | pass http
      TCP      | *      | *    | *           | 443 (HTTPS)      | *       | pass https
      TCP      | *      | *    | *           | 21 (FTP)         | *       | pass ftp
      TCP      | *      | *    | *           | 22 (SSH)         | *       | pass ftp
      TCP      | *      | *    | *           | 53 (DNS)         | *       | pass dns
      TCP      | *      | *    | *           | 110 (POP3)       | *       | pass dns
      TCP      | *      | *    | *           | 5000 - 5100      | *       | pass yahoo
      TCP      | *      | *    | *           | 995 (POP3/S)     | *       | pass pop3s
      TCP      | *      | *    | *           | 465 (SMTP/S)     | *       | pass pop3s
      UDP      | *      | *    | *           | 27000 - 27015    | *       | pass counter strike
      TCP      | *      | *    | *           | 27030 - 27039    | *       | pass counter strike
      UDP      | *      | *    | *           | 1200             | *       | pass counter strike
      TCP      | *      | *    | *           | 113 (IDENT/AUTH) | *       | pass mIRC Auth-IdentD
      UDP      | *      | *    | *           | 113 (IDENT/AUTH) | *       | pass mIRC Auth-IdentD
      TCP      | *      | *    | *           | 6660 - 6669      | *       | pass mIRC Chat
      TCP      | *      | *    | *           | 8010             | *       | pass pro fm
      TCP      | *      | *    | *           | *                | *       | block all

      and with Darkstat I can see traffic on port 26564

      Port   Service   In           Out          Total          SYNs
      26564            718,674,673  954,927,067  1,673,601,740  4,118

      How is it possible if I have a rule that blocks all?

      In firewall states I see:

      tcp  LAN IP:26564 <- 85.132.128.2:64620  FIN_WAIT_2:FIN_WAIT_2 
      tcp LAN IP:1433 <- 89.37.235.2:3847 CLOSED:SYN_SENT
      tcp LAN IP:26564 <- 87.250.43.3:2465 FIN_WAIT_2:FIN_WAIT_2
      tcp LAN IP:26564 <- 87.250.43.3:2468 FIN_WAIT_2:FIN_WAIT_2
      tcp LAN IP:26564 <- 99.239.190.3:52496 TIME_WAIT:TIME_WAIT
      tcp LAN IP:26564 <- 99.239.190.3:52497 FIN_WAIT_2:FIN_WAIT_2
      tcp LAN IP:26564 <- 189.71.227.3:1984 ESTABLISHED:ESTABLISHED
      tcp LAN IP:26564 <- 41.221.27.5:40455 FIN_WAIT_2:FIN_WAIT_2
      tcp LAN IP:26564 <- 41.221.27.5:43660 ESTABLISHED:ESTABLISHED
      tcp LAN IP:26564 <- 88.146.140.6:3325 ESTABLISHED:ESTABLISHED
      tcp LAN IP:26564 <- 151.77.172.6:1614 CLOSING:ESTABLISHED
      tcp LAN IP:26564 <- 151.77.172.6:2126 CLOSING:ESTABLISHED
      tcp LAN IP:26564 <- 151.77.172.6:2405 CLOSING:ESTABLISHED
      tcp LAN IP:26564 <- 151.77.172.6:2214 CLOSING:ESTABLISHED
      tcp LAN IP:26564 <- 151.77.172.6:1742 CLOSING:ESTABLISHED
      tcp LAN IP:26564 <- 151.77.172.6:1535 CLOSING:ESTABLISHED
      tcp LAN IP:26564 <- 77.40.197.7:58679 ESTABLISHED:ESTABLISHED
      tcp LAN IP:26564 <- 79.186.95.9:53631 ESTABLISHED:ESTABLISHED
      tcp LAN IP:26564 <- 81.35.199.9:4043 ESTABLISHED:ESTABLISHED
      tcp LAN IP:26564 <- 71.183.210.9:16743 ESTABLISHED:ESTABLISHED

      Is one of the firewall rules wrong???

      • GruensFroeschli

        Your "block all" rule is not necessary.
        There is already a "block all" rule invisible below your rules.
        That's why if you remove all rules, per default everything is blocked.

        What rules do you have on WAN?
        Because this
        tcp    89.37.227.103:26564 <- 151.77.172.6:2214    CLOSING:ESTABLISHED
        looks to me a lot like 151.77.172.6 established a connection to your machine on LAN and not the other way around.
        The rules you have on LAN affect only the connections coming from LAN.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • ginosteel

          So if I put a rule on LAN that blocks all access to any ports, it will only be in one direction??
          Should I put all these rules on WAN too?

          • GruensFroeschli

            @ginosteel:

            So if I put a rule on LAN that blocks all access to any ports, it will only be in one direction??

            again:
            You don't need a block all rule!
            There is already an INVISIBLE block all rule below your own rules.
            Rules are processed from top to bottom. If a rule matches, the rest of the rules below are no longer considered.
            You created ALLOW rules on the LAN.
            Meaning only connection attempts that have an allow rule are successful. All other connection attempts should "run" into the invisible block all rule at the bottom.
            If you remove all rules, everything gets blocked.

            Now to the concept of a stateful firewall:
            If a client on LAN attempts a connection, pfSense goes through its rule list on the LAN tab.
            If traffic comes in on the WAN, pfSense goes through its rules on the WAN tab.
            If traffic comes in on the OPT1 interface, pfSense goes through its rules on the OPT1 tab.
            If there is an allow entry above the block entry, pfSense will allow the attempt.
            After that a state is created which defines from where to where a connection is valid.
            If you have an active connection and change your rules to block this connection, the connection will still be active until it times out or the connection gets closed.
            -> pfSense only checks its rules on creation of the connection.

            To your state-question:

            The state you showed above
            tcp    89.37.227.103:26564 <- 151.77.172.6:2214    CLOSING:ESTABLISHED

            This is a state of an access TO my webserver:
            tcp  213.196.144.185:62883 -> 10.0.0.12:80  FIN_WAIT_2:FIN_WAIT_2

            This is a state on an access FROM a client on the same subnet to the internet:
            tcp  82.130.70.9:143 <- 10.0.0.196:53360  ESTABLISHED:ESTABLISHED

            You see the arrow indicates the DIRECTION of the connection.
            Could you show us the rules you have on the WAN?
            I suspect you have a rule that allows traffic into your LAN.

            So just remove ALL RULES you ever created on the WAN and everything that tries to connect TO you will get blocked.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
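The two points made above, per-interface first-match evaluation with a hidden default deny and the arrow in a state line showing which side opened the connection, modelled in a small Python script. This is an added example, not pfSense code or anything from this thread; the rule sets and the state lines it is tested with are constructed from values quoted in the thread (the "LAN IP" placeholder lines in the first post would need real addresses to parse).

```python
# Constructed model of the behaviour described in the thread; not pfSense code.
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "pass" or "block"
    proto: str       # "tcp", "udp", "icmp" or "*" for any protocol
    dst_port: tuple  # (low, high) inclusive, or None for any port

def evaluate(rules, proto, dst_port):
    """Walk one interface's rule list top to bottom; the first match wins."""
    for r in rules:
        if r.proto not in ("*", proto):
            continue
        if r.dst_port and not (r.dst_port[0] <= dst_port <= r.dst_port[1]):
            continue
        return r.action
    return "block"   # the invisible block-all pfSense keeps below every list

def new_connection(rulesets, ingress, proto, dst_port):
    """Only the rules of the interface the SYN arrives on are consulted."""
    return evaluate(rulesets[ingress], proto, dst_port)

# Constructed rule sets: the poster's LAN list (abridged) and a WAN pass-all rule.
LAN_RULES = [Rule("pass", "icmp", None), Rule("pass", "tcp", (80, 80)),
             Rule("pass", "tcp", (443, 443)), Rule("block", "*", None)]
WAN_OPEN = [Rule("pass", "*", None)]

STATE_RE = re.compile(r"^\w+\s+(\S+):(\d+)\s+(<-|->)\s+(\S+):(\d+)\s+\S+$")

def parse_state(line):
    """Return (initiator, responder, responder_port) for one state line;
    the arrow points from the host that opened the connection."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    lh, lp, arrow, rh, rp = m.groups()
    return (lh, rh, int(rp)) if arrow == "->" else (rh, lh, int(lp))

def inbound_ports(lines, local_hosts):
    """Count, per local port, the states that were opened from outside."""
    hits = Counter()
    for line in lines:
        initiator, responder, port = parse_state(line)
        if responder in local_hosts and initiator not in local_hosts:
            hits[port] += 1
    return hits
```

Running inbound_ports over a copied state table with your LAN addresses as local_hosts lists exactly the ports that outside hosts reached, which is the check that would have pointed at the WAN rule straight away.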

              • ginosteel

              Thx, you were right. There was a rule on WAN that gives access to LAN. That was my problem. Thx again

                • jahonix

                @ginosteel:

                and with Darkstat I can see traffic on port 26564
                Port   Service   In           Out          Total          SYNs
                26564            718,674,673  954,927,067  1,673,601,740  4,118

                I'd say you sent out a lot of your data to unknown drains already. Usually only CIA does that. SCNR

                  • ginosteel

                  hey!

                  what abbreviation is SCNR?

                    • Perry

                    http://www.justfuckinggoogleit.com/search.pl?query=scnr  ;D

                    /Perry
                    doc.pfsense.org

                      • jahonix

                      @ginosteel:

                      what abbreviation is SCNR?

                      http://en.wiktionary.org/wiki/SCNR

                        • ginosteel

                        :D

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.