Transparent Firewall Passing All traffic from WAN -> LAN?!?
-
Hello all,
My transparent firewall is acting very strange. It appears, to a grc.com scan from a machine behind the pfSense bridge, and a nmap scan from my wifi on a different network, that my pfSense filtering bridge is passing all traffic from WAN -> LAN.
I've created all my rules on the WAN tab and I even created a block-all rule at the very bottom, but grc and nmap still show almost all ports as open.
I created a rule at the top on the LAN tab to block port 135 as a test, to/from all, but it is still showing as open to the outside world.
What is going on?
-
Could you show screenshots of your rules?
It's kind of hard to imagine what rule is where doing what.
Also: what are you trying to achieve? (rest of the network around?)
-
Sure, there are a lot of them though. They are all pretty basic.
The firewall is acting very weird. A grc scan showed everything as stealth, then running it again shows certain ports as open (like the MS RPC) … like the firewall is selectively filtering traffic.
http://fw-test.alphatheory.com/fw1.png
http://fw-test.alphatheory.com/fw2.png
Thanks.
I have the pfSense box configured as a bridging filter for our rack of network servers. The line coming from our provider is connected to the WAN and then the LAN is connected to a switch. All my servers are connected to the switch.
I just need to open Web/FTP/SSH/PPTP ports to the servers, but all the servers need to keep public IP addresses, which is why I configured the pfSense box as a filtering bridge. I want all outbound traffic allowed, but only certain inbound traffic allowed.
-
I removed the GRE and PPTP rules and the firewall is now blocking traffic properly.
So, how do I make my MS PPTP server operate behind the pfSense box?
-
The PPTP rule at http://fw-test.alphatheory.com/fw2.png has "any" as the destination port. For PPTP you only need TCP 1723 (and the GRE protocol), not "any". "Any" opened it up completely (at least for TCP traffic).
-
Thanks. I can't believe I fat fingered that. I re-created the rules and re-tested and I apparently created them right this time because VPN traffic is working and the GRC scan is showing everything like it should.
Whew, I was worried for a bit.
Thanks everyone!
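To show why a single pass rule with destination port "any" defeats a block-all rule placed below it, here is an added example that is not part of the thread and not pfSense code: a small first-match rule evaluator over a constructed ruleset that mirrors the one discussed above. The rule labels, the server address and the helper names are assumptions for illustration; the semantics it models (rules on an interface tab are evaluated top to bottom against traffic entering on that interface, first match wins, and a protocol like GRE has no port) are how pf/pfSense behave.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for protocol or destination port


@dataclass
class Rule:
    action: str               # "pass" or "block"
    proto: Optional[str]      # "tcp", "udp", "gre" or ANY
    dst_port: Optional[int]   # ANY matches every port (or a portless protocol)
    label: str = ""


def first_match(rules: List[Rule], proto: str, dst_port: Optional[int]) -> Optional[Rule]:
    """Return the first rule matching the packet, or None (pfSense's
    implicit default deny when nothing on the tab matches)."""
    for rule in rules:
        if rule.proto is not ANY and rule.proto != proto:
            continue
        if rule.dst_port is not ANY and rule.dst_port != dst_port:
            continue
        return rule
    return None


def is_passed(rules: List[Rule], proto: str, dst_port: Optional[int]) -> bool:
    rule = first_match(rules, proto, dst_port)
    return rule is not None and rule.action == "pass"


def overly_permissive(rules: List[Rule]) -> List[str]:
    """Audit helper (assumed name): labels of pass rules that match every
    destination port of a port-based protocol. Such a rule shadows every
    rule below it, including a block-all at the bottom."""
    return [r.label for r in rules
            if r.action == "pass" and r.dst_port is ANY
            and r.proto in ("tcp", "udp", ANY)]


# Constructed WAN-tab ruleset as the thread describes the broken state:
# Web/FTP/SSH opened, a "PPTP" rule whose port was fat-fingered to any,
# and a block-all at the bottom that never gets reached for TCP.
FAT_FINGERED = [
    Rule("pass", "tcp", 80, "Web"),
    Rule("pass", "tcp", 21, "FTP"),
    Rule("pass", "tcp", 22, "SSH"),
    Rule("pass", "tcp", ANY, "PPTP"),      # destination port any: the mistake
    Rule("block", ANY, ANY, "block all"),
]

# The corrected ruleset: PPTP control channel on TCP 1723 plus the GRE
# protocol (IP protocol 47), which carries the tunnelled traffic and has no port.
CORRECTED = [
    Rule("pass", "tcp", 80, "Web"),
    Rule("pass", "tcp", 21, "FTP"),
    Rule("pass", "tcp", 22, "SSH"),
    Rule("pass", "tcp", 1723, "PPTP"),
    Rule("pass", "gre", ANY, "PPTP GRE"),
    Rule("block", ANY, ANY, "block all"),
]


def report(rules: List[Rule], name: str) -> None:
    print(f"{name}: permissive pass rules = {overly_permissive(rules)}")
    for proto, port in [("tcp", 135), ("tcp", 1723), ("gre", None), ("udp", 135)]:
        hit = first_match(rules, proto, port)
        print(f"  {proto}/{port}: {'pass' if is_passed(rules, proto, port) else 'block'}"
              f" (matched: {hit.label if hit else 'default deny'})")


if __name__ == "__main__":
    report(FAT_FINGERED, "fat-fingered")
    report(CORRECTED, "corrected")
```

Running it shows TCP 135 (MS RPC, the port the GRC scan reported open) being passed by the "PPTP" rule in the first ruleset and reaching the block-all in the second, while TCP 1723 and GRE still pass. It also illustrates why the test block rule on the LAN tab never helped: interface rules match traffic entering pfSense on that interface, so a WAN-originated probe is only ever evaluated against the WAN tab.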