Netgate Discussion Forum
    Transparent Firewall Passing All traffic from WAN -> LAN?!?

    Firewalling

    mevans336

      Hello all,

      My transparent firewall is acting very strange. It appears, from a grc.com scan run from a machine behind the pfSense bridge and from an nmap scan run from my wifi on a different network, that my pfSense filtering bridge is passing all traffic from WAN -> LAN.

      I've created all my rules on the WAN tab and I even created a block-all rule at the very bottom, but grc and nmap still show almost all ports as open.

      I created a rule at the top on the LAN tab to block port 135 as a test, to/from all, but it is still showing as open to the outside world.

      What is going on?

      GruensFroeschli

        Could you show screenshots of your rules?

        It's kind of hard to imagine what rule is where doing what.
        Also: what are you trying to achieve? (rest of the network around?)

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        mevans336

          Sure, there are a lot of them though. They are all pretty basic.

          The firewall is acting very weird. A grc scan showed everything as stealth, then running it again shows certain ports as open (like the MS RPC) … like the firewall is selectively filtering traffic.

          http://fw-test.alphatheory.com/fw1.png
          http://fw-test.alphatheory.com/fw2.png

          Thanks.

          I have the pfSense box configured as a bridging filter for our rack of network servers. The line coming from our provider is connected to the WAN and then the LAN is connected to a switch. All my servers are connected to the switch.

          I just need to open Web/FTP/SSH/PPTP ports to the servers, but all the servers need to keep public IP addresses, which is why I configured the pfSense box as a filtering bridge. I want all outbound traffic allowed, but only certain inbound traffic allowed.

          mevans336

            I removed the GRE and PPTP rules and the firewall is now blocking traffic properly.

            So, how do I make my MS PPTP server operate behind the pfSense box?

            hoba

              The PPTP rule at http://fw-test.alphatheory.com/fw2.png has any as destination port. For PPTP you only need TCP 1723 (and the GRE protocol), not any. Any opened it up completely (at least for TCP traffic).

              mevans336
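The failure hoba describes is easy to reproduce without a firewall at hand. The block below is an added example, not code from the thread or from pfSense: a minimal first-match rule evaluator (pfSense GUI rules are generated with `quick`, so the first matching rule wins and an implicit default deny applies when nothing matches). The two rule sets are constructed from the thread's description, and the server network 203.0.113.0/24, the scanner address 198.51.100.7 and the port list are assumed values. With the PPTP rule's destination port left as "any", every TCP port to the servers is passed before the block-all rule is ever consulted; with the rule narrowed to TCP 1723 plus a separate GRE rule, only the intended ports pass.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IP protocol numbers. GRE (47) carries PPTP's tunnelled data and has no
# port field at all, so a GRE rule can never be scoped by port.
TCP, UDP, GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # None for port-less protocols such as GRE


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[int] = None   # None == any protocol
    dst: str = "0.0.0.0/0"        # destination network
    dport: Optional[int] = None   # None == any destination port
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        # A port-specific rule never matches a packet that has no port.
        if self.dport is not None and (pkt.dport is None or self.dport != pkt.dport):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins (pfSense GUI rules carry 'quick'); implicit deny otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


SERVERS = "203.0.113.0/24"   # assumed public range of the bridged servers

# Rule set as the original poster described it: a PPTP rule whose destination
# port was left as "any", above an explicit block-all rule.
BROKEN_WAN = [
    Rule("pass", TCP, SERVERS, 22, "ssh"),
    Rule("pass", TCP, SERVERS, 80, "http"),
    Rule("pass", TCP, SERVERS, None, "pptp (dport any)"),
    Rule("pass", GRE, SERVERS, None, "gre"),
    Rule("block", None, "0.0.0.0/0", None, "block all"),
]

# Corrected per hoba's reply: PPTP control channel is TCP 1723 only, and GRE
# is allowed as a protocol on its own.
FIXED_WAN = [
    Rule("pass", TCP, SERVERS, 22, "ssh"),
    Rule("pass", TCP, SERVERS, 80, "http"),
    Rule("pass", TCP, SERVERS, 1723, "pptp"),
    Rule("pass", GRE, SERVERS, None, "gre"),
    Rule("block", None, "0.0.0.0/0", None, "block all"),
]

SCANNER = "198.51.100.7"     # assumed address of the external scanner
TARGET = "203.0.113.10"      # assumed address of one bridged server


def scan(rules: List[Rule], ports: List[int]) -> List[int]:
    """Return the TCP ports an outside scanner's SYNs would be passed on.

    'Passed' means the packet reaches the server; whether the scanner then
    reports open or closed depends on what the server is listening on. Ports
    that are blocked here are what grc.com reports as 'stealth'.
    """
    return [
        p for p in ports
        if evaluate(rules, Packet(TCP, SCANNER, TARGET, p))[0] == "pass"
    ]


def gre_passes(rules: List[Rule]) -> bool:
    """The tunnel data channel must still pass after narrowing the PPTP rule."""
    return evaluate(rules, Packet(GRE, SCANNER, TARGET))[0] == "pass"


if __name__ == "__main__":
    probe = [22, 80, 135, 445, 1723, 3389]
    print("broken rule set passes TCP ports:", scan(BROKEN_WAN, probe))
    print("fixed  rule set passes TCP ports:", scan(FIXED_WAN, probe))
    print("GRE passes with fixed rule set:", gre_passes(FIXED_WAN))
```

Two things worth keeping in mind when applying this to a real rule set: the check that would have caught the fat-finger is simply reading the generated rules (`pfctl -sr` on the box) and looking for any `pass` rule without a port restriction above the block-all, and PPTP itself is a weak choice regardless of how tightly it is firewalled, since its MS-CHAPv2 authentication is known to be breakable; the example only illustrates rule scoping.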

                @hoba:

                The PPTP rule at http://fw-test.alphatheory.com/fw2.png has any as destination port. For PPTP you only need TCP 1723 (and the GRE protocol), not any. Any opened it up completely (at least for TCP traffic).

                Thanks. I can't believe I fat fingered that. I re-created the rules and re-tested and I apparently created them right this time because VPN traffic is working and the GRC scan is showing everything like it should.

                Whew, I was worried for a bit.

                Thanks everyone!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.