Netgate Discussion Forum

Firewall block all rules

11 Posts 4 Posters 10.5k Views
onkeldave83 (Nov 22, 2010, 11:34 AM; last edited Nov 22, 2010, 11:48 AM)

Hello, my rules are:

    Proto    Source          Port  Destination  Port  Gateway  Schedule  Description
    *        *               *     *            *     *                  Block WAN ALL
    TCP/UDP  *               *     *            6666  *                  OpenVPN
    TCP/UDP  *               *     *            3333  *                  NAT Squid Port Forward
    TCP/UDP  *               *     *            110   *                  Allow WAN POP
    TCP/UDP  *               *     *            995   *                  Allow WAN POP SSL
    TCP/UDP  *               *     *            143   *                  Allow WAN IMAP
    TCP/UDP  *               *     *            993   *                  Allow WAN IMAP SSL
    TCP/UDP  *               *     *            25    *                  Allow WAN SMTP
    TCP/UDP  *               *     *            465   *                  Allow WAN SMTP SSL
    TCP/UDP  *               *     *            587   *                  Allow WAN SMTP TLS
    TCP/UDP  *               *     *            21    *                  Allow WAN FTP
    UDP      *               *     *            123   *                  Allow WAN NTP
    ICMP     *               *     *            *     *                  Allow Ping
    TCP      *               *     *            4804  *                  Allow BunkerTV Radio
    TCP/UDP  192.168.10.25   *     *            *     *                  Allow Only Lafoffice01

Why does the firewall block me?
I am client 192.168.10.25.

Thanks for the help!

jabalv (Nov 22, 2010, 12:34 PM)

Are these rules under the Firewall->Rules->WAN tab?

I have a similar problem. I want to block all traffic from WAN and just allow some things. In my case I think there is a problem with the (Block private networks and Block bogon networks) checkboxes under the Interfaces->WAN tab!

onkeldave83 (Nov 22, 2010, 12:36 PM; last edited Nov 22, 2010, 1:50 PM)

Yes, I agree with your last point, but I have disabled that blocking! (disabled: block bogon networks)

My first block rule = block all

and the last should let me in, but everything is blocked.... why?

I have this rule set for LAN and WAN:
first: block any any any any
and last: a rule for one client IP, TCP/UDP, everything allowed
but the client can't connect to anything!!! :(
What am I doing wrong?

(Do I have to set all protocols for 192.168.10.25 so that this client can get access?)

onkeldave83 (Nov 22, 2010, 3:14 PM)

How did you manage it so that no one else can get access but your network?

Thanks for helping me!

jabalv (Nov 22, 2010, 9:27 PM)

1.) Try using TCP, not TCP/UDP, on those kinds of ports like POP, SMTP, FTP, etc.
2.) Allow these ports on the Firewall->Rules->LAN tab and remove them from the WAN tab; for WAN only set a BLOCK rule for all ports, and maybe later some other things like HTTPS management of your router.

And maybe take a look at this page: http://doc.pfsense.org/index.php/Example_basic_configuration

Best wishes, Janis!

jammcla (Nov 22, 2010, 10:35 PM)

Remember that rules are resolved top-down. So rules that are at the top will take priority over the ones at the bottom of the list.

onkeldave83 (Nov 23, 2010, 8:42 AM; last edited Nov 23, 2010, 9:51 AM)

Cool, this is very good news!!

Firewall rules:
Top = high priority
Bottom = low priority

And this tutorial for outbound LAN rules is very good; is there one like it for WAN?

Do I only have to set HTTP and HTTPS for WAN?
What about IMAP and POP3, SMTP? Only in the LAN rules?!

Thanks for helping me understand pfSense ;)

                BIG THX

jabalv (Nov 23, 2010, 4:23 PM)

I can show how I do that. I actually don't know if this is right, but I have it like this:

In LAN -> ALLOW FROM LAN SUBNET TO destination PORT -> HTTP, HTTPS, POP, SMTP, SSH, FTP and so on.
In WAN -> ALLOW management from WAN (HTTPS) from a specified IP and THEN a BLOCK ALL rule. And I'm planning to put more rules here for port forwarding.

onkeldave83 (Nov 24, 2010, 8:27 AM)

Alright.... that's good!

But why set internet rules on the LAN interface?
WAN has access to the internet....

Can you explain it to me?

jabalv (Nov 28, 2010, 8:06 PM)

1.) When you don't have any firewall rules under the LAN interface, then everything is blocked from the LAN interface. It looks like: no rules in LAN (then everything is blocked in LAN).

2.) Actually, I don't know. But I think it's good to do it on the LAN interface if you use multiple LAN interfaces. Example: you have LAN1 (192.168.1.1/24) and LAN2 (192.168.10.1/24) and you want to allow mail (POP and SMTP) ports only on the LAN2 interface.

Don't take me too seriously, because I just tested and discovered all this :) So I'm not a big expert on this :)

Cheers, Janis!

CeilingKitten (Nov 28, 2010, 9:23 PM)

The rules take priority from the TOP to the bottom, so Block * WAN * will refuse any allows that appear after it. To fix this, move your block statement to the very bottom of your list, and all will be fixed.

Change your rules to look like this:

    TCP/UDP  *               *  *  6666  *    OpenVPN
    TCP/UDP  *               *  *  3333  *    NAT Squid Port Forward
    TCP/UDP  *               *  *  110   *    Allow WAN POP
    TCP/UDP  *               *  *  995   *    Allow WAN POP SSL
    TCP/UDP  *               *  *  143   *    Allow WAN IMAP
    TCP/UDP  *               *  *  993   *    Allow WAN IMAP SSL
    TCP/UDP  *               *  *  25    *    Allow WAN SMTP
    TCP/UDP  *               *  *  465   *    Allow WAN SMTP SSL
    TCP/UDP  *               *  *  587   *    Allow WAN SMTP TLS
    TCP/UDP  *               *  *  21    *    Allow WAN FTP
    UDP      *               *  *  123   *    Allow WAN NTP
    ICMP     *               *  *  *     *    Allow Ping
    TCP      *               *  *  4804  *    Allow BunkerTV Radio
    TCP/UDP  192.168.10.25   *  *  *     *    Allow Only Lafoffice01
    *        *               *  *  *     *    Block WAN ALL

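The top-down, first-match ordering that jammcla and CeilingKitten describe, as an added Python model that is not pfSense code and not posted by anyone in this thread: it walks a rule list in order, returns the first rule whose protocol, source and destination port match, and falls back to default deny when nothing matches (the behaviour jabalv notes for an interface with no rules). The rule names and test packets are constructed from this thread; source port, destination address, gateway and schedule are left out for brevity.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "tcp/udp", "icmp" or "*" (any)
    src: str      # source IP or CIDR, or "*" (any)
    dport: str    # destination port, or "*" (any)
    desc: str     # rule description as shown in the pfSense rule list


def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    """True if the packet (proto, src, dport) is covered by this rule."""
    if rule.proto != "*" and proto not in rule.proto.split("/"):
        return False
    if rule.src != "*" and ip_address(src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dport != "*" and int(rule.dport) != dport:
        return False
    return True


def evaluate(rules, proto: str, src: str, dport: int):
    """First matching rule wins, as in the pfSense rule list; no match = default deny."""
    for rule in rules:
        if matches(rule, proto, src, dport):
            return rule.action, rule.desc
    return "block", "default deny (no rule matched)"


# A subset of the thread's rules; names copied from the posted rule list.
BLOCK_ALL = Rule("block", "*", "*", "*", "Block WAN ALL")
ALLOWS = [
    Rule("pass", "tcp/udp", "*", "6666", "OpenVPN"),
    Rule("pass", "tcp/udp", "*", "110", "Allow WAN POP"),
    Rule("pass", "tcp/udp", "*", "25", "Allow WAN SMTP"),
    Rule("pass", "udp", "*", "123", "Allow WAN NTP"),
    Rule("pass", "icmp", "*", "*", "Allow Ping"),
    Rule("pass", "tcp/udp", "192.168.10.25", "*", "Allow Only Lafoffice01"),
]
ORIGINAL = [BLOCK_ALL] + ALLOWS    # block at the top, as first posted: nothing below it is reached
CORRECTED = ALLOWS + [BLOCK_ALL]   # block moved to the bottom, as CeilingKitten suggests

if __name__ == "__main__":
    pkt = ("tcp", "192.168.10.25", 443)  # constructed: the client opening an HTTPS connection
    print(evaluate(ORIGINAL, *pkt))      # ('block', 'Block WAN ALL')
    print(evaluate(CORRECTED, *pkt))     # ('pass', 'Allow Only Lafoffice01')
    print(evaluate(CORRECTED, "tcp", "192.168.10.7", 123))  # NTP rule is UDP only -> blocked
```

Removing BLOCK_ALL entirely gives the same result for the unmatched packet, which is why the explicit block at the bottom is mainly documentation of the default.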