Netgate Discussion Forum
    Firewall block all rules

    Firewalling
    • onkeldave83

      Hello, my rules are:

      Proto     Source          Port  Destination  Port  Gateway  Schedule  Description
      *         *               *     *            *     *                  Block WAN ALL
      TCP/UDP   *               *     *            6666  *                  OpenVPN
      TCP/UDP   *               *     *            3333  *                  NAT Squid Port Forward
      TCP/UDP   *               *     *            110   *                  Allow WAN POP
      TCP/UDP   *               *     *            995   *                  Allow WAN POP SSL
      TCP/UDP   *               *     *            143   *                  Allow WAN IMAP
      TCP/UDP   *               *     *            993   *                  Allow WAN IMAP SSL
      TCP/UDP   *               *     *            25    *                  Allow WAN SMTP
      TCP/UDP   *               *     *            465   *                  Allow WAN SMTP SSL
      TCP/UDP   *               *     *            587   *                  Allow WAN SMTP TLS
      TCP/UDP   *               *     *            21    *                  Allow WAN FTP
      UDP       *               *     *            123   *                  Allow WAN NTP
      ICMP      *               *     *            *     *                  Allow Ping
      TCP       *               *     *            4804  *                  Allow BunkerTV Radio
      TCP/UDP   192.168.10.25   *     *            *     *                  Allow Only Lafoffice01


      Why does the firewall block me?
      I am the client 192.168.10.25.

      Thanks for the help!

      • jabalv

        Are these rules under the Firewall->Rules->WAN tab?

        I have a similar problem. I want to block all traffic from the WAN and just allow some things. In my case I think the problem is with the (Block private networks and Block bogon networks) checkboxes under the Interfaces->WAN tab!

        • onkeldave83

          Yes, I agree with your last point, but I have disabled that blocking option! (disabled: block bogon networks)

          My first block rule = block all

          and the last one should let me in, but everything is blocked .... why?

          I have this rule for LAN and WAN:
          first: block any any any any
          and the last rule is set for a client IP: tcp/udp all free
          but the client can't connect to anything!!! :(
          What am I doing wrong?

          (Do I have to set all protocols for 192.168.10.25 so that this client can access?)

          • onkeldave83

            How did you achieve that no one other than your network can access?

            Thanks for helping me!

            • jabalv

              1.) Try using TCP, not TCP/UDP, on those kinds of ports like POP, SMTP, FTP, etc.
              2.) Allow these ports on the Firewall->Rules->LAN tab and remove them from the WAN tab; for WAN only set a BLOCK rule for all ports and maybe later some other things like HTTPS management of your router.

              And maybe take a look at this page: http://doc.pfsense.org/index.php/Example_basic_configuration

              Best wishes, Janis!

              • jammcla

                Remember that rules are resolved top down. So rules that are at the top will take priority over the ones at the bottom of the list.

                • onkeldave83

                  Cool, this is very good news!!

                  firewall rules:
                  top = high priority
                  bottom = low priority

                  And this tutorial for outbound LAN rules is very good; is there one for WAN?

                  Do I only have to set HTTP and HTTPS for WAN?
                  What about IMAP, POP3 and SMTP? Only in the LAN rules?!

                  Thanks for helping me understand pfSense ;)

                  BIG THX

                  • jabalv

                    I can show how I do that; I actually don't know if this is right, but I have it like this:

                    In LAN -> ALLOW FROM LAN SUBNET TO Destination PORT -> HTTP, HTTPS, POP, SMTP, SSH, FTP and so on.
                    In WAN -> ALLOW Management from WAN (HTTPS) from a specified IP and THEN a BLOCK ALL rule. And I'm planning to put more rules here for port forwarding.

                    • onkeldave83

                      Alright.... that's good!

                      But why set internet rules on the LAN interface?
                      The WAN has access to the internet....

                      Can you explain it to me?

                      • jabalv

                        1.) When you don't have any firewall rules under the LAN interface, then everything from the LAN interface is blocked. It looks like no rules in LAN means everything is blocked in LAN.

                        2.) Actually, I don't know. But I think it's good to do it on the LAN interface if you use multiple LAN interfaces. For example, you have LAN1 (192.168.1.1/24) and LAN2 (192.168.10.1/24) and you want to allow mail (POP and SMTP) ports only on the LAN2 interface.

                        Don't take me seriously, because I just tested and discovered all this :) So I'm not a big expert on this :)

                        Cheers, Janis!

                        • CeilingKitten

                          The rules take priority from the TOP to the bottom, so "Block * WAN *" will refuse any allows that appear after it. To fix this, move your block statement to the very bottom of your list, and all will be fixed.

                          Change your rules to look like this:

                          Proto     Source          Port  Destination  Port  Gateway  Description
                          TCP/UDP   *               *     *            6666  *        OpenVPN
                          TCP/UDP   *               *     *            3333  *        NAT Squid Port Forward
                          TCP/UDP   *               *     *            110   *        Allow WAN POP
                          TCP/UDP   *               *     *            995   *        Allow WAN POP SSL
                          TCP/UDP   *               *     *            143   *        Allow WAN IMAP
                          TCP/UDP   *               *     *            993   *        Allow WAN IMAP SSL
                          TCP/UDP   *               *     *            25    *        Allow WAN SMTP
                          TCP/UDP   *               *     *            465   *        Allow WAN SMTP SSL
                          TCP/UDP   *               *     *            587   *        Allow WAN SMTP TLS
                          TCP/UDP   *               *     *            21    *        Allow WAN FTP
                          UDP       *               *     *            123   *        Allow WAN NTP
                          ICMP      *               *     *            *     *        Allow Ping
                          TCP       *               *     *            4804  *        Allow BunkerTV Radio
                          TCP/UDP   192.168.10.25   *     *            *     *        Allow Only Lafoffice01
                          *         *               *     *            *     *        Block WAN ALL

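The ordering point made by jammcla and CeilingKitten above, and jabalv's note that an interface with no rules blocks everything, can be checked mechanically. The script below is an added example, not part of this thread and not pfSense code: it models pfSense-style first-match evaluation (a rule matches, evaluation stops; no match means the implicit default deny) over a simplified rule shape (protocol, source, destination port only). The rule list is reconstructed from the thread; the host 203.0.113.7 is a constructed sample. It also includes a small "shadowed rule" check that flags any rule fully covered by an earlier one, which is what a block-all at the top does to every allow below it.

```python
# Added example: first-match rule evaluation and a shadowed-rule check.
# Simplified model of pfSense rule ordering, not the pf/pfSense engine itself.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"
    proto: str      # "TCP", "UDP", "TCP/UDP", "ICMP" or "*"
    src: str        # source address or "*"
    dst_port: str   # destination port or "*"
    desc: str

    def _protos(self) -> set:
        return set(self.proto.split("/"))

    def matches(self, proto: str, src: str, dst_port: Optional[int]) -> bool:
        """Does this rule match a single packet?"""
        if self.proto != ANY and proto not in self._protos():
            return False
        if self.src != ANY and self.src != src:
            return False
        if self.dst_port != ANY and self.dst_port != str(dst_port):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is also matched by self.
        An earlier rule that covers a later one makes the later one unreachable."""
        proto_ok = self.proto == ANY or (
            other.proto != ANY and other._protos() <= self._protos())
        src_ok = self.src == ANY or self.src == other.src
        port_ok = self.dst_port == ANY or self.dst_port == other.dst_port
        return proto_ok and src_ok and port_ok


def evaluate(rules: List[Rule], proto: str, src: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule wins. No match: pfSense's implicit default deny,
    which is why an interface with no rules at all blocks everything."""
    for rule in rules:
        if rule.matches(proto, src, dst_port):
            return rule.action, rule.desc
    return "block", "default deny"


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """List (unreachable rule, earlier rule that covers it) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.desc, earlier.desc))
                break
    return found


def _allow(proto: str, port, desc: str, src: str = ANY) -> Rule:
    return Rule("pass", proto, src, str(port), desc)


# Rule list as posted in the thread (constructed here from the table above).
ALLOW_RULES = [
    _allow("TCP/UDP", 6666, "OpenVPN"),
    _allow("TCP/UDP", 3333, "NAT Squid Port Forward"),
    _allow("TCP/UDP", 110, "Allow WAN POP"),
    _allow("TCP/UDP", 995, "Allow WAN POP SSL"),
    _allow("TCP/UDP", 143, "Allow WAN IMAP"),
    _allow("TCP/UDP", 993, "Allow WAN IMAP SSL"),
    _allow("TCP/UDP", 25, "Allow WAN SMTP"),
    _allow("TCP/UDP", 465, "Allow WAN SMTP SSL"),
    _allow("TCP/UDP", 587, "Allow WAN SMTP TLS"),
    _allow("TCP/UDP", 21, "Allow WAN FTP"),
    _allow("UDP", 123, "Allow WAN NTP"),
    Rule("pass", "ICMP", ANY, ANY, "Allow Ping"),
    _allow("TCP", 4804, "Allow BunkerTV Radio"),
    Rule("pass", "TCP/UDP", "192.168.10.25", ANY, "Allow Only Lafoffice01"),
]
BLOCK_ALL = Rule("block", ANY, ANY, ANY, "Block WAN ALL")

ORIGINAL = [BLOCK_ALL] + ALLOW_RULES   # block at the top, as first posted
FIXED = ALLOW_RULES + [BLOCK_ALL]      # block at the bottom, as suggested

if __name__ == "__main__":
    client = "192.168.10.25"
    print("original:", evaluate(ORIGINAL, "TCP", client, 80))
    print("fixed:   ", evaluate(FIXED, "TCP", client, 80))
    print("other host, SMTP:", evaluate(FIXED, "TCP", "203.0.113.7", 25))
    print("other host, HTTP:", evaluate(FIXED, "TCP", "203.0.113.7", 80))
    print("no rules at all: ", evaluate([], "TCP", client, 80))
    print("unreachable rules in original list:", len(shadowed(ORIGINAL)))
    print("unreachable rules in fixed list:   ", len(shadowed(FIXED)))
```

With the block-all first, every one of the 14 allow rules is reported as unreachable and the client's traffic hits "Block WAN ALL"; with the block moved to the end, the client passes on the Lafoffice01 rule, an unrelated host still passes only on the listed ports, and nothing is shadowed. The empty-list case shows the default deny jabalv describes for a LAN tab with no rules.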
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.