Pfsense open ports [SOLVED]

vorgusa · Mar 3, 2011, 6:45 PM

here is that file

jimp · Mar 3, 2011, 8:08 PM

pass  in  quick  on $WAN reply-to ( re0 x.x.x.x )  proto TCP  from any to x.x.x.x keep state  label "USER_RULE: OpenVPN Home wizard"

There is no port on that rule for OpenVPN - so it's letting all TCP traffic in to your WAN IP.

Did you alter that rule?

vorgusa · Mar 3, 2011, 8:15 PM

Nope I did not, both times I just let the wizard create the rule (USER_RULE: OpenVPN Home wizard) and did not alter it. I will check on it when I get home

vorgusa · Mar 3, 2011, 8:20 PM

the screenshot I put of my rules page clearly has port 443 on it before hand. That would be the port you were talking about in the previous line? why would the port be listed there but not in the rules.debug?

jimp · Mar 3, 2011, 8:44 PM

ok, edit and save your OpenVPN rule, see if that fixes it. Make sure to re-select UDP as the protocol if it's supposed to be UDP and not TCP.

I fixed a bug with the wizard earlier today that was apparently causing this to happen, too.

The protocol (TCP or UDP) was getting into the rule as upper case, not lower case, and the port was being left off because it didn't match "tcp" or "udp".

Anyone on a new snap should be OK though. At least the next new one.

vorgusa · Mar 3, 2011, 8:36 PM

Just attached part of the config.xml If I change the 3rd one to match the other two and then restart my box, would that fix the problem? /cf/conf/config.xml

rules.txt

vorgusa · Mar 3, 2011, 8:39 PM

I am using TCP and I just upgraded to the newer snapshot a little while ago hoping it would fix the problem, but guess we nailed it down to that rule.

jimp · Mar 3, 2011, 8:45 PM

Just edit and save the rule - no need to alter config.xml

The problem is this:

<protocol>TCP</protocol>

Needs to be:

<protocol>tcp</protocol>

vorgusa · Mar 3, 2011, 8:50 PM

:( cant get into the web interface now. Guessing thats a good thing since its open to the world, lol

vorgusa · Mar 3, 2011, 11:41 PM

hmmm ok, so where can I edit and save the rule.. is the rule.debug file going to be persistent?

jimp · Mar 3, 2011, 11:44 PM

Edit the OpenVPN rule on Firewall > Rules on the WAN tab - edit that, save, and it should fix itself.

Or update once the next snapshot uploads, I committed a couple different protections against this.

vorgusa · Mar 4, 2011, 1:33 AM

Worked like a charm.. I got someone to run nmap on the IP and the firewall is back up. Thanks for your help! Did you guys find a bug in the Wizard?

jimp · Mar 4, 2011, 1:41 AM

Yeah, it was a problem in the wizard:

https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/6be90004d477bd74c5610ae341aae3ae9fcc9281

But I added some extra protection so that on future snapshots even people who have the 'bad' rules won't be harmed by it:
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/06b3df52262764723289a3ac65c3a7c05a8a8f4c
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/7ec0e6e2f5206d750a6c00d598700836a57d056f