Help with Firewall Rules
-
Please post a screenshot of your firewall rule(s).
By the way. If there isn't any visible rule on the firewall then there is still a default BLOCK rule. There is always a default BLOCK rule at the end of every firewall list but not visible.
Please provide a screenshot and tell us what you want to realize.
-
Guys thanks for your help!
I purchased the book and have done alot of reading with this and your guys help I starting to understand how everything works!
I still have an issue I don't understand. The Default Lan rule is basically set to allow everything. I'm working on trimming this down, to only pass what I need. But, I've run into a problem. Of course if I disable this it shuts down the Lan from accessing anything, OK, but I have added rules for HTTP, HTTPS, and it still won't allow an internet connecting, I applied the changes and reset the states, still nothing, I continued adding Protocals and ports until I had a long list and still no connection. After disabling all the new rules and enabling the default rule everything works again. What am I missing!
Rules used
TCP
LAN net
80 (HTTP)
*
*
*
none
TCP 80 (HTTP) from LAN subnet to anywhere
–------------------------------------------------------
TCP
LAN net
443 (HTTPS)
*
*
*
none
TCP 443 (HTTPS) from LAN subnet to anywhere
TCP
LAN net
21 (FTP)
*
*
*
none
TCP 21 (FTP) from LAN subnet to anywhereNone of these worked, I had to go back to the default rule to gain internet access.
Default Lan rule
LAN net
*
*
*
*
none
Default allow LAN to any rule -
Please post a screenshot of your firewall rule(s).
By the way. If there isn't any visible rule on the firewall then there is still a default BLOCK rule. There is always a default BLOCK rule at the end of every firewall list but not visible.
Please provide a screenshot and tell us what you want to realize.
In work!
-
Firewall Rules Images attached.
-
Just took a shot look on the screens.
All your rules are "wrong". You have to use the ports in DESTINATION PORT.
If you establish a connection to a webserver you start the connection with destination IP and destination port (80). Then the webserver answers you on your source port. But this source port is randomly generated.
So correct your rules - I will have a look on them again and post back if I found more "errors" ;)
Please post back if it works. -
Just took a shot look on the screens.
All your rules are "wrong". You have to use the ports in DESTINATION PORT.
If you establish a connection to a webserver you start the connection with destination IP and destination port (80). Then the webserver answers you on your source port. But this source port is randomly generated.
So correct your rules - I will have a look on them again and post back if I found more "errors" ;)
Please post back if it works.If I understand you, you mean for instance the Source HTTP port 80, should also read Destination HTTP port 80?
-
All your rules with destination "WAN net" are unneccessary. You do not need to block ports if they are not allowed by default.
Your intention is to only allow special ports like FTP (21), http(80), https(443), you need DNS (53). So if you only allow these few ports, than there is no need to block these ports. If they aren't allowed they are blocked.
The block rule OPT1 subnet to LAN subnet, this is useful.
-
SOURCE Port ist in nearly 99.999% of all scenarios "any" " * "
Just move your ports from "source" to destination. -
SOURCE Port ist in nearly 99.999% of all scenarios "any" " * "
Just move your ports from "source" to destination.If I have it correct, I still have no access.
 -
(…)
Your intention is to only allow special ports like FTP (21), http(80), https(443), you need DNS (53). So if you only allow these few ports, than there is no need to block these ports.
(…) -
(…)
Your intention is to only allow special ports like FTP (21), http(80), https(443), you need DNS (53). So if you only allow these few ports, than there is no need to block these ports.
(…)Yes, I miised DNS 53 on the screen shot, but it has been added and still no connection.
-
Still no connection.
 -
change destination IP "WAN net" to any.
DNS works with TCP,too, but in general it uses UDP.
If you like to ping servers on the internet, you need to allow ICMP.
-
change destination IP "WAN net" to any.
DNS works with TCP,too, but in general it uses UDP.
If you like to ping servers on the internet, you need to allow ICMP.
"BINGO" it worked, I can't thank you enough for taking the time to help me, Thanks! I changed DNS to TCP/UDP or should it just be UDP? And concerning the ICMP should that be setup the same as the other rules? Also whats is the best order to have these in or soes it matter for these specific rules?
Thanks again!
-
Hi,
ICMP is setup as the other rules. ICMP is something "special". ICMP is not using ports. just chose protocol: ICMP and source/destination IP "any".
an additional port for FTP is port 20 TCP.
for getting e-mails via an e-mail client like outlook you need additional ports for POP3 and SMTP (check google or wikipedia for the ports).
To make it easier for you to maintain your rules you could create an alias.
create a Port-Alias e.g. called "InternetPorts" and then put all your ports in this alias.
after this create a rule with protocol "TCP/UDP", source/destination IP: any, source port: any and destination port your Alias "InternetPorts". So you only have to maintain one or two firewall rules instead of many. And if you need more ports like for gaming you can put them into the alias and thats all.But this is up to you. The order of the rules in your case is unneccessary.
–--edit----
Again to your son. If he is playing many online games than there will be many ports you need to allow. This will be some work to do. Finding the ports the game uses and so on. If he is using a VoIP software like skype or TeamSpeak there are surely additional ports to open. But so you can check what he is playing and which software he is using ;-)
And as I told you in some posts before - a virus or trojan is using common ports like port 80 or port 443 which aren't blocked in most environments - and aren't in yours, too.Separating the networks is a really good solution. Only allowing some ports is the best you can do but takes the moste time to configure and maintain.
-
Thanks for your help, it not only solved my problem but also educated me on the proper use of the Firewall rules. If you ever need a port list look at the link below they have a "HUGE" list of Games and application port list.
http://portforward.com/cports.htm
-
Great!
As you can see there. There are many games (Battlefield" and so on which are using ports 80 and 443 to establish their connection because the developers know that most of the other ports are blocked.
This is the same as "virus-developers" think ;-) -
Great!
As you can see there. There are many games (Battlefield" and so on which are using ports 80 and 443 to establish their connection because the developers know that most of the other ports are blocked.
This is the same as "virus-developers" think ;-)I know this isn't the proper thread but, you are very knowledgable. Have you got SNORT and HAVP antivirus to work correctly in vs 2.0 RC3? Everytime I have tried either of them the both cause issues with the system or don't properly work at all.
-
Hi,
I do not use SNORT or HAVP. I know that snort isn't easy to configure and not so many people are using it because of its complexity.
HAVP shouldn't be so hard to configure but I do not have any pfsense box here to test.
So the best way would be that you create a new thread and asking for help to configure HAVP and then someone who knows HAVP can help you or you provide screenshots of the configration pages so that we can help you with this.