Block rule (simple…) help wanted
-
So for states and schedules by default, at least in 2.1 under advanced misc there is this check box, which is off by default
By default schedules clear the states of existing connections when the expiration time has come. This option overrides that behavior by not clearing states for existing connections.
So when your schedule to allow expires - all states should be cleared, and since that rule is now not allowed no new states should be able to be created until the schedule allows it again. So you should be good from a states point of view
Your rules are still wrong. As stated above you normally never assign source ports, you never know what source port an application will be using, it's normally random above 1023. Should have pointed that out to you before, but since I showed you exactly how the rules should look ;)
-
Thank you,
So, I should permit -any- to -my desired- ports?
Best regards
Kostas
The Source Port should be * (Any) just like the rest of your rules.
-
Thanks John,
They are still wrong indeed, I haven't touched them yet…
;D
-
So, here are my revised rules.
Clients can access the Internet, but they can also access other services, which they should not (I have permitted only ports 80, 443 and 53 in the Aliases).
I have to mention that I haven't cleared the states. Is that the reason that they can access ports that they should not?
If I disable the pass rule, then the clients cannot use the ports mentioned (80, 443 and 53), but can use any other port.
Best regards
Kostas
(screenshot attachment: Screen Shot 2013-05-08 at 19.30.45.png)
-
Do you have rules below there? And what does your source alias Mikrotik consist of?
By default there should be a default BLOCK.. So if you're saying stuff is still getting out - then I would have to assume you have some rule they are matching below what you posted, or there is a current state allowing it.
-
Thank you,
Below is my setup and another image with all my LAN rules.
Mikrotik has two interfaces, one for each network.
When do the states get cleared?
Best regards
Kostas
-
Are these your current rules??
You have webports as source for your allow rule there for mikrotik - there is like almost never a time that you setup a source port in a rule.. And only to pfsense lan address?? When is that going to happen when they want to access the web gui of pfsense..
What happened to your deny all for mikrotik??
I didn't ask how many interfaces your mikrotik had – I asked what is in the alias?? Your mikrotik is doing NAT -- so your source IP should be from your drawing 192.168.0.244, use the IP vs an alias - for all I know your alias is not resolving, etc.
-
The shot from the LAN rules was the old one (with the source ports).
Here is the correct one.
Yes, the Alias is the IP of the Mikrotik for the network that I need to protect (192.168.0.244).
I will remove the alias and use the IP instead, if this is better.
Best regards
Kostas
-
Still shows your alias vs actual IP.. And since you have a default allow at the bottom - if your alias is not correct or doesn't match for some reason when it hits the bottom it would be allowed out.
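Added example, not part of the thread: a first-match evaluator modelled on pfSense interface rules, to show concretely why a pass rule keyed on the *source* port never matches ordinary client traffic (clients use ephemeral ports above 1023), and why a blanket allow at the bottom of the list then lets that traffic out. The aliases, rule labels, addresses and packets below are constructed for the demonstration and are not the thread's screenshots.

```python
# Added example (not from the thread): a first-match evaluator for
# pfSense-style interface rules. Aliases, rule labels and packets are
# constructed; 203.0.113.10 is a documentation address standing in for
# "some Internet host".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

ANY = "*"

# Constructed aliases. In pfSense an alias name in a rule expands to its members.
ALIASES: Dict[str, Set[str]] = {
    "webports": {"80", "443", "53"},
    "Mikrotik": {"192.168.0.244"},
    "LAN net": {"192.168.0.0/24"},
}


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    proto: str       # "tcp", "udp", "tcp/udp" or "*"
    src: str         # IP, CIDR, alias name or "*"
    src_port: str    # port, alias name or "*"
    dst: str
    dst_port: str
    label: str


def _members(token: str) -> Set[str]:
    """Expand an alias name to its members; a literal value is its own member."""
    return ALIASES.get(token, {token})


def host_matches(token: str, ip: str) -> bool:
    if token == ANY:
        return True
    addr = ip_address(ip)
    return any(
        addr in ip_network(m, strict=False) if "/" in m else addr == ip_address(m)
        for m in _members(token)
    )


def port_matches(token: str, port: int) -> bool:
    if token == ANY:
        return True
    return port in {int(p) for p in _members(token)}


def rule_matches(rule: Rule, pkt: dict) -> bool:
    proto_ok = rule.proto == ANY or pkt["proto"] in rule.proto.split("/")
    return (
        proto_ok
        and host_matches(rule.src, pkt["src"])
        and port_matches(rule.src_port, pkt["sport"])
        and host_matches(rule.dst, pkt["dst"])
        and port_matches(rule.dst_port, pkt["dport"])
    )


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """First matching rule decides (pfSense rules are 'quick'); with no
    match the interface's implicit default deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


# The mistaken rule set: source port restricted to webports, with a blanket
# allow underneath it.
WRONG_RULES = [
    Rule("pass", "tcp/udp", "Mikrotik", "webports", ANY, ANY, "allow Mikrotik (source port!)"),
    Rule("pass", ANY, "LAN net", ANY, ANY, ANY, "default allow LAN to any"),
]

# The corrected rule set: source port any, destination port restricted,
# then an explicit deny for the Mikrotik address before the general LAN allow.
FIXED_RULES = [
    Rule("pass", "tcp/udp", "192.168.0.244", ANY, ANY, "webports", "allow Mikrotik to web ports"),
    Rule("block", ANY, "192.168.0.244", ANY, ANY, ANY, "deny everything else from Mikrotik"),
    Rule("pass", ANY, "LAN net", ANY, ANY, ANY, "default allow LAN to any"),
]

# Constructed packets. Client source ports are ephemeral (above 1023).
AFP_PACKET = {"proto": "tcp", "src": "192.168.0.244", "sport": 51234,
              "dst": "203.0.113.10", "dport": 548}
HTTPS_PACKET = {"proto": "tcp", "src": "192.168.0.244", "sport": 51235,
                "dst": "203.0.113.10", "dport": 443}
OTHER_LAN_HOST = {"proto": "tcp", "src": "192.168.0.50", "sport": 40000,
                  "dst": "203.0.113.10", "dport": 548}

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_RULES), ("fixed", FIXED_RULES)):
        for pkt in (AFP_PACKET, HTTPS_PACKET, OTHER_LAN_HOST):
            print(name, pkt["src"], "-> port", pkt["dport"], evaluate(rules, pkt))
```

With WRONG_RULES the AFP packet slips past the source-port rule and is passed by the bottom allow; with FIXED_RULES it hits the explicit block while port 443 is still passed and other LAN hosts are unaffected. Note this only models traffic that actually traverses the pfSense LAN interface; it says nothing about traffic the Mikrotik routes between its own two interfaces.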
-
I have changed it now, but I am sure it does resolve fine.
So, maybe I am doing it wrong, but here is how I check:
I am checking port 548 TCP (AFP) from a machine of the 192.168.1.x network to a machine in the 192.168.0.x network, in order to see if blocking works, and since we have allowed only 80, 443 and 53, it is supposed to not have access.
But it has.
Kostas
-
You're not checking right.. pfsense has nothing to do with your access from mikrotik to 192.168.0.x/24 that rule would have to be put on the mikrotik.
The only time your pfsense rule would come into play is when you're using it as gateway off the 192.168.0 - so you're on the 192.168.1.x and gateway off that is your mikrotik router.. and you're trying to go to 192.168.0 – says great I have interface in that network and sends the packets on. Pfsense is not aware of that traffic at all. Pfsense is only aware of traffic that is trying to leave the 192.168.0 network or is directed to its address on the 192.168.0.
-
Thank you,
So this clarifies the thing. I thought that, since Mikrotik has pfsense as its gateway, pfsense could "filter" the traffic from its ip to the mikrotik ip. If mikrotik was out of the equation, and had two "LAN" interfaces in the pfsense, I guess I could filter the traffic between those two?
Best regards
Kostas
-
Exactly, if you had 192.168.0 on 1 and 192.168.1 on the other so that pfsense is router between the segments - then sure you could filter traffic between those 2 segments.