Netgate Discussion Forum
    Block TCP 445 in LAN out WAN2

    • doktornotor

      Yeah when you don't want two networks to talk over SMB you need the block rule on both interfaces, with the opposite subnet as destination.

      • rsweb99

        In an effort to be more clear, what do you call a "remote network" that is not the internet?

        Diagram:

        PFSENSE
        [LAN] <--------->  /--------------/ <-------> [WAN]
          172.16.0.0      /                  /
                                  /--------------/  <-------> [WAN2] 10.10.10.34  <--> [ROUTER]  <---> 172.18.0.0/22
                                                                                        10.10.10.36            REMOTE SITE

        • rsweb99

          Testing…

          • rsweb99

            WAN2 (-> REMOTE SITE) interface rules

            ID     Proto     Source  Port  Destination  Port         Gateway  Queue  Schedule  Description
            BLOCK  IPv4 TCP  *       *     *            445 (MS DS)  *        none             Block Inbound Destination 445 From ALL
            ALLOW  IPv4 *    *       *     *            *            *        none             Allow all traffic to and from other

            Still not blocking...

            • doktornotor

              1/ You need this on BOTH interfaces.
              2/ You need to reset the states (or reboot the firewall box if unable to find the button to do so).

              If you think it's still not blocked then stick logging on the rules and look at the firewall logs.

              P.S. Learn to produce screenshots instead of broken ASCII art.

              • rsweb99

                Will provide screen shots from now on, did not know I could do that.

                I will Reset states again…

                • rsweb99

                  First of all I want to thank Doktornotor for pointing out the System, States page (and the ability to reset them); this was causing me false positives in my earlier testing.

                  Second, I want to thank Mer for laying out the stateful blocking logic as it related directly to my situation, which helped me see the initial incoming connection.

                  After I added the correct rule, above, I did not reset the states, so it did not block.

                  Thank you, guys, the blocking is working.

                  Also, there was one thing I did not understand/anticipate with MS SMB: after port 445 was blocked, the workstation decided to change to port 139, so my block worked, but my test failed as the file transfer was still going on. Once I blocked 445 and 139 TCP, all worked/blocked, which is what I wanted.

                  Thank You!

                  • doktornotor

                    Honestly, if this Windows NetBIOS/file sharing stuff is undesired, block 135-139 and 445, TCP/UDP.

                    • johnpoz (LAYER 8 Global Moderator)
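The three lessons in this thread (an added block rule does nothing to connections that already have a state until states are reset, blocking 445 alone lets Windows fall back to 139, and a block on LAN never sees traffic the remote site initiates through WAN2) can be reproduced with a small model of pfSense's stateful, first-match filtering. This is an added example, not code from the thread or from pfSense; the interface names follow the OP's diagram and the flows are constructed.

```python
# Added example, not from the thread: a toy model of pfSense's stateful first-match
# filtering that reproduces what the OP saw (interface names follow the thread).
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Set

SMB_PORTS = {135, 136, 137, 138, 139, 445}  # doktornotor's NetBIOS/file-sharing set
Flow = namedtuple("Flow", "iface proto dport")  # iface: where it ENTERS pfSense ("LAN"/"WAN2")

@dataclass
class Rule:
    action: str  # "block" or "pass"
    iface: str
    proto: str = "any"  # "tcp", "udp" or "any"
    dports: Optional[Set[int]] = None  # None means any destination port
    def matches(self, f: Flow) -> bool:
        return (f.iface == self.iface and self.proto in ("any", f.proto)
                and (self.dports is None or f.dport in self.dports))

class StatefulFirewall:
    """States before rules (pf); first-match per interface; unmatched = default deny."""
    def __init__(self, rules):
        self.rules, self.states = rules, set()
    def handle(self, f: Flow) -> str:
        if f in self.states:  # existing state: the ruleset is never consulted
            return "pass (existing state)"
        for r in self.rules:
            if r.matches(f):
                if r.action == "pass":
                    self.states.add(f)  # only pass rules create states
                return r.action
        return "block (default deny)"

def demo() -> dict:
    fw = StatefulFirewall([Rule("pass", "LAN"), Rule("pass", "WAN2")])  # OP's allow-all rules
    smb = lambda iface, port: Flow(iface, "tcp", port)  # "LAN" = workstation-initiated
    out = {"transfer_running": fw.handle(smb("LAN", 445))}  # state created while allowed
    fw.rules.insert(0, Rule("block", "LAN", "tcp", {445}))  # OP's first fix, no state reset
    out["rule_added_no_reset"] = fw.handle(smb("LAN", 445))  # still passes on the old state
    fw.states.clear()  # Reset States, as doktornotor advised
    out["after_reset"] = fw.handle(smb("LAN", 445))
    out["fallback_139"] = fw.handle(smb("LAN", 139))  # Windows retried on 139: not covered
    fw.rules[0] = Rule("block", "LAN", dports=SMB_PORTS)  # full set, TCP and UDP
    fw.states.clear()  # every rule change needs a reset to drop states it should now block
    out["fallback_139_blocked"] = fw.handle(smb("LAN", 139))
    out["remote_initiates"] = fw.handle(smb("WAN2", 445))  # a LAN rule never sees this
    fw.rules.insert(0, Rule("block", "WAN2", dports=SMB_PORTS))  # "on BOTH interfaces"
    fw.states.clear()
    out["remote_blocked"] = fw.handle(smb("WAN2", 445))
    return out
```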

                      guess I don't get any love for pointing out his rule was backwards.. ;)

                      • mer

                        John, you have to let some of us catch up in karma first :)

                        OP:
                        Don't forget that all the ports should have a default deny as the first thing (it's there already; you don't have to add it). This makes it really nice: if everything is blocked by default, then you have a smaller list of "allow this". It feels backwards (like an old HP RPN calculator) but it makes things a lot easier on you. On my setup I have 7 TCP services plus 3 UDP allowed, a lot simpler than "need to block this, block that, crap, missed that one". There may be a few things I could add, but so far no one has complained.
