Pfsense 2.2.4 absolute nightmare with firewall rules
-
Floating rules are normally applied to all interfaces; if you want it only on the WAN, why are you putting it in floating? Why would your pfsense ports even be allowed on WAN anyway and need a specific floating rule to supersede it?
-
I just implemented the extra security for pfsense admin ports from jflsakfja's post (I am not using the pfsense admin default ports):
https://forum.pfsense.org/index.php?topic=78062.0
Is it not correct?
What problem can this cause in my implementation?
What are suggestions to fix it if wrong?
-
Well I stopped reading that thread because of all the mistakes in the first post. He clearly states right up front to do this on floating:
Next up Floating tab:
Set up a rule but make these changes:
Action Block
Quick TICKED!!!
Interface Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
Direction any
Source any
Destination any
While it says to not have it apply to LAN.. And even if you read the clarification later in the thread, it's only supposed to be for pfsense ports. You just blocked your own access to any of those ports on the internet you're using for admin, or on any of your other interfaces.
While I believe the intentions were all the best.. Unless you fully understand what you're doing, trying to follow such a thread is going to cause most users nothing but problems.
For starters, why are you blocking both inbound and outbound on all interfaces? WAN blocks all inbound out of the box, and any other interface you bring up will block everything inbound as well. The only out-of-the-box interface that allows all is LAN. And the only reason for this is that if they didn't do that, most users wouldn't be able to get pfsense even up and running.
Floating rules are looked at first!! So with such a rule, what if you want to access a port on machine X in LAN 1 from a machine in LAN 2 on one of those ports you're using for the admin of pfsense? And in his first post he says ANY as dest, not your alias. This is a HUGE mistake that could break your connectivity to anything..
https://doc.pfsense.org/index.php/What_are_Floating_Rules
Floating Rules are parsed before rules on other interfaces. Thus, if a packet matches a floating rule and the Quick option is active on that rule, pfSense will not attempt to filter that packet against any rule on any other group or interface tab.
So right out of the gate he is setting you up to crash and burn.. You can put any rules you want on another interface - floating is looked at first! and would block your access. And the way that first post is written, with dest ANY, you just blocked access to everything!! in and out! except for the LAN interface. But let's say you're using port 2222 for ssh, as he suggests not using the standard ports so you can get some security through obscurity - which is not true; there is no such thing as security through obscurity, plain and simple. You might use it to help keep noise out of your logs - but obscurity is not a valid security principle!!
So back to our example: say 2222 was your admin port, what if a user on LAN2 wants to access something on this port on the internet? And you allow any any on LAN2 to the internet. Well, you just blocked it with that floating rule.. Does not matter what rule you put on LAN 2, since your floating rule blocks access to those ports. And the way it's written in the first post, you just broke access to EVERYTHING with that rule!!
And he makes it clear that rule should always be on TOP of the floating tab; thought you were following that as your setup guide? Why do you have the rule on the bottom?
What I would suggest is you go back to the BASIC rules of pfsense out of the box, and then work on the things you want to block 1 at a time, fully understanding the rule you're putting in place. If you have questions on how to block something specific then ask. But asking what is wrong with your setup while showing such a hodgepodge of rules is not going to get you much help - sorry!
-
Well I stopped reading that thread because of all the mistakes in the first post. He clearly states right up front to do this on floating
That post has already confused about a zillion users because the logic there makes your head spin…
To block access to WebGUI/SSH ports:
- Set up a ports alias (which you seem to have already done)
- Create a block rule on top of all other rules on each interface you want to restrict, with destination set as "This Firewall" and "Destination port range" being that alias. Make sure you do NOT block this at least on your trusted LAN (or any other management interface of your choice). And/or, tick the "Anti-lockout" checkbox.
This way, you can immediately see what's configured where. The floating rule, even if set correctly, is confusing like hell. Unless you have a zillion of interfaces, avoid it.
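To make the ordering argument from the two replies above concrete, here is a small added Python model of pf-style rule evaluation. It is a constructed example, not pfSense code and not from anyone in this thread; the interface names, the 192.168.x.x/203.0.113.x addresses, the "admin_ports" alias (2222, 443) and the "This Firewall" address set are all assumptions. It shows why a floating "block quick, dest any" rule on every non-LAN interface overrides whatever you allow on the LAN2 tab, while the per-interface block on "This Firewall" plus the admin-ports alias only stops traffic aimed at the firewall itself.

```python
"""Toy model of pfSense rule ordering (constructed example, not pfSense code).

Floating rules are walked first; a floating match with Quick ends evaluation.
Interface-tab rules are first-match (pfSense adds quick to them). If nothing
matched, a non-quick floating match decides; otherwise the default is block.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ADMIN_PORTS = {2222, 443}                        # constructed alias "admin_ports"
# constructed "This Firewall" set: the firewall's own addresses on each interface
THIS_FIREWALL = {"192.168.22.1", "192.168.23.1", "192.168.222.1", "198.51.100.2"}


@dataclass
class Packet:
    iface: str        # interface the packet arrives on (LAN1, LAN2, GUESTS, WAN)
    direction: str    # "in" or "out" relative to that interface
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    tab: str                                   # "floating" or an interface name
    action: str                                # "pass" or "block"
    ifaces: set = field(default_factory=set)   # floating only: interfaces selected
    direction: str = "any"
    src: str = "any"
    dst: str = "any"                           # "any", "this_firewall", or a CIDR
    dports: Optional[set] = None               # None = any destination port
    quick: bool = False


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "this_firewall":
        return addr in THIS_FIREWALL
    return ip_address(addr) in ip_network(spec)   # CIDR must be a network address


def matches(rule, pkt):
    if rule.tab == "floating":
        if pkt.iface not in rule.ifaces:
            return False
    elif rule.tab != pkt.iface:
        return False
    if rule.direction not in ("any", pkt.direction):
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules, pkt):
    """Return 'pass' or 'block' for pkt under the ordering described above."""
    last = None
    for r in rules:                                   # floating tab first
        if r.tab == "floating" and matches(r, pkt):
            if r.quick:
                return r.action
            last = r.action
    for r in rules:                                   # then the interface tab
        if r.tab != "floating" and matches(r, pkt):
            return r.action
    return last or "block"


def confused_setup():
    """The criticised recipe: floating block, Quick, dest ANY, every interface but LAN1."""
    return [
        Rule("floating", "block", ifaces={"WAN", "LAN2", "GUESTS"}, quick=True),
        Rule("LAN1", "pass"),
        Rule("LAN2", "pass"),          # LAN2 allow any -> any (never reached)
    ]


def recommended_setup():
    """Per-interface block on This Firewall + admin_ports, above the allow rule."""
    return [
        Rule("LAN1", "pass"),
        Rule("LAN2", "block", dst="this_firewall", dports=ADMIN_PORTS),
        Rule("LAN2", "pass"),
    ]


if __name__ == "__main__":
    to_internet = Packet("LAN2", "in", "192.168.23.22", "203.0.113.10", 2222)
    to_firewall = Packet("LAN2", "in", "192.168.23.22", "192.168.23.1", 2222)
    for name, rules in (("floating", confused_setup()), ("per-interface", recommended_setup())):
        print(name, "LAN2->internet:2222", evaluate(rules, to_internet),
              "| LAN2->firewall:2222", evaluate(rules, to_firewall))
```

With the floating recipe, LAN2 cannot reach port 2222 (or port 80) anywhere, no matter what the LAN2 tab allows; with the per-interface rule, only 2222/443 to the firewall's own addresses is blocked and everything else on LAN2 still passes.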
-
^ exactly!! I have exactly 1 rule in my floating tab, only on the WAN interface and only outbound, to block the netbios ports 137-129, since Windows boxes like to send queries to public internet IPs on this port for logic only MS would understand.. So that such noise doesn't leak out to my internet connection, being the nice guy that I am vs any sort of tinfoil hat reason.. Why send unwarranted traffic to the internet when you don't need to, is what I always say.
-
edit:
-----------------------------------------------------------------------------------------------------------
First, for some long time I had exactly that setup on each LAN interface, only specific computers had access to pfsense admin, but I changed it according to jflsakfja's post.... Anyway, now I deleted jflsakfja's implementation and reverted to my old setup, so that floating rule has gone from my setup (except pfblocker rules).
The rule did not stay on top because pfblocker always puts its rules on top.
Please clarify if this behavior is normal, because here I think I see a problem:
On LAN1 I have a computer (192.168.22.16) as file server (137-139, 445) only for the LANs; it is also a web server (from www to the web server only a port is redirected to it, pure NAT 1:1).
-
If I try to access the shares on 192.168.22.16 (137-139, 445) from the GUESTS net (192.168.222.1/24) it fails - so firewall rules are working OK.
-
If I try to access from the GUESTS network the web server with its internal LAN1 IP (192.168.22.16:80) it works??
(I don't think it is normal for this to work) and in the web server log the access is from the LAN 1 interface IP; from GUESTS I can't access any other services on different ports on the same computer's LAN IP.
Any idea? (Is this going to the DNS port because of the DNS Resolver?)
See the logs:
![2015-09-21 18.37.15.jpg](/public/imported_attachments/1/2015-09-21 18.37.15.jpg)
![2015-09-21 18.29.46.jpg](/public/imported_attachments/1/2015-09-21 18.29.46.jpg)
![2015-09-21 18.37.21.jpg](/public/imported_attachments/1/2015-09-21 18.37.21.jpg)
![2015-09-21 18.37.24.jpg](/public/imported_attachments/1/2015-09-21 18.37.24.jpg)
![2015-09-21 18.37.27.jpg](/public/imported_attachments/1/2015-09-21 18.37.27.jpg)
![2015-09-21 18.38.05.jpg](/public/imported_attachments/1/2015-09-21 18.38.05.jpg)
-
"from www to web server only a port redirected to him pure NAT 1:1"
So you're doing NAT reflection to access this webserver?
Where in your logs are you seeing this traffic from your guests network to 192.168.22.16:80?
I notice traffic to 3128, so you're also running the proxy package?
I see on your webserver a GET from 192.168.23.22 to 22.16:6030..
What specific source IP to what specific dest IP and port? And guessing you're going through the proxy.. So if using a proxy you would have to tell the proxy to block that traffic, not the firewall. If you're allowing the guest network to access the proxy.
-
LAN 1 192.168.22.1/24 - for wired only; file server, web server … on 192.168.22.16
LAN 2 192.168.23.1/24 - for wired only; from here (192.168.23.22) I monitor the connection to the web server on port 6030, so it is normal for it to appear in the web server log (first pic)
LAN 3 192.168.24.1/24 - for wifi devices
Guests 192.168.222.1/24 - test access from device 192.168.222.114
and as you can see guests are restricted from the Private LANs (1-2-3)
I am using NAT to access from www (I can access from LAN 1-2-3 with the internal IP by default)
Yes, I am using SQUID transparent on 3128 for filtering sites on all interfaces.
OK, so the proxy is causing these problems here and messing up the firewall rules?
I will look into it; after that I will see about clearing states when an allow rule expires.
edit:
OK, proxy solved now.
-
For your future reference, 192.168.24.1/24 would be a host address, not a network. When calling out a network you would use the wire/subnet address, not a host in the network. 192.168.24.0/24 would be the network; with 192.168.24.1/24 you're calling out a specific host address in the 192.168.24.0/24 network.
For example, if you gave an address of 192.168.24.128/25 that would be a network address, while 192.168.24.129/25 would be a host address in the 192.168.24.128/25 network/subnet.
Yes, the use of proxies can be confusing in firewall rules all the time. So in future when asking for help with firewall rules always make sure you mention if you are using one, and also when you use a lot of aliases please make sure you post up the entries in the aliases.. Or it can be very difficult to evaluate the rules just looking at them, not knowing the details of the aliases and/or whether other packages are being used like snort or suricata or pfblocker (especially if having it do auto rules vs just using it with alias lists in your own rules).
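The network-versus-host distinction in the reply above is easy to check mechanically before pasting entries into an alias or a rule. The following is an added Python example using the standard library's ipaddress module; it is not code from this thread or from pfSense, and the sample entries (including the "192.168.24.1/24" from the post) are only illustrations. It classifies each "address/prefix" string as the subnet address or as a host inside that subnet, and reports the enclosing network either way.

```python
"""Classify CIDR-style entries as network or host addresses (constructed example)."""
from ipaddress import ip_interface, ip_network


def classify(entry):
    """Return ("network", net) if entry names the subnet itself, else ("host", net).

    net is the enclosing network as a string. ip_interface() tolerates host bits,
    so "192.168.24.1/24" maps to 192.168.24.0/24 instead of raising.
    """
    iface = ip_interface(entry)
    net = iface.network
    kind = "network" if iface.ip == net.network_address else "host"
    return kind, str(net)


def is_strict_network(entry):
    """True only if entry would be accepted as a network with host bits clear."""
    try:
        ip_network(entry)           # strict=True by default: host bits raise ValueError
        return True
    except ValueError:
        return False


def check_alias_entries(entries):
    """Map each entry to its classification so host addresses with a prefix stand out."""
    return {e: classify(e) for e in entries}


if __name__ == "__main__":
    # constructed sample entries, including the ones discussed in the thread
    for entry, (kind, net) in check_alias_entries(
        ["192.168.24.1/24", "192.168.24.0/24", "192.168.24.128/25", "192.168.24.129/25"]
    ).items():
        print(f"{entry:20} {kind:8} network={net}")
```

Anything reported as "host" with a prefix shorter than /32 is almost always a typo for the subnet address and is worth correcting before it ends up in an alias.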
-
Yes, you are right, my mistake.
Thank you for correcting me.