Firewall blocking outbound egress rules
-
Trying to make my outbound safer with some basic blocks
If
LAN address is the address of the interface of the pfSense to the LAN. (ie. 192.168.1.1/32)
LAN Net is the subnet attached to this interface. (ie. 192.168.1.0/24)
Would my blocks be like this for MS RPC as an example? Trying to understand if I need WAN net or WAN address.
TCP/UDP
Source = LAN Net
Source port = any
Dst = WAN Address
Dst port = 135
-
Outbound to "Internet"?
WAN Address != Internet
Internet = "ANY"
https://docs.netgate.com/pfsense/en/latest/firewall/index.html
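The point of the reply, written out as a raw pf ruleset fragment (an added example, not from the thread or from pfSense's own generated config): the interface names, LAN subnet and WAN address are assumed placeholders, and the "wrong" rule is kept beside the corrected one so the difference is visible.

```pf
# Assumed placeholders: interface names and the LAN subnet are examples, not
# values from the thread; the firewall's WAN address is a documentation address.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
wan_addr = "203.0.113.10"
smb_rpc  = "{ 135, 137:139, 445 }"

# WRONG: "WAN address" is the firewall's own interface address. A LAN host
# talking to the Internet is not addressed to it, so this rule matches
# nothing useful and the RPC/SMB traffic still leaves.
block return in log quick on $lan_if inet proto { tcp udp } \
    from $lan_net to $wan_addr port $smb_rpc

# RIGHT: "Internet" means any destination. pfSense evaluates LAN-tab rules on
# traffic entering the LAN interface, so the egress block belongs here, above
# the default allow, with "quick" so the first match wins. "return" makes the
# LAN client fail fast instead of hanging on a silently dropped SYN, and "log"
# makes hits show up in the firewall log.
block return in log quick on $lan_if inet proto { tcp udp } \
    from $lan_net to any port $smb_rpc

# The usual default LAN allow, which must come after the block.
pass in quick on $lan_if inet from $lan_net to any keep state

# Syntax-check without loading, then list the active rules:
#   pfctl -n -f /path/to/this.conf
#   pfctl -s rules
```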
-
Thanks, I think i have it now
nmap -p 1-1024 -Pn scanme.nmap.org
PORT STATE SERVICE
22/tcp filtered ssh
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
-
You do get that 135, 127-139, 445 etc. are blocked by many/most ISPs anyway.. And shoot, even most DOCSIS modems block those in their firmware.. Those are not public internet viable ports.. And pretty much always blocked.. Little use to worry about it on your end, to be honest.
Sure not going to hurt anything - just kind of pointless.
-
If that's the case, when I ran an nmap scan this morning to an external source, I saw that all of those ports were open. I have a fiber line coming into the house going directly into pfSense, so there's no modem of sorts on my end.
Bell fibe is my isp
-
Like I said, not going to hurt anything... But the amount of places that actually have those ports open at the ISP level is not very much.. More an exercise in how to do it than actual security..
Here is from one of my VPS boxes out on the net:
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.015s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 1022 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
Here is from my home connection:
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.062s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 1012 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
55/tcp filtered isi-gl
67/tcp filtered dhcps
77/tcp filtered priv-rje
80/tcp open http
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
496/tcp filtered pim-rp-disc
Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds
As you can see, 25 is blocked by the ISP as well.. On home connections that is almost always blocked as well.. But if you're on some sort of fiber...