Netgate Discussion Forum

    Rules setup - new to firewall administration

    Firewalling
    13 Posts 4 Posters 1.1k Views
    • ajtradtech

      Guess I'll start with the ports that are commonly open.

      Since mail needs to be retrieved/sent
      TCP port 110 (POP3)
      TCP port 143 (IMAP)
      TCP port 25 (SMTP)

      Web browsing
      TCP port 80 (HTTP)
      TCP port 443 (HTTPS)

      Download/upload of files
      TCP port 20 (FTP)

      Not sure if I'll need these
      TCP port 22 (SSH)
      UDP ports 67,68 (DHCP)
      TCP/UDP port 53 (DNS)

      Looking into what's needed for things like FB Messenger, and ports that Apple devices & services use.

      • ajtradtech

        Not wishing to inadvertently take down my network, I set up another interface as DEV (OPT2) and created the rules for that interface. The default pass any rules were disabled as shown below.

        (screenshot: Screen Shot 2020-04-21 at 1.46.21 PM.png)

        Good thing I set this up on another interface! I plugged into DEV and was unable to reach any websites. I couldn't get into my SG either. How badly did I set up the rules?

        Thanks.

        • SteveITS

          The source port on outgoing traffic is typically randomized, to simplify things a bit. So the source port should be * like in the two disabled rules. The destination port is what you're connecting to, e.g. 80/443 for a remote web server.

          You might consider a rule allowing from source Dev Net:* to "this firewall (self)":443 so you can get to the pfSense.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • ajtradtech @SteveITS
            last edited by ajtradtech

            @teamits said in Rules setup - new to firewall administration:

            The source port on outgoing traffic is typically randomized, to simplify things a bit. So the source port should be * like in the two disabled rules. The destination port is what you're connecting to, e.g. 80/443 for a remote web server.

            You might consider a rule allowing from source Dev Net:* to "this firewall (self)":443 so you can get to the pfSense.

            Ah, thank you for that info. I made the source ports * and tried the DEV interface again. Progress! I can get out to the web, access the SG, and resolve addresses when specifying random websites.

            I then tried emailing myself from my phone to see if that would come through. Nope. I'm using Apple Mail so I suspect there are some other ports I need to specify. Looking that up and checking the logs as well.
            Slowly but surely...

            I'm seeing the value of having a lab network.

            • ajtradtech

              Apple has a laundry list. Going to setup some aliases where possible.

              https://support.apple.com/en-us/HT202944

              • Gertjan @ajtradtech

                @ajtradtech said in Rules setup - new to firewall administration:

                I'm using Apple Mail

                Mail clients do not / should not use port 25. That one is exclusively reserved for inter mail server communication.

                Port 110 TCP is for POP access : you retrieving mail from your "mail box" into your mail client.
                Port 143 TCP : same thing, but using IMAP.
                But ... these ports are probably still supported, but their usage will stream your mails over the net totally visible.
                That's not done any more.
                POP has an SSL successor : port 995 TCP - IMAP SSL is using 993 TCP.
                The above 4 ports are all about retrieving mail.

                To send mails, you should be using TCP 587, known as 'mail submission' which could be using SSL (a thing called STARTSSL). Even better, use port 465, which is SMTP over SSL.

                This rule : (image: a22202c5-b6f3-4681-bbed-320cc2106215-image.png) is optional.

                There is a last, hidden rule that blocks all traffic.
                But there is also a first, hidden rule : the one that permits DHCP traffic ;)

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • ajtradtech @Gertjan

                  @Gertjan said in Rules setup - new to firewall administration:

                  @ajtradtech said in Rules setup - new to firewall administration:

                  I'm using Apple Mail

                  Mail clients do not / should not use port 25. That one is exclusively reserved for inter mail server communication.

                  Port 110 TCP is for POP access : you retrieving mail from your "mail box" into your mail client.
                  Port 143 TCP : same thing, but using IMAP.
                  But ... these ports are probably still supported, but their usage will stream your mails over the net totally visible.
                  That's not done any more.
                  POP has an SSL successor : port 995 TCP - IMAP SSL is using 993 TCP.
                  The above 4 ports are all about retrieving mail.

                  To send mails, you should be using TCP 587, known as 'mail submission' which could be using SSL (a thing called STARTSSL). Even better, use port 465, which is SMTP over SSL.

                  Thank you! I'll update my rules accordingly. Port 25 is out. TCP 587 is already included (it was on that long list from Apple), and I'll add TCP 993 and 995.

                  This rule : (image: a22202c5-b6f3-4681-bbed-320cc2106215-image.png) is optional.

                  There is a last, hidden rule that blocks all traffic.
                  But there is also a first, hidden rule : the one that permits DHCP traffic ;)

                  Noted. Btw- I'm communicating all of this over the DEV interface :)

                  Thanks for your help!

                  • Gertjan @ajtradtech

                    @ajtradtech said in Rules setup - new to firewall administration:

                    Port 25 is out.

                    Your rule : (image: 34170609-a9cb-4db8-8dcf-642c3368639f-image.png)

                    You see the 0/0 in front of the rule? This means the rule isn't used; it didn't match any traffic.
                    If 0/0 stays 0/0 for a while, you know that that rule is not used at all. This means you can remove it. At first deactivate it and leave the rule in place; eventually you can delete it.

                    After all, your mail client shouldn't even use port 25 for sending mail. That was something from before 2000 (the last century).

                    Except, if you have a local mail server ....

                    • ajtradtech @Gertjan
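Three points from the replies above (source ports are ephemeral so a rule must leave them at *, a rule set is walked top to bottom with hidden DHCP-pass and default-block rules around it, and a rule that stays at 0/0 is one nothing is using) can be made concrete with a small model of an interface rule set. The code below is an added, constructed example written for this thread, not pfSense code; the DEV subnet 192.168.20.0/24, the firewall address 192.168.20.1, the rule labels and the sample packets are all assumptions made up for illustration.

```python
"""Toy model of a pfSense-style interface rule set: first match wins,
with a hidden "pass DHCP" rule before the list and a hidden "block
everything" rule after it.  Each rule keeps a hit counter, which plays
the role of the 0/0 states/bytes column in the GUI.  Added, constructed
example; not pfSense code.  Networks and packets are made up."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # the "*" wildcard in the rule editor


@dataclass
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int  # client side: an ephemeral port picked by the OS
    dst: str
    dport: int  # service side: the well-known port


@dataclass
class Rule:
    label: str
    action: str  # "pass" or "block"
    proto: Optional[str] = ANY
    src_net: Optional[str] = ANY
    sport: Optional[int] = ANY
    dst_net: Optional[str] = ANY
    dports: Optional[frozenset] = ANY  # a single port or an alias of ports
    disabled: bool = False
    hits: int = 0  # the "0/0" counter: how often this rule matched

    def matches(self, p: Packet) -> bool:
        if self.disabled:
            return False
        if self.proto is not ANY and self.proto != p.proto:
            return False
        if self.src_net is not ANY and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not ANY and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.sport is not ANY and self.sport != p.sport:
            return False
        if self.dports is not ANY and p.dport not in self.dports:
            return False
        return True


DEV_NET = "192.168.20.0/24"   # assumed: the DEV (OPT2) subnet
FIREWALL = "192.168.20.1/32"  # assumed: the interface address ("this firewall")


def build_rules(source_port_wildcard: bool) -> list:
    """Rules for the DEV interface, most specific first.  With
    source_port_wildcard=False the web and mail rules carry the mistake
    from the first screenshot: the service port copied into the source port."""
    web_sport = ANY if source_port_wildcard else 80
    mail_sport = ANY if source_port_wildcard else 587
    return [
        Rule("webgui", "pass", "tcp", DEV_NET, ANY, FIREWALL, frozenset({443})),
        Rule("web", "pass", "tcp", DEV_NET, web_sport, ANY, frozenset({80, 443})),
        Rule("mail-legacy-smtp", "pass", "tcp", DEV_NET, ANY, ANY, frozenset({25})),
        Rule("mail", "pass", "tcp", DEV_NET, mail_sport, ANY, frozenset({465, 587, 993, 995})),
        Rule("dns", "pass", ANY, DEV_NET, ANY, ANY, frozenset({53})),
    ]


def evaluate(rules, p: Packet):
    # hidden first rule: DHCP is let through regardless of the user rules
    if p.proto == "udp" and p.dport in (67, 68):
        return ("pass", "hidden-dhcp")
    for r in rules:  # top to bottom, first match wins: specific rules go on top
        if r.matches(p):
            r.hits += 1
            return (r.action, r.label)
    return ("block", "hidden-default-block")  # hidden last rule


# constructed sample traffic from one DEV client (ephemeral source ports)
SAMPLE_TRAFFIC = [
    Packet("tcp", "192.168.20.10", 51234, "203.0.113.5", 80),    # web
    Packet("tcp", "192.168.20.10", 51235, "203.0.113.25", 587),  # mail submission
    Packet("tcp", "192.168.20.10", 51236, "203.0.113.25", 993),  # IMAP over SSL
    Packet("tcp", "192.168.20.10", 51237, "192.168.20.1", 443),  # firewall web GUI
    Packet("udp", "192.168.20.10", 68, "255.255.255.255", 67),   # DHCP discover
    Packet("udp", "192.168.20.10", 40000, "192.168.20.1", 53),   # DNS
    Packet("tcp", "192.168.20.10", 51238, "203.0.113.9", 22),    # SSH, no rule for it
]


def run_traffic(rules, packets):
    return [evaluate(rules, p) for p in packets]


def unused_rules(rules):
    """Labels of enabled rules still at 0 hits: disable first, delete later."""
    return [r.label for r in rules if not r.disabled and r.hits == 0]


if __name__ == "__main__":
    for wildcard in (False, True):
        rules = build_rules(wildcard)
        print(f"source port wildcard = {wildcard}")
        for p, (action, label) in zip(SAMPLE_TRAFFIC, run_traffic(rules, SAMPLE_TRAFFIC)):
            print(f"  {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {action} ({label})")
        print("  unused:", unused_rules(rules))
```

With the source port filled in, every outbound web and mail packet falls through to the hidden block rule, which is exactly the "can't reach any website" symptom; with the source port left at *, the same traffic passes, and after the sample run the only rule still at 0 hits is the port 25 one, which is the 0/0 signal the reply above describes.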

                      @Gertjan said in Rules setup - new to firewall administration:

                      @ajtradtech said in Rules setup - new to firewall administration:

                      Port 25 is out.

                      Your rule : (image: 34170609-a9cb-4db8-8dcf-642c3368639f-image.png)

                      You see the 0/0 in front of the rule? This means the rule isn't used; it didn't match any traffic.
                      If 0/0 stays 0/0 for a while, you know that that rule is not used at all. This means you can remove it. At first deactivate it and leave the rule in place; eventually you can delete it.

                      After all, your mail client shouldn't even use port 25 for sending mail. That was something from before 2000 (the last century).

                      Except, if you have a local mail server ....

                      Noted.

                      Currently making good use of the Copy function to get the rules implemented on OPT5...

                      Thanks.

                      • ajtradtech
                        last edited by ajtradtech

                        Update:
                        Rules from my DEV interface copied to PROD (formerly OPT5) interface. Added rules for FB Messenger to function. Disabled the default Pass any rules at the bottom.

                        Email- check
                        Push notifications - check
                        Address book sync - check
                        Calendar sync - check
                        Apple TV- check
                        FB Messenger- check!

                        There is a slight pause before a YouTube video plays, but I guess that's to be expected with all of the rules to go through along with the port ranges specified on the list from Apple. I have the more specific rules at the top with more general rules with port ranges at the bottom.

                        Going forward, I'll keep an eye on the rules that don't get touched and disable them.

                        Thanks to everyone for their input.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.