Netgate Discussion Forum

Firewall question

Firewalling
CallFromUSA:

Hello,

I need to allow a user with a LAN IP access to the internet (Google). I disabled the any-to-any rule on the LAN interface and wanted to write the rules one by one to give access. But it is not working. I was wondering if anyone could help me; I attached a print screen below. Also, does invert match make reference to stateful and stateless firewalls, and when do I use it?

CallFromUSA:

LOL!! I didn't put protocol as TCP/UDP for DNS. Now it's working, using this forum from the new rules. If anyone wants to add anything please feel free.

Thanks.  8) 8)

KOM:

Doing blocking on LAN will be an exercise in pain for you if you have more than a couple of users to worry about. Under normal conditions, most people don't block on LAN because you end up with endless user complaints when they try to do anything.

CallFromUSA:

@KOM:

    Doing blocking on LAN will be an exercise in pain for you if you have more than a couple of users to worry about. Under normal conditions, most people don't block on LAN because you end up with endless user complaints when they try to do anything.

OK, thanks. I will put configurations on the WAN instead, thanks.

johnpoz (LAYER 8 Global Moderator):

^ huh? WAN blocks all unsolicited traffic inbound out of the box, what blocks are you going to put in on the WAN?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

trekkiebr:

IMHO, blocking on the LAN side is still useful.
You minimize potential problems if any machine gets infected, prevent use of undesirable services, and can use a proxy to restrict user access (I think it's easier this way). On pfSense, just create a group and put in it all machines that should bypass the proxy for any reason.

CallFromUSA:

@johnpoz:

    ^ huh? WAN blocks all unsolicited traffic inbound out of the box, what blocks are you going to put in on the WAN?

i.e.

Hello, I am still a newb to security, but what I wanted to do was block unwanted visitors on my WAN interface, just make my network safe. But I see that if my LAN has an ANY rule and currently the WAN is open to all, what should I do?

mer:

@CallFromUSA:

    @johnpoz:

        ^ huh? WAN blocks all unsolicited traffic inbound out of the box, what blocks are you going to put in on the WAN?

    i.e.

    Hello, I am still a newb to security, but what I wanted to do was block unwanted visitors on my WAN interface, just make my network safe. But I see that if my LAN has an ANY rule and currently the WAN is open to all, what should I do?

Default rules in pfSense are "default deny inbound on WAN" and "default permit inbound on LAN". The first one means no one can initiate traffic from the Internet and get into your pfSense box (WAN faces the big bad world), so it is already "…blocking unwanted visitors". The second means anything that originates on your LAN interface (your network, your computers) is allowed into the pfSense box and then out the pfSense WAN (if that's where the traffic is destined). Rules in pfSense are "inbound", so you have to pretend you are the pfSense CPU, looking out the WAN interface or looking out the LAN interface. Packets coming at you are "inbound", so the "permit any to any" rule on the LAN interface is not involved with inbound WAN packets.

pfSense is a stateful firewall: this means the packets that come in on your LAN interface and go out the WAN will generate internal state. This state is used when the reply packets come back in on the WAN interface (you initiate a DNS request from your LAN, that has DNS replies coming back into your WAN); if an inbound WAN packet matches internal state or any permit rule, it comes in. Otherwise it is dropped.
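The following is an added example, not code from this thread or from pfSense. It is a small Python model of the three things discussed above: per-interface "inbound" rule evaluation with default deny, the state table that lets DNS replies back in on WAN, and the OP's original mistake of having no DNS pass rule on LAN. It also shows what "Invert match" does (negate a field, nothing to do with stateful versus stateless). Everything in it is an assumption for the demo: the addresses, the rule patterns (`any`, `lan_net`, `private`), first-match evaluation, and the omission of NAT (the WAN reply is shown with the LAN host's private address as destination).

```python
"""Toy model of pfSense-style stateful, per-interface inbound filtering.

Added example, not code from the forum thread or from pfSense. Assumptions:
no NAT, first-match rule evaluation, default deny on every interface, and
constructed addresses/rules throughout.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN_PREFIX = "192.168.1."          # constructed LAN subnet


@dataclass(frozen=True)
class Packet:
    iface: str                     # interface the packet ENTERS on: "lan" or "wan"
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str                     # rules bind to the interface traffic arrives on
    action: str                    # "pass" or "block"
    proto: Optional[str]           # None = any protocol
    src: str                       # "any", "lan_net", "private" or an exact address
    dst: str
    dport: Optional[int]           # None = any port
    invert_dst: bool = False       # models "Invert match" on the destination field


def addr_matches(pattern: str, addr: str) -> bool:
    """Match an address against a rule pattern (pattern names are constructed)."""
    if pattern == "any":
        return True
    if pattern == "lan_net":
        return addr.startswith(LAN_PREFIX)
    if pattern == "private":       # just enough RFC 1918 space for the demo
        return addr.startswith(("10.", "192.168."))
    return pattern == addr


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()        # 5-tuples of traffic that was allowed through

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> Tuple:
        # the reply to (src:sport -> dst:dport) arrives as (dst:dport -> src:sport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. Stateful shortcut: a reply to traffic we already passed is allowed
        #    on any interface without consulting the rule set at all.
        if self._reply_key(p) in self.states:
            return "pass (state)"
        # 2. First matching rule on the ARRIVAL interface decides.
        for r in self.rules:
            if r.iface != p.iface or (r.proto and r.proto != p.proto):
                continue
            if not addr_matches(r.src, p.src):
                continue
            dst_ok = addr_matches(r.dst, p.dst)
            if r.invert_dst:
                dst_ok = not dst_ok  # Invert match: everything EXCEPT the destination
            if not dst_ok or (r.dport is not None and r.dport != p.dport):
                continue
            if r.action == "pass":
                self.states.add(self._key(p))
            return r.action
        # 3. Nothing matched: default deny.
        return "block (default)"


def lan_rules_without_dns() -> List[Rule]:
    """The OP's first attempt: any-to-any removed, only web ports allowed out."""
    return [Rule("lan", "pass", "tcp", "lan_net", "any", 80),
            Rule("lan", "pass", "tcp", "lan_net", "any", 443)]


def lan_rules_with_dns() -> List[Rule]:
    """The fix from the thread: DNS needs its own pass rule, for UDP and TCP 53."""
    return lan_rules_without_dns() + [Rule("lan", "pass", "udp", "lan_net", "any", 53),
                                      Rule("lan", "pass", "tcp", "lan_net", "any", 53)]


def browse_google(fw: Firewall) -> Tuple[str, str, str]:
    """Verdicts for: DNS query out on LAN, DNS reply back in on WAN, HTTPS out on LAN."""
    query = Packet("lan", "udp", "192.168.1.10", "8.8.8.8", sport=40000, dport=53)
    reply = Packet("wan", "udp", "8.8.8.8", "192.168.1.10", sport=53, dport=40000)
    https = Packet("lan", "tcp", "192.168.1.10", "142.250.80.46", sport=50000, dport=443)
    return fw.filter(query), fw.filter(reply), fw.filter(https)


def unsolicited_from_internet(fw: Firewall) -> str:
    """An inbound connection attempt on WAN with no matching state and no rule."""
    return fw.filter(Packet("wan", "tcp", "203.0.113.5", "192.168.1.10", sport=4444, dport=22))


def invert_match_demo() -> Tuple[str, str]:
    """Invert match on dst: 'LAN to anything that is NOT private space' = internet only."""
    fw = Firewall([Rule("lan", "pass", None, "lan_net", "private", None, invert_dst=True)])
    to_internet = fw.filter(Packet("lan", "tcp", "192.168.1.10", "93.184.216.34", sport=1, dport=80))
    to_other_subnet = fw.filter(Packet("lan", "tcp", "192.168.1.10", "10.0.0.5", sport=2, dport=80))
    return to_internet, to_other_subnet
```

Running `browse_google(Firewall(lan_rules_without_dns()))` gives the OP's symptom: the DNS query is dropped on LAN, so no state exists and the reply is dropped on WAN too, even though HTTPS itself is allowed. With `lan_rules_with_dns()` the query passes, the reply comes back in on WAN purely on state, and `unsolicited_from_internet()` is still dropped because no WAN rule and no state matches it.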
