Netgate Discussion Forum

Advanced Inbound Firewall Rule Settings - confusing description on Custom Protoc

Category: pfBlockerNG (5 posts, 2 posters, 3.0k views)
  • jawz101 (last edited Sep 15, 2016, 10:41 AM)

    I only have one port forward on my pfSense box that's taking anything from outside trying to go to X port and forwarding it to Z server, port X.

    I want to use Deny Both inbound and outbound on that server for a few blocklists.

    Advanced Inbound Firewall Rule Settings

    Note:  In general, Auto-Rules are created as follows:
    Inbound 'any' port, 'any' protocol, 'any' destination and 'any' gateway

    Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.

    Custom Protocol : Default: any
    "Select the Protocol used for Inbound Firewall Rule(s).
    Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!"

    I don't understand what "Don't use Any with adv. inbound rules as it will bypass these settings!" means.  I mean, the default protocol is Any but then it says not to use it?

    Should I even use that option?  Do I need to specify the server and port in both the Advanced Inbound Rule Settings and the Advanced Outbound Rule Settings?

    • BBcan177 (Moderator), last edited Sep 15, 2016, 2:51 PM

      Note:  In general, Auto-Rules are created as follows:
      Inbound 'any' port, 'any' protocol, 'any' destination and 'any' gateway

      When you do not use Adv. In/Out settings, you need to leave the default as any…

      Once you add any SRC/DST/Ports settings etc in Adv. In/Out settings, you can't use any, and must use one of the other Protocol settings…. This is a limitation of FreeBSD packet fence...

      If, for example, you added Adv. In/Out settings, and left the Protocol as any, the additional SRC/DST/Ports settings etc are not utilized by packet fence and you will still see noise in the log for other blocked alerts which are already being blocked by the Default Block implicit rule.

      If you only have one open WAN port, then utilizing the Adv. Inbound Settings will reduce the noise hitting the WAN and will only log blocked attempts to the open WAN port (and other settings configured in the rule)

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/
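      The pf constraint behind the moderator's answer, shown as an added illustration: a constructed pf.conf fragment, not rules generated by pfBlockerNG (the interface names, the table name and file path, the 192.0.2.10 address and port 443 are assumptions standing in for the X/Z placeholders in the question).

```pf
# Constructed pf.conf fragment for illustration; pfBlockerNG's generated
# rules carry additional options and labels. Assumed: WAN is em0, LAN is em1,
# the blocklist is loaded into the pf table <pfB_ExampleList> from an assumed
# path, the forwarded server is 192.0.2.10 and the forwarded port is 443.
table <pfB_ExampleList> persist file "/var/db/aliastables/pfB_ExampleList.txt"

# 1. Default inbound auto-rule (Custom Protocol left at 'any'): every listed
#    source is blocked whatever it aims at, so the firewall log also records
#    hits on ports that the implicit default-deny would have dropped anyway.
block drop in log quick on em0 from <pfB_ExampleList> to any \
    label "pfB_ExampleList auto rule (default: any port, any protocol)"

# 2. The same rule narrowed by the Adv. Inbound destination and port fields.
#    pf accepts a 'port' match only for tcp or udp; a rule that names a port
#    but no protocol (the equivalent of leaving 'any') is rejected by
#    'pfctl -nf' with "port only applies to tcp/udp", which is why the
#    Custom Protocol must be set to tcp (or udp) once these fields are used.
block drop in log quick on em0 proto tcp from <pfB_ExampleList> \
    to 192.0.2.10 port 443 \
    label "pfB_ExampleList auto rule (Adv. Inbound: tcp to 192.0.2.10:443)"

# 3. Outbound side of Deny Both with Adv. Outbound left at its default:
#    traffic from the inside toward any listed address is still blocked,
#    here as it enters the LAN interface (assumed placement).
block drop in log quick on em1 from any to <pfB_ExampleList> \
    label "pfB_ExampleList outbound auto rule (default: any)"
```

      Checking a draft like this with `pfctl -nf <file>` before loading it reports the "port only applies to tcp/udp" error the moment a port is combined with no protocol, which is the practical way to see the limitation the moderator describes.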

      • jawz101, Sep 17, 2016, 4:18 AM (last edited Sep 17, 2016, 4:26 AM)

        Thanks.  I guess you're saying "leave this setting at ANY if you're not changing the Advanced Inbound Rule in any way."

        So if I have a port forward to server A: port B and I want to deny inbound and outbound to that server & port using a blocklist

        do I create the IP list with Deny Both and Advanced Inbound Rule with Custom Destination A and custom DST port B aliases?

        Would that cover my outbound connection from that server or do I need to do anything to the Adv Outbound Rule as well?

        • BBcan177 (Moderator), last edited Sep 17, 2016, 4:30 AM

          There are settings for both Adv In/Out settings. So if you define the Adv Inbound but leave the Adv Outbound as is (default), then with Deny Both, the inbound rules are created with the Adv dst and port settings while the Outbound is set as default blocking anything outbound to those IPs.


          • jawz101, last edited Sep 17, 2016, 4:34 AM

            Ah.  Thanks.  I think what I did will work.

            This module never ceases to amaze.
