Firewall disable by bad rule?
I had a rule that was pointing to a port alias; somehow the alias had gotten removed, so the rule was still there but the alias it was pointing to was gone. This disabled the entire firewall: none of the other rules were active, and if I went to www.grc.com and ran the Shields Up firewall test it showed all the ports as being open (red) or blocked (blue).
Normally it would show that the ports are all in stealth mode (green); once I added the alias back, all the ports are now in stealth mode (green).
I understand that the missing alias is my fault, but we should all be aware that if you have a bad port forwarding firewall rule, the firewall will stop working.
johnpoz LAYER 8 Global Moderator
What ports did it actually show in red? And blocked? And how is your network set up? pfSense WAN is public? If there was a rule that prevented the rule base from loading, how would it have forwarded anything?
I don't remember all of the red ports, but 80, 443, 138, 139, etc. Some of the ports should be in red; those were the ones that I have configured in the port forwarding rules, but the others, i.e. 138, 139, were showing as red or open. Other than the ports in red, ALL of the other ports were shown as blue or blocked.
Normally it would show only the port forwarding ports as red or open, i.e. 80 and 443 for the website, and then all of the other ports would be shown as stealth or green.
I am not a firewall wizard, but I do know that having 138, 139 and other ports open to the internet is not the way it should be.
johnpoz LAYER 8 Global Moderator
I can say with 100% certainty this was not freaking pfSense. Did you install Samba or something on your pfSense? There is nothing in pfSense that would ever listen on those ports, and it sure as hell is not going to forward them inbound if the firewall did not load, etc.
Why don't you duplicate what you say happened, with a port scan before and a port scan after you duplicate the issue, and we can go over what you're seeing or not seeing, etc. Post up your WAN rules and your forwards as well.
So you're saying you used an alias that was not there, and that allowed all traffic from the internet to be forwarded in to clients inside pfSense? Which clients? How would pfSense pick which one to forward to? Are you talking IPv6, where there is no forwarding?
What removed the alias that was in use? I tried to duplicate this by creating a rule with an alias and then going to delete the alias, but it won't let me do that; it says the alias is in use.
If your firewall was disabled, how would it be doing NAT for you to get outside and run a GRC scan? Do you have the log for when this happened?
Nothing else was installed on the server.
I only did a port scan on GRC and it said what it said. I did not try to connect to any of the ports in question, so whether I could connect or not, I don't know… also I did not look to see if there was anything to connect to or not.
IPv6 is disabled
I don't know how the port forwarding rule ended up using an alias that did not exist in the alias list.
I am just passing on what happened and how I fixed it. I assume that this is not a wide-ranging issue with pfSense, as I have been using it for a few years now and have never had any issues until this happened.
I don't know if the firewall was disabled completely, but under "https://doc.pfsense.org/index.php/Aliases" it does say: "The alias will be resolved according to the list [on the Aliases page of the WebGUI]. If an alias cannot be resolved (e.g. because it has been deleted), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped."
I think that is what happened…
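The failure mode quoted above (a rule referencing an alias that no longer exists gets skipped silently) can be checked for in a saved config backup before a reload. The following script is an added example, not part of this thread or of pfSense itself; it assumes the usual config.xml layout (`<aliases>/<alias>/<name>`, and `<source>`/`<destination>` children with `address`, `network` or `port` under `<nat>` and `<filter>` rules), the sample configuration is constructed, and the keyword list used to tell aliases from built-in values is a heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not a real export): alias 'web_ports'
# exists, but the NAT rule points at 'old_ports', which was deleted, and
# the 'allow mgmt' filter rule names an undefined 'admin_hosts' alias.
SAMPLE_CONFIG = """<pfsense>
  <aliases><alias><name>web_ports</name><type>port</type><address>80 443</address></alias></aliases>
  <nat><rule><descr>web forward</descr><interface>wan</interface>
    <destination><address>wanip</address><port>old_ports</port></destination></rule></nat>
  <filter>
    <rule><descr>allow web</descr><destination><network>192.0.2.10</network><port>web_ports</port></destination></rule>
    <rule><descr>allow mgmt</descr><source><address>admin_hosts</address></source>
      <destination><network>wanip</network><port>443</port></destination></rule>
  </filter>
</pfsense>"""

# Keywords and interface references that are legal in rule fields without
# being aliases (a heuristic list, not exhaustive).
BUILTINS = {"any", "wanip", "lanip", "(self)", "pppoe", "l2tp", "openvpn", "ipsec"}
ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
IFACE_REF = re.compile(r"^(wan|lan|opt\d+)(ip)?$")

def looks_like_alias(value):
    """True if the value can only be an alias name: not a number, address,
    CIDR, port range, keyword or interface reference."""
    return (ALIAS_NAME.match(value) is not None
            and value not in BUILTINS and IFACE_REF.match(value) is None)

def find_dangling_alias_refs(config_xml):
    """Return (section, rule description, endpoint, field, alias) for every
    NAT/filter rule field that names an alias missing from <aliases>."""
    root = ET.fromstring(config_xml)
    defined = {a.findtext("name") for a in root.iterfind("./aliases/alias")}
    problems = []
    for section in ("nat", "filter"):
        for rule in root.iterfind(f"./{section}/rule"):
            descr = rule.findtext("descr") or "(no description)"
            for node in rule.findall("source") + rule.findall("destination"):
                for field in ("address", "network", "port"):
                    value = (node.findtext(field) or "").strip()
                    if value and looks_like_alias(value) and value not in defined:
                        problems.append((section, descr, node.tag, field, value))
    return problems

for hit in find_dangling_alias_refs(SAMPLE_CONFIG):
    print("rule would be considered invalid and skipped:", hit)
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; each hit is a rule that the docs say will be skipped at the next filter reload.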