Netgate Discussion Forum

    Firewall disable by bad rule?

    Firewalling
    cmpufxr

      I have a rule that was pointing to a port alias; somehow the alias had gotten removed, so that the rule was still there but the alias it was pointing to was gone. This disabled the entire firewall: none of the other rules were active, and if I went to www.grc.com and ran the Shields Up firewall test, it showed all the ports as being either open (red) or blocked (blue).

      Normally it would show that the ports are all in stealth mode (green). Once I added the alias back, all the ports are now in stealth mode (green).

      I understand that the missing alias is my fault, but we should all be aware that if you have a bad port forwarding firewall rule, the firewall will stop working.

    johnpoz LAYER 8 Global Moderator

        What ports did it actually show in red? And blocked? And how is your network set up? Is your pfSense WAN public? If there was a rule that prevented the rule base from loading, how would it have forwarded anything?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.05 | Lab VMs CE 2.6, 2.7

    cmpufxr

          I don't remember all of the red ports, but 80, 443, 138, 139, etc. Some of the ports should be in red; those were the ones that I have configured in the port forwarding rules, but the others, i.e. 138, 139, were showing as red or open. Other than the ports in red, ALL of the other ports were shown as blue or blocked.

          Normally it would show only the port forwarding ports as red or open, i.e. 80 and 443 for the website, and then all of the other ports would be shown as stealth or green.

          I am not a firewall wizard, but I do know that having 138, 139 and other ports open to the internet is not the way it should be.

    johnpoz LAYER 8 Global Moderator

            "138 139"

            I can say with 100% certainty this was not freaking pfSense. Did you install Samba or something on your pfSense? There is nothing in pfSense that would ever listen on those ports. And it is sure as hell not going to forward them inbound if the firewall did not load, etc.

            Why don't you duplicate what you say happened, with a port scan before and a port scan after you duplicate the issue? Then we can go over what you're seeing or not seeing, etc. Post up your WAN rules and your forwards as well.

            So you're saying you used an alias that was not there, and that allowed all traffic from the internet to be forwarded to clients inside pfSense? Which clients? How would pfSense pick which one to forward to? Are you talking IPv6, where there is no forwarding?

            What removed the alias that was in use? I tried to duplicate this by creating a rule with an alias and then going to delete the alias, but it won't let me do that; it says the alias is in use.

            If your firewall was disabled, how would it be doing NAT for you to get outside and run a GRC scan? Do you have the log from when this happened?

    cmpufxr

              Nothing else was installed on the server.

              I only did a port scan on GRC, and it said what it said. I did not try to connect to any of the ports in question, so whether I could connect or not, I don't know. Also, I did not look to see if there was anything to connect to or not.

              IPv6 is disabled.

              I don't know how the port forwarding rule ended up using an alias that did not exist in the alias list.

              I am just passing on what happened and how I fixed it. I assume that this is not a wide-ranging issue with pfSense, as I have been using it for a few years now and have never had any issues until this happened.

              I don't know if the firewall was disabled completely, but under https://doc.pfsense.org/index.php/Aliases it does say: "The alias will be resolved according to the list [on the Aliases page of the WebGUI]. If an alias cannot be resolved (e.g. because it has been deleted), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped."

              I think that is what happened…

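An added example, not code from this thread or from the pfSense project: a Python check that reads a pfSense-style config.xml and reports NAT or filter rules whose port or address field names an alias that no longer exists, the situation the quoted documentation says makes the rule "invalid and skipped". The sample config is constructed here, and the element layout is assumed to mirror pfSense's config.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml (assumption: element
# names mirror the real file; only the parts this check reads are included).
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>WebPorts</name><type>port</type><address>80 443</address></alias>
  </aliases>
  <nat>
    <rule><descr>web forward</descr><interface>wan</interface>
      <destination><network>wanip</network><port>WebPorts</port></destination>
      <target>192.168.1.10</target><local-port>80</local-port></rule>
    <rule><descr>forward using deleted alias</descr><interface>wan</interface>
      <destination><network>wanip</network><port>OldPorts</port></destination>
      <target>192.168.1.20</target><local-port>8080</local-port></rule>
  </nat>
  <filter>
    <rule><descr>allow web</descr><interface>wan</interface><source><any/></source>
      <destination><address>192.168.1.10</address><port>WebPorts</port></destination></rule>
    <rule><descr>lan hosts out</descr><interface>lan</interface>
      <source><address>LanHosts</address></source><destination><any/></destination></rule>
  </filter>
</pfsense>"""

# Literal ports ("80", "8000:8010"), IPs, CIDRs and FQDNs start with a digit or
# contain '.', ':' or '/'; a bare identifier in these fields is an alias name.
ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def find_dangling_aliases(config_xml):
    """Return (section, descr, field, alias) for every NAT/filter rule field
    that names an alias missing from <aliases>. pfSense treats such a rule as
    invalid and skips it when the ruleset loads, so it silently stops matching."""
    root = ET.fromstring(config_xml)
    defined = {a.findtext("name") for a in root.iterfind("./aliases/alias")}
    dangling = []
    for section in ("nat", "filter"):
        for rule in root.iterfind(f"./{section}/rule"):
            descr = rule.findtext("descr") or "(no description)"
            for side in ("source", "destination"):
                for field in ("address", "port"):
                    value = (rule.findtext(f"{side}/{field}") or "").strip()
                    if ALIAS_NAME.match(value) and value not in defined:
                        dangling.append((section, descr, f"{side}/{field}", value))
    return dangling

if __name__ == "__main__":
    for section, descr, field, alias in find_dangling_aliases(SAMPLE_CONFIG):
        print(f"[{section}] rule '{descr}': {field} references missing alias '{alias}'")
```

Run it against a backup of the real config.xml (Diagnostics > Backup & Restore) after any alias cleanup; an empty result means every rule still resolves.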