Block access to PFS from an interface
-
Hi there, maybe it's a setting and I missed it :o , but what's the easiest way to block/lock out access to PFS (telnet, ssh, http, https, etc. but of course not DHCP) from a certain interface? Or do I have to block/reject them all manually?
Thanks and cheers Qinn
-
Add Allow rule for DHCP port, then add Deny rule for the Destination of the "IP Address"?
-
Pass what you need (Like DNS - DHCP rules are automatic if there is a DHCP server enabled on the interface)
Reject IPv4 Protocol any source any dest This firewall (self)
-
> Pass what you need (Like DNS - DHCP rules are automatic if there is a DHCP server enabled on the interface)
> Reject IPv4 Protocol any source any dest This firewall (self)

Thanks I will try that, maybe a suggestion to add this feature for every interface?
-
feature? You can create such a rule on any interface you want.. You mean you want that to be the default? I use the firewall alias in a block rule on pretty much all my interfaces
-
> feature? You can create such a rule on any interface you want.. You mean you want that to be the default? I use the firewall alias in a block rule on pretty much all my interfaces

So you do this by using an Alias and then use it as a rule on any interface, sounds nice ;) Could you draw that out for me (how to), I am fairly new to using Aliases in pfs.
-
No I do not create specific alias there is a built in one for the firewall.. It auto includes all IPs of the firewall, wan, lan, opt, vips, etc.
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)
-
> No I do not create specific alias there is a built in one for the firewall.. It auto includes all IPs of the firewall, wan, lan, opt, vips, etc.
> https://doc.pfsense.org/index.php/Firewall_Rule_Basics
> This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)

Thanks for pointing that one out, I never knew there was a "This Firewall (self)" under Destination in the Rules and now I understand what @Derelict meant :o One last question, you do a block why not a reject?
-
Personal preference. I prefer reject for blocking connections from the inside so the users get immediate feedback.
-
^ exactly.. I use reject on some of my other interfaces. I prob never got around to changing that segment.. There until recently was nothing really on it..
I even do a reject on wan side for traceroute from linux boxes.. All depends do you really want the firewall to send back info that port is blocked or can the firewall just drop it?
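To make the ruleset from this thread concrete, here is an added example (not from the thread or from pfSense itself) that simulates first-match rule evaluation on a LAN interface: the automatic DHCP pass, a pass for DNS to the firewall, a reject for everything else aimed at "This Firewall (self)", then the usual LAN-to-any pass. The interface IPs and the `Rule`/`evaluate` helpers are constructed for illustration; the point it shows is that the self alias covers every interface address (WAN included) and that rule order decides whether DNS survives.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the thread): IPs assigned to this firewall's
# interfaces. pfSense's built-in "This Firewall (self)" alias covers all of them.
FIREWALL_SELF = {"192.168.1.1", "10.0.0.1", "203.0.113.2"}   # LAN, OPT1, WAN
ANY = "any"

@dataclass(frozen=True)
class Rule:
    action: str             # "pass", "block" (silent drop) or "reject" (RST/ICMP back)
    proto: str              # "tcp", "udp" or "any"
    dst: str                # "self" (the firewall alias) or "any"
    dport: Optional[int]    # destination port, None = any port

def _matches(rule: Rule, proto: str, dst_ip: str, dport: int) -> bool:
    if rule.proto != ANY and rule.proto != proto:
        return False
    if rule.dst == "self" and dst_ip not in FIREWALL_SELF:
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(rules: list, proto: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins (pfSense emits 'quick' pf rules); no match = block."""
    for rule in rules:
        if _matches(rule, proto, dst_ip, dport):
            return rule.action
    return "block"

# Hidden rule pfSense adds automatically when a DHCP server is enabled on the interface.
AUTO_DHCP = [Rule("pass", "udp", "self", 67)]

# The ruleset from the thread, in order: pass what you need, reject the rest to self,
# then the usual "LAN to any" pass rule so hosts still reach the Internet.
LAN_RULES = AUTO_DHCP + [
    Rule("pass", "udp", "self", 53),     # DNS resolver on the firewall
    Rule("pass", "tcp", "self", 53),
    Rule("reject", ANY, "self", None),   # everything else aimed at the firewall itself
    Rule("pass", ANY, ANY, None),        # normal outbound traffic
]

if __name__ == "__main__":
    for proto, dst, port in [("udp", "192.168.1.1", 53), ("tcp", "192.168.1.1", 22),
                             ("tcp", "203.0.113.2", 443), ("tcp", "198.51.100.10", 443)]:
        print(proto, dst, port, "->", evaluate(LAN_RULES, proto, dst, port))
```

Swapping the reject rule above the DNS pass makes DNS to the firewall fail, which is the ordering mistake the "pass what you need first" advice guards against.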

