[SOLVED] Defining ports on GEOIP allow rule does not work

gabrimonfa

I'm on pfsense 2.3.2-p1 x86 with pfblocker-ng uptodate.
The box is a physical machine that worked correctly for years.

I've create an allow rule under GeoIP tab.
The rule is not floating, should allow IPv4 Inbound traffic from one country.
In "Advanced Inbound Firewall Rule Settings" I have enabled Custom DST port using an alias.

The rule is created correctly under WAN, it's positioning is correct and it shows the alias in Destination Port.

Connections to the allowed ports from other countries do not match the rule and are blocked.
Connections to the allowed ports from allowed country do match the rule and pass.

So far so good?
No.

The problem is that connections from the allowed country to other ports strangely do match the rule and pass.
I'm sure of that since I've logged just the problematic roule and it shows the connection, and the connection works.

This behaviour is a bit scary for me since services are exposed that I thought to be blocked.
I've double checked all configuration and cannot find any issue.
Is this a bug?

Can anyone confirm the issue or that this setup (with custom destination ports) works as intended in their environment?

doktornotor

@gabrimonfa:

Can anyone confirm the issue or that this setup (with custom destination ports) works as intended in their environment?

Works just fine here:

# pfctl -vvsr | grep Europe
@122(1770004813) pass quick on igb1 inet proto udp from <pfb_europe_v4:2637>to <wan_ips:2>port = openvpn keep state label "USER_RULE: pfB_Europe_v4 auto rule"
@123(1770004813) pass quick on gif0 inet proto udp from <pfb_europe_v4:2637>to <wan_ips:2>port = openvpn keep state label "USER_RULE: pfB_Europe_v4 auto rule"
@124(1770004709) pass quick on igb1 inet6 proto udp from <pfb_europe_v6:786>to <wan_ips:2>port = openvpn keep state label "USER_RULE: pfB_Europe_v6 auto rule"
@125(1770004709) pass quick on gif0 inet6 proto udp from <pfb_europe_v6:786>to <wan_ips:2>port = openvpn keep state label "USER_RULE: pfB_Europe_v6 auto rule"</wan_ips:2></pfb_europe_v6:786></wan_ips:2></pfb_europe_v6:786></wan_ips:2></pfb_europe_v4:2637></wan_ips:2></pfb_europe_v4:2637> 

gabrimonfa

doktornotor:

If you have a pass rule on some ports, can you confirm that connections to other ports do not pass (aka do not match the pass rule)?

doktornotor

Well of course they don't match the pass rule with port = openvpn specified. Check the pfctl output for what you've produced there (or /tmp/rules.debug).

BBcan177

Did you define the protocol setting in the Adv. Inbound settings?

gabrimonfa

Default: any
Select the Protocol used for Inbound Firewall Rule(s).
Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!

:-X :-X :-X
Grrr. Ok I've overlooked the help text.

Maybe it's a bit confusing that one of the advanced options has a default value that make not applicable all other options.
IMHO it would be better to warn the user if he/she sets the ports and protocol is left to any.

Or maybe the UI should be made consistent with the "Add rule".
Default protocol is TCP and choosing any hide source and dest ports

BBcan177

@gabrimonfa:

IMHO it would be better to warn the user if he/she sets the ports and protocol is left to any.

Or maybe the UI should be made consistent with the "Add rule".
Default protocol is TCP and choosing any hide source and dest ports

This is already fixed in the next package release… Just in testing phase now ...