Help denying NAS internet unless specific port



  • I have a NAS torrent box that connects to the internet via a VPN…
    In my old router I had it set up so that it would deny all internet access unless it was going through 2 specific ports...
    I'm sure there are tons of better ways to do that in here, but for now I'm trying to get it to work here the same way it was..

    Allow NAS box 10.1.1.10 internet access only on port 53 and 1723... router IP 10.1.1.1

    Here is my old routing table...

    # WAN interface taken from the default route
    WAN_IF="$(ip route | awk '/^default/{print $NF}')"
    # -I inserts each rule at the top of FORWARD, so they end up evaluated in reverse order:
    # the two ACCEPTs are checked first, then the REJECTs catch all other new connections
    iptables -I FORWARD -i br0 -s 10.1.1.10 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -s 10.1.1.10 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br0 -p udp -s 10.1.1.10 --dport 53 -o "$WAN_IF" -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -p tcp -s 10.1.1.10 --dport 1723 -o "$WAN_IF" -m state --state NEW -j ACCEPT

    

    Can I do the same in here…
    In the WAN or LAN section, or both?
    How many rules should I have to make?

    Thanks again
    s0rcier


  • Galactic Empire

    You'd place the rule on the LAN interface.

    You could create an alias that contains your local subnets and create a firewall rule at the top that allows the nas to talk to anything that isn't in the alias using port 53  the same for port 1723 using the invert match option.

    I'd also put a deny rule directly underneath that blocks the nas to talk to any.

    I like to see the hits against my blocks so I have block rules, but the default is to deny any at the bottom.

    You could even create an alias for port 53 & 1723 and have a single allow rule.

    pfSense reads the firewall rules top down, so as long as you block anything from your nas after it should work.

    Just popped some rules on an unused VOICE lan, check out the rules attachment.

    And I have just corrected the typo on my n_ipv4_local_subnets alias :)






  • Wow! Didn't see the picture till I logged back on to reply… didn't know you can put a rule to exclude your local IP subnets like that ... I was trying wan_net and wan_address to block without success :(

    I made 1 alias for my Synology NAS, so if I change its IP I just have the alias to update

    Thanks a lot :)

    Added picture as attachment, not sure if it works lol



  • LAYER 8 Netgate

    Didn't know you can put a rule to exclude your local IP subnets like that

    Yeah, and you shouldn't.

    You should block to the local subnet alias (and don't forget self) then pass any (or a subset of any).

    If you want to block traffic, block it. Don't "block" traffic to a destination with pass rules to ! destination.

    ![Screen Shot 2017-02-22 at 12.59.35 AM.png](/public/imported_attachments/1/Screen Shot 2017-02-22 at 12.59.35 AM.png)
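    An added illustration (not from the thread or from pfSense) of the two rule orderings discussed above, evaluated the way pfSense does it: top down, first match wins, implicit deny at the bottom. The NAS, router, local-subnet alias and port alias mirror the numbers in this thread; the "new" 10.1.2.0/24 subnet is constructed to show what happens when a subnet is added but missing from the alias.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst proto dport")

# Constructed values mirroring the thread: the poster's NAS, router and LAN.
NAS = ipaddress.ip_address("10.1.1.10")
SELF = {ipaddress.ip_address("10.1.1.1")}              # the firewall itself ("don't forget self")
LOCAL_SUBNETS = [ipaddress.ip_network("10.1.1.0/24")]   # the local-subnets alias
NAS_PORTS = {("udp", 53), ("tcp", 1723)}                # one port alias, as suggested above

def is_local(dst):
    return dst in SELF or any(dst in net for net in LOCAL_SUBNETS)

def nas_port_ok(p):
    return p.src == NAS and (p.proto, p.dport) in NAS_PORTS

# Style 1: pass NAS to "! local_subnets" on the allowed ports, then block NAS to any.
INVERT_STYLE = [
    ("pass",  lambda p: nas_port_ok(p) and not is_local(p.dst)),
    ("block", lambda p: p.src == NAS),
]
# Style 2: block NAS to the local subnets (and self) first, then pass the allowed ports.
BLOCK_THEN_PASS = [
    ("block", lambda p: p.src == NAS and is_local(p.dst)),
    ("pass",  nas_port_ok),
    ("block", lambda p: p.src == NAS),
]

def first_match(rules, pkt):
    """Top-down evaluation: the first matching rule decides; nothing matching is denied."""
    for action, matches in rules:
        if matches(pkt):
            return action
    return "block"

def verdicts(dst, proto, dport):
    """Return (invert-style verdict, block-then-pass verdict) for one packet from the NAS."""
    pkt = Pkt(NAS, ipaddress.ip_address(dst), proto, dport)
    return first_match(INVERT_STYLE, pkt), first_match(BLOCK_THEN_PASS, pkt)

if __name__ == "__main__":
    for case in [("203.0.113.5", "udp", 53), ("203.0.113.5", "tcp", 443),
                 ("10.1.1.20", "udp", 53), ("10.1.1.1", "tcp", 1723),
                 ("10.1.2.20", "udp", 53)]:   # a subnet added later but missing from the alias
        print(case, verdicts(*case))
```

    Both orderings give the same answer for every packet with a correct alias, and both let the NAS reach the forgotten 10.1.2.0/24 subnet on port 53, which is why the alias has to be kept current whichever style is used.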


  • Galactic Empire

    @Derelict:

    Didn't know you can put a rule to exclude your local IP subnets like that

    Yeah, and you shouldn't.

    You should block to the local subnet alias (and don't forget self) then pass any (or a subset of any).

    If you want to block traffic, block it. Don't "block" traffic to a destination with pass rules to ! destination.

    What's the issue with using pass & !? I only ask as I may need to revisit my rules.

    The only problem I can see is when you add a new subnet and forget to add it to the alias.

    I tend to like all my passes at the top of my firewall rules and blocks at the bottom.


  • LAYER 8 Netgate

    There can be logic problems in the generated rule set.

    I was preaching this basic concept of firewalling long before this was discovered:

    https://redmine.pfsense.org/issues/6799

    If that was a block rule to LAN net the traffic would just be blocked period.


  • Galactic Empire

    Thanks dude.

