Netgate Discussion Forum

    Can I Block Outgoing Traffic to Ports on WAN Interface?

guardian (Rebel Alliance):

      Is it possible to block outgoing traffic on the WAN interface (possibly with a floating rule)?

I want to prevent traffic for the following ports 135, 136, 137, 138, 139, 445, 593, 1900, 5000, 5353 ever going out on the internet.
      (Should I be adding anything to this list for a home setup?)

      If I just had a LAN/WAN, then it would be no problem, just put a rule on the LAN, but I have several VLANS.

      I want to keep things simple, so it would be better to not have to put rules on each VLAN interface.

      Any help would be much appreciated.

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

johnpoz (LAYER 8 Global Moderator):

This would be a good rule to put in floating for outgoing.

        But to be honest - none of that traffic should ever really go out the wan..  Are you seeing this traffic leave now?  Simple sniff on your wan would show you if that is currently the case.  Or could just put in the floating rule and then log it and come back later to see if any hits on the rule.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Derelict (LAYER 8 Netgate):

Yeah, a floating rule on WAN outbound would be a good place for that.

Reject quick, interface WAN, direction out, protocol any, source address any, source port any, dest address any, dest port a port alias containing all of those ports.

          Probably enable logging on the rule too so if it blocks something unintended it will be logged so you can see it.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

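The rule Derelict describes, written out as the pf.conf equivalent pfSense would generate (an added example, not from the thread). The WAN interface name `em0` and the alias name `NoWanEgress` are assumed placeholders; one caveat is that the GUI only lets you set a destination port when the protocol is TCP, UDP or TCP/UDP, so the rule uses TCP/UDP rather than "any".

```pf
# Firewall > Aliases > Ports: alias holding the ports listed in the first post
# (alias name is an assumption; pick whatever you like in the GUI)
NoWanEgress = "{ 135 136 137 138 139 445 593 1900 5000 5353 }"

# Firewall > Rules > Floating: Action Reject, Quick checked, Interface WAN,
# Direction out, Protocol TCP/UDP, Source any, Destination any,
# Destination port NoWanEgress, Log checked.
# "block return" is pf's reject: TCP gets an RST and UDP an ICMP unreachable,
# so a misbehaving client fails fast instead of waiting on a silent drop.
# "log" puts every hit in Status > System Logs > Firewall for later review.
# em0 is an assumed WAN interface name.
block return out log quick on em0 proto { tcp udp } from any to any port $NoWanEgress
```

After it has run for a while, the rule's own counters (Firewall > Rules > Floating, or `pfctl -vvsr` on the console) show evaluations versus matches, which is the "come back later to see if any hits" check johnpoz suggested.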
guardian (Rebel Alliance):

Thanks very much for the replies, johnpoz & derelict.

            Extra big thanks to derelict for giving me the rule, because I'm still struggling with how floating rules work.

            @johnpoz:

            But to be honest - none of that traffic should ever really go out the wan..  Are you seeing this traffic leave now?  Simple sniff on your wan would show you if that is currently the case.  Or could just put in the floating rule and then log it and come back later to see if any hits on the rule.

            Are there built in firewall rules to prevent this broadcast traffic from leaving the network?  Not sure if they have fixed it, but the cable company network allows a lot of stuff to float around that shouldn't be.


Derelict (LAYER 8 Netgate):

              Are there built in firewall rules to prevent this broadcast traffic from leaving the network?

              Broadcast traffic would not be routed out WAN.

              You are looking at preventing unicast traffic to those ports out WAN.

              Not sure if they have fixed it, but the cable company network allows a lot of stuff to float around that shouldn't be.

              Your ISP is in the business of routing traffic. It is not necessarily in the business of blocking things you might not want to receive. Someone else might want that traffic for some reason. "Shouldn't be" is subjective. That's why you can run your own firewall tailored to your own specific needs.


guardian (Rebel Alliance):

                UPDATE:
                After a bit of logging I notice that 192.168.x.2:138 does a broadcast to 192.168.x.255:138.  If that gets to create a firewall state, it's game over for any open network shares.  I had it happen once with DD-WRT - fortunately nothing really bad happened, but I was just lucky.


kpa:

                  @guardian:

                  UPDATE:
                  After a bit of logging I notice that 192.168.x.2:138 does a broadcast to 192.168.x.255:138.  If that gets to create a firewall state, it's game over for any open network shares.  I had it happen once with DD-WRT - fortunately nothing really bad happened, but I was just lucky.

                  Sorry but you don't seem to yet understand what a broadcast is and why it can't cross routers. Broadcasts are limited to the immediately connected network segment, you can almost guess this by looking at a broadcast address. A broadcast address 192.168.x.255 means exactly "all the network nodes that are directly reachable on the same network segment (usually connected to the same wire but bridges can change that) that have an address in the 192.168.x.0/24 network".

                  Yes a broadcast can create a state on the LAN interface of pfSense (assuming 192.168.x.* is your LAN but see below) but that's not going to do anything on the WAN interface because broadcasts are not routed across interfaces. The only way to have broadcasts/multicasts routed is to have a proxy on the router do the job and pfSense doesn't include proxies for most of the broadcast/multicast based protocols, the one notable case is the avahi package that can proxy mDNS traffic and you have to install the package first and enable the service.

If 192.168.x.* is on your WAN side then I don't understand why you even think the broadcasts could get through; the default policy is to block unrecognized traffic, including broadcasts.

johnpoz (LAYER 8 Global Moderator):

So did you create the floating rule?  How many hits you seeing ;)  The ports you listed are normally broadcast/multicast ports that would never be sent out your wan.. Ie 1900 and 5353.. Those netbios ports you listed.. While it's possible that windows being as stupid as it is might do a netbios query to the websites you hit, etc.  That would most likely be on 139..

I put a block on 137-139 tcp/udp on my floating outbound a long while back, in answer to another thread and someone wanting an example.. I never removed it.. So almost 1 million evaluations.. Zero triggers..

[attached screenshot: outbound.png]


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.