Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can a port be hard blocked?

    Scheduled Pinned Locked Moved General pfSense Questions
    20 Posts 10 Posters 2.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      battles
      last edited by

      After reading about the release of the NSA hacking tools (Eternalromance) here:

      https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

      I tried to find if pfSense would hard block a port.  The ports used by Eternalromance are TCP ports 445 and 139.  I
      figured if that hack/spyware got into your Windows machine, that pfSense would possibly allow it through since it
      is coming from your system.  I can't see how to hard block specific ports anywhere in pfSense or pfBlockerNG.  Anyone
      know if and how this could be done?

      Thanks

      pfSense 2.3.4-RELEASE-p1 (i386)
      FreeBSD 10.3-RELEASE-p19
      pfBlockerNG 2.1.2_1
      Snort Security 3.2.9.5_3
      Intel(R) Atom(TM) CPU N270 @ 1.60GHz

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Hard block?  You mean reject?  Hard block is not a infosec term..  Between what and what exactly?

        Pfsense has zero to do with traffic between devices on the same layer 2 network.. Pfsense is a layer 3 firewall / router.  If you don't want network A talking to network B on port X then yes pfsense can prevent that.  Be it "blocked" or actually rejected..

        If you don't want machine A on your network talking to machine B put them on different networks and let pfsense firewall between them.. Use a software firewall on your machines, or use a switch that allows for ACLs or private vlans where device A can not talk to device B, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • B
          battles
          last edited by

          @johnpoz:

          Hard block?  You mean reject?  Hard block is not a infosec term..  Between what and what exactly?

          Pfsense has zero to do with traffic between devices on the same layer 2 network.. Pfsense is a layer 3 firewall / router.  If you don't want network A talking to network B on port X then yes pfsense can prevent that.  Be it "blocked" or actually rejected..

          If you don't want machine A on your network talking to machine B put them on different networks and let pfsense firewall between them.. Use a software firewall on your machines, or use a switch that allows for ACLs or private vlans where device A can not talk to device B, etc.

          As you can see, I'm not an infosec guy.  Yes, reject anything coming through psSense to/from TCP ports 445 and 139.  There is only one computer connect to my controller to WAN.

          pfSense 2.3.4-RELEASE-p1 (i386)
          FreeBSD 10.3-RELEASE-p19
          pfBlockerNG 2.1.2_1
          Snort Security 3.2.9.5_3
          Intel(R) Atom(TM) CPU N270 @ 1.60GHz

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Put a reject rule on all interfaces such as:

            Reject IPv4 TCP source LAN net dest any port 139
            Reject IPv4 TCP source LAN net dest any port 445

            Change the source network to the network on the specific interface.

            Put those rules above the rule that poasses traffic to the internet.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • K
              kpa
              last edited by

              Note that rejecting connections is a less secure than silently ignoring them with a drop rule because answering to connection attempts when you're not going to accept them can make you a target for DDoS attacks. All this depends on the use case though, if you have a large website that you're hosting with lots of other services exposed the reject policy is not any more dangerous because everyone already knows that your IP address will answer to connection attempts anyway.

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                I disagree with that "more secure" assertion when you are dealing with connections from the inside.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  So you have 1 computer behind pfsense??  Why would you think you need to "hard block" 445 and 139??

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • JailerJ
                    Jailer
                    last edited by

                    @johnpoz:

                    So you have 1 computer behind pfsense??  Why would you think you need to "hard block" 445 and 139??

                    1 Reply Last reply Reply Quote 0
                    • B
                      battles
                      last edited by

                      @johnpoz:

                      So you have 1 computer behind pfsense??  Why would you think you need to "hard block" 445 and 139??

                      To block "The ports used by Eternalromance".

                      pfSense 2.3.4-RELEASE-p1 (i386)
                      FreeBSD 10.3-RELEASE-p19
                      pfBlockerNG 2.1.2_1
                      Snort Security 3.2.9.5_3
                      Intel(R) Atom(TM) CPU N270 @ 1.60GHz

                      1 Reply Last reply Reply Quote 0
                      • B
                        battles
                        last edited by

                        I think that Derelict has what I was looking for.  Thanks

                        pfSense 2.3.4-RELEASE-p1 (i386)
                        FreeBSD 10.3-RELEASE-p19
                        pfBlockerNG 2.1.2_1
                        Snort Security 3.2.9.5_3
                        Intel(R) Atom(TM) CPU N270 @ 1.60GHz

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          And like you said your not in infosec, and clearly have no understanding of what eternalromance is or how it infects is even used.  Blocking it on pfsense outbound has ZERO to do with your machine getting infected or being compromised with said tool.

                          Even if your isp allowed 139 and 445 over the public internet.. Many of them block this port.. The default wan rules are deny all.  Have you forwarded 445 or 139 to your machine?  You clearly have no other hostile machines on your network that could be attacking your machine.. And if you did blocking it on pfsense has ZERO to do with another machine on your network from attacking your machine.

                          Blocking it outbound would prevent your machine from using that tool outbound to infect/hack other machines ;)  That is all that rule is going to do.. be it you just block or reject..  So I look to see if these ports can get to my public IP across the internet..  As you can see they are reported closed.  Because I don't forward them ;)  And 2nd they don't even get to me.. Look in the firewall rules - sniff on the wan interface while testing.  Those packets do not get to me, and more than likely they can not get to you either. Because many isp block these ports across the public internet…  And or the isp blocks it from being used on the networks they connect their clients too - because if they have stupid clients that plug their boxes directly in they don't want client A seeing client B's machine, etc.

                          Blocking 445 and 139 on your lan interface or wan is doing ZERO about this hack tool your so worried about.  If the traffic got through from the public internet because you forwarded it let say.. Your block or reject rule would do nothing on the lan interface because you would be answering a stateful connection not creating a new connection outbound.

                          blockedbyisp.png
                          blockedbyisp.png_thumb

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • B
                            battles
                            last edited by

                            OK, thanks.  I didn't know some of the things you discussed.  I am using a VPN, but I am sure that they operate the same as my ISP.  The current government spying on everyone is anathema to me, having come out of the Nazi German era.  If it were up to governments, they would have all of us embrace Joseph Goebbels' statement that 'If you have nothing to hide, you have nothing to fear'.  I also have wondered if agents illegally (the norm for law enforcement today) were to gain access to my computer when I was out, if they then might be able to plant Eternalromance or something like it on my machine.  Since I have authored several encryption programs that make communications completely transparent and undetectable, I need to be especially careful.

                            pfSense 2.3.4-RELEASE-p1 (i386)
                            FreeBSD 10.3-RELEASE-p19
                            pfBlockerNG 2.1.2_1
                            Snort Security 3.2.9.5_3
                            Intel(R) Atom(TM) CPU N270 @ 1.60GHz

                            1 Reply Last reply Reply Quote 0
                            • T
                              TS_b Banned
                              last edited by

                              You are one paranoid dude.

                              If a first world government agency wants to hack you, they most certainly will and there is not a thing you can do about it no matter what programs/firewalls/OS/tin foil lead lined helmet you use.

                              There's good news though! The government does not care what you are doing  ;).

                              Rest easy sweet man, there are no "illegal agents" sneaking into your house to see what kind of crazy things you've been up to lately.
                              Or maybe they are, but if they are and you are asking questions here then you already lost  :).

                              pfSense is an outstanding firewall as long as you have realistic expectations. Protecting you from government level zero days (or anything government level that's targeted) is not realistic.

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                The tinfoil hat stuff drives me crazy.. As TS_b mentions.. If someone like the NSA wanted to spy on you.. Do you think they would have any qualm about just entering your house and putting whatever they needed to on your system?  Did you check your house for bugs and cameras? ;)

                                A remote exploit tool like Eternalromance is sure and the F not going to come into play ;)

                                If your going to be paranoid about the black helicopter ninja's - at least get the software they would being using correct… All of those tools listed in the article are not keyloggers or spyware.. They are remote escalation type tools.. Which even that article you posted states "With the exception of Esteemaudit, the exploits should be blocked by most firewalls."  The tool Esteemaudit has to do with remote desktop.. You sure and the hell are not forwarding remote desktop 3389 to your machine are you?  So there you go that to is out too..

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • B
                                  battles
                                  last edited by

                                  It is unfortunate that some always resort to labeling a cautious person as paranoid.  My knowledge into the history and current methods of spying is far greater than yours,  I can assure you.  I am yet to be as knowledgeable as you when it comes to firewalls and the web, but much more knowledgeable and advanced when it comes to computer spyware and stealth communications.

                                  pfSense 2.3.4-RELEASE-p1 (i386)
                                  FreeBSD 10.3-RELEASE-p19
                                  pfBlockerNG 2.1.2_1
                                  Snort Security 3.2.9.5_3
                                  Intel(R) Atom(TM) CPU N270 @ 1.60GHz

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    Sure ok - if you think that guess its true ;)

                                    So you think a tool on your machine that was designed to send data elsewhere would you ports 445 or 139?  Why would it not just use standard web ports, 80, 443 etc.. and just hide in your normal surfing traffic.. Most likely going to some CDN that your machine normally talks to all the time.. Like windows update, or some server in the amazon CDN or the huge akamai cdn..

                                    Sure and the F not going to use some port that is not use for normal internet traffic..  If so the people writing the code are pretty freaking stupid - or want to be caught or blocked..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      If you want to get as much control as possible try approaching this from the other direction; remove the default allow rule and add back only rules for traffic you want to pass.

                                      It's relatively common to see that for public wifi for example. Allow DNS to the firewall only, where you can filter it, and http/s. Reject, everything else.

                                      Of course like a lot of things you reach a security vs convenience trade-off.

                                      Steve

                                      1 Reply Last reply Reply Quote 0
                                      • F
                                        Finger79
                                        last edited by

                                        @stephenw10:

                                        If you want to get as much control as possible try approaching this from the other direction; remove the default allow rule and add back only rules for traffic you want to pass.

                                        It's relatively common to see that for public wifi for example. Allow DNS to the firewall only, where you can filter it, and http/s. Reject, everything else.

                                        Of course like a lot of things you reach a security vs convenience trade-off.

                                        Steve

                                        This x100.  It's best practice to start with default deny then allow only necessary traffic through any interface.

                                        1 Reply Last reply Reply Quote 0
                                        • ?
                                          Guest
                                          last edited by

                                          After reading about the release of the NSA hacking tools (Eternalromance) here:

                                          https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

                                          And now you are afraid of them? They have other methods to get your data without using any kind of tools if they must do this!
                                          I personally think that the new IPTVs are all together more sniffing and talking to others then the NSA will ever do!

                                          I tried to find if pfSense would hard block a port.  The ports used by Eternalromance are TCP ports 445 and 139.  I
                                          figured if that hack/spyware got into your Windows machine, that pfSense would possibly allow it through since it
                                          is coming from your system.

                                          An Application based firewall such the a Next Generation Firewalls (NG-Firewalls) or string DPI

                                          I can't see how to hard block specific ports anywhere in pfSense or pfBlockerNG.

                                          • strong DPI (firewall)
                                          • Switch ACLs (switch)
                                          • Firewall rules (firewall)
                                          • GeoIP Blocking (firewall)
                                          • HostIDS such OSSec (sensors & server)
                                          • NetIDS such Snort or Suricata (firewall, or sensors & server)
                                          1 Reply Last reply Reply Quote 0
                                          • P
                                            pfBasic Banned
                                            last edited by

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.