Want to know about firewall/nat rules



  • Hello Friends,

    I am new to this forum and my networking knowledge is limited. I wanted to know about the firewall rules of pfSense before deploying a pfSense firewall for my network.

    1. How do pfSense firewall rules work, i.e. on each interface or as a single box?
    2. As far as my network is concerned …..
          i.  I need only outbound connections and I want to reject all incoming traffic.
          ii. I want to open HTTP/HTTPS/VPN ports from the WAN side to access a web server/VPN server.

    I want to know on which interface all these rules should be applied.

    Also, can I access the internet without NATing, and what are the default rules (firewall/NAT) on pfSense?

    Mangesh



  • http://forum.pfsense.org/index.php/topic,7001.0.html

    1 & 2: see link above.

    Unless you have a public IP range which you can use in your LAN, you will have to use NAT.

    Default rules:

    • NAT any directly connected subnet, and any subnet known via static route, to WAN
    • allow any from LAN subnet to any
    • block any on all other interfaces (like WAN or OPT1)


  • @GruensFroeschli:

    http://forum.pfsense.org/index.php/topic,7001.0.html

    1 & 2: see link above.

    Unless you have a public IP range which you can use in your LAN, you will have to use NAT.

    Default rules:

    • NAT any directly connected subnet, and any subnet known via static route, to WAN
    • allow any from LAN subnet to any
    • block any on all other interfaces (like WAN or OPT1)

    What I understood from your reply about the default rules is:
      1. Outgoing connections from the LAN interface are open and incoming connections are blocked.
      2. Incoming connections to LAN from the WAN/OPT1 interface are blocked.

    So if I wanted to open the HTTPS port to access an internal web site, then I would have to put rules on the WAN interface as well as the LAN interface?



  • Read the link I posted again with a bit more attention.

    Quoting the linked thread:

    Traffic is filtered on the interface on which the traffic comes in.
    So traffic coming in on the LAN interface will only be processed by the rules you define on the LAN tab.

    If you want to forward HTTPS traffic to a server you need a NAT mapping as well.



  • My question is kind of the same.
    Running pfSense with IPsec VPN and DHCP range 192.168.1.100-192.168.1.150, and I want to do the following:
    1. LAN users except DHCP clients - everything closed except email and VPN
    2. LAN DHCP clients - all open

    I've tried different settings but it looks like I'm missing something. Could somebody point me in the right direction please?
    For example, what should the rules in the attachment do? As far as I understand, 192.168.5.1 shouldn't have access to the internet, right?




  • Destination "WAN address" means exactly that: when the destination is the IP of the WAN of pfSense (never going to happen, unless you want to access the webGUI via the WAN).

    Set the destination to any (the internet is any, right?) and 192.168.5.1 will no longer be able to access the internet.



  • OK, but it closed the VPN too… how can I keep the VPN, and FTP inside the VPN, open?



  • Obviously, since you closed all ports for your .5.1 client.
    Open up the VPN ports and your host should be fine accessing a VPN. Remember to put the allow rule(s) above the block all rule (first come, first serve)!



  • @jahonix:

    Obviously, since you closed all ports for your .5.1 client.
    Open up the VPN ports and your host should be fine accessing a VPN. Remember to put the allow rule(s) above the block all rule (first come, first serve)!

    What are the "VPN ports"? As far as I know IPsec is riding on top of TCP and UDP and not using ports.
    I have everything open on the IPsec tab. Should I open TCP/UDP port 500 on LAN? But this port is used only for ISAKMP negotiations and that is done by pfSense already. Thanks!



  • You didn't tell us which VPN solution you are using, so I couldn't answer that question exactly.
    For IPsec you need pass rules for the AH and ESP protocols, not ports.
    Further reading might start (but isn't limited to!  ;D) here:
    http://en.wikipedia.org/wiki/Ipsec



  • ???
    i don't understand how ah and esp could be involved here? may be if i do this it'll clear some things

    vpn tunnel
    192.168.5.1 - > [pfsense] < –----(internet)------ > [pfsense] <- 192.168.1.129
    xp wrkstn        vpn server                                    vpn server    web/ftp server
                              ipsec                                          ipsec

    what i wanna do is to close access to the internet for 192.168.5.1 but keep access to 192.168.1.129 open for this station.
    ipsec tab in rules is set to allow everything. closing everything for .5.1 on lan and then opening ah and esp wont do anything. WALL
    thanks!



  • You are asking the wrong questions and only give hints in pieces.
    We are not here to pull each and every useful piece of information out of you…
    With 121 posts as of today I don't consider you a newbie anymore needing to be spoon-fed.

    @covex:

    OK, but it closed the VPN too… how can I keep the VPN, and FTP inside the VPN, open?

    Your client .5.1 obviously needs access to client .1.129 for specific services.
    The VPN tunnel should be completely transparent for this machine, shouldn't it?

    Have you tried creating a rule for .5.1 to access the other IP, and maybe limiting it to the respective services?



  • Did you read the link I posted in my first reply?
    If you really want help you should provide all available information.
    You didn't say anything about pfSense handling the VPN connection.
    As you described it, it sounded as if the client behind pfSense initiated a VPN connection.

    Anyway: can you see that if you want access over the VPN connection, you need a rule to allow this access?
    Just create a rule above your block rule that allows, as destination, the other side of your tunnel.

    Alternatively you could change your existing block rule to: Destination: "NOT other_side_of_tunnel".
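The following is an added example, not code from the thread or from pfSense, that models the rule semantics the thread relies on: rules are evaluated only on the tab of the interface a packet enters (the earlier reply quoting the linked thread), first match wins with an implicit default deny, "WAN address" as a destination is pfSense's own WAN IP rather than "the internet" (jahonix's reply above), and a port forward needs a NAT mapping whose associated WAN rule names the internal server. It then replays the .5.1 case from this reply: the tunnel allow above the block, the single inverted block rule, and the two attempts that went wrong. The tunnel is assumed to be terminated by pfSense itself, as covex's diagram shows, so the LAN tab only ever sees plain client traffic. The remote subnet 192.168.1.0/24, the WAN IP 203.0.113.2 and the web server 192.168.5.10 are constructed for the example; only 192.168.5.1 and 192.168.1.129 come from the thread.

```python
"""Toy model of pfSense rule evaluation (added example, not pfSense code).

Semantics reproduced from the thread:
  * rules live on the tab of the interface the packet ENTERS;
  * rules are checked top to bottom, first match wins;
  * anything unmatched is dropped (implicit default deny on every interface);
  * "WAN address" as a destination means pfSense's own WAN IP, not the internet;
  * a port forward (NAT mapping) rewrites the destination before filtering,
    so the matching WAN rule names the internal server, not the WAN IP.
All addresses except 192.168.5.1 and 192.168.1.129 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: str = ANY              # "tcp", "udp", "esp", ... or "any"
    src: str = ANY                # CIDR or "any"
    dst: str = ANY                # CIDR or "any"
    dport: Optional[int] = None   # destination port; None = any port
    invert_dst: bool = False      # pfSense's "not" checkbox on the destination
    note: str = ""


def _in_net(net: str, ip: str) -> bool:
    return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != ANY and rule.proto != pkt["proto"]:
        return False
    if not _in_net(rule.src, pkt["src"]):
        return False
    dst_hit = _in_net(rule.dst, pkt["dst"])
    if rule.invert_dst:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return rule.dport is None or pkt.get("dport") == rule.dport


def evaluate(rulesets: Dict[str, List[Rule]], pkt: dict) -> Tuple[str, str]:
    """Return (action, note), consulting only the ingress interface's tab."""
    for rule in rulesets.get(pkt["in_if"], []):
        if matches(rule, pkt):
            return rule.action, rule.note
    return "block", "implicit default deny"


# Constructed addressing (assumed; not from the thread except .5.1 and .1.129)
LAN_NET = "192.168.5.0/24"
REMOTE_LAN = "192.168.1.0/24"      # far side of the IPsec tunnel (assumed /24)
WORKSTATION = "192.168.5.1/32"
WAN_ADDRESS = "203.0.113.2/32"     # pfSense's own WAN IP (documentation range)
WEB_SERVER = "192.168.5.10/32"     # internal web server behind a port forward


def lan_rules_pass_above_block() -> List[Rule]:
    # What the thread recommends: tunnel allow first, then block .5.1,
    # then the stock "LAN subnet to any" allow for everyone else.
    return [
        Rule("pass", src=WORKSTATION, dst=REMOTE_LAN, note="allow .5.1 across tunnel"),
        Rule("block", src=WORKSTATION, dst=ANY, note="block .5.1 elsewhere"),
        Rule("pass", src=LAN_NET, dst=ANY, note="default LAN allow"),
    ]


def lan_rules_single_inverted_block() -> List[Rule]:
    # The one-rule alternative: block .5.1 to "NOT other_side_of_tunnel".
    return [
        Rule("block", src=WORKSTATION, dst=REMOTE_LAN, invert_dst=True, note="block .5.1 except tunnel"),
        Rule("pass", src=LAN_NET, dst=ANY, note="default LAN allow"),
    ]


def lan_rules_wrong_order() -> List[Rule]:
    # The mistake from the thread: block-all placed above the tunnel allow.
    return [
        Rule("block", src=WORKSTATION, dst=ANY, note="block .5.1 elsewhere"),
        Rule("pass", src=WORKSTATION, dst=REMOTE_LAN, note="tunnel allow (never reached)"),
        Rule("pass", src=LAN_NET, dst=ANY, note="default LAN allow"),
    ]


def lan_rules_wan_address_mistake() -> List[Rule]:
    # The first attempt: destination "WAN address" only matches pfSense's
    # own WAN IP, so the internet stays reachable for .5.1.
    return [
        Rule("block", src=WORKSTATION, dst=WAN_ADDRESS, note="block .5.1 to WAN address"),
        Rule("pass", src=LAN_NET, dst=ANY, note="default LAN allow"),
    ]


def wan_rules_with_https_forward() -> List[Rule]:
    # WAN tab: stock config has no pass rules. A port forward adds one whose
    # destination is the INTERNAL server, because NAT already rewrote it.
    return [Rule("pass", proto="tcp", dst=WEB_SERVER, dport=443, note="HTTPS port forward")]


def pkt(in_if: str, src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> dict:
    return {"in_if": in_if, "src": src, "dst": dst, "proto": proto, "dport": dport}
```

Run `evaluate` with the LAN and WAN rule lists against packets from .5.1: with the tunnel allow above the block, 192.168.1.129 is reachable and the internet is not; swap the two rules and the tunnel is blocked as well; the inverted single block rule gives the same result as the pair. The WAN list passes only port 443 to the forwarded server, and a packet entering on WAN is never checked against LAN rules, which is the point of the "filtered on the interface it comes in on" remark.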



  • Crushed and destroyed  :-[
    GruensFroeschli, I'll read your first post again  :(

    Thanks for your help guys!  :)



  • No need to be crushed and destroyed :)
    Just read the available info more carefully ;)
    If you have any questions just ask again.

