Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Destination Rule - "This Firewall (self)"

    Firewalling
    3
    5
    1766
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      beedix last edited by

      I was going to setup some rules to allow limited access to the pfsense web server, SSH, DNS, and DHCP server.  Is this essentially what is intended by the destination "This Firewall (self)"?

      I basically want to allow access to the HTTPS and SSH port via WAN from my work IP (i'll trust my coworkers).  Then on a couple untrusted LAN subnets, I'm blocking all private addresses on the LAN, but I want to be sure DNS and DHCP services provided by the router are available.

      If that's not the correct destination, what exactly is "This firewall (self)" used for?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • M
        magrw2066 last edited by

        @beedix:

        I was going to setup some rules to allow limited access to the pfsense web server, SSH, DNS, and DHCP server.  Is this essentially what is intended by the destination "This Firewall (self)"?

        <block>I think you need to understand the networking(bsd !=linux) more:
        1: no /proc fs
        2: no 'ip' cmd
        3: netstat is different
                Try 'netstat -p tcp -i' and 'netstat -a|less' vs linux 'netstat -plan'
        4:  try ssh/telnet/wget with custom dest ports to probe
        Sincerely,
        JC Magras</block>

        I basically want to allow access to the HTTPS and SSH port via WAN from my work IP (i'll trust my coworkers).  Then on a couple untrusted LAN subnets, I'm blocking all private addresses on the LAN, but I want to be sure DNS and DHCP services provided by the router are available.

        If that's not the correct destination, what exactly is "This firewall (self)" used for?

        Thanks!

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          You don't have to worry about dhcp server, once you enable it the correct rules are enabled in the background that you can not see with the gui.

          The firewall self alias is just that, every IP of the firewall.. All interfaces.. So its easy way to block a connection from talking to any IP on the firewall, be it lan or wan, opt1 opt2, vlan, etc. etc…. Would not normally use it in an allow rule.

          If you want to allow some remote IP to your wan IP for ssh, https then create a rule to the wan address as the dest with your remote IP as the source.  With allow your should always be very specific, ie the wan address.  When you block you can do so with very broad strokes - ie every IP on this firewall...

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

          1 Reply Last reply Reply Quote 0
          • B
            beedix last edited by

            Thanks, noted on DHCP, clarifying "self", and clarifying the WAN address for remote access.  Much appreciated on the explanation.

            For internal LAN on OPT2 (192.168.3.1/24) and OPT3 (192.168.4.1/24) only, I was planning to deny access to all private IP's (RFC 1918).  These are untrusted subnets, one being mostly internet of things devices and the second being a camera network that is known to have vulnerabilities.
            I want to allow these untrusted networks DNS and DHCP.  I understand DHCP is done automagically.  What interface is the firewall providing DNS resolving on these subnets?  Does each subnet have it's own DNS instance on 192.168.3.1 and 192.168.4.1?  Or is there a single DNS service on the primary LAN?

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              Are you running unbound resolver, have you edited what it listens on?  It default to all.  But yes in general you should let dns through to the interface on that network address.

              keep in mind blocking to firewall alias is very valid rule once you allow what you want.. Maybe this example will help, here is my dmz rules.

              So I allow icmp to the dmz address
              I then allow dns to the dmz address
              I then block all access to any firewall address at all, be dmz, wan, lan, etc..
              I then allow any access if NOT rfc1918 via alias created
              I then allow ipv6 any as long as not any of my IPv6 address ranges.. I have /48 from HE.


              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

              1 Reply Last reply Reply Quote 0
              • First post
                Last post