Deny All Outbound
-
Evening,
Trying to get my head around denying all outbound traffic from my pfSense box. At the minute this is in test before I move it live.
My first rule is to block any protocol from LAN net to WAN net.
I then have my rules to allow:
UDP 53 to selected servers from LAN net
TCP/UDP 123 to selected servers from LAN net
TCP 80 + 443 from LAN net
I then have other rules such as:
UDP 500 + 4500 to my mobile phone provider for WiFi calling
Then the two built-in rules at the bottom, IPv4+6 LAN net to anywhere (the Default allow LAN IPv4/6 to any rules), which are set to block.
Have I done this right? Certain things that access specific ports still seem to work; have I done anything wrong?
-
WAN net != The Internet. It is only the actual defined subnet of your WAN.
-
Yeah this question comes up like once a week ;)
Maybe there should be some note on all the firewall tabs that blinks HUGE red letters – WAN net is not the internet ;) hehehe
It's pretty clear on the firewall basics page:
LAN net - The subnet configured on the LAN interface under Interfaces > LAN. On pfSense 2.2+, this also includes IP alias networks on that interface.
LAN address - The IP address configured on the LAN interface under Interfaces > LAN
zzz net / zzz address - Works the same as LAN above but for other interfaces (WAN, OPT1, OPT2, etc.)
Maybe we should really add a note there specific to WAN net, that this is not the internet but only the network WAN is connected to… Going to add that now, I think, to the wiki.
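The point the replies make (WAN net is only the WAN interface's own subnet, so a "block LAN net to WAN net" rule never matches an Internet-bound packet) is easy to see by simulating pfSense's first-match rule evaluation over the rule list from the first post. The following is an added example, not code from this thread or from pfSense itself: the `rule()`, `matches()` and `evaluate()` helpers are my own simplified model, the addresses are constructed RFC 5737 documentation ranges standing in for a real LAN, a real ISP-assigned WAN subnet and the poster's "selected servers", and the IPv4-only, TCP/UDP-only handling is an assumption to keep the model small.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges); the WAN subnet is an
# assumption standing in for whatever the ISP hands the WAN interface.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
SELECTED_SERVERS = [ipaddress.ip_network("198.51.100.53/32")]  # placeholder DNS/NTP hosts


def rule(action, proto, src, dsts, ports=None, desc=""):
    """One firewall rule. proto 'any' matches every protocol; ports None matches any port."""
    return {"action": action, "proto": proto, "src": src, "dsts": list(dsts),
            "ports": set(ports) if ports else None, "desc": desc}


def packet(proto, src, dst, dport):
    """A simplified outbound packet as seen on the LAN interface."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


def matches(r, pkt):
    """True when every field of the rule matches the packet (network containment for addresses)."""
    if r["proto"] != "any" and r["proto"] != pkt["proto"]:
        return False
    if pkt["src"] not in r["src"]:
        return False
    if not any(pkt["dst"] in net for net in r["dsts"]):
        return False
    if r["ports"] is not None and pkt["dport"] not in r["ports"]:
        return False
    return True


def evaluate(rules, pkt):
    """pfSense-style first match wins; no match at all means the implicit default block."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["desc"]
    return "block", "implicit default deny"


# The rule order from the first post, with the built-in LAN allow rule left in place.
AS_POSTED = [
    rule("block", "any", LAN_NET, [WAN_NET], desc="block LAN net to WAN net"),
    rule("pass", "udp", LAN_NET, SELECTED_SERVERS, {53}, "DNS to selected servers"),
    rule("pass", "udp", LAN_NET, SELECTED_SERVERS, {123}, "NTP to selected servers"),
    rule("pass", "tcp", LAN_NET, [ANY], {80, 443}, "web from LAN net"),
    rule("pass", "any", LAN_NET, [ANY], desc="Default allow LAN to any"),
]

# The same allow rules, with a catch-all block to *any* destination as the last rule.
CORRECTED = AS_POSTED[1:-1] + [
    rule("block", "any", LAN_NET, [ANY], desc="block LAN net to any (catch-all last)"),
]

if __name__ == "__main__":
    smtp_internet = packet("tcp", "192.168.1.10", "192.0.2.25", 25)
    smtp_wan_subnet = packet("tcp", "192.168.1.10", "203.0.113.7", 25)
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for pkt in (smtp_internet, smtp_wan_subnet):
            print(name, pkt["dst"], "->", evaluate(rules, pkt))
```

Running it shows the posted order letting SMTP to an Internet host through on the "Default allow LAN to any" rule, because the block rule only matches destinations inside 203.0.113.0/24, while the corrected list passes only the explicitly allowed services and blocks everything else. Also note that pfSense keeps existing state table entries when rules change, so connections opened before a new block rule was applied can keep working until the states are reset.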