Block all incoming/outgoing traffic except some ports
-
Hi,
I'm about to put my pfsense firewall in a dmz so I'd like it to be safe.
How can I block all incoming traffic except :80 and :1723? (As you can see in the print screen, I haven't blocked private networks. Because otherwise my vpn won't work)

-
I'm going to make some assumptions… so tell me if I'm wrong:
Network:
WAN (192.168.1.X) -- pfSense Box -- LAN (192.168.2.X)
You want to only allow access to those two ports on the LAN (192.168.2.X) network, right?
How do you plan on addressing the machines in the LAN? Will you be running PF as a bridge, or will you be natting IPs from the WAN network into the LAN?
Depending on the answers, there are a few variations on what you can do.
-
Here is my situation
Wan ---> (192.168.123.x) pfsense -----> lan (192.168.1.x)
So my pfsense machine is dhcp server for the lan only.
I only want the lan clients to connect with the basic ports such as :80, :21, ...
-
Hmm… perhaps I'm misunderstanding you. Do you want people in the WAN to connect to the servers in the LAN? Like if you have a web page on a server in 192.168.1.X? Or are you saying that you only want the servers in the LAN to be able to talk to certain ports in the WAN, like port 80, 21, etc?
If you have resources in the LAN that you want WAN users to be able to talk to, then you should create a Virtual IP in the WAN with a WAN IP (say, 192.168.123.10) and use Port Forwarding to forward those specific ports to the resources in the LAN (like forward traffic going to 192.168.123.10 port 80 to 192.168.1.55 port 80). If you keep the check mark checked at the bottom of the port-forward form, it will automatically create a rule to allow all WAN traffic to that port forward; otherwise you will need to create a firewall rule in the WAN allowing the servers you want to connect.
If you want users in the LAN to only be allowed to only reach certain ports in the WAN, then simply remove the default "Allow All" rule in the LAN and add a rule (or rules) that restrict access to only those ports that you have chosen.
-
Thanks for your answer, what I'm trying to do is to only allow the lan clients to access the internet on some ports (:80, :20, :21,…).
The wan is the internet so I don't need to access servers on the wan side.
-
- Create a rule or rules allowing access on the LAN interface to your chosen ports
- Disable the default "Allow all" rule on the LAN interface
Done.
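The same two steps, written out as the pf rules pfSense generates from the GUI, as an added example that is not from this thread. The interface name em1, the firewall's LAN address 192.168.1.1 acting as DNS forwarder, and the ruleset layout are assumptions; the LAN subnet and ports come from the poster's own description.

```pf
# Weak setting: the stock pfSense "Default allow LAN to any" rule.
# (Constructed pf.conf excerpt; pfSense writes its rules to /tmp/rules.debug.)
pass in quick on em1 inet from 192.168.1.0/24 to any keep state

# Corrected ruleset (constructed): permit only the chosen ports, then deny the rest.
lan_if  = "em1"            # assumed LAN interface name
lan_net = "192.168.1.0/24" # LAN subnet from the thread
fw_ip   = "192.168.1.1"    # assumed: pfSense LAN address, running the DNS forwarder

# DNS to the firewall itself. Without this, clients cannot resolve names and
# "port 80 is open" still looks broken from the LAN.
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to $fw_ip port 53 keep state

# Web and FTP control channel outbound from LAN clients (ports from the thread).
pass in quick on $lan_if inet proto tcp from $lan_net to any port 80 flags S/SA keep state
pass in quick on $lan_if inet proto tcp from $lan_net to any port 21 flags S/SA keep state
# Port 21 alone only opens the FTP control channel: passive-mode data connections
# go to high ports chosen by the server and need a wider rule or an FTP helper.
# Port 20 (active-mode data) is opened by the server toward the client, so listing
# it as a destination here does nothing useful.

# Everything else from the LAN is logged and dropped. pfSense already does this
# implicitly once the allow-all rule is gone; making it explicit keeps the intent
# visible in the generated ruleset.
block in log quick on $lan_if inet from $lan_net to any
```

In the GUI, the allow rules go on the LAN tab under Firewall > Rules, above (or in place of) the default allow-all rule, since pfSense evaluates rules top down and the first match wins.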
-
Ok thanks