Firewall blocking outbound egress rules



  • Trying to make my outbound safer with some basic blocks

    If
    LAN address is the address of the interface of the pfSense to the LAN. (ie. 192.168.1.1/32)
    LAN Net is the subnet attached to this interface. (ie. 192.168.1.0/24)

    Would my blocks be like this for MS RPC as example? Trying to understand if I need wan net or wan address.

    TCP/UDP
    Source = Lan Net
    Source port = any

    Dst = Wan Address
    Dst port = 135


  • Rebel Alliance

Outbound to "Internet"?

    WAN Address != Internet

    Internet = "ANY"

    https://docs.netgate.com/pfsense/en/latest/firewall/index.html



  • Thanks, I think I have it now.

    nmap -p 1-1024 -Pn scanme.nmap.org

    PORT STATE SERVICE
    22/tcp filtered ssh
    25/tcp filtered smtp
    80/tcp open http
    135/tcp filtered msrpc
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds


  • LAYER 8 Global Moderator

    You do get that 135, 137-139, 445, etc. are blocked by many/most ISPs anyway. And shoot, even most DOCSIS modems block those in their firmware. Those are not public-internet-viable ports, and are pretty much always blocked. Little use worrying about it on your end, to be honest.

    Sure, not going to hurt anything; just kind of pointless.



  • If that's the case, when I ran an nmap scan this morning to an external source, I saw that all of those ports were open. I have a fiber line coming into the house going directly into pfSense, so there's no modem of sorts on my end.

    Bell Fibe is my ISP.


  • LAYER 8 Global Moderator

    Like I said, not going to hurt anything... But the number of places that actually have those ports open at the ISP level is not very high. More an exercise in how to do it than actual security.

    Here is from one of my VPS boxes out on the net:

    Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.015s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 1022 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    
    Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
    

    Here is from my home connection:

    Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.062s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 1012 closed ports
    PORT    STATE    SERVICE
    22/tcp  open     ssh
    25/tcp  filtered smtp
    55/tcp  filtered isi-gl
    67/tcp  filtered dhcps
    77/tcp  filtered priv-rje
    80/tcp  open     http
    135/tcp filtered msrpc
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    496/tcp filtered pim-rp-disc
    
    Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds
    

    As you see, 25 is blocked by the ISP as well. On home connections that is almost always blocked as well. But if you're on some sort of fiber...
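The moderator's comparison above works because "filtered" in nmap only means no answer came back; a single scan cannot tell a pfSense egress block from an ISP or modem block. The script below is an added example, not code from the thread or from pfSense: it parses two nmap normal-output reports for the same target (the two scans quoted above, copied in as sample input), and lists the ports that are filtered from the home vantage point but closed or open from the unfiltered VPS, i.e. filtered somewhere on the path. The port list 135, 137-139, 445 is the set the original poster wanted to block; the function and variable names are my own.

```python
"""Compare two nmap reports of the same target from two vantage points to find
ports filtered on the path rather than closed on the target.
Added example; not part of the original thread or of pfSense."""
import re
from dataclasses import dataclass, field

# Sample reports, copied from the two scans quoted above (scanme.nmap.org, -p 1-1024).
VPS_REPORT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.015s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
"""

HOME_REPORT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.062s latency).
Not shown: 1012 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
55/tcp  filtered isi-gl
67/tcp  filtered dhcps
77/tcp  filtered priv-rje
80/tcp  open     http
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
496/tcp filtered pim-rp-disc
"""

# One "PORT/PROTO STATE SERVICE" row; state may be compound, e.g. "open|filtered".
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+", re.M)
# The state nmap collapsed for the ports it did not list individually.
_NOT_SHOWN_RE = re.compile(r"Not shown: \d+ (\S+) ports")

# Ports the poster's LAN egress rule is meant to block (from the thread).
EGRESS_BLOCK_PORTS = (135, 137, 138, 139, 445)


@dataclass
class ScanResult:
    default_state: str                  # state of every port not listed explicitly
    listed: dict = field(default_factory=dict)  # (port, proto) -> state

    def state(self, port: int, proto: str = "tcp") -> str:
        return self.listed.get((port, proto), self.default_state)


def parse_nmap(report: str) -> ScanResult:
    """Parse nmap normal output into per-port states plus the 'Not shown' default."""
    m = _NOT_SHOWN_RE.search(report)
    default = m.group(1) if m else "unknown"
    listed = {(int(p), proto): st for p, proto, st in _PORT_RE.findall(report)}
    return ScanResult(default, listed)


def path_filtered(baseline: ScanResult, observed: ScanResult, ports) -> list:
    """Ports that read 'filtered' from `observed` but not from `baseline`.

    If the baseline vantage point is unfiltered (the VPS), these are the ports
    dropped between the observed vantage point and the target: by the ISP, a
    modem, or your own firewall's egress rules.
    """
    return sorted(p for p in ports
                  if observed.state(p) == "filtered"
                  and baseline.state(p) != "filtered")


def egress_block_verified(observed: ScanResult, ports=EGRESS_BLOCK_PORTS) -> dict:
    """For each port the egress rule should block, True if the scan saw it filtered."""
    return {p: observed.state(p) == "filtered" for p in ports}


if __name__ == "__main__":
    vps, home = parse_nmap(VPS_REPORT), parse_nmap(HOME_REPORT)
    print("filtered on the home path:", path_filtered(vps, home, range(1, 1025)))
    print("egress block seen as filtered:", egress_block_verified(home))
```

To check your own rule rather than the ISP's, run the same scan from a LAN host before and after enabling the block and diff the two results with `path_filtered`; a port that flips from closed to filtered is being dropped by pfSense, and a port that was already filtered beforehand was being dropped upstream regardless.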

