Netgate Discussion Forum
    Firewall blocking outbound egress rules

    Category: Routing and Multi WAN
    6 Posts 3 Posters 443 Views

    rcmpayne

      Trying to make my outbound safer with some basic blocks

      If
      LAN address is the address of the interface of the pfSense to the LAN. (ie. 192.168.1.1/32)
      LAN Net is the subnet attached to this interface. (ie. 192.168.1.0/24)

      Would my blocks look like this for MS RPC, as an example? Trying to understand if I need WAN net or WAN address.

      TCP/UDP
      Source = Lan Net
      Source port = any

      Dst = Wan Address
      Dst port = 135

      ptt (Rebel Alliance)

        Outbound to "Internet"?

        WAN Address != Internet

        Internet = "ANY"

        https://docs.netgate.com/pfsense/en/latest/firewall/index.html

        rcmpayne

          Thanks, I think I have it now

          ```
          nmap -p 1-1024 -Pn scanme.nmap.org

          PORT STATE SERVICE
          22/tcp filtered ssh
          25/tcp filtered smtp
          80/tcp open http
          135/tcp filtered msrpc
          137/tcp filtered netbios-ns
          138/tcp filtered netbios-dgm
          139/tcp filtered netbios-ssn
          445/tcp filtered microsoft-ds
          ```

          johnpoz (LAYER 8 Global Moderator)

            You do get that 135, 127-139, 445 etc. are blocked by many/most ISPs anyway.. And shoot, even most DOCSIS modems block those in their firmware.. Those are not public internet viable ports.. And pretty much always blocked.. Little use to worry about it on your end, to be honest.

            Sure not going to hurt anything - just kind of pointless.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            rcmpayne

              If that's the case, when I ran an nmap scan this morning to an external source, I saw that all of those ports were open. I have a fiber line coming into the house going directly into pfSense, so there's no modem of sorts on my end.

              Bell Fibe is my ISP

              johnpoz (LAYER 8 Global Moderator)

                Like I said, not going to hurt anything... But the number of places that actually have those ports open at the ISP level is not very high.. More an exercise in how to do it than actual security..

                Here is one from one of my VPS boxes out on the net

                ```
                Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
                Nmap scan report for scanme.nmap.org (45.33.32.156)
                Host is up (0.015s latency).
                Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
                Not shown: 1022 closed ports
                PORT   STATE SERVICE
                22/tcp open  ssh
                80/tcp open  http

                Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
                ```

                Here is from my home connection

                ```
                Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
                Nmap scan report for scanme.nmap.org (45.33.32.156)
                Host is up (0.062s latency).
                Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
                Not shown: 1012 closed ports
                PORT    STATE    SERVICE
                22/tcp  open     ssh
                25/tcp  filtered smtp
                55/tcp  filtered isi-gl
                67/tcp  filtered dhcps
                77/tcp  filtered priv-rje
                80/tcp  open     http
                135/tcp filtered msrpc
                137/tcp filtered netbios-ns
                138/tcp filtered netbios-dgm
                139/tcp filtered netbios-ssn
                445/tcp filtered microsoft-ds
                496/tcp filtered pim-rp-disc

                Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds
                ```

                As you see, 25 is blocked by the ISP as well.. On home connections that is almost always blocked as well.. But if you're on some sort of fiber...

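As an added example, not code from any poster in this thread: a small Python script that parses nmap's normal-output port table from two vantage points, the way johnpoz compared a VPS scan with a home-connection scan, and reports which ports are filtered only on the home path (dropped upstream, e.g. by the ISP) versus filtered from everywhere (blocked at or near the target). The two sample reports are constructed for the example and modelled on the outputs above.

```python
import re

# Constructed sample scans (not the thread's verbatim output), modelled on the
# two reports above: one from an off-net VPS, one from a home connection.
VPS_SCAN = """\
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
"""

HOME_SCAN = """\
Not shown: 1017 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
"""

# One row of nmap's normal-output port table: "<port>/<proto> <state> <service>"
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(report):
    """Return {(port, proto): state} for every port-table row in a normal-format report."""
    ports = {}
    for line in report.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def upstream_filtered(reference, local):
    """Ports filtered from the local vantage point but not from the reference one.

    Rows absent from a table are closed (nmap's "Not shown: N closed ports"), so a
    port filtered locally and missing from the reference still counts: the target
    answered the reference scanner, so the drop happened on the local path.
    """
    return sorted(key for key, state in local.items()
                  if state == "filtered" and reference.get(key, "closed") != "filtered")


def filtered_everywhere(reference, local):
    """Ports filtered from both vantage points: blocked at or near the target itself."""
    return sorted(key for key, state in local.items()
                  if state == "filtered" and reference.get(key) == "filtered")


if __name__ == "__main__":
    ref, home = parse_nmap(VPS_SCAN), parse_nmap(HOME_SCAN)
    for port, proto in upstream_filtered(ref, home):
        print(f"{port}/{proto}: filtered only on the home path (upstream block)")
```

A port that shows up as upstream-filtered is one your own egress rule never gets to prove itself on; the ports that are reachable from both vantage points are the ones a LAN-to-any block rule actually changes.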
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.