4. Firewall blocking outbound egress rules

Firewall blocking outbound egress rules

  • R

    Trying to make my outbound safer with some basic blocks

    If
    LAN address is the address of the interface of the pfSense to the LAN. (ie. 192.168.1.1/32)
    LAN Net is the subnet attached to this interface. (ie. 192.168.1.0/24)

    Would my blocks be like this for MS RPC as example? Trying to understand if I need wan net or wan address.

    TCP/UDP
    Source = Lan Net
    Source port = any

    Dst = Wan Address
    Dst port = 135

    0
  • Rebel Alliance

    Outboud to "Internet" ?

    WAN Address != Internet

    Internet = "ANY"

    https://docs.netgate.com/pfsense/en/latest/firewall/index.html

    1
  • R

    Thanks, I think i have it now

    nmap -p 1-1024 -Pn scanme.nmap.org

    PORT STATE SERVICE
    22/tcp filtered ssh
    25/tcp filtered smtp
    80/tcp open http
    135/tcp filtered msrpc
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds

    0
  • LAYER 8 Global Moderator

    You do get that 135,127-139, 445 etc are blocked by many/most isp anyway.. And shoot even most docsis modems block it those in their firmware.. Those are not public internet viable ports.. And pretty much always blocked.. Little use to worry about it on your end to be honest.

    Sure not going to hurt anything - just kind of pointless.

    1
  • R

    If that's the case, when I ran a nmap scan this morning to an external source, I seen that all of those ports were open. I have a fiber line coming into the house going directly into pfSense so there's no modem of sorts on my end.

    Bell fibe is my isp

    0
  • LAYER 8 Global Moderator

    Like I said not going to hurt anything... But amount of places that actually have those ports open at the isp level is not very much.. More an exercise in how to do it more than actual security..

    Here is from one of my vps box out of the net

    Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.015s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

    Here is from my home connection

    Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.062s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 1012 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
55/tcp  filtered isi-gl
67/tcp  filtered dhcps
77/tcp  filtered priv-rje
80/tcp  open     http
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
496/tcp filtered pim-rp-disc

Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds

    As you see 25 blocked by isp as well.. Home connections that is almost always blocked as well.. But if your on some sort of fiber...

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy