Netgate Discussion Forum
    Ephemeral Port range change not taking effect.

    Firewalling

    erasedhammer (last edited by erasedhammer)

      I have a floating firewall rule blocking some undesirable ports from going out or coming in on the WAN interface (3389, 1900, 1433, etc.) but my problem is that it looks like pfSense is choosing RHPs in the registered port range.
      I changed the port range through sysctl:

      net.inet.ip.portrange.reservedlow: 0
      net.inet.ip.portrange.reservedhigh: 1023
      net.inet.ip.portrange.hilast: 65535
      net.inet.ip.portrange.hifirst: 49152
      net.inet.ip.portrange.last: 65535
      net.inet.ip.portrange.first: 16384
      net.inet.ip.portrange.lowlast: 600
      net.inet.ip.portrange.lowfirst: 1023

      But my firewall rule is still catching valid connections using RHPs in the registered port range.
      Here are a couple examples of the logs:
      WANIP:1433 --> 8.8.8.8:53 UDP
      WANIP:1900 --> 129.80.22.17:443 TCP:S
      WANIP:1434 --> 172.217.13.234:443 TCP:S
      WANIP:1900 --> 8.8.8.8:53 UDP

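The sysctl output and log lines quoted in the post, run through a small check that reports whether each observed source port actually falls inside the configured net.inet.ip.portrange first..last window and whether it collides with the floating block rule. This is an added example, not code from the post or from pfSense; the blocked-port set and the log-line regex are assumptions based on the lines quoted above.

```python
import re
# Constructed sample input: the sysctl output and log lines quoted in the post above.
SYSCTL_OUTPUT = """\
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 16384
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023
"""
LOG_LINES = """\
WANIP:1433 --> 8.8.8.8:53 UDP
WANIP:1900 --> 129.80.22.17:443 TCP:S
WANIP:1434 --> 172.217.13.234:443 TCP:S
WANIP:1900 --> 8.8.8.8:53 UDP
"""
# Assumed port list for the floating block rule (the post names 3389, 1900, 1433 "etc.").
BLOCKED_PORTS = {3389, 1900, 1433, 1434}
LOG_RE = re.compile(r"^(\S+):(\d+) --> (\S+):(\d+) (\S+)$")

def parse_portrange(text):
    """Map each net.inet.ip.portrange.<name> line to an int, keyed by <name>."""
    ranges = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("net.inet.ip.portrange."):
            ranges[key.rsplit(".", 1)[1]] = int(value)
    return ranges

def classify(log_text, ranges, blocked=BLOCKED_PORTS):
    """Per log line: is the source port inside the sysctl ephemeral window
    (first..last), and does it collide with the floating block rule?"""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the "src:port --> dst:port proto" shape
        sport = int(m.group(2))
        results.append({
            "src_port": sport,
            "in_ephemeral_range": ranges["first"] <= sport <= ranges["last"],
            "hits_block_rule": sport in blocked,
        })
    return results

def outside_range(log_text, ranges):
    """Source ports seen that the sysctl window should never have produced."""
    return sorted({r["src_port"] for r in classify(log_text, ranges)
                   if not r["in_ephemeral_range"]})
```

These sysctls only govern source ports that the host's own socket layer assigns implicitly; a daemon that binds its own outgoing ports, or an outbound NAT rule's own port range, is not constrained by them, so a port reported outside the window points at one of those paths rather than at the sysctl being ignored.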
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.