Netgate Discussion Forum

    understanding firewall rules

Category: Firewalling | 22 Posts, 5 Posters, 1.8k Views
Inxsible:

From what I understand, pfSense has a default deny applied to incoming traffic on a network. I saw a video where the user put in these 2 rules:
[image: eddd6b31-bff5-4cff-adaf-970c8fdc7a7d-image.png]

My question is that if pfSense denies by default, why do we specifically need the Block Firewall Web Access rule to be defined? Wouldn't it be denied by default? What am I missing?

Gertjan:

Hi,

GUEST users should be able to connect to the pfSense IP of the GUEST interface.
Like DNS on port 53, TCP and UDP, and maybe NTP, port 123, UDP.
Upfront, port 10443, TCP is blocked, as this is (probably) the GUI interface, and guests shouldn't admin your pfSense.

This is what I use on my 'guest' network:
[image: f7a55906-31cd-429c-b366-83a3fc1cb761-image.png]
pfSense has no FTP service, but ports 22 and 23 could be served.

Netbios ports (not served) are also 'grounded'.

I just realized that a rule before the rule shown above:

[image: faeeec0b-8de2-4373-8b19-80a81beec694-image.png]

already blocks all pfSense ports, except the DNS allowed above.

The image you showed: the answer depends on what the alias "PrivateNetworks" is.
Probably all (other?) local networks like 192.168.x.0/24, so this rule allows guests to visit the net.
If "PrivateNetworks" doesn't include the GUEST network, then the first rule makes sense.
If it includes the GUEST network, then users couldn't use pfSense's DNS facilities (probably OK for pure DoH fans).

No "help me" PMs please. Use the forum, the community will thank you.
Edit: and where are the logs??

JKnott (replying to @Inxsible):

@Inxsible

The 2nd line allows guests to do anything, anywhere, which would include the firewall. I did a bit more than that. I allow ping only to the guest network, then block everything else on my home network and also my WAN interface, before allowing access to the rest of the world.

[image: 4929052e-cdc2-409c-b681-0e61f17236c7-image.png]

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

Bob.Dig (replying to @Inxsible):

@Inxsible said in understanding firewall rules:

What am I missing?

Good question.
I don't know, but it could be the case that "this firewall" is not blocked by default because it is on the same network. As far as I know, you can't block any host on the same network other than the firewall itself, and that might not be the default in pfSense, so you have to do it manually.

JKnott (replying to @Bob.Dig):

@Bob-Dig

On my firewall, I had to specifically allow ping to the guest interface. Without that I couldn't ping it. Of course, as you mention, that doesn't stop guests from seeing others, unless blocked by the AP.

johnpoz (LAYER 8 Global Moderator):

Well, his rule below that allows anything that is not RFC1918, or that is what I am guessing from his PrivateNetworks alias.. Maybe he has multiple IPs on the firewall that are not RFC1918?

Say his WAN.. If he only had the one, it would prob be better/clearer to use WAN address vs the every-IP-on-the-firewall alias?

Where did you see that? Also keep in mind many users post up guides and images of how they do stuff without really understanding what they are doing ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

Bob.Dig:

So I tested it myself and I was wrong. But I thought I had seen it this way often. 😌
So the first rule is not needed if the alias contains all RFC1918, which it looks like.

johnpoz:

Also, pfSense out of the box wouldn't even be listening on port 10443; guessing he is using that as his web UI port? Would be my guess.

edit: d'oh, he even calls out block web access ;) Unless he has multiple IPs on his firewall that do not fall within his private alias, there is no reason to use the This Firewall alias. Then again, it is a way to make sure you block access to any IP the firewall might have.

JKnott (replying to @Bob.Dig):

@Bob-Dig said in understanding firewall rules:

But I thought I had seen it this way often.

One thing I've often noticed over the years is someone stating something that indicates they don't really understand the situation and so pass on nonsense. It's not limited to pfSense or even networks. I've even had a few occasions where I had to correct or teach an instructor, even at college level.

JKnott (replying to @Bob.Dig):

@Bob-Dig

In my rules I used 172.16.0.0 /16 to block the entire range. I could have done that, but didn't see RFC1918 in the available selection.

Bob.Dig (replying to @JKnott):

@JKnott I have crafted an even slicker rule for my IoT, knowing this now. 😉

[image: dsgrfgfd.JPG]

johnpoz (replying to @JKnott):

@JKnott said in understanding firewall rules:

didn't see RFC1918 in the available selection.

You have to create your own alias for this.. It's a one-time "set it and always have it" sort of thing..

[image: alias.png]

JKnott (replying to @johnpoz):

@johnpoz

I guess I'll have to set up that alias, though in my application I don't need anything beyond the 172.16.0.0 block. Does having the 3 ranges affect filter performance?

johnpoz:

Not sure how having a couple extra networks in aliases would affect anything, to be honest.. Other than the table that stores them would be bigger ;)

If you're not using the other networks, it's not really going to matter.. But this way, if you do happen to throw up a VLAN using some other RFC1918 space, you wouldn't need to alter your rules blocking your VLANs ;)

To be honest, might not be a nice built-in addition.. but then again it takes all of 5 seconds to create, and if built in, users would prob use it wrong anyway ;) heheheh

JKnott (replying to @johnpoz):

@johnpoz

I have created the alias and see I can add it to rules. However, I'm surprised it wasn't already there, given it's a default rule on the WAN interface. However, adding 172.16.0.0 /16 was easy enough.

Inxsible (replying to @Gertjan):

Thank you all for your responses. Let me answer any questions that were directed to me.

@Gertjan said in understanding firewall rules:

The image you showed: the answer depends on what the alias "PrivateNetworks" is.
Probably all (other?) local networks like 192.168.x.0/24, so this rule allows guests to visit the net.
If "PrivateNetworks" doesn't include the GUEST network, then the first rule makes sense.
If it includes the GUEST network, then users couldn't use pfSense's DNS facilities (probably OK for pure DoH fans).

Yes, the PrivateNetworks did not include GUEST & IOTCRAP. It included all the other networks that are listed on top, i.e. LAN, OFFICE, CAMERA & PHONE.

@JKnott Thanks for your rules. They make sense. Was the Allow ICMP rule only to make sure that you can connect to the GUEST network in case the internet is not working for the guest device?

@johnpoz said in understanding firewall rules:

Well, his rule below that allows anything that is not RFC1918, or that is what I am guessing from his PrivateNetworks alias.. Maybe he has multiple IPs on the firewall that are not RFC1918?

No, PrivateNetworks were just his other networks, as I mentioned above. I don't think he included the RFC1918 networks. If we include RFC1918, would it mean that 2 guest devices won't be able to see each other either?

@johnpoz said in understanding firewall rules:

Where did you see that? Also keep in mind many users post up guides and images of how they do stuff without really understanding what they are doing ;)

This was a YouTube video by Lawrence Systems. Here's the link: https://www.youtube.com/watch?v=ouARr-4chJ8

So from all the replies, I understand that if you include the RFC1918 networks, then you don't need to explicitly create the Block rule for the Web Admin to pfSense. But if RFC1918 is not included in the alias, then that rule is required in order to explicitly block Guest devices from accessing the pfSense admin.

Thank you all again; you guys gave me some good tips regarding firewall rules. Much appreciated.

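The conclusion above (the Block Firewall Web Access rule is only redundant when the inverted "allow" rule's alias already covers the firewall's own address) and johnpoz's earlier caveat (an RFC1918 alias still leaves any firewall address outside RFC1918, such as the WAN IP, reachable) can both be checked mechanically. The script below is an added example written for this thread; it is not pfSense code, not from the video, and does not drive pf. It simulates pf-style first-match evaluation on an interface tab and then evaluates the three rule sets discussed: the two rules from the video, the same allow rule built on an RFC1918 alias, and a Gertjan-style set that blocks everything to the firewall before allowing the internet. Every address, subnet, port and alias membership is a constructed assumption (TEST-NET ranges stand in for public addresses); `invert_dst` stands in for the "not" checkbox on a pfSense destination field.

```python
"""First-match simulation of a pfSense-style guest interface ruleset.

Added example for the forum thread; not pfSense code. All topology values
are constructed assumptions modelled on the discussion.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# --- constructed topology (assumptions, not from the thread) ----------------
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
GUEST_HOST = ipaddress.ip_address("192.168.50.20")
GUEST_IF_ADDR = ipaddress.ip_address("192.168.50.1")    # firewall's guest-side IP
LAN_IF_ADDR = ipaddress.ip_address("192.168.1.1")
WAN_ADDR = ipaddress.ip_address("203.0.113.10")         # TEST-NET-3, stands in for a public WAN IP
INTERNET_HOST = ipaddress.ip_address("198.51.100.7")    # TEST-NET-2, stands in for a public DNS server
THIS_FIREWALL = frozenset({GUEST_IF_ADDR, LAN_IF_ADDR, WAN_ADDR})   # every address the firewall owns
WEBGUI_PORT = 10443                                      # non-default GUI port, as in the video


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# As the OP confirmed: only the OTHER internal subnets, not the guest net itself.
PRIVATE_NETWORKS = nets("192.168.1.0/24", "192.168.2.0/24", "192.168.5.0/24", "192.168.6.0/24")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

Target = Union[str, ipaddress.IPv4Network, list, frozenset]


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp", "icmp"
    src: Target
    dst: Target
    dport: Optional[int] = None
    invert_dst: bool = False    # pfSense "not" checkbox on the destination
    label: str = ""


def _hit(target: Target, addr: ipaddress.IPv4Address) -> bool:
    """Address matches a single network, a network alias (list), a host alias (frozenset), or 'any'."""
    if isinstance(target, str):
        return target == "any"
    if isinstance(target, frozenset):
        return addr in target
    if isinstance(target, list):
        return any(addr in n for n in target)
    return addr in target


def evaluate(rules, src, dst, proto, dport=None):
    """pf-style first match on an interface tab; no match means the default deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not _hit(r.src, src):
            continue
        if _hit(r.dst, dst) == r.invert_dst:     # plain or inverted destination match
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.label
    return "block", "default deny"


def uncovered_firewall_addresses(alias, firewall_addrs=THIS_FIREWALL):
    """Firewall-owned addresses that an inverted 'pass to !alias' rule would still let guests reach."""
    return frozenset(a for a in firewall_addrs if not _hit(alias, a))


# The two rules from the video, in order.
VIDEO_RULES = [
    Rule("block", "tcp", GUEST_NET, THIS_FIREWALL, WEBGUI_PORT, label="Block Firewall Web Access"),
    Rule("pass", "any", GUEST_NET, PRIVATE_NETWORKS, invert_dst=True, label="Allow Guest to Internet"),
]
# Same allow rule, built on an RFC1918 alias instead (the thread's "not needed" case).
RFC1918_RULES = [
    Rule("pass", "any", GUEST_NET, RFC1918, invert_dst=True, label="Allow Guest to non-RFC1918"),
]
# Gertjan-style: allow DNS to the interface, block everything else to the firewall, then allow out.
HARDENED_RULES = [
    Rule("pass", "udp", GUEST_NET, frozenset({GUEST_IF_ADDR}), 53, label="Allow DNS to guest interface"),
    Rule("block", "any", GUEST_NET, THIS_FIREWALL, label="Block everything else to This Firewall"),
    Rule("pass", "any", GUEST_NET, RFC1918, invert_dst=True, label="Allow Guest to Internet"),
]

if __name__ == "__main__":
    for name, rules in (("video", VIDEO_RULES), ("video minus block rule", VIDEO_RULES[1:]),
                        ("rfc1918 alias", RFC1918_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name:24s} guest->GUI:     ", evaluate(rules, GUEST_HOST, GUEST_IF_ADDR, "tcp", WEBGUI_PORT))
        print(f"{name:24s} guest->WAN ssh: ", evaluate(rules, GUEST_HOST, WAN_ADDR, "tcp", 22))
    print("firewall addresses not covered by RFC1918:", uncovered_firewall_addresses(RFC1918))
```

Running it shows the thread's result: without the block rule, the PrivateNetworks alias passes guest traffic to the guest interface's own IP on 10443, because that address is not in the alias; with an RFC1918 alias the same packet falls through to the default deny. It also shows johnpoz's caveat: in both the video set and the RFC1918 set, the WAN address lies outside the alias, so SSH to the WAN IP from a guest is passed. Only the set that blocks to the whole This Firewall alias before the allow closes that, which is why that rule is worth keeping even when it looks redundant.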
Inxsible:

Trying to edit my previous post to separate my answers, which kind of got included in the quotes. But the forum keeps giving me this error:

ERROR
Post content was flagged as spam by Akismet.com

Is post editing not allowed?

JKnott (replying to @Inxsible):

@Inxsible said in understanding firewall rules:

@JKnott Thanks for your rules. They make sense. Was the Allow ICMP rule only to make sure that you can connect to the GUEST network in case the internet is not working for the guest device?

That is correct. I like to be able to test things. With my rules it is possible to ping elsewhere on the Internet, but if that fails, where's the problem? With pinging the interface available, I know at least WiFi is working properly and pfSense is up.

johnpoz:

So they have that same rule on all of the interfaces they were showing.. But if they are only going to have allow rules to something specific, like the camera VLAN where he only allows access to the camera server on 192.168.5.5, it serves no real purpose..

Inxsible (replying to @johnpoz):

@johnpoz said in understanding firewall rules:

So they have that same rule on all of the interfaces they were showing.. But if they are only going to have allow rules to something specific, like the camera VLAN where he only allows access to the camera server on 192.168.5.5, it serves no real purpose..

So I guess the reason they didn't block the RFC1918 addresses is so that they could allow the CAMERA net to have access to their NVR, which was on their internal LAN.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.