Firewall 101
-
Why would you allow management from RED? Wan??
Red Blue Green - you a IPcop user?
What is in your dns_internal_hosts alias? You understand that the gateway (pfsense) to get off green is not talked to talk to something on the green network. Do you have some IP that is say blue network in this alias? Also dns is not "always" only udp, tcp can be used for dns over 53.. Your dns rule should allow both udp and tcp to 53
Do you have any rules in floating?
Also your browser saying rejected.. Who said it was pfsense that rejected it - maybe it was the server you were trying to talk to? Browser errors are horrible for troubleshooting a firewall with - did pfsense log that it blocked where you were trying to go. You don't have a reject setup for ipv4 other ports since you have 443 allowed above it, all ipv6.. Did your browser try and use IPv6 maybe? Look to the firewall log to what was blocked or rejected.
-
@johnpoz said in Firewall 101:
Red Blue Green - you a IPcop user?
Yea IPFire haha, I've just made the switch to pfsense.
@johnpoz said in Firewall 101:
What is in your dns_internal_hosts alias?
Yea I have another DNS server across the WireGuard S2S link, it's in the 10.1.0.0/18 range and so I've just put all the local DNS servers on this side of the WAN into one alias and allowing to them.
@johnpoz said in Firewall 101:
Also dns is not "always" only udp, tcp can be used for dns over 53
That's right and I'm using DoT (TCP/853) out bound from pfsense. My DNS is working all good. I just can't get HTTPS to work, the rule flow as you describe it is not working, i reject all on LAN (GREEN) and I allow HTTPS on LAN, however unless I put a matching rule on RED (WAN) it will not let me connect to any sites on 443.
-
@propercactus said in Firewall 101:
That's right and I'm using DoT (TCP/853) out bound from pfsense
which has ZERO to do with any rules.. Unless you setup outbound rules on floating?
-
@johnpoz said in Firewall 101:
Unless you setup outbound rules on floating?
Nah I removed all my rules from floating and anywhere else, what you see is all my rules.
And I rebooted the device.
-
dot over 853, sure ok use tcp.. But normal dns over 53 can also use tcp..
Its been years and years since played with ipcop or ipfire - but I don't recall them using any outbound rules either. Was always inbound to the interface for rules.
-
@johnpoz said in Firewall 101:
But normal dns over 53 can also use tcp..
Yes that's right but in my case all DNS locally is 53/UDP and it goes out TCP/853 for external look ups.
@johnpoz said in Firewall 101:
Its been years and years since played with ipcop or ipfire - but I don't recall them using any outbound rules either. Was always inbound to the interface for rules.
Yea so you can configure the default behaviour of the firewall in IPFire. So yes by default it allows all out, but in Firewall settings you can set it to default block all out, and then we just choose what we want to allow out.
-
@propercactus said in Firewall 101:
all DNS locally is 53/UDP
That is not always true.. DNS client can switch to tcp when the answer is larger than what udp would allow for. Which use to be 512, with edns that has gotten larger and normally defaults to 4096. But it is not good practice to prevent a client from using tcp over 53, in the event answer to what its looking for exceeds the max size that can be done over udp. And it would have to switch to tcp.
-
@johnpoz said in Firewall 101:
DNS client can switch to tcp when the answer is larger than what udp would allow for
Ok I changed that rule to allow TCP/UDP.
Error still remains tho, I cannot get to any website.
-
Did you look at the firewall log to see if blocking anything - if not logged in pfsense, again your browser error is not always good source of where something prevented you from doing something.
And just to be complete. Here is test showing client switching to TCP over udp doing a test where I turned off edns with +noedns in the query..
dig @192.168.9.253 test.knot-resolver.cz. TXT +noedns
You can see in the sniff client switched to tcp
If pfsense is not logging that it blocked where you were trying to go in the browser - then sniff on pfsense wan (red) and did the traffic get sent?
-
@johnpoz said in Firewall 101:
dig @192.168.9.253 test.knot-resolver.cz. TXT +noedns
I think the floating rules table was gammied up? I added a rule in floating to allow all HTTPS, then I deleted that rule and now it is working.
