Netgate Discussion Forum
    Simple allow rule is still blocking... please help

    Firewalling
    6 Posts, 3 Posters, 604 Views

    matt_indy:

      New to firewalls and pfSense. Did a 3hr online class for pfSense, learned a ton. On LAN I allowed common ports then have a block all rule. Waited for problems and added those to an alias of ports for the allow rule. Things like wife's Apple email IMAP, kids' Minecraft, etc. Something didn't work, I found it in the block log, I added the ports to the alias, then it works, over and over. Worked great! Then my son said FaceTime not working. I added ports to the alias and it keeps blocking them. Like port UDP 16393. I put individual ports in the alias, then removed them from there and put them in their own allow rule at the top of the list, still blocking. I tried a range of ports, individual ports, I cleared states, I rebooted, still blocking...

      johnpoz (LAYER 8 Global Moderator) @matt_indy:

        And it's blocking on what rule exactly?

        Do you have anything in floating? Port 16393 is 1 of the ports of a range of ports that can be used?

        Quick google shows these ports are needed.. Your 16393 falls into a range that could be used. So that port could be changing on you.

        53          TCP/UDP  Domain Name System (DNS)
        443         TCP      Secure Sockets Layer (SSL, or "HTTPS")
        3478-3497   UDP      -
        5223        TCP      XMPP over SSL, Apple Push Notification Service
        16384-16387 UDP      Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP)
        16393-16402 UDP      Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP)

        When you say blocking? There is a log of something being blocked, even though you have that something allowed?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07
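        The point johnpoz makes above, that 16393 is only one port out of a range the client can pick from, is easiest to see in the ruleset itself. The following is an added example written for this thread, not configuration from the original posts or from pfSense: a LAN allow-list in pf.conf syntax (the format pfSense generates from its GUI rules), using the FaceTime port list quoted above. The interface name `igb1` and the LAN subnet `192.168.1.0/24` are assumptions.

```pf
# Added example (not from the thread). pfSense evaluates GUI rules top-down,
# first match wins, which in raw pf terms means every rule carries "quick".
lan_if  = "igb1"               # assumed LAN interface name
lan_net = "192.168.1.0/24"     # assumed LAN subnet

# Port lists as a pfSense alias would render them. Ranges are written a:b.
# An alias holding only 16393 would miss the rest of 16393-16402, so the
# next call, which may pick 16397, is still blocked by the catch-all below.
tcp_allowed = "{ 53, 443, 5223 }"
udp_allowed = "{ 53, 3478:3497, 16384:16387, 16393:16402 }"

# Explicit allows first. "keep state" makes the rule stateful: an existing
# session keeps matching its state entry even after the rule is edited,
# which is why states have to be reset for a changed rule to take effect.
pass quick on $lan_if inet proto tcp from $lan_net to any port $tcp_allowed keep state
pass quick on $lan_if inet proto udp from $lan_net to any port $udp_allowed keep state

# Catch-all block last, logged so the blocked destination port and the
# rule number show up in the firewall log.
block log quick on $lan_if inet from $lan_net to any
```

        To answer "blocking on what rule exactly", `pfctl -vvsr` on the pfSense shell lists the loaded rules prefixed with `@N`; that N is the rule number recorded in the filter log entry, so the log line can be matched to the exact rule (and its alias contents) that dropped the packet, rather than guessing from the port alone.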

          SteveITS (Rebel Alliance) @matt_indy:

          @matt_indy said in Simple allow rule is still blocking... please help:

          on LAN i allowed common ports then have block all rule

          The default rule allowing LAN to any allows all outbound traffic. Since you stated you're new to firewalls, is your goal to only allow certain types of traffic? Perhaps that could be flipped and you block certain things? Either way trying to selectively allow certain things on the Internet is going to take a bunch of time to work through all the details of each software program.

          Also note pfSense is stateful so if you add a block rule and the connection state is still open, an open connection won't be blocked.

          Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
          Upvote 👍 helpful posts!

            johnpoz (LAYER 8 Global Moderator) @SteveITS:

            @steveits said in Simple allow rule is still blocking... please help:

            is going to take a bunch of time to work through all the details of each software program.

            Understatement to be honest ;) It's really going to be a never ending game of what doesn't work today.. Oh now it needs port xyz..

            Especially stuff that can use large ranges. Today it used Y, tomorrow it might be G - when it could use A-Z, etc..

            There really is little to be gained from this exercise other than the frustration of something not working.. And unless you're filtering these X ports to a specific destination.. After a while you have a large chunk of the ports open.. So it doesn't really keep other software from using those ports for the bad stuff you were going to try and stop.

            To be honest - most bad stuff is going to go out 443 these days anyway to talk to the mothership - so blocking port Z just keeps the software you want to use from working without really stopping anything bad from happening anyway.. Also if something is trying to talk to the mothership - it's already too late since it's running on your machine already.

            Blocking outbound has little use in a home network.. Other than for specific like - I don't want my kid using facetime on his tablet, etc..

            matt_indy @johnpoz:

              @johnpoz

              Wow, thanks. I understand the exercise I followed might have been more geared to a workplace firewall. Glad I did the exercise cause it's the only way I can learn stuff. Break, see how it broke, fix, repeat... I think I will go back to the basic default rule set (wizard) then add pfBlocker.

              So many voices online (including netgate resources) say deny all then allow only what you need.

              I was quickly learning this was a battle not worth fighting at home. Many things still worked, but were obviously impaired.

              Thanks for helping, this forum is a great resource!!!

                johnpoz (LAYER 8 Global Moderator) @matt_indy:

                @matt_indy said in Simple allow rule is still blocking... please help:

                So many voices online (including netgate resources) say deny all then allow only what you need.

                From a security point of view - yes this is the correct stance. But in a home network it's not very viable.. Unless you want to become full time IT for your home users?

                In a corp setup when user(s) need access to some odd ball resource, it's either allowed or denied. If allowed and it doesn't work through the proxy, then a specific exception is made on the firewall that allows said access with, sure, the outbound port, along with the destination.. You'd be hard pressed to find any security folks that would say oh you need port X, where do you need that to.. What is the IP, or IP range that you need X to.. Oh, all the freaking internet - yeah sorry no ;)

                As a learning exercise sure - look how fast you found out it's not really a viable solution in a home setup where stuff other than browsing the web is used ;)

                Dad my new game doesn't work again!! How often you want to hear that? ;)

                How many corp networks allow you to use facetime for example on their corp wifi tied to all the corp services? That should be like ZERO! Other than some small ma and pa shop... You want to use facetime - use your cell data package. Or connect to the guest wifi network that isn't tied to corp anything.
