Simple allow rule is still blocking... please help
-
New to firewalls and pfSense. I did a 3-hour online class for pfSense and learned a ton. On LAN I allowed common ports, then have a block-all rule. Waited for problems and added those to an alias of ports for the allow rule. Things like my wife's Apple email (IMAP), the kids' Minecraft, etc. Something didn't work, I found it in the block log, I added the ports to the alias, then it works, over and over. Worked great! Then my son said FaceTime wasn't working. I added the ports to the alias and it keeps blocking them. Like port UDP 16393. I put individual ports in the alias, then removed them from there and put them in their own allow rule at the top of the list, still blocking. I tried a range of ports, individual ports, I cleared states, I rebooted, still blocking...
-
And it's blocking on what rule exactly?
Do you have anything in floating? Port 16393 is one of the ports in a range of ports that can be used.
A quick Google shows these ports are needed. Your 16393 falls into a range that could be used, so that port could be changing on you.
53 TCP/UDP - Domain Name System (DNS)
443 TCP - Secure Sockets Layer (SSL, or "HTTPS")
3478-3497 UDP
5223 TCP - XMPP over SSL, Apple Push Notification Service
16384-16387 UDP - Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP)
16393-16402 UDP - Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP)
When you say blocking, is there a log of something being blocked, even though you have that something allowed?
-
@matt_indy said in Simple allow rule is still blocking... please help:
on LAN i allowed common ports then have block all rule
The default rule allowing LAN to any allows all outbound traffic. Since you stated you're new to firewalls, is your goal to only allow certain types of traffic? Perhaps that could be flipped and you block certain things? Either way, trying to selectively allow certain things on the Internet is going to take a bunch of time to work through all the details of each software program.
Also note pfSense is stateful, so if you add a block rule while the connection state is still open, the open connection won't be blocked.
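The two behaviours raised above, a single-port alias missing the other ports of a range (the FaceTime port list in the earlier reply) and an existing state outliving a newly added block rule, are easy to reproduce with a small model of first-match, stateful rule evaluation. This is an added example, not pfSense source code; the `Packet`, `Rule`, `Firewall` and `parse_alias` names, the `17.0.0.1` destination and the alias contents are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Tuple, FrozenSet

# Added, simplified model of how a pfSense LAN rule set is evaluated (first
# matching rule wins, the firewall is stateful, unmatched traffic hits the
# implicit default deny). Illustration code, not pfSense source. The port
# ranges are the FaceTime ports quoted in the thread; destination IPs are
# constructed sample values.

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int

@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    protos: Optional[FrozenSet[str]] = None       # None = any protocol
    ports: List[Tuple[int, int]] = field(default_factory=list)  # (lo, hi); empty = any port
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if not self.ports:
            return True
        return any(lo <= pkt.dst_port <= hi for lo, hi in self.ports)

def parse_alias(entries: List[str]) -> List[Tuple[int, int]]:
    """Parse pfSense-style port alias entries: '443' or a range '16393:16402'."""
    ranges = []
    for entry in entries:
        lo, _, hi = entry.partition(":")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port entry: {entry!r}")
        ranges.append((lo_i, hi_i))
    return ranges

class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()   # flows passed earlier; checked before the rules

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.states:
            return "pass", "existing state"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action, rule.description
        return "block", "default deny"

    def reset_states(self) -> None:
        self.states.clear()

APPLE = "17.0.0.1"   # constructed sample destination, not a real FaceTime server
UDP = frozenset({"udp"})
TCP_UDP = frozenset({"tcp", "udp"})

def single_port_alias():
    """Alias lists only the port seen in the block log; the next call picks another."""
    alias = parse_alias(["53", "443", "5223", "16393"])
    fw = Firewall([Rule("pass", TCP_UDP, alias, "allow common ports"),
                   Rule("block", None, [], "block all")])
    first = fw.filter(Packet("udp", APPLE, 16393))[0]
    second = fw.filter(Packet("udp", APPLE, 16394))[0]
    return first, second          # ('pass', 'block')

def range_alias():
    """Alias carries the whole ranges from the FaceTime port list."""
    alias = parse_alias(["53", "443", "3478:3497", "5223", "16384:16387", "16393:16402"])
    fw = Firewall([Rule("pass", TCP_UDP, alias, "allow common ports"),
                   Rule("block", None, [], "block all")])
    # ('pass', 'pass', 'block'): 16390 sits in the gap between the two RTP ranges
    return tuple(fw.filter(Packet("udp", APPLE, p))[0] for p in (16394, 3480, 16390))

def state_outlives_new_block_rule():
    """A flow passed earlier keeps flowing after a block rule is added, until states are cleared."""
    fw = Firewall([Rule("pass", UDP, parse_alias(["16393:16402"]), "allow facetime")])
    fw.filter(Packet("udp", APPLE, 16395))                      # creates the state
    fw.rules.insert(0, Rule("block", UDP, parse_alias(["16393:16402"]), "block facetime"))
    still_passing = fw.filter(Packet("udp", APPLE, 16395))[0]   # 'pass' (existing state)
    fw.reset_states()                                           # Diagnostics > States > Reset
    after_reset = fw.filter(Packet("udp", APPLE, 16395))[0]     # 'block'
    return still_passing, after_reset

if __name__ == "__main__":
    print(single_port_alias(), range_alias(), state_outlives_new_block_rule())
```

The model deliberately keys states on destination only; real pf states also carry the source address and port, so the same caveat applies per client. The practical check on a real box is the same as the third function: after changing a rule, look at the state table for the flow before concluding the rule is not working.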
-
@steveits said in Simple allow rule is still blocking... please help:
is going to take a bunch of time to work through all the details of each software program.
An understatement, to be honest ;) It's really going to be a never-ending game of what doesn't work today.. Oh, now it needs port xyz..
Especially stuff that can use large ranges. Today it used Y, tomorrow it might be G - when it could use A-Z, etc..
There really is little to be gained from this exercise other than the frustration of something not working.. And unless you're filtering these X ports to a specific destination.. After a while you have a large chunk of the ports open.. So it doesn't really keep other software from using those ports for the bad stuff you were going to try and stop.
To be honest - most bad stuff is going to go out 443 these days anyway to talk to the mothership - so blocking port Z just keeps the software you want to use from working without really stopping anything bad from happening anyway.. Also, if something is trying to talk to the mothership - it's already too late since it's running on your machine already.
Blocking outbound has little use in a home network.. Other than for specifics like - I don't want my kid using FaceTime on his tablet, etc..
-
Wow, thanks. I understand the exercise I followed might have been more geared to a workplace firewall. Glad I did the exercise because it's the only way I can learn stuff. Break, see how it broke, fix, repeat... I think I will go back to the basic default rule set (wizard) then add pfBlocker.
So many voices online (including Netgate resources) say deny all, then allow only what you need.
I was quickly learning this was a battle not worth fighting at home. Many things still worked, but were obviously impaired.
Thanks for helping, this forum is a great resource!!!
-
@matt_indy said in Simple allow rule is still blocking... please help:
So many voices online (including netgate resources) say deny all then allow only what you need.
From a security point of view - yes, this is the correct stance. But in a home network it's not very viable.. Unless you want to become full-time IT for your home users?
In a corp setup, when user(s) need access to some oddball resource, it's either allowed or denied. If allowed and it doesn't work through the proxy, then a specific exception is made on the firewall that allows said access with, sure, the outbound port, along with the destination.. You'd be hard-pressed to find any security folks that would say, oh you need port X, where do you need that to.. What is the IP, or IP range, that you need X to.. Oh, the whole freaking internet - yeah, sorry, no ;)
As a learning exercise, sure - look how fast you found out it's not really a viable solution in a home setup where stuff other than browsing the web is used ;)
Dad, my new game doesn't work again!! How often do you want to hear that? ;)
How many corp networks allow you to use FaceTime, for example, on their corp wifi tied to all the corp services? That should be like ZERO! Other than some small ma and pa shop... You want to use FaceTime - use your cell data package. Or connect to the guest wifi network that isn't tied to corp anything.