Netgate 2100 and any any rules questions
-
@johnpoz, I had to set the specific IP address for the Xbox last week. I did not like the double rules; I wanted to be able to add 2 IP addresses to one rule for them, the Xbox 360 and the One private IP addresses only. Tunnels are an issue, yes.
-
@johnpoz Thanks for pointing out the tunnel issue with the Xbox. I made an IP group.
-
Thanks for the information
-
It looks like NIST is already planning a course of action for HTTPS/3 QUIC over UDP.
-
Thank you, this is what I needed. I have my email running with specific USA-only IP addresses for Gmail now.
sbcglobal.net, which was passed to yahoo.com and after that to currently att.net through yahoo.com, is another quest.
-
Thank you so much. I generated an alias with the correct IP addresses found with nslookup and it is now working. With all the FBI email issues in the news recently, I wanted to research a way to make a device only use an approved IP address for email on SMTP and IMAP. Your solution worked, thank you again.
-
You can also just enter the FQDNs in the alias and pfSense will resolve them periodically for you.
Where that will fall down is for something that can resolve to a large number of IPs like mail.google.com. The alias will only ever contain the IP it resolved to at the time pfSense generated the ruleset. Anything that doesn't use pfSense for DNS, like something hardcoded for 8.8.8.8 for example, might get a different IP and then be blocked.
https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#using-hostnames-in-aliases
Steve
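An added example (not from the post or from pfSense) that simulates the failure mode Steve describes: the alias contains only what pfSense resolved when the ruleset was generated, so a client that resolves the same name through a different DNS server can land on an address the alias lacks and be blocked. Hostnames and resolver answers are constructed sample data (TEST-NET addresses); only `live_resolver` shows the real lookup path.

```python
"""Added example: why a hostname alias can miss addresses.

pfSense builds the alias from whatever the names resolved to when the
ruleset was generated (and re-resolves periodically). A client that uses a
different DNS server may get a different answer for a large round-robin
name and then be blocked. All answers below are constructed sample data
using TEST-NET addresses; `live_resolver` shows the real lookup path."""
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], List[str]]

# Constructed: what pfSense's resolver returned at ruleset-generation time.
PFSENSE_VIEW: Dict[str, List[str]] = {
    "smtp.example.net": ["192.0.2.25"],
    "imap.example.net": ["192.0.2.143"],
    "mail.example.net": ["198.51.100.10", "198.51.100.11"],
}
# Constructed: what a client hardcoded to another DNS server saw later.
CLIENT_VIEW: Dict[str, List[str]] = {
    "smtp.example.net": ["192.0.2.25"],
    "imap.example.net": ["192.0.2.143"],
    "mail.example.net": ["198.51.100.77"],  # different answer for the big name
}

def table_resolver(view: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed answer table (keeps the example offline)."""
    return lambda name: list(view.get(name, []))

def live_resolver(name: str) -> List[str]:
    """Real IPv4 lookup via the host's configured DNS (not used by the test)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def build_alias(hostnames: Iterable[str], resolver: Resolver) -> Set[str]:
    """Snapshot every hostname once, as the alias does at ruleset time."""
    alias: Set[str] = set()
    for name in hostnames:
        alias.update(resolver(name))
    return alias

def is_allowed(dst_ip: str, alias: Set[str]) -> bool:
    """A pass rule whose destination is the alias matches only these IPs."""
    return dst_ip in alias

def missed_destinations(hostnames: Iterable[str], alias: Set[str],
                        other: Resolver) -> Dict[str, List[str]]:
    """Addresses another resolver hands out that the alias does not contain."""
    gaps = {name: [ip for ip in other(name) if ip not in alias] for name in hostnames}
    return {name: ips for name, ips in gaps.items() if ips}
```

Swapping `table_resolver(PFSENSE_VIEW)` for `live_resolver` turns this into a quick audit of which addresses your current alias would actually cover.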
-
Thanks to everyone that helped me on this.
I have updated the ACLs and it has been working perfectly all day. I had to add the main and backups for each email type and it worked. I just did not want tunnels on my network and wanted to make the rules more specific. Each day I am trying to make it more secure. Thank you. This is solved.
-
@jonathanlee said in Netgate 2100 and any any rules questions:
Each day I am trying to make it more secure.
But not aware of anything going on that shouldn't - you're still not logging the deny you put in. So you're not going to log anything trying to be done on tcp/udp..
And your xbox(s) are still being allowed to tunnel out, and therefore bypass any firewall rules you might put in place - how is that secure?
-
Mmm, moving consoles to a different interface would be more secure. Assuming traffic between the subnets is blocked.
Physically wiring that could be a problem.
Steve
-
@stephenw10 if it's bridged to a WiFi connection, can I do that with a VLAN still? I could make a different subnet, however the WiFi system handles the connections before the firewall. The way it is set up now, only the 2 consoles' IP addresses can use those ports, and nothing else. I need the Xboxes to run and they require those ports open. I want to do a VLAN; I should look into creating one and only adding the Xboxes.
-
@stephenw10 I used to have Ethernet over AC devices but they made way too much noise for my shortwave radios that I get global news with, so I had to disconnect them.
-
Just for you. This puppy's got a log.
-
@jonathanlee it logs default deny out of the box ;)
Your default deny there on the bottom is pretty pointless.. Unless you wanted it on purpose not to log traffic that the default deny already does..
But sure if you want a rule in the gui to "see" for your default deny, that is a better way to do it - any rule with logging.
-
Do you have other things on WIFI?
I would look at creating a separate SSID for the xboxes and connecting that with a VLAN if your access points support it.
Steve
-
^ exactly I would for sure segment such devices from the rest of my network. Especially if I was going to allow it to create a tunnel that bypasses all the firewall rules anyway to the public internet.
-
@johnpoz
Created a VLAN.
But no traffic. I have statically assigned IP addresses for them.
-
No traffic at all is probably a layer 2 issue.
How do you have the VLAN configured in pfSense? What is it connected to?
-
The LAN
-
Ah, I forgot this is a 2100.
So OPT1VLAN20 is assigned as mvneta1.20?
How is the switch configured?
How is your AP connected?
Steve