How do i check to see if my firewall rules are working



  • How do I check to see if my firewall rules are working?

    I just set up my pfSense firewall: WAN, OPT1 (not being used as yet), LAN. I also just created some rules to pass protocol TCP/UDP from source LAN subnet, port any, to destination WAN address and ports 110, 443, 5000, 21, 80, 25, and a last rule to block TCP/UDP from source LAN subnet, port any, to destination WAN address, port any.

    The thing is, did I configure the rules right? I only want to allow internet browsing, mail access (both SMTP and POP3), FTP, and port 5000 to a remote server. Also, where can I go to check whether the rules are actually being applied?

    Thanks in advance



  • Be sure, the rules you have created are working.
    Another question is "did you create what you wanted to create?" ;-)



  • Well, I think I did, lol.

    The thing is, I want to set up some rules where workstations can only surf the internet, access mail, and access ports 5000 and 1227 for my DNS. I have made one change to my rules: I changed the source port from a specific number to any and the destination to any, and I also disabled the block rule since I noticed that pfSense automatically blocks anything that is not defined in the rules.



  • You could post a screenshot of your rules.



  • Here is the print screen




  • The first rule allows any device connected to LAN to go to anywhere using any port.
    You can safely remove all other rules.



  • The thing is, I want to allow only internet browsing, access to port 5000 for now, and access to ports 25 and 1227 only on my mail server. I want to block all the other ports to ensure that no Trojans can send out spam.

    Question: if I'm accessing a mail server from behind pfSense, would I have to map port 25 on the specific computer so it can continue to access the remote server?



  • The order of the rules is important.

    If a rule catches, the other rules below are no longer considered.
    Since your first rule allows everything, all your rules below are useless.



  • OK, so if I allow ports 80, 25, 5000, 1227, 110 and 21 and turn off the rule which says default LAN to any, would I still be able to surf the internet and send out mail?



  • Yes, you should be OK. I would allow one more: UDP 53 for external DNS requests.



  • UDP 53, isn't that for the WAN side? (Because if it is for external DNS requests it should be from WAN to LAN.) Just asking. Also, would that port on the LAN side allow me to access a mail server which is outside my domain?



  • OK, I disabled the default LAN to any rule and left all the other rules, but users were not able to surf the internet, nor was I able to retrieve mail from an outside mail server.



  • @afvadmin:

    UDP 53, isn't that for the WAN side? (Because if it is for external DNS requests it should be from WAN to LAN.)

    Could you explain this in more detail?



  • @afvadmin:

    OK, I disabled the default LAN to any rule and left all the other rules, but users were not able to surf the internet, nor was I able to retrieve mail from an outside mail server.

    OK, what was going on? Did you try to ping google.ca and get the name resolved? How do you access your external mail server?



  • OK, I disabled default LAN to any and I was not able to ping google.com, not even 4.2.2.2. As soon as I enable default LAN to any I receive packets.



  • You do not have a rule allowing ICMP traffic; that is why your pings failed. Believe me, the rules are working in exactly the way you've created them.



  • @Eugene:

    @afvadmin:

    UDP 53, isn't that for the WAN side? (Because if it is for external DNS requests it should be from WAN to LAN.)

    Could you explain this in more detail?

    The reason I said that is because port 53 just resolves a domain to an IP, and the WAN interface would be the first to get the reply from the domain, transferring it to the LAN interface via port 53 to a LAN address via any port once it reaches the LAN subnet (or so I think).



  • OK, wow, thanks. I went back into the books; quoting Wikipedia: "The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite". How could I miss the word core? So it seems like I can ping and browse now, just a little bit slow, so I guess that means I have to go into configuring bandwidth settings now. Thanks Eugene, this will definitely assist me in my future networking endeavors.



  • @afvadmin:

    @Eugene:

    @afvadmin:

    UDP 53, isn't that for the WAN side? (Because if it is for external DNS requests it should be from WAN to LAN.)

    Could you explain this in more detail?

    The reason I said that is because port 53 just resolves a domain to an IP, and the WAN interface would be the first to get the reply from the domain, transferring it to the LAN interface via port 53 to a LAN address via any port once it reaches the LAN subnet (or so I think).

    I think you misunderstand the theory. What do you have on the LAN as DNS server: a separate server or pfSense itself?
    In the first case your server will be trying to reach some external DNS server, and answers from this external server will not be filtered by pfSense at the WAN interface (you do not have to create any rules on WAN for it). So, if that is your scenario, then you have to create a rule on LAN to allow DNS requests to go from LAN to the Internet.



  • I have a separate server, and OK, that makes a lot of sense now, thanks.

    Wait, one more question: I should leave ICMP to any so that it can facilitate all of the replies from a ping request, right?
    And also I have a PC at x.x.x.78 which needs to access a mail server outside the firewall. Should I just create a rule for it, or is there a workaround? (Since I honestly don't want to open port 25 in case the PC is infected with spam Trojans that will use the open port to send spam and get me blacklisted again.)



  • If you have a PC on the LAN which should be able to reach an e-mail server outside using port 25, then you should open this port for this PC (putting it as the source IP). In destination put the IP of this server. In this way the PC will be able to connect to only this server.
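The rule-ordering point made earlier in the thread (a "LAN to any" pass rule on top shadows everything below it, including a block rule) and the per-host SMTP rule in the last reply, modelled as an added example that is not pfSense's own code. The addresses are constructed, and the port list follows the thread's rules.

```python
# Added example (not pfSense's own code): first-match evaluation of a LAN
# egress ruleset like the one discussed above. Addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp", "icmp" or "any"
    src: str           # a host address, or "lan" for the whole LAN subnet
    dst: str           # a host address, or "any"
    dports: frozenset  # allowed destination ports; empty means any port

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int = 0     # 0 for protocols without ports (ICMP)

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("any", flow.proto)
            and rule.src in ("lan", flow.src)
            and rule.dst in ("any", flow.dst)
            and (not rule.dports or flow.dport in rule.dports))

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    # pfSense interface rules are first-match: once a rule catches, the
    # rules below it are never consulted. Unmatched traffic hits the
    # implicit default deny, so it is blocked without any rule firing.
    for i, rule in enumerate(rules):
        if matches(rule, flow):
            return rule.action, i
    return "block", None

MAIL_PC, MAIL_SERVER = "192.168.1.78", "203.0.113.25"   # constructed
WEB_TCP = frozenset({80, 443, 110, 21, 5000, 1227})

# Ruleset following the thread's advice: no "LAN to any", explicit UDP 53
# and ICMP, and SMTP only from the one PC to the one mail server.
HARDENED = [
    Rule("pass", "tcp", "lan", "any", WEB_TCP),
    Rule("pass", "udp", "lan", "any", frozenset({53})),
    Rule("pass", "icmp", "lan", "any", frozenset()),
    Rule("pass", "tcp", MAIL_PC, MAIL_SERVER, frozenset({25})),
]
# The original layout: a "LAN to any" pass on top shadows everything below.
SHADOWED = [Rule("pass", "any", "lan", "any", frozenset())] + HARDENED + [
    Rule("block", "any", "lan", "any", frozenset())]
```

Running `evaluate(HARDENED[:1], Flow("udp", "192.168.1.10", "4.2.2.2", 53))` reproduces the failure described in the thread: with only the TCP pass rule, DNS lookups fall through to the default deny and browsing stops.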

