Block all ports except some
-
Hi,
I would like a validation of my configuration.
I want to block all ports from my lan to wan except some (80, 443...)
I created a port alias named Ports_LAN_OK containing ports 80, 443... and I created a firewall rule.The result is :
It's good ? Sorry for this noob question
-
@fjmp24 yeah that works.. Clearly its working you have moved almost 7 gig over it already ;)
I assume you have 53 in there, otherwise not sure how you would be doing dns, unless your browser was doing doh over 443.
-
I don't understand when I click on the "states" link of my rule I can see :
The port 5228 is not in my alias !? I I shouldn't have this line !?
-
I did a states reset...
-
@fjmp24 Is that IP that we can't see a member of LAN_NET?
-
@mcury Yes
-
@fjmp24 I would reset the states table and/or reboot to make sure it's not a state that pre-dates your filter rule.
-
@rcoleman-netgate Thanks that works
-
Sorry but there is a thing that I don't understand.
In my LAN network I have a service which uses the port 8081. This port is not in my alias.
But all computer in my LAN can access to this service. Why ? -
@fjmp24 Because it is not going through the Firewall.
You can not filter on the same Interface. -
@fjmp24 said in Block all ports except some:
In my LAN network I have a service which uses the port 8081
This seems to be some common misconception to new users to networking.. Pfsense is the router to get off a network, ie the gateway for a device on network A to get to networks other than A.
When devices talk to other devices on the same network as them - they don't send that traffic to their gateway, ie the router.. They just send it to the IP on their same network directly via the mac address.
You have 192.168.1.a/24 and he wants to talk to 192.168.1.b -- the device knows hey 192.168.1.b is on my network so it arps, gets back the mac address of 192.168.1.b from 192.168.1.b and then sends the traffic to that mac.
Pfsense has nothing to do with that traffic.
Now when 192.168.1.a wants talk to say 8.8.8.8 or 192.168.2.x - it knows hey that is not my network.. Let me send that traffic to my router/gateway - they will know how to get there. So it arps for the mac address of its gateway say 192.168.1.254 or 192.168.1.1, whatever you have setup on your network as the gateway (pfsense IP on that network) and sends the traffic to that mac.. Pfsense then says oh you want to go to 8.8.8.8 - let me look in my routing table - oh Im not attached to that network, let me send it to my gateway (your isp)..
edit: To be complete in the info - so here my pc arp table 192.168.9.100 for other IPs it has talked to recently on its own network..
When I ping 192.168.9.10 you see it sends that to the mac address it has for that IP in its arp table..
Now when I ping 8.8.8.8 it sends it to the mac address of pfsense IP 192.168.9.253, this pc gateway to get off its 192.168.9/24 network.
Hope that helps you understand why pfsense has no say in what devices on the same network do between themselves.
