Firewall Rules
-
Hi,
I wanted to create a few rules based on the requirement.
-
I also wanted to allow the ports mentioned here to 192.168.12.0/24:
5160
5161
5443
8083
8449
9988
6568
51820
51821
51822
50001
50002
50003
4321
1234
5222
3478
3479
3480
3481
500
4500
53
22
4567
3000
8080
-
Wanted to give access to O365, MS Teams & Web WhatsApp to LAN IPs 192.168.12.0/24
-
I wanted to give browsing access only to the LAN IP range 192.168.12.101 to 192.168.12.149; others have browsing blocked.
Here is my rule.
I have created the alias as P1_LAN_allowed_Ports
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN Subnet (192.168.12.0/24)
Destination: any
Destination Port: P1_LAN_allowed_Ports

I have created the alias as U1_O365_Teams_allowed (URL & IP Ranges of O365 & Teams, Ranges attached)
I have created the alias as P2_O365_Teams_allowed_Ports (25, 80, 143, 443, 587, 993, 995, 3478, 3479, 3480, 3481)
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN Subnet (192.168.12.0/24)
Destination: U1_O365_Teams_allowed
Destination Port: P2_O365_Teams_allowed_Ports

I have created the alias as U3_Browsing_allowed (192.168.12.51-192.168.12.100)
I have created the alias as P3_Browsing_allowed_Ports (80, 443)
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: Address / Alias: U3_Browsing_allowed
Destination: P3_Browsing_allowed_Ports (80, 443)
Destination Port: P3_Browsing_allowed_Ports (80, 443)

Now the last rule, blocking the rest for everyone:
Action: Reject
Interface: LAN
Protocol: Any
Source: LAN Subnet
Destination: Any
Destination Port: Any

Is this correct?
I am facing an issue: a few users are able to send & receive e-mails, a few are not; a few users are able to attend Teams meetings, a few are unable.
Are all the rules correct, or do I have to change any?
Please guide me.
Thanks in advance.
With regards
Lokesh Kamath
-
-
@slkamath I didn't notice a rule allowing DNS… LAN IP port 53 tcp/udp
-
@SteveITS Thanks for your response.
Sorry, I forgot to mention that rule.
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN Subnet (192.168.12.0/24)
Destination: This Firewall
Destination Port: 53

Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: Any
Destination: LAN Subnet (192.168.12.0/24)
Destination Port: 53

In the above, which rule is right I don't know.
And lastly I have mentioned this:
Action: Reject
Interface: LAN
Protocol: TCP/UDP
Source: Any
Destination: Any
Destination Port: 53

Action: Reject
Interface: LAN
Protocol: TCP/UDP
Source: LAN
Destination: This Firewall
Destination Port: 53

In this also, which rule is correct I don't know.
Please guide me.
-
@slkamath said in Firewall Rules:
In the above, which rule is right I don't know.
the 1st one - pfsense has zero control over talking to other devices on the 192.168.12/24, while its ip does fall into that range and that rule would allow it.. It's not a good way to write rules.
Why do you have reject rules for something you allow?? Why do you have reject rules at all, there is a default deny - if rules don't allow it, then it would be denied anyway.
This rule doesn't make a lot of sense
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: Address / Alias: U3_Browsing_allowed
Destination: P3_Browsing_allowed_Ports (80, 443)
Destination Port: P3_Browsing_allowed_Ports (80, 443)
Why do you have a browsing allowed in dest, that has ports on it?
It would be much easier to read and know the order if you would just paste up a pic of your LAN rules.
-
-
@slkamath not a single rule triggered, 0, devices are not going through this interface, see the 0/0 B. None of these rules have ever matched.
See, your rules once matched would show traffic - here is a rule on one of my interfaces.
-
@slkamath said in Firewall Rules:
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN Subnet (192.168.12.0/24)
Destination: This Firewall
Destination Port: 53
This will work because pfSense LAN is one of the This Firewall IPs.
@slkamath said in Firewall Rules:
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: Any
Destination: LAN Subnet (192.168.12.0/24)
Destination Port: 53
As noted this will work because pfSense LAN (192.168.12.1?) is in that subnet. It's just clearer to use the LAN IP and you don't need to allow it twice.
@slkamath said in Firewall Rules:
Action: Reject
Interface: LAN
Protocol: TCP/UDP
Source: Any
Destination: Any
Destination Port: 53
This will reject port 53 to any DNS server. pfSense LAN IP is allowed since that rule is above this one.
@slkamath said in Firewall Rules:
Action: Reject
Interface: LAN
Protocol: TCP/UDP
Source: LAN
Destination: This Firewall
Destination Port: 53
This is unnecessary because of the rule above this.
However in your picture you have a rule rejecting LAN subnets to anything, so neither of the last two rules will be reached.
Overall, rules are matched top down, in order.
-
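An added example, not from the thread and not pfSense code: a small Python model of the top-down, first-match evaluation SteveITS describes, run over the four DNS rules as posted, and again with the first post's broad "Reject LAN subnet to any" placed above them. It assumes 192.168.12.1 as the pfSense LAN address and constructs its own sample queries.

```python
import ipaddress
# Constructed model of pfSense first-match evaluation; 192.168.12.1 is an assumed LAN address.
FIREWALL_IPS = {"192.168.12.1"}
LAN_SUBNET = "192.168.12.0/24"

def addr_matches(ip, spec):
    """spec is 'any', 'this firewall', or a list of CIDRs/IPs (an alias)."""
    if spec == "any":
        return True
    if spec == "this firewall":
        return ip in FIREWALL_IPS
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in spec)

def rule(action, src, dst, dport, proto=("tcp", "udp")):
    return {"action": action, "src": src, "dst": dst, "dport": dport, "proto": proto}

def evaluate(rules, src, dst, dport, proto="udp"):
    """(action, index) of the first matching rule, or ('deny', None) for
    pfSense's implicit default deny when no rule matches."""
    for i, r in enumerate(rules):
        if r["proto"] != "any" and proto not in r["proto"]:
            continue
        if not addr_matches(src, r["src"]) or not addr_matches(dst, r["dst"]):
            continue
        if r["dport"] != "any" and dport not in r["dport"]:
            continue
        return r["action"], i
    return "deny", None

def unreachable(rules, probes):
    """Indices of rules that none of the probe packets ever reaches."""
    hit = {evaluate(rules, *p)[1] for p in probes}
    return [i for i in range(len(rules)) if i not in hit]

# The four DNS rules as posted in the thread, in the posted order.
DNS_RULES = [
    rule("pass", [LAN_SUBNET], "this firewall", {53}),
    rule("pass", "any", [LAN_SUBNET], {53}),
    rule("reject", "any", "any", {53}),
    rule("reject", [LAN_SUBNET], "this firewall", {53}),
]
# The first post's broad "Reject LAN subnet -> any" placed above them.
BROAD_REJECT_FIRST = [rule("reject", [LAN_SUBNET], "any", "any", "any")] + DNS_RULES
PROBES = [  # constructed (src, dst, dport) DNS queries from one LAN client
    ("192.168.12.50", "192.168.12.1", 53),   # to the pfSense resolver
    ("192.168.12.50", "8.8.8.8", 53),        # to an outside resolver
    ("192.168.12.50", "192.168.12.77", 53),  # to another LAN host
]
```

unreachable(DNS_RULES, PROBES) reports only the last reject rule as never reached, while with the broad reject placed first every DNS rule after it is shadowed.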
Is this even the LAN interface? I don't see the anti-lockout rule. If this is not your LAN, then LAN subnets as source would never trigger..
-
@johnpoz Thank you for your response.
These rules I have created and have not applied, because my old rules are messed up. That is the reason I have created a new set of rules.
Here I have attached my old set of rules (messed-up firewall rules).

Because of the messed-up rules I thought of creating fresh rules, and if the rules are right I thought of deleting the old rules & keeping the new rules.
Once again Thank you for your kind attention & help.
-
-
@slkamath How am I supposed to know if you need those rules or not..
Or if your new rules would work; I have no idea what you have in any of your aliases, etc.
Your last 2 reject rules for DNS make no sense at all. Your 2nd DNS rule from the top makes no sense. And your reject rule at the end for LAN, not really sure what the point is; the only reason I could see for that sort of rule is you actually want to send a reject vs just letting clients time out on a deny. But you're not logging it - so you wouldn't really know if anything, or what, is hitting it, etc.
-
@slkamath said in Firewall Rules:
I am facing an issue: a few users are able to send & receive e-mails, a few are not; a few users are able to attend Teams meetings, a few are unable.
This is still the problem?
Are all Microsoft IPs covered by your U1_O365_Teams_allowed alias? I would expect Microsoft to change IPs quite often.
If you are having trouble creating rules in order, I suggest writing down, in words, what you want to do, and then create the rules from that. For example:
allow to pfSense DNS
block to any other DNS
allow to Microsoft IPs and ports
block to any other IP
Then if DNS is working, and the software cannot connect, you can go through the rules and figure out why.
-
@johnpoz Thanks for your response.
These are the aliases which I have created; these IPs & URLs are from the Microsoft site.
-
@SteveITS Thanks for your valuable suggestion.
I tried finding the same. Didn't get any success. I have covered all the IPs & URLs in the alias which Microsoft has suggested.
-
Hi All,
With the help of the below link (YouTube video) I have rectified my issue.
https://www.youtube.com/watch?v=7mW3UY67RwE
-
@slkamath horrible video.. Renaming LAN is not a good idea. Why would you allow 445 to the internet? This traffic isn't even normally allowed anywhere on the internet - most ISPs would block this. He clearly doesn't understand how the rules work via direction. You would not need to allow unreach outbound in ICMP.. Unless you were port forwarding from the internet to something on your network and wanted it to send back - hey you can't get here, etc. Same goes for time exceeded.
Sure you might want reject on the end, but not even logging it?
Those rules don't even allow internet. So not how that would allow the traffic you're trying to allow.
-
@johnpoz Thank you once again for your prompt response.
I have not allowed port 445 and I have not renamed the LAN, but I have allowed ICMP. Should this not be allowed?
My new set of rules screenshot I have attached... Please suggest anything I have done wrongly... Or any better way of placing the rules.
I have issues with Microsoft ports (Teams & Outlook) and I am looking for solutions.
Once again, thanks in advance.
-
@slkamath ICMP is not an issue - that he locks it down to specifics, where some of the specifics he allows don't even make any sense. What that tells me is it is someone putting together a video who doesn't even understand what they are doing.
He also states allowed into your network, which is not what those rules do at all.. They are outbound rules, traffic entering the interface trying to go somewhere.. Has zero to do with traffic inbound into that network from elsewhere.
That he would even put 445 in as an example of anything has me also questioning his basic understanding. If he had been specific with allowing 445 to your other networks attached to pfSense - ok. But that should have been a specific rule to your other networks, or say RFC1918 space - not a wide open rule.
Also his rules do not lock down the source network.. Is this interface being used as a transit/connector network? There is no reason not to lock down the source to the network the interface is attached to. It's sloppy to say the least; rules should be as specific as possible.
-
@johnpoz Thank you once again for the brief info.
I took his idea and created my own set of rules for my network. While seeing that video I got the idea. I am not sure all my rules are right.. That's the reason I have attached the screenshots, so that you can guide me.
Moreover, after your explanation I realized those things.. Thank you.
-
Teams & Outlook are working. I have installed pfBlockerNG; in the DNSBL Whitelist & TLD execution list I have added the URLs of Teams & Outlook.
It is working but it is taking time (I mean for the users who don't have browsing access, Teams or Outlook will not work when opened; sometimes after 2 min or after 5 min it will work). If we close the app & re-open it again, it will take the same time (2 to 5 min).
Any suggestions?