Blocking ports and other lans



  • Hi,

    I've been trying to do two things but can't seem to get either of them to work.

    The first is that I've got 5 internal networks (LAN, Office, Classrooms, WiFi, Tel).
    Now I've created aliases for ports that I want open from inside to out for each network and instead of the default pass rule I created a general block rule and another pass rule that contains the alias of ports that I want opened on this LAN.
    But it either blocks everything or it blocks nothing.
    I don't know whether I have to set up something with NAT (I'm using manual outbound rule generation because of SIP phones used) or whether I can just stop traffic with rules.
    Or what am I supposed to do to only allow a list of ports outbound from an internal network?

    The second is that I would like to block the internal networks from seeing each other.
    I've tried making a rule that blocks traffic from the class subnet to the LAN subnet and the same to other networks.
    But as I said it doesn't work.
    So how would I go about blocking traffic from one network to another but still be able to pass through to a few IPs on the LAN network?

    Thanks for any advice. I really thought that these rules would work for me but I don't know where I went wrong.

    Bye



  • Are you assigning the firewall rules to the correct interfaces?  The firewall rule should be on the network for the source address you use.  For example, your rule that blocks traffic from class subnet to lan subnet should be on the Classrooms network.  Also be sure you are putting it at the top of the list.

    By the way, NAT rules do not bypass the firewall, so that should not be the issue. (an exception to this is if you are using a 2.0 beta build and have a port forward that is set to "pass")



  • Hi,

    thanks for the tip. Guess I only made the mistake of putting the block rule after the allow rule.
    So block should always be before allow, right?

    Now here's a follow up question.  :)

    Now that I've blocked the wanted networks, how do I allow only specific IP addresses to be accessed on the previously blocked networks (file server, web server, etc.)?
    My thought was to make an alias, something like allowed_ips, and then make a rule like allow from one of the networks to destination the alias I made. But it doesn't seem to work either.
    Did I screw up the rule order or just the rule in general?  ;D

    Thanks for the help and patience, it's my first time setting up a complex network like this so I'm hitting a lot of walls before I get it the way it should be.

    By the way, how would I go about blocking outbound ports on these networks? I've already created aliases for ports on each specific network but again if I put in a rule for passing these ports... it all gets blocked....  :-\

    Bye



  • Hi,

    well, it seems that I got the port blocks in place; all I had to do was disable the default pass rule and it's working.

    But I still don't know how to allow only some access from one LAN to another.

    Thanks for the help.



  • that's really too vague, sorry :(  please post the rules you are trying to use and we can check them.



  • Hi,

    sorry, it was a little vague.

    Here are my rules for, let's say, the Office LAN:

        Action  Proto    Source      Port  Destination              Port                  Gateway  Schedule  Description
        BLOCK   *        Office net  *     blocked_office_networks  *                     *                  BLOCK Office -> Not allowed networks
                                           (192.168.0.0/24, 192.168.3.0/24, etc.)
        PASS    TCP/UDP  Office net  *     *                        allowed_office_ports  *                  Allowed ports for Office
                                                                    (21, 25, 53, 80, 110, 443)
        PASS    *        Office net  *     allowed_addresses        *                     *                  Office -> Allowed hosts (this doesn't work)
                                           (192.168.0.10, 192.168.0.20, 192.168.0.21)

    Now the Office (192.168.2.0/24) network can't access the LAN (192.168.0.0/24), which is right. But I would still like any host on Office to access, let's say, some IPs on LAN (192.168.0.10, 192.168.0.20, 192.168.0.21).
    I would like to get this working so I don't have to set up a file server on each LAN with content that may be accessible to all.

    Thanks



  • The pass rule that you want to override the block should go above the block rule.  The rules are checked in top-down order, with the first matching rule being the one it uses.



  • Hi,

    thanks for the tip, Efonne. I didn't realize the order is that important.
    So the rules are checked from the top down to the bottom and block rules always overrule pass. So if I had first a pass and then a block for the same thing the block rule would take precedence. I think I get it now.

    Thanks again.

    Bye



  • Regardless of whether it is block or pass, the first rule that matches the traffic is the one that will take effect.  It does not go looking further down the list when it has already found a matching rule for the traffic.

    As far as I know, every list of any kind of firewall, forwarding, or NAT rule is like this in pfSense.  However, I'm not at this moment going to go into explaining the extra details about schedules on firewall rules, because it gets a bit more confusing there. (unless you want me to)
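    To make the first-match behaviour concrete, here is an added Python simulation (not from this thread or from pfSense itself) of the Office interface rules posted above, with the aliases expanded to the values the poster listed. It assumes every rule has Office net as source and ignores protocol, so only destination address and port are matched.

    ```python
    import ipaddress

    # Constructed alias contents, taken from the rules posted in the thread.
    BLOCKED_OFFICE_NETWORKS = ["192.168.0.0/24", "192.168.3.0/24"]
    ALLOWED_ADDRESSES = ["192.168.0.10", "192.168.0.20", "192.168.0.21"]
    ALLOWED_OFFICE_PORTS = {21, 25, 53, 80, 110, 443}


    def rule(action, dst_nets=None, dst_ports=None, desc=""):
        """One interface rule; dst_nets None means any destination,
        dst_ports None means any port (the '*' column in the GUI)."""
        nets = [ipaddress.ip_network(n) for n in (dst_nets or ["0.0.0.0/0"])]
        return {"action": action, "dst_nets": nets, "dst_ports": dst_ports, "desc": desc}


    def matches(r, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        in_net = any(ip in n for n in r["dst_nets"])
        port_ok = r["dst_ports"] is None or dst_port in r["dst_ports"]
        return in_net and port_ok


    def evaluate(rules, dst_ip, dst_port):
        """Walk the list top-down; the first matching rule decides and no
        later rule is consulted. No match at all is the implicit default deny."""
        for r in rules:
            if matches(r, dst_ip, dst_port):
                return r["action"], r["desc"]
        return "block", "default deny (no rule matched)"


    # Order exactly as the poster had it: block first, host pass rule last.
    AS_POSTED = [
        rule("block", BLOCKED_OFFICE_NETWORKS, desc="BLOCK Office -> Not allowed networks"),
        rule("pass", None, ALLOWED_OFFICE_PORTS, desc="Allowed ports for Office"),
        rule("pass", ALLOWED_ADDRESSES, desc="Office -> Allowed hosts"),
    ]

    # Efonne's fix: the host pass rule moves above the block rule.
    REORDERED = [AS_POSTED[2], AS_POSTED[0], AS_POSTED[1]]

    if __name__ == "__main__":
        for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
            for ip, port in (("192.168.0.10", 445), ("192.168.0.50", 445), ("8.8.8.8", 80), ("8.8.8.8", 22)):
                print(f"{name:10} {ip}:{port} -> {evaluate(rules, ip, port)}")
    ```

    With the original order the file server at 192.168.0.10 is blocked by the first rule before the host pass rule is ever reached; with the pass rule moved up it is allowed while the rest of 192.168.0.0/24 stays blocked.
    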



  • Thanks again Efonne.

    I've now got everything working the way I planned it.

    I don't think I have a use for scheduling yet, but I see how it could come in handy.

    Thanks for the help again and bye

