Block source ports vs destination ports

  • My pfSense v1.2.3 firewall has 3 NICs. One for the gateway, one for the main LAN, and one for a separate LAN for the web server running RHEL 5.4 with Apache HTTP Server. I have a rule to block all from the web LAN to the main LAN.

    We have installed a Windows Server 2008 with IIS. We set up Apache to proxy the Windows server for an application. I put in a new rule (above the block all rule) to allow all from the web server to the Windows server. Everything works. Now I want to limit this new rule. I set source protocol to TCP. Everything still works. When I limit the source port to 80, things stop working. I turned debug on Apache and turned on logging for the new rule. With all ports open, I see only port 80 being used. I see pfSense passing port 80 to the Windows server. When I limit the source to port 80, pfSense does not show any traffic.

    If I leave all ports open on source and limit destination to port 80, everything works. Why would limiting the source to port 80 not work but limiting the destination to port 80 work? Does it matter if I limit destination and not source?


  • Approximately speaking, a connection to a web server will always have a destination port of 80 but the source port will be a random number in the range 1024 to 65535. If the source port were always 80 it would not be possible for TCP to distinguish between multiple HTTP connections between the same pair of hosts.
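The behaviour described in the answer, shown as an added example (not code from the thread or from pfSense): a miniature first-match rule evaluator with the same columns as a pfSense pass rule, fed with the source ports the operating system actually picks for outbound client sockets. A rule that pins the source port to 80 never matches the Apache host's requests, while a rule that pins the destination port to 80 matches every one of them. pf is a stateful filter that evaluates rules against the first packet of a flow and lets the reply packets (which do carry source port 80, from the IIS side) through on the state entry, so no rule for source port 80 is needed in either direction. The addresses 10.0.2.10 (Apache on the web LAN) and 10.0.1.20 (Windows/IIS on the main LAN) are constructed for the example.

```python
"""Added example, not part of the forum thread: a pfSense-style first-match
rule evaluator plus real client sockets, showing why pinning the *source*
port to 80 never matches the web server's outbound requests while pinning
the *destination* port to 80 does.

Constructed addresses: 10.0.2.10 is the web-LAN Apache host, 10.0.1.20 is
the Windows/IIS host. Rule columns mirror pfSense: proto, source,
source port, destination, destination port.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEB = "10.0.2.10"   # constructed: Apache reverse proxy on the web LAN
IIS = "10.0.1.20"   # constructed: Windows Server 2008 / IIS on the main LAN

# (proto, src_ip, src_port, dst_ip, dst_port) of the first packet of a flow;
# pf evaluates rules against this packet and then tracks the flow by state.
Packet = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # address or "any"
    sport: Optional[int]   # None means "any"
    dst: str
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        proto, src, sport, dst, dport = pkt
        return (self.proto in ("any", proto)
                and self.src in ("any", src)
                and self.sport in (None, sport)
                and self.dst in ("any", dst)
                and self.dport in (None, dport))


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """Interface rules are evaluated top to bottom; the first match wins,
    and anything unmatched falls to the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


BLOCK_ALL = Rule("block", "any", "any", None, "any", None)

# The rule as first tightened in the thread: source port pinned to 80.
RULES_SPORT_80 = [Rule("pass", "tcp", WEB, 80, IIS, None), BLOCK_ALL]
# The rule that worked: destination port pinned to 80.
RULES_DPORT_80 = [Rule("pass", "tcp", WEB, None, IIS, 80), BLOCK_ALL]


def observe_client_ports(n: int = 3) -> List[int]:
    """Open n TCP connections to a throwaway listener on localhost and return
    the source port the OS chose for each client socket. Each is an ephemeral
    port, never 80, and they differ so the 4-tuples stay distinct."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(n)
    clients, ports = [], []
    try:
        for _ in range(n):
            c = socket.create_connection(srv.getsockname())
            clients.append(c)
            ports.append(c.getsockname()[1])
    finally:
        for c in clients:
            c.close()
        srv.close()
    return ports


def evaluate(rules: List[Rule], client_ports: List[int]) -> List[str]:
    """Verdict for each proxied request: Apache (ephemeral port) -> IIS:80."""
    return [first_match(rules, ("tcp", WEB, p, IIS, 80)) for p in client_ports]


if __name__ == "__main__":
    ports = observe_client_ports()
    print("client source ports chosen by the OS:", ports)
    print("source port 80 rule      ->", evaluate(RULES_SPORT_80, ports))
    print("destination port 80 rule ->", evaluate(RULES_DPORT_80, ports))
```

Run it and the observed client ports will be high, distinct ephemeral numbers; every request is blocked under the source-port-80 rule set and passed under the destination-port-80 one. The only packet the source-port-80 rule would ever pass is one whose source port happens to be 80, which a client never sends.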
