Can't go to websites without universal allow.
-
Hello all,
I am trying to tighten down my firewall.
Unless I allow the rule "* * * * * * Allow all Traffic", I can't bring up websites, secured and unsecured.
I have the following rules set up:
TCP * 80 (HTTP) LAN address 80 (HTTP) * Allow Webpages
TCP * 443 (HTTPS) LAN address 443 (HTTPS) * Allow Secure Webpages
ICMP * * * * * WAN Ping
TCP/UDP 192.168.1.1 * LAN address 53 (DNS) * Allow outgoing DNS
TCP * * LAN address 53 (DNS) * Block rogue DNS servers
Anyone have any idea of where I am going wrong?
Thanks!
-
You don't want HTTP or HTTPS for the source port numbers, only the destination port numbers. TCP clients will almost always use an ephemeral (random) source port, so leave those as '*'.
-
block udp LANnet * !lanaddress 53 * (block 4000+ dns of namebench!!) https://code.google.com/p/namebench/
pass udp LANnet * lanaddress 53 *
pass tcp LANnet * * 80 *
pass tcp LANnet * * 443 *
pass icmp LANnet * * * *
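To see why the original source-port rules never match and why the rule set above does, here is a small first-match rule evaluator added for illustration; it is not pfSense code and not from anyone in this thread. It assumes a 192.168.1.0/24 LAN with the firewall at 192.168.1.1, and the client and public addresses in the checks are constructed.

```python
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN subnet
LAN_ADDR = ip_address("192.168.1.1")     # assumed firewall LAN address

# Rule tuple: (action, proto, src, sport, dst, dport). "*" matches anything;
# src/dst may also be "lannet", "lanaddress", "!lanaddress" or a literal IP.
ORIGINAL_RULES = [                       # the poster's first attempt
    ("pass", "tcp", "*", 80, "lanaddress", 80),
    ("pass", "tcp", "*", 443, "lanaddress", 443),
    ("pass", "icmp", "*", "*", "*", "*"),
    ("pass", "tcp/udp", "192.168.1.1", "*", "lanaddress", 53),
    ("block", "tcp", "*", "*", "lanaddress", 53),
]
CORRECTED_RULES = [                      # the rule set suggested in the reply
    ("block", "udp", "lannet", "*", "!lanaddress", 53),   # rogue DNS
    ("pass", "udp", "lannet", "*", "lanaddress", 53),
    ("pass", "tcp", "lannet", "*", "*", 80),
    ("pass", "tcp", "lannet", "*", "*", 443),
    ("pass", "icmp", "lannet", "*", "*", "*"),
]

def _addr_match(spec, addr):
    a = ip_address(addr)
    if spec == "*":
        return True
    if spec == "lannet":
        return a in LAN_NET
    if spec == "lanaddress":
        return a == LAN_ADDR
    if spec == "!lanaddress":
        return a != LAN_ADDR
    return a == ip_address(spec)

def _port_match(spec, port):
    return spec == "*" or spec == port

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins; no match means the implicit default block."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if ((rproto == "*" or proto in rproto.split("/"))
                and _addr_match(rsrc, src) and _port_match(rsport, sport)
                and _addr_match(rdst, dst) and _port_match(rdport, dport)):
            return action
    return "block"

# Constructed traffic: a LAN client on an ephemeral port fetching an HTTPS page.
HTTPS_FROM_CLIENT = ("tcp", "192.168.1.50", 51234, "203.0.113.10", 443)
```

Running `evaluate(ORIGINAL_RULES, *HTTPS_FROM_CLIENT)` returns "block" because the rule demands source port 443, while the corrected set returns "pass" for the same packet and still blocks a LAN host's UDP query to an outside DNS server.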
-
Thanks a lot, that's got it!
On the ICMP rule, would it be bad to allow ping on the WAN (setting source to any instead of LAN net) too? Can something follow a ping home?
-
Hiding yourself from pings doesn't really make you any safer.
-
Point taken…
I am noticing that FTP seems to be able to get out without an enable rule; I can create a rule to block it though.
Any other ports that pfSense will have open by default?