Netgate Discussion Forum

    Why vlan to vlan traffic isn't blocked?

wiz561

      Hi,

I have a question about VLAN to VLAN traffic and why it's not being blocked. I have a number of VLANs. All my workstations are on the "Green" VLAN. I have a FW rule on the "Green" VLAN to allow all traffic sourced from the GreenWorkstations anywhere. It's pretty much all *'s except for the 'source', which is "GreenWorkstations net".

I have another VLAN called "PurpleServer". I want to block all traffic coming in and leaving that VLAN, and only allow exceptions. In the firewall rules, I have one rule, which is to reject all traffic from any source, dest, port, and protocol. It's just all *'s in the firewall rule GUI, marked as 'reject'.

The strange thing is that it still allows traffic from the green VLAN to here. I believe it's because of the allow-everything src and dst rule in green, but I would think that the VLAN FW rule to block everything would override this one.

      Is there a way to do this?

      Thanks!

GruensFroeschli

        Firewall rules are applied on the interface on which traffic comes in.

        Meaning only rules on the "GREEN" interface will have any impact on whether your "GreenWorkstation" can access this other VLAN or not.

        A good way to manage this:

        Create 2 Aliases:
        One "Blocked destinations"
        I generally include in this alias 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

        And an "Allowed destinations"
        Put here all the servers you want to allow.

        Use in the rule on your green interface something like this:
        Rule1: Allow
        Source: Green-subnet
        Source port: any
        Destination: AllowAlias
        Destination port: any
        Gateway: default

        Rule2: Allow
        Source: Green-subnet
        Source port: any
        Destination: !BlockAlias  (NOT the alias)
        Destination port: any
        Gateway: default

        Like this you can:

• modify the allow alias to let your users reach servers
• allow the users to access the internet, but block everything else on different subnets.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

wiz561

Oh... thanks for the information!

          I didn't even know about the aliases...those will come in handy!

          The rules make sense...  Thanks for posting them!

Another question is: why is it that for IPs that aren't being used, all ports are 'filtered' and tcp/21 (ftp) is open?

GruensFroeschli

What exactly do you mean by "the ports are filtered"?

            The open port 21 is most probably the FTP-proxy running on the pfSense.
            You can disable it on the interface config page: "Disable the userland FTP-Proxy application"

wiz561

              Yeah, it was the ftp userland proxy that was causing tcp/21 to be open.  I checked the box and now nmap doesn't show that port as being open.

However, it still shows the ports as being 'filtered' as opposed to 'closed', i.e. somewhat like a no response. Here's the result from nmap:

              root@scanner1:/home/wisniewski# nmap -PN 192.168.1.17

              Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-29 09:48 CDT
              All 1000 scanned ports on 192.168.1.17 are filtered

              Nmap done: 1 IP address (1 host up) scanned in 201.56 seconds
              root@scanner1:/home/wisniewski#

Is there a way to have the ports show as closed, so that it does respond? In the firewall, I have a rule to "REJECT" all traffic instead of "Block". However, I have the protocol set to "ANY" instead of just "TCP". In the notes, it says it won't work when it's set to "TCP/UDP", but I'm not sure if that applies to "ANY" as well.

              Thanks!

cmb

                Reject == filtered
                Blocked == closed

                The note about TCP/UDP just means those are the only protocols that actually return anything for reject.

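The two points the thread turns on, that pf rules only ever see traffic entering the interface they are attached to (GruensFroeschli's answer) and that a Reject rule only produces a response a scanner can see for TCP/UDP (the note discussed at the end), modelled as an added Python example. This is editor-written illustration, not pfSense code and not anything posted by the participants. It assumes, since the thread does not say, that Green is 10.1.0.0/24, PurpleServer is 10.2.0.0/24 with one permitted server at 10.2.0.10, that pfSense attaches "quick" to GUI rules so the first match on the ingress interface decides, and that a Reject rule whose protocol is not TCP/UDP is installed as a plain silent block:

```python
"""Model of pf rule evaluation for the rule sets in this thread, and of what an
nmap probe sees for each action.  Added example, not pfSense code.
Assumed (not from the thread): Green = 10.1.0.0/24, PurpleServer = 10.2.0.0/24,
permitted server = 10.2.0.10; GUI rules are "quick" (first match on the
interface the packet ENTERS wins) and the implicit default deny is a silent drop.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

GREEN = ip_network("10.1.0.0/24")
# The two aliases from GruensFroeschli's post, as lists of networks.
BLOCK_ALIAS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOW_ALIAS = [ip_network("10.2.0.10/32")]


@dataclass
class Rule:
    iface: str                    # filters traffic ENTERING this interface only
    gui_action: str               # "pass", "block" or "reject", as chosen in the GUI
    proto: str = "any"            # "any", "tcp", "udp" or "tcp/udp"
    src: list = field(default_factory=list)   # networks; empty list = any
    dst: list = field(default_factory=list)
    dst_negated: bool = False     # the "!Alias" (NOT) option on the destination


def pf_action(rule: Rule) -> str:
    """GUI action -> pf keyword.  Reject becomes 'block return' for TCP/UDP rules;
    for any other protocol this model assumes pfSense installs a plain block."""
    if rule.gui_action == "pass":
        return "pass"
    if rule.gui_action == "reject" and rule.proto in ("tcp", "udp", "tcp/udp"):
        return "block return"
    return "block drop"


def _member(addr: IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def _matches(rule: Rule, iface: str, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
    proto_ok = rule.proto in ("any", proto) or (rule.proto == "tcp/udp" and proto in ("tcp", "udp"))
    if rule.iface != iface or not proto_ok:
        return False
    if rule.src and not _member(src, rule.src):
        return False
    # A plain destination alias must hit; a "!alias" destination must miss.
    if rule.dst and _member(dst, rule.dst) == rule.dst_negated:
        return False
    return True


def evaluate(ruleset, iface: str, proto: str, src: str, dst: str) -> str:
    """pf action for a packet entering `iface`: first matching rule wins, and rules
    attached to other interfaces are never consulted."""
    src_a, dst_a = ip_address(src), ip_address(dst)
    for rule in ruleset:
        if _matches(rule, iface, proto, src_a, dst_a):
            return pf_action(rule)
    return "block drop"           # implicit default deny


def nmap_state(action: str, proto: str) -> str:
    """'block return' answers TCP with RST and UDP with ICMP port-unreachable, which
    nmap prints as 'closed'; a silently dropped probe prints as 'filtered' for
    TCP and 'open|filtered' for UDP (an open UDP port is also silent)."""
    if action == "pass":
        return "decided by the host"
    if action == "block return" and proto in ("tcp", "udp"):
        return "closed"
    return "open|filtered" if proto == "udp" else "filtered"


# Original setup: Green passes everything, PurpleServer rejects everything.
ORIGINAL = [
    Rule("green", "pass", src=[GREEN]),
    Rule("purple", "reject", proto="any"),
]

# Alias-based setup from the second post.
WITH_ALIASES = [
    Rule("green", "pass", src=[GREEN], dst=ALLOW_ALIAS),
    Rule("green", "pass", src=[GREEN], dst=BLOCK_ALIAS, dst_negated=True),
    Rule("purple", "reject", proto="any"),
]


def demo() -> dict:
    ws, allowed, other, internet = "10.1.0.5", "10.2.0.10", "10.2.0.20", "203.0.113.7"
    return {
        "original: green -> purple host": evaluate(ORIGINAL, "green", "tcp", ws, other),
        "aliases: green -> allowed server": evaluate(WITH_ALIASES, "green", "tcp", ws, allowed),
        "aliases: green -> other purple host": evaluate(WITH_ALIASES, "green", "tcp", ws, other),
        "aliases: green -> internet": evaluate(WITH_ALIASES, "green", "tcp", ws, internet),
        "nmap vs reject/any": nmap_state(pf_action(Rule("purple", "reject")), "tcp"),
        "nmap vs reject/tcp": nmap_state(pf_action(Rule("purple", "reject", proto="tcp")), "tcp"),
        "nmap vs block/tcp": nmap_state(pf_action(Rule("purple", "block", proto="tcp")), "tcp"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:38s} {result}")
```

Two things worth noticing when running it: the Purple "reject everything" rule is never reached for a Green-to-Purple packet under either rule set, because that packet enters the Green interface; it is the absence of a matching Green rule under the alias layout that produces the default drop. And a Reject rule with protocol "any" ends up as a silent drop in this model, which is exactly the "all ports filtered" result in the nmap output above, whereas the same rule restricted to TCP yields "closed". The authoritative check on a real box is the compiled ruleset from `pfctl -sr`, which shows whether a rule was installed as `block drop` or `block return`.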
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.