How/why is port 443 allowed by default?



  • Hello fellow pfSensers. I'm new to pfSense but like it so far. The configurability is awesome.

    A couple of questions regarding the internal network (LAN1) side. I have two questions for you guys.

    1. Not sure why the firewall is allowing HTTPS through.

    2. Also, I cannot block ICMP. I have tried to "block all" and "block icmp" and nothing can block ICMP.

    Any ideas why these two things are happening?



  • Hi rogers - I think right now your Block * as the last rule isn't working, that's why ICMP and HTTPS are getting through - To block all packets use Source = LAN subnet

    To block ICMP ping from LAN -> WAN you'll be adding
    Action = Block
    Interface = LAN
    Protocol ICMP
    ICMP type = Echo
    Source = LAN subnet
    destination = ANY
    Schedule (your choice)
    gateway = default

    10 rem Warren
    20 goto 10



  • The built-in mechanisms will not allow you to disable HTTPS since this is required to access the WebGUI.  You can go to System -> Advanced and disable the Anti-lockout rule.
    Take note that you MUST at least add an allow rule to access the pfsense LAN IP via HTTPS or switch it to HTTP before disabling the anti-lockout rule!

    You don't need to add a block all rule for LAN.  Simply disabling the default LAN->ANY rule will do.  There is an implicit deny all in the rule set.

    Last but not least, you need to remember to flush the firewall states after changing the rules before you test.  Existing connections are not subject to rule changes!



  • @rootuser:

    Hi rogers - I think right now your Block * as the last rule isn't working, that's why ICMP and HTTPS are getting through - To block all packets use Source = LAN subnet

    To block ICMP ping from LAN -> WAN you'll be adding
    Action = Block
    Interface = LAN
    Protocol ICMP
    ICMP type = Echo
    Source = LAN subnet
    destination = ANY
    Schedule (your choice)
    gateway = default

    10 rem Warren
    20 goto 10

    Thanks rootuser, I will try this and see what happens. I was also attempting to use "LAN address" and did realize that it wanted an actual LAN IP address. This interface will just take some getting used to. Thanks for the reply and helping me figure this out.

    @dreamslacker:

    The built-in mechanisms will not allow you to disable HTTPS since this is required to access the WebGUI.  You can go to System -> Advanced and disable the Anti-lockout rule.
    Take note that you MUST at least add an allow rule to access the pfsense LAN IP via HTTPS or switch it to HTTP before disabling the anti-lockout rule!

    You don't need to add a block all rule for LAN.  Simply disabling the default LAN->ANY rule will do.  There is an implicit deny all in the rule set.

    Last but not least, you need to remember to flush the firewall states after changing the rules before you test.  Existing connections are not subject to rule changes!

    I believe I did "flush" the firewall rule states after changing. Isn't that the "Apply Changes" button, or is there something else I need to do to cycle the firewall state?



  • Diagnostics -> States -> Reset States.



  • I'm having the same problem (http://forum.pfsense.org/index.php/topic,30482.0.html). Any solution for this yet?



  • @sinac:

    I'm having the same problem (http://forum.pfsense.org/index.php/topic,30482.0.html). Any solution for this yet?

    I tried using "lan subnet" and it worked. But it seems that you are trying to perform a more complex task using a VPN. I know that doesn't help at all but I am still trying to learn this myself. If all else fails, I would try "bumping" your thread.



  • hi @ all,

    1. Not sure why the firewall is allowing HTTPS through.

    -> hmmm, ssl login to gmx f.e. or ebay

    2. Also, I cannot block ICMP. I have tried to "block all" and "block icmp" and nothing can block ICMP.

    -> you can't block, I can ;)
    Block ICMP LAN net * * * *   Block LAN Ping
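
    The rule ordering the replies above describe (anti-lockout allow, block ICMP echo from the LAN subnet, implicit deny once the default LAN -> any pass rule is gone), written out as a raw pf ruleset. This is an added illustration, not pfSense's generated rules; the interface name em1 and the LAN addresses are assumptions.

```pf
# Added illustration in raw pf syntax; pfSense generates its own rules from the GUI.
# Assumptions: LAN interface is em1, LAN subnet 192.168.1.0/24, firewall LAN IP 192.168.1.1.
lan = "em1"
lan_net = "192.168.1.0/24"
lan_ip = "192.168.1.1"

# Anti-lockout: keep WebGUI access to the firewall's own LAN IP over HTTPS (and HTTP).
# Add an equivalent explicit allow before disabling the anti-lockout rule in the GUI.
pass in quick on $lan proto tcp from $lan_net to $lan_ip port { 80 443 } keep state

# Block ICMP echo requests from LAN clients. Source must be the LAN subnet, not the
# firewall's LAN address, otherwise the rule never matches client-originated pings.
block in quick on $lan inet proto icmp from $lan_net to any icmp-type echoreq

# With the default "LAN -> any" pass rule removed, nothing else matches and the
# implicit deny applies; written out explicitly here so the ordering is visible.
block in on $lan all
```

    pf keeps existing state entries across a rule reload, so reset states (Diagnostics -> States -> Reset States in the GUI, or `pfctl -F states` at a shell) before testing that an already-open connection is now blocked.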

