How/why is port 443 allowed by default?
-
Hello fellow pfSensers. I'm new to pfSense but like it so far. The configurability is awesome.
A couple of questions regarding the internal network (LAN1) side. I have two questions for you guys.
-
Not sure why the firewall is allowing HTTPS through.
-
Also, I cannot block ICMP. I have tried to "block all" and "block icmp" and nothing can block ICMP.
Any ideas why these two things are happening?
-
-
Hi rogers - I think right now your Block * as the last rule isn't working, that's why ICMP and HTTPS are getting through - To block all packets use Source = LAN subnet
To block ICMP ping from LAN –> WAN you'll be adding
Action = Block
Interface = LAN
Protocol ICMP
ICMP type = Echo
Source = LAN subnet
destination = ANY
Schedule (your choice)
gateway = default
10 rem Warren
20 goto 10
-
The built in mechanisms will not allow you to disable HTTPS since this is required to access the WebGUI. You can go to System -> Advanced and disable the Anti-lockout rule.
Take note that you MUST at least add an allow rule to access the pfSense LAN IP via HTTPS or switch it to HTTP before disabling the anti-lockout rule!
You don't need to add a block all rule for LAN. Simply disabling the default LAN->ANY rule will do. There is an implicit deny all in the rule set.
Last but not least, you need to remember to flush the firewall states after changing the rules before you test. Existing connections are not subject to rule changes!
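The rule-ordering and state behaviour described in the two replies above, as an added Python model (not pfSense code and not any poster's own): rules are evaluated top-down with the first match winning, a packet that matches an existing state skips the rules entirely, and anything unmatched falls to the implicit deny. The Rule/Firewall helpers, rule names and all addresses are constructed for the illustration.

```python
"""Toy model of pfSense first-match ("quick") rule evaluation with a state table.
Added illustration, not pfSense code; all addresses are constructed."""
import ipaddress
from collections import namedtuple

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN
LAN_IP = "192.168.1.1"                                # firewall's own LAN address
# action: pass|block, proto: tcp|icmp|any, src: lan_subnet|any, dst: IP|any, dport: int|None
Rule = namedtuple("Rule", "action proto src dst dport desc")

def matches(rule, pkt):
    return (rule.proto in ("any", pkt["proto"])
            and (rule.src == "any" or ipaddress.ip_address(pkt["src"]) in LAN_SUBNET)
            and rule.dst in ("any", pkt["dst"])
            and (rule.dport is None or rule.dport == pkt.get("dport")))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # flows already passed; cleared by "Reset States"

    def filter(self, pkt):
        """Return (action, reason). Existing states bypass the rules entirely."""
        key = (pkt["proto"], pkt["src"], pkt["dst"], pkt.get("dport"))
        if key in self.states:
            return "pass", "existing state"
        for rule in self.rules:           # top-down, first match wins
            if matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action, rule.desc
        return "block", "implicit default deny"

ANTI_LOCKOUT = Rule("pass", "tcp", "any", LAN_IP, 443, "anti-lockout (webGUI)")
DEFAULT_LAN = Rule("pass", "any", "lan_subnet", "any", None, "default LAN -> any")
BLOCK_ALL = Rule("block", "any", "lan_subnet", "any", None, "Block *")
BLOCK_PING = Rule("block", "icmp", "lan_subnet", "any", None, "Block LAN Ping")
PING = {"proto": "icmp", "src": "192.168.1.50", "dst": "203.0.113.9"}
WEBGUI = {"proto": "tcp", "src": "192.168.1.50", "dst": LAN_IP, "dport": 443}

def demo():
    fw = Firewall([ANTI_LOCKOUT, DEFAULT_LAN, BLOCK_ALL])
    shadowed = fw.filter(PING)             # Block * sits below the pass rule: never reached
    fw.rules = [ANTI_LOCKOUT, BLOCK_PING]  # disable default LAN -> any, add the ICMP rule
    cached = fw.filter(PING)               # same flow still passes on its existing state
    fw.states.clear()                      # Diagnostics -> States -> Reset States
    fresh = fw.filter(PING)                # now blocked by the ICMP rule
    gui = fw.filter(WEBGUI)                # anti-lockout still passes HTTPS to LAN IP
    return shadowed, cached, fresh, gui
```

Running demo() walks through the thread's three situations in order: the shadowed "Block *" rule, the stale state that survives a rule edit, and the anti-lockout rule that keeps HTTPS to the firewall open.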
-
Thanks rootuser, I will try this and see what happens. I was also attempting to use "LAN address" and did realize that it wanted an actual LAN IP address. This interface will just take some getting used to. Thanks for the reply and helping me figure this out.
I believe I did "flush" the firewall rule states after changing. Isn't that the "Apply Changes" button, or is there something else I need to do to cycle the firewall state?
-
Diagnostics -> States -> Reset States.
-
I'm having the same problem (http://forum.pfsense.org/index.php/topic,30482.0.html). Any solution for this yet?
-
I tried using "lan subnet" and it worked. But it seems that you are trying to perform a more complex task using a VPN. I know that doesn't help at all but I am still trying to learn this myself. If all else fails, I would try "bumping" your thread.
-
Hi all,
- Not sure why the firewall is allowing HTTPS through.
–> hmmm, SSL login to GMX, for example, or eBay
- Also, I cannot block ICMP. I have tried to "block all" and "block icmp" and nothing can block ICMP.
–> you can't block it, I can ;)
Action = Block
Protocol = ICMP
Source = LAN net
Source port = *
Destination = *
Destination port = *
Gateway = *
Description = Block LAN Ping