Firewall pin hole question



  • I have a server behind pfSense that I created a pinhole for in 1.2.3, before I upgraded.
    Version built on Tue Mar 15 08:53:58 EDT 2011

    Here is what one of my pin hole configs looked like:

     <rule>
       <protocol>tcp</protocol>
       <target>192.168.1.115</target>
       <local-port>22</local-port>
       <interface>wan</interface>
       <source><any/><port/></source>
       <destination><port>222</port><network>wanip</network></destination>
     </rule>
    

    The above config is for an SSH server running on port 22, but the WAN accepts TCP packets on port 222. This is from 1.2.3 and is now in my 2.0 config.

    I tried the same thing for another server. Note that this is a new rule created within 2.0.

     <rule>
       <source><any/></source>
       <destination><network>wanip</network><port>8080</port></destination>
       <protocol>tcp</protocol>
       <target>192.168.1.102</target>
       <local-port>4040</local-port>
       <interface>wan</interface>
       <associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
     </rule>
    

    The 2.0 rule for server 1.102 is not working correctly. The server runs on 4040, but the WAN accepts TCP packets on port 8080. Why isn't this working?



  • Okay, I attempted to modify the config manually to correct the problem.

    I changed the NAT entry for 1.102 like so:
    Original:

     <rule>
       <source><any/></source>
       <destination><network>wanip</network><port>8080</port></destination>
       <protocol>tcp</protocol>
       <target>192.168.1.102</target>
       <local-port>4040</local-port>
       <interface>wan</interface>
       <associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
     </rule>
    
    
    Modified:

     <rule>
       <protocol>tcp</protocol>
       <target>192.168.1.102</target>
       <local-port>4040</local-port>
       <interface>wan</interface>
       <source><any/><port/></source>
       <destination><port>8080</port><network>wanip</network></destination>
       <associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
     </rule>
    
    
    Now the firewall entries.
    Original:

     <rule>
       <source><any/></source>
       <interface>wan</interface>
       <protocol>tcp</protocol>
       <destination><address>192.168.1.102</address><port>4040</port></destination>
       <associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
     </rule>
    

    Modified:

     <rule>
       <type>pass</type>
       <interface>wan</interface>
       <max-src-nodes/>
       <max-src-states/>
       <statetimeout/>
       <statetype>keep state</statetype>
       <os/>
       <protocol>tcp</protocol>
       <source><any/></source>
       <destination><address>192.168.1.102</address><port>4040</port></destination>
       <associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
     </rule>
    

    And now it works! Really, why?
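The post above pairs each port-forward (`<nat><rule>`) with a linked `<filter><rule>` through `associated-rule-id`, and the fix that worked was making that filter rule an explicit `pass` whose destination matches the NAT target and local port. The script below is an added example, not part of the original thread or of pfSense itself: it parses a constructed config fragment laid out like the snippets quoted in the thread (the element names and nesting are taken from those snippets and are an assumption about the schema, not pfSense's documented format) and reports every NAT rule whose linked filter rule is missing, is not a `pass` rule, or does not match it on interface, protocol, destination address or port. The `nat_example_*` ids and the `SAMPLE_CONFIG` contents are made up for the example.

```python
"""Audit pfSense-style port forwards in a config.xml fragment.

Added example, not the thread's or pfSense's own code. The element layout
is modelled on the NAT and filter rule snippets quoted in the thread and is
an assumption about the schema. SAMPLE_CONFIG is constructed test data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the first pair (ssh) is consistent; the second pair
# (web) deliberately reproduces the failure discussed in the thread, with a
# filter rule that carries no <type>pass</type> and points at the wrong port.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>222</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.115</target>
      <local-port>22</local-port>
      <interface>wan</interface>
      <associated-rule-id>nat_example_ssh</associated-rule-id>
    </rule>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>8080</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.102</target>
      <local-port>4040</local-port>
      <interface>wan</interface>
      <associated-rule-id>nat_example_web</associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.115</address><port>22</port></destination>
      <associated-rule-id>nat_example_ssh</associated-rule-id>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.102</address><port>8080</port></destination>
      <associated-rule-id>nat_example_web</associated-rule-id>
    </rule>
  </filter>
</pfsense>
"""


def _text(elem, path):
    """Stripped text of a child element, or None if absent or empty."""
    child = elem.find(path)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def audit_port_forwards(config_xml):
    """Return a list of (associated-rule-id, problem) tuples.

    For each <nat><rule> the linked <filter><rule> (same associated-rule-id)
    must exist, be an explicit <type>pass</type>, share the NAT rule's
    interface and protocol, and have a destination equal to the NAT rule's
    target/local-port, i.e. the post-translation address the filter sees.
    """
    root = ET.fromstring(config_xml)
    filter_rules = {}
    for frule in root.findall("./filter/rule"):
        rid = _text(frule, "associated-rule-id")
        if rid:
            filter_rules[rid] = frule

    findings = []
    for nrule in root.findall("./nat/rule"):
        rid = _text(nrule, "associated-rule-id")
        if not rid:
            findings.append((None, "NAT rule has no associated-rule-id"))
            continue
        frule = filter_rules.get(rid)
        if frule is None:
            findings.append((rid, "no filter rule carries this associated-rule-id"))
            continue
        if _text(frule, "type") != "pass":
            findings.append((rid, "linked filter rule is not an explicit <type>pass</type>"))
        for field in ("interface", "protocol"):
            if _text(frule, field) != _text(nrule, field):
                findings.append((rid, "%s differs between NAT and filter rule" % field))
        if _text(frule, "destination/address") != _text(nrule, "target"):
            findings.append((rid, "filter destination address != NAT target"))
        if _text(frule, "destination/port") != _text(nrule, "local-port"):
            findings.append((rid, "filter destination port != NAT local-port"))
    return findings


if __name__ == "__main__":
    for rule_id, problem in audit_port_forwards(SAMPLE_CONFIG):
        print("%s: %s" % (rule_id, problem))
```

To run it against a real firewall, replace `SAMPLE_CONFIG` with the contents of a backed-up config.xml; anything the script reports for a rule id is a pinhole that pf will translate but the filter may not admit, which is the symptom described in the thread.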



  • Now my PPTP VPN is working again, just because I manually modified the config to match the 1.2.3 legacy rules.

    Why does 2.0 create those XML rules in a way that breaks the firewall pinhole and other things like PPTP? What can I do to correct this for other firewall pinholes that I will create in the future, without manually editing the config.xml?



  • I was hoping someone could tell me if they are experiencing the problem, or maybe someone could shed some light on the issue. Thoughts?

