    Outgoing rules ?

    Firewalling
    • P
      pfsense_user_123 last edited by

      Hi all,
      Quick question.
      I want to create rules:

      block out on EXT_IF from any to <iana_reserved>
      block out on EXT_IF from any to <private_networks>

      I don't want to send garbage into the public network.

      But pfSense is constructed to work on IN rules!
      There is NAT from LAN to the public network on that machine (so creating rules inbound on the LAN interface is no solution!).
      And what now?

      • GruensFroeschli
        GruensFroeschli last edited by

        Why can't you create a rule on the LAN interface saying:

        Block
        Source: LAN
        Destination: iana_reserved

        Block
        Source: LAN
        Destination: private_networks

        ?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • P
          pfsense_user_123 last edited by

          LAN INT:
          192.168.1.1

          Block on the LAN int traffic from any to 192.168.0.0/16? - I'll block myself.
          If I leave it, I will send garbage to these networks via the public int.

          • GruensFroeschli
            GruensFroeschli last edited by

            Local traffic never goes over the router/pfSense.
            The only "problem" I see is that you might block yourself from accessing services on the pfSense.

            What I'd do in your case:
            Create 2 aliases:
            One alias called "allowed_local_traffic":
            Put into this the IP of your pfSense interface and all local subnets you use.
            One alias called "blocked_local_stuff":
            Put into this one all RFC 1918 subnets and whatever you think shouldn't go to the internet.

            Now add the following firewall rules to your LAN interface:
            1 allow-rule: source: LAN, destination: "allowed_local_traffic"
            2 allow-rule: source: LAN, destination: "NOT "blocked_local_stuff""

            This way you allow traffic to your selected local destinations, and you also allow traffic to all destinations except blocked_local_stuff.
            Everything else is blocked.

            • P
              pfsense_user_123 last edited by

              So ok, I can do rules like that.

              block in quick on int_if from any to <bogons>

              So I'll not push garbage through the WAN int, because this traffic will be blocked on INT_IF before it reaches the WAN.

              But what about a situation like this:
              One machine (e.g. alix) with 3 LAN ints.

              LAN1-------------LAN2----------LAN3-----------WAN
              10.0.0.0/8       172.16.0.0/12  192.168.0.0/16  x.x.x.x

              And what about traffic generated directly from the firewall (e.g. log in to the console, ssh to WAN_if and ping 10.0.0.1)?
              Without a "block out" rule, I will push the packet through the WAN int to the public network.

              • P
                pfsense_user_123 last edited by

                Local traffic never goes over the router/pfSense.

                Are you sure?
                Because my tcpdump says something different.
                On the WAN int I see an ICMP packet with the source IP of my public WAN and dst e.g. 10.0.0.1, and it goes to the operator network!

                • P
                  pfsense_user_123 last edited by

                  allow-rule: source: LAN, destination: "allowed_local_traffic"

                  This will pass traffic QUICK, so other rules won't be checked.

                  So the packet will pass through the WAN int (if I use e.g. allowed_local_traffic = 10.0.0.0/8).

                  • GruensFroeschli
                    GruensFroeschli last edited by

                    @pfsense_user_123:

                    So ok, I can do rules like that.

                    block in quick on int_if from any to <bogons>

                    So I'll not push garbage through the WAN int, because this traffic will be blocked on INT_IF before it reaches the WAN.

                    But what about a situation like this:
                    One machine (e.g. alix) with 3 LAN ints.

                    LAN1-------------LAN2----------LAN3-----------WAN
                    10.0.0.0/8       172.16.0.0/12  192.168.0.0/16  x.x.x.x

                    And what about traffic generated directly from the firewall (e.g. log in to the console, ssh to WAN_if and ping 10.0.0.1)?
                    Without a "block out" rule, I will push the packet through the WAN int to the public network.

                    With a setup like this you'd simply update your alias containing your local nets.

                    No, traffic generated by the pfSense won't be blocked.
                    But then, the pfSense shouldn't be generating traffic in the first place, should it?
                    I've read that it is possible to block traffic from the pfSense itself with floating rules, but I never used this nor do I know how.

                    @pfsense_user_123:

                    Local traffic never goes over the router/pfSense.

                    Are you sure?
                    Because my tcpdump says something different.
                    On the WAN int I see an ICMP packet with the source IP of my public WAN and dst e.g. 10.0.0.1, and it goes to the operator network!

                    Did you generate this ping on the pfSense itself?
                    If yes, see above.
                    Did you generate this on a computer behind the pfSense? If yes, then this packet was sent to the upstream gateway because it wasn't destined for a local net.
                    Otherwise the routing table would have sent it to the correct local net and not the next hop.

                    @pfsense_user_123:

                    allow-rule: source: LAN, destination: "allowed_local_traffic"

                    This will pass traffic QUICK, so other rules won't be checked.

                    So the packet will pass through the WAN int (if I use e.g. allowed_local_traffic = 10.0.0.0/8).

                    See above:
                    The frame will only be passed to the next hop if the net doesn't exist locally.
                    Of course, if you say you have the whole 10/8 net locally in the firewall rule but you don't, this will go to the WAN.
                    Your aliases and actual existing local nets have to match.

                    • P
                      pfsense_user_123 last edited by

                      I've found a solution.
                      Rule syntax with "out" is available in the "floating" bookmark.
                      So I create the rule:

                      block quick out on EXT_IF from any to <bogons>

                      :-)
                      WORKS FINE.

                      I've also tried the concept of blocking packets "inbound" on the local interface (which could be a better solution, to block unwanted garbage very fast before it reaches the inside of the router).
                      And it works halfway.

                      It looks like only TCP traffic with flags S/SA is checked by this rule (which is obvious).
                      pass in log quick on vr0 inet from 192.168.1.0/24 to ! <private_networks_out> flags S/SA keep state label "USER_RULE"
                      pass in log quick on vr0 inet from 192.168.1.0/24 to ! <bogons_out> flags S/SA keep state label "USER_RULE"
                      A packet with SYN flags matches the rule and is blocked.
                      But the rest of the traffic (ICMP) is not going to the default block rule! - and it escapes from the WAN int

                      00:00:00.000000 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 8458, length 40
                      00:00:05.499144 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 8970, length 40
                      00:00:05.499085 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 9482, length 40
                      00:00:05.499103 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 9994, length 40
                      00:00:05.499114 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 10506, length 40

                      hmnnn any idea?

                      • C
                        cmb last edited by

                        The flags only apply to TCP traffic; that rule will match ICMP also. Any traffic initiated from the firewall itself will not hit the default deny rule.

                        • P
                          pfsense_user_123 last edited by

                          I know that.

                          But the ping was initiated from a machine in the NATed network.

                          Tcpdump runs on the WAN int (and the output you see is the NATed packet on the WAN int).

                          • C
                            cmb last edited by

                            The ICMP is matching some other rule that's passing it then. If it's passed before it hits that 'block out', that won't apply.

                            • P
                              pfsense_user_123 last edited by

                              That was the first thing I checked.

                              There are no ICMP rules.

                              #pfctl -s rules
                              scrub in on pppoe0 all no-df random-id fragment reassemble
                              scrub in on vr0 all no-df random-id fragment reassemble
                              anchor "relayd/*" all
                              block drop in log all label "Default deny rule"
                              block drop out log all label "Default deny rule"
                              block drop in quick inet6 all
                              block drop out quick inet6 all
                              block drop quick proto tcp from any port = 0 to any
                              block drop quick proto tcp from any to any port = 0
                              block drop quick proto udp from any port = 0 to any
                              block drop quick proto udp from any to any port = 0
                              block drop quick from <snort2c> to any label "Block snort2c hosts"
                              block drop quick from any to <snort2c> label "Block snort2c hosts"
                              block drop quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
                              block drop quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
                              block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
                              block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
                              block drop in quick from <virusprot> to any label "virusprot overload table"
                              block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
                              block drop in on ! pppoe0 inet from my.public.ip to any
                              block drop in inet from my.public.ip to any
                              block drop in on pppoe0 inet6 from fe80::20d:b9ff:fe21:a5cc to any
                              block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
                              block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
                              block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
                              block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
                              block drop in on ! vr0 inet from 192.168.1.0/24 to any
                              block drop in inet from 192.168.1.1 to any
                              block drop in on vr0 inet6 from fe80::20d:b9ff:fe21:a5cc to any
                              pass in on vr0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
                              pass in on vr0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
                              pass out on vr0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
                              pass in on lo0 all flags S/SA keep state label "pass loopback"
                              pass out on lo0 all flags S/SA keep state label "pass loopback"
                              pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                              pass out route-to (pppoe0 my.public.gateway) inet from my.public.ip to ! my.public.ip flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                              pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
                              pass in quick on vr0 proto tcp from any to (vr0) port = http flags S/SA keep state label "anti-lockout rule"
                              pass in quick on vr0 proto tcp from any to (vr0) port = https flags S/SA keep state label "anti-lockout rule"
                              pass in quick on vr0 proto tcp from any to (vr0) port = ssh flags S/SA keep state label "anti-lockout rule"
                              anchor "userrules/*" all
                              pass in quick on pppoe0 inet from 83.238.181.5 to my.public.ip flags S/SA keep state label "USER_RULE: PASS ZRE" queue(qGames, qACK)
                              pass in quick on pppoe0 inet proto tcp from any to my.public.ip port = https flags S/SA keep state label "USER_RULE"
                              pass in quick on vr0 inet from 192.168.1.0/24 to 192.168.1.1 flags S/SA keep state label "USER_RULE"
                              pass in log quick on vr0 inet from 192.168.1.0/24 to ! <bogons_out> flags S/SA keep state label "USER_RULE"
                              pass in log quick on vr0 inet from 192.168.1.0/24 to ! <private_networks_out> flags S/SA keep state label "USER_RULE"
                              pass in quick on enc0 all flags S/SA keep state label "USER_RULE"
                              pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
                              pass out on pppoe0 route-to (pppoe0 my.public.gateway) inet proto udp from any to any port = isakmp keep state label "IPsec: any - outbound isakmp"
                              pass in on pppoe0 reply-to (pppoe0 my.public.gateway) inet proto udp from any to any port = isakmp keep state label "IPsec: any - inbound isakmp"
                              pass out on pppoe0 route-to (pppoe0 my.public.gateway) inet proto udp from any to any port = sae-urn keep state label "IPsec: any - outbound nat-t"
                              pass in on pppoe0 reply-to (pppoe0 my.public.gateway) inet proto udp from any to any port = sae-urn keep state label "IPsec: any - inbound nat-t"
                              pass out on pppoe0 route-to (pppoe0 my.public.gateway) inet proto esp all keep state label "IPsec: any - outbound esp proto"
                              pass in on pppoe0 reply-to (pppoe0 my.public.gateway) inet proto esp all keep state label "IPsec: any - inbound esp proto"
                              anchor "tftp-proxy/*" all

                              #pfctl -s nat
                              nat-anchor "natearly/*" all
                              nat-anchor "natrules/*" all
                              nat on pppoe0 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> my.public.ip port 500
                              nat on pppoe0 inet from 192.168.33.0/24 port = isakmp to any port = isakmp ->my.public.ip port 500
                              nat on pppoe0 inet from 192.168.254.0/24 port = isakmp to any port = isakmp -> my.public.ip port 500
                              nat on pppoe0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> my.public.ip port 500
                              nat on pppoe0 inet from 192.168.1.0/24 to any -> my.public.ip port 1024:65535
                              nat on pppoe0 inet from 192.168.33.0/24 to any -> my.public.ip port 1024:65535
                              nat on pppoe0 inet from 192.168.254.0/24 to any -> my.public.ip port 1024:65535
                              nat on pppoe0 inet from 127.0.0.0/8 to any -> my.public.ip port 1024:65535
                              nat on pppoe0 inet from 127.0.0.1 to any -> my.public.ip port 1024:65535
                              rdr-anchor "relayd/*" all
                              rdr-anchor "tftp-proxy/*" all
                              rdr pass on pppoe0 inet proto udp from any to my.public.ip port = tftp -> 127.0.0.1 port 69
                              rdr-anchor "miniupnpd" all

                              #ftp 10.1.1.1
                              #tcpdump -n -e -ttt -i pflog0 host 10.1.1.1
                              tcpdump: WARNING: pflog0: no IPv4 address assigned
                              tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                              listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
                              00:00:00.000000 rule 42/0(match): pass in on vr0: 192.168.1.2.3663 > 10.1.1.1.21:  tcp 28 [bad hdr length 0 - too short, < 20]

                              #ping 10.1.1.1
                              #tcpdump -n -e -ttt -i pppoe0 host 10.1.1.1
                              tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                              listening on pppoe0, link-type NULL (BSD loopback), capture size 96 bytes
                              00:00:00.000000 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 22837, seq 49676, length 40

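The two mechanisms argued over in this thread, last-match-wins evaluation with `quick` short-circuiting, and `flags S/SA` being a TCP-only test that an ICMP packet sails past, can be checked without a pfSense box. The following is an added example, not code from pfSense or from anyone in the thread: a toy evaluator with pf's matching order, run over a constructed ruleset that keeps only the relevant lines of the `pfctl -s rules` dump above (the non-quick default denies, the non-quick "let out anything from firewall host itself" pass rule, and one of the user's quick `to ! <table>` LAN rules) and the same ruleset with the floating `block quick out` that the user found to work. Interface names `vr0`/`pppoe0` are the thread's; the table contents, the rule labels and the sample addresses (203.0.113.10 standing in for `my.public.ip`) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed table contents: RFC 1918 space, standing in for the thread's
# <private_networks> / <bogons> tables.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_NET = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    direction: str               # "in" or "out"
    iface: str                   # "vr0" (LAN) or "pppoe0" (WAN), as in the thread
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_syn_only: bool = False   # a TCP packet with SYN set and ACK clear


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    label: str
    direction: Optional[str] = None    # None = both directions
    iface: Optional[str] = None        # None = any interface
    proto: Optional[str] = None        # None = any protocol
    src: Optional[list] = None         # list of networks; None = any
    dst: Optional[list] = None
    dst_negated: bool = False          # pf's "to ! <table>"
    flags_s_sa: bool = False           # pf's "flags S/SA": a TCP-only test
    quick: bool = False


def in_nets(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def rule_matches(rule, pkt):
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src is not None and not in_nets(pkt.src, rule.src):
        return False
    # "to ! <table>" matches only when the destination is NOT in the table
    if rule.dst is not None and in_nets(pkt.dst, rule.dst) == rule.dst_negated:
        return False
    # "flags S/SA" is a TCP flag test; pf does not apply it to ICMP or UDP,
    # so an ICMP packet still matches a rule that carries the clause.
    if rule.flags_s_sa and pkt.proto == "tcp" and not pkt.tcp_syn_only:
        return False
    return True


def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation at that rule. No match at all means pass."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return "pass", "implicit default pass"
    return winner.action, winner.label


# Simplified from the thread's dump: non-quick default denies first, then the
# non-quick "let out anything from firewall host itself" pass rule, then the
# user's quick LAN rule with a negated table.
RULES_AS_DUMPED = [
    Rule("block", "Default deny rule (in)", direction="in"),
    Rule("block", "Default deny rule (out)", direction="out"),
    Rule("pass", "let out anything from firewall host itself",
         direction="out", flags_s_sa=True),
    Rule("pass", "USER_RULE: LAN to ! <private_networks_out>", direction="in",
         iface="vr0", src=LAN_NET, dst=PRIVATE_NETS, dst_negated=True,
         flags_s_sa=True, quick=True),
]

# The fix the thread arrives at: a floating "block quick out" on the WAN.
# Floating rules are evaluated before interface rules, so it goes first.
RULES_WITH_FLOATING_BLOCK = [
    Rule("block", "FLOATING: block quick out on pppoe0 to <private_networks>",
         direction="out", iface="pppoe0", dst=PRIVATE_NETS, quick=True),
] + RULES_AS_DUMPED

# Constructed sample packets (203.0.113.10 stands in for my.public.ip).
ICMP_OUT_TO_PRIVATE = Packet("out", "pppoe0", "icmp", "203.0.113.10", "10.1.1.1")
SYN_IN_TO_PRIVATE = Packet("in", "vr0", "tcp", "192.168.1.2", "10.1.1.1", tcp_syn_only=True)
SYN_IN_TO_PUBLIC = Packet("in", "vr0", "tcp", "192.168.1.2", "198.51.100.7", tcp_syn_only=True)

if __name__ == "__main__":
    for name, rules in (("as dumped", RULES_AS_DUMPED),
                        ("with floating block", RULES_WITH_FLOATING_BLOCK)):
        for pkt in (ICMP_OUT_TO_PRIVATE, SYN_IN_TO_PRIVATE, SYN_IN_TO_PUBLIC):
            action, label = evaluate(rules, pkt)
            print(f"{name:20} {pkt.proto:4} {pkt.direction:3} on {pkt.iface:6} "
                  f"{pkt.src} -> {pkt.dst}: {action} ({label})")
```

With the ruleset as dumped, the NATed ICMP echo leaving `pppoe0` is passed by "let out anything from firewall host itself", because that rule comes after the default deny, is not `quick`, and its `flags S/SA` clause does not constrain ICMP; a TCP SYN from the LAN to 10.1.1.1 is blocked only because the negated `to ! <private_networks_out>` rule fails to match it and the default deny is left standing. Placing the floating `block quick out` first changes the ICMP verdict to block without touching the LAN rules.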
                              • P
                                pfsense_user_123 last edited by

                                OK,
                                where can I find this rule in the web GUI configurator?

                                pass out route-to (pppoe0 my.public.gateway) inet from my.public.ip to ! my.public.ip flags S/SA keep state allow-opts label "let out anything from firewall host itself"

                                ???
