Rules: Allow certain ports over firewall



  • I assume I need some sort of floating rules to do this. Here's the scenario.

    pfSense 2 (release - been using it since the betas)
    IP Blocklist (blocking ap2p orgs, bad peers and proxies)
    Pentium D 2.8 GHz

    • 2 GB RAM
    • ~160 GB HDD
    • Integrated NIC (opt1)
    • Dual Intel Pro 1000 NIC (wan and lan)
      Snort and various other stats packages

    I've got 10.1.1.0 on LAN and 10.1.10.0 on OPT1. I want to allow all HTTP and HTTPS traffic from my clients to get past the blocklist bits so we can all surf freely. I thought something like this would work:

    pass in on $LAN proto tcp from any port = 80 to any label "http 1"
    pass out on $LAN proto tcp from any to any port = 80 label "http 2"


    The problem with that is I have no idea where to put something like that. I tried the rules.debug file, but it gets regenerated on a filter refresh. I'd like to know where the file is I should add rules manually. I assume there is one.

    The rules that got put in when I tried some floating rules through the GUI are:

    pass out quick on { em0 em1 } proto tcp from 10.1.1.0/24 to any port 80 flags S/SA keep state label "USER_RULE"
    pass in quick on { em0 em1 } proto tcp from any port 80 to 10.1.1.0/24 flags S/SA keep state label "USER_RULE"


    That didn't work to get past the blocklists. One thing I fancied doing was using Squid to bypass all of the firewall business, but I'm not sure what direction to go with that either. I thought it was working sometimes, but apparently the rules were being refreshed after I applied things, and it was all open for a brief amount of time.

    Any suggestions or input would be appreciated. I'm mainly looking for some direction, but some spot-on solutions would be great too!



  • You can manually edit the ipblocklist.inc file and add your rules before the package includes the blacklist.



  • @marcelloc:

    You can manually edit the ipblocklist.inc file and add your rules before the package includes the blacklist.

    That's not a solution. ipblocklist.inc is just the package installation file and has nothing to do with the rule creation in rules.debug. If you're going to manually edit the rules to include your ports, then you will have to modify /usr/local/www/packages/ipblocklist/convert-execute.sh

    Take a look at lines 104 through 115. This is what modifies rules.debug. This is where you can add your pass rule or modify the block rule to exclude port 80. Modifying the block rule to exclude port 80 is ideal and the best solution.

    Don't forget I have already committed to adding this feature in the next release of ipblocklist.
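The ordering the previous posts are arguing about, as an added pf.conf-style fragment (not code from the thread or from the ipblocklist package): the pass rules for 80/443 have to be emitted ahead of the package's block rules and carry "quick", because pf is last-match-wins unless a rule says "quick". Interface names (em0 = WAN, em1 = LAN, taken from the GUI rules quoted earlier), the table name <blocklist>, its file path and the labels are assumptions for illustration; where exactly the package writes its block rules into rules.debug is decided by convert-execute.sh, as noted above.

```pf
# Added example, not from the thread or the ipblocklist package.
# Assumed names: em0 = WAN, em1 = LAN, table <blocklist>, file path.
table <blocklist> persist file "/var/db/ipblocklist/blocklist.txt"   # hypothetical path

# 1) Client web traffic arriving on the LAN interface. "quick" stops rule
#    evaluation here, so the block rules further down never override it.
#    "keep state" covers the reply packets, so no separate
#    "pass in ... from any port 80" rule is needed (a rule keyed on source
#    port 80 would admit any packet that merely chose 80 as its source port).
pass in quick on em1 proto tcp from 10.1.1.0/24 to any port { 80 443 } \
    flags S/SA keep state label "http_https_bypass_lan"

# 2) Same traffic leaving on the WAN interface. pf applies NAT before the
#    outbound filter pass, so by the time this rule is evaluated the source
#    is already the WAN address; matching on 10.1.1.0/24 here would miss,
#    which is why this rule does not repeat the LAN subnet.
pass out quick on em0 proto tcp from any to any port { 80 443 } \
    flags S/SA keep state label "http_https_bypass_wan"

# 3) The blocklist rules (where the package emits them). They only see
#    traffic that no quick pass rule above has already claimed.
block in  quick on em1 proto { tcp udp } from 10.1.1.0/24 to <blocklist> label "ipblocklist_lan"
block in  quick on em0 from <blocklist> to any label "ipblocklist_wan_in"
block out quick on em0 from any to <blocklist> label "ipblocklist_wan_out"
```

Reading the fragment against the first post: the "pass in on $LAN ... port = 80" attempt had no "quick", so any later block rule on the same interface won; and a hand-edited rules.debug is lost on the next filter reload, which is why the package script rather than the generated file is the place to change.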



  • Sorry for that.
    In my packages I put all the 'engine' in the .inc.



  • @tommyboy180:

    Don't forget I have already committed to adding this feature in the next release of ipblocklist.

    I was anxiously curious how to go about it. I work with a lot of CentOS and Ubuntu servers, but I've never toyed with a pfSense box. It's very different, having only managed a FreeBSD box once. Thanks for the suggestion though. Anything helps my journey to get into hacking with pfSense. :) Thanks a lot. I really enjoy your pfSense stuff.

