    Rules: Allow certain ports over firewall

    Firewalling
    Quinn1981 wrote:

      I assume I need some sort of floating rules to do this. Here's the scenario.

      pfSense 2 (release - been using it since the betas)
      IP Blocklist (blocking p2p orgs, bad peers and proxies)
      Pentium D 2.8 GHz

      • 2 GB RAM
      • ~160 GB HDD
      • Integrated NIC (opt1)
      • Dual Intel Pro 1000 NIC (wan and lan)
      • Snort and various other stats packages

      I've got a 10.1.1.0 on lan and 10.1.10.0 opt1. I'm wanting to allow all HTTP and HTTPS traffic from my clients to get past the blocklist bits so we can all surf freely. I thought something like this would work.

      pass in on $LAN proto tcp from any port = 80 to any label "http 1"
      pass out on $LAN proto tcp from any to any port = 80 label "http 2"

      The problem with that is I have no idea where to put something like that. I tried the rules.debug file, but it gets regenerated on a filter refresh. I'd like to know where the file is I should add rules manually. I assume there is one.

      The rules that got put in when I tried some floating rules through the gui are.

      pass out quick on { em0 em1 } proto tcp from 10.1.1.0/24 to any port 80 flags S/SA keep state label "USER_RULE"
      pass in quick on { em0 em1 } proto tcp from any port 80 to 10.1.1.0/24 flags S/SA keep state label "USER_RULE"

      That didn't work to get past the blocklists. One thing I fancied doing was using Squid to bypass all of the firewall business, but I'm not sure what direction to go with that either. I thought it was working sometimes, but apparently the rules were being refreshed after I applied things and it was all open for a brief amount of time.

      Any suggestions or input would be appreciated. I'm mainly looking for some direction, but some spot-on solutions would be great too!

      marcelloc wrote:

        You can manually edit the ipblocklist.inc file and add your rules before the package includes the blacklist.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        tommyboy180 wrote:

          @marcelloc:

          You can manually edit the ipblocklist.inc file and add your rules before the package includes the blacklist.

          That's not a solution. ipblocklist.inc is just the additional package installation and package installation file and has nothing to do with the rule creation in rules.debug. If you're going to manually edit the rules to include your ports then you will have to modify /usr/local/www/packages/ipblocklist/convert-execute.sh

          Take a look at lines 104 through 115. This is what modifies rules.debug. This is where you can add your pass rule or modify the block rule to exclude port 80. Modifying the block rule to exclude port 80 is ideal and the best solution.

          Don't forget I have already committed to adding this feature in the next release of ipblocklist.

          -Tom Schaefer
          SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

          Please support pfBlocker | File Browser | Strikeback
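          The two approaches discussed in this thread (a pass rule for port 80 placed ahead of the blocklist rules, as Quinn1981 tried with floating rules, and Tom's suggestion of leaving port 80 out of the block rule itself) both come down to how pf orders its decisions: rules are evaluated top to bottom, the last matching rule wins, except that a matching rule carrying `quick` stops evaluation on the spot. The following Python model is an added illustration, not code from pfSense or the ipblocklist package. It assumes the package inserts a `block quick` rule keyed on destinations in its table, models Tom's exclusion as pf's `port != 80` form, and uses constructed TEST-NET addresses for the listed and unlisted hosts. It shows why a `pass quick` rule that lands after the `block quick` rule never fires, and that either working variant leaves hosts on the blocklist reachable on port 80, which is the trade-off being accepted.

```python
"""Toy model of how pf walks a ruleset (constructed example, not pfSense or
ipblocklist code): rules are evaluated top to bottom, the last matching rule
decides, except that a matching rule marked `quick` ends evaluation at once."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed stand-in for the blocklist <table>; 203.0.113.0/24 is TEST-NET-3.
BLOCKLIST = [ip_network("203.0.113.0/24")]
LAN = [ip_network("10.1.1.0/24")]          # the LAN network from the thread


@dataclass
class Rule:
    action: str                            # "pass" or "block"
    quick: bool = False                    # stop at this rule if it matches
    src: Optional[List] = None             # source networks, None = any
    dst: Optional[List] = None             # destination networks, None = any
    dport: Optional[int] = None            # destination port, None = any
    dport_negate: bool = False             # models pf's "port != N"
    label: str = ""

    def matches(self, pkt: dict) -> bool:
        if self.src is not None and not any(ip_address(pkt["src"]) in n for n in self.src):
            return False
        if self.dst is not None and not any(ip_address(pkt["dst"]) in n for n in self.dst):
            return False
        if self.dport is not None:
            hit = pkt["dport"] == self.dport
            if self.dport_negate:
                hit = not hit
            if not hit:
                return False
        return True


def evaluate(rules: List[Rule], pkt: dict, default: str = "block") -> str:
    """Return the verdict pf's matching model gives for pkt."""
    decision = default
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:             # `quick`: no later rule can override
                break
    return decision


# Rules modelled on the thread. The blocklist rule is ASSUMED to be a
# `block quick` on destinations in the table; the pass rule mirrors the
# GUI-generated "USER_RULE" for port 80 from 10.1.1.0/24.
BLOCK_LIST = Rule("block", quick=True, dst=BLOCKLIST, label="blocklist")
ALLOW_WEB = Rule("pass", quick=True, src=LAN, dport=80, label="USER_RULE")
ALLOW_LAN = Rule("pass", src=LAN, label="default LAN allow")
# Tom's alternative: leave port 80 out of the block rule itself (pf: port != 80).
BLOCK_LIST_NOT_80 = Rule("block", quick=True, dst=BLOCKLIST, dport=80,
                         dport_negate=True, label="blocklist, port != 80")

RULESETS = {
    "pass after block": [BLOCK_LIST, ALLOW_WEB, ALLOW_LAN],
    "pass before block": [ALLOW_WEB, BLOCK_LIST, ALLOW_LAN],
    "block excludes 80": [BLOCK_LIST_NOT_80, ALLOW_LAN],
}

# Constructed packets: LAN client to a listed host on 80 and on 6881,
# and to an unlisted host (198.51.100.0/24 is TEST-NET-2) on 80.
BLOCKED_WEB = {"src": "10.1.1.50", "dst": "203.0.113.10", "dport": 80}
BLOCKED_OTHER = {"src": "10.1.1.50", "dst": "203.0.113.10", "dport": 6881}
CLEAN_WEB = {"src": "10.1.1.50", "dst": "198.51.100.10", "dport": 80}


def decisions(pkt: dict) -> dict:
    """Verdict for pkt under each ruleset ordering."""
    return {name: evaluate(rules, pkt) for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, pkt in [("listed host, port 80", BLOCKED_WEB),
                      ("listed host, port 6881", BLOCKED_OTHER),
                      ("unlisted host, port 80", CLEAN_WEB)]:
        print(name, decisions(pkt))
```

          Running it shows the listed host on port 80 is blocked only in the "pass after block" ordering, passed in the other two, while port 6881 to the same host is blocked in all three. That is the behaviour Quinn1981 saw with the GUI floating rules if they ended up below the package's block rules in rules.debug, and the reason Tom's fix works at the block rule rather than by adding a pass rule whose position depends on where the package writes its output.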

          marcelloc wrote:

            Sorry for that.
            In my packages I put all the 'engine' in the .inc.

            Quinn1981 wrote:

              @tommyboy180:

              Don't forget I have already committed to adding this feature in the next release of ipblocklist.

              I was anxiously curious how to go about it. I work with a lot of CentOS and Ubuntu servers, but I've never toyed with a pfSense box. It's very different, having only managed a FreeBSD box once. Thanks for the suggestion though. Anything helps my journey to get into hacking with pfSense. :) Thanks a lot. I really enjoy your pfSense stuff.
