    Outbound rules?

    Firewalling
      motodude last edited by

      I'm new to pfSense.  I did search the forum but didn't find anything pertinent to my question within the last 4 years (and in that time something may have changed).  So I'll ask….   :)

      I have a transparently bridged firewall (no IPs on the interfaces).

      In the OpenBSD world, I would write a rule like the following:
        pass out quick on $ext_if inet proto { tcp, udp } from any to any port 53 keep state

      That rule says to allow any computer on my network to access any external DNS server (port 53).  You can write a rule like that because it specifies the direction (out = outbound).

      How do I do this in pfSense?  It's recommended that all rules be put on one interface (WAN) and not to write any rules for the opposite (LAN) interface.

      If I make a pfSense rule on my WAN interface:

      Proto     Source   Port   Destination   Port   Gateway   Queue
      TCP/UDP   *        *      *             53     *         none

      That essentially says to allow inbound (and outbound) access to port 53 on every single server, not just my servers that run DNS.  I don't want that.   I only want to open the inbound port to my dns server that needs it open because it has a dns server on it.  On the other hand, I need all of my internal machines to access DNS on any external server.

      This lack of direction on the rules seems to be a problem.  I assume I must be missing (not aware of) something?

      Thanks!

        motodude last edited by

        I may have figured it out.

        Proto   Source    Port   Destination   Port       Gateway   Queue
        TCP     LAN net   *      *             DNS_Port   *         none

        Presumably that says to allow my LAN network to access any external DNS?

          motodude last edited by

          Nope.  With this rule:

          Proto   Source    Port   Destination   Port       Gateway   Queue
          TCP     LAN net   *      *             DNS_Port   *         none

          in place I cannot access DNS servers outside of the firewall.  That tells me that it's the same issue I ran into on the WAN side of things.  When you're configured with a transparent bridge and no IPs on the interfaces, you can't use WAN or LAN in any of the rules.

          So in order to create outbound rules, I assume I'll have to go to firewall > Aliases and create an alias comprising the IPs of everything on my network and then use that alias in the rule in place of "LAN Net", correct?  Or is there another, cleaner option?

            cmb last edited by

            1. DNS is TCP and UDP; DNS will not work if you only allow TCP.
            2. If you have no IPs set on your LAN, then "LAN network" is equal to nothing. You want "any" there instead.
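For comparison, here is the policy the thread converges on written in the OpenBSD pf syntax the original poster started from: inbound DNS is allowed only to the internal DNS server, outbound DNS is allowed from every inside host to anywhere, and both rules cover TCP and UDP. This is an added example, not code from the original post or from Netgate; the interface names em0/em1, the address 192.0.2.10 and the floating-state assumption are all invented for illustration. Direction in pf is expressed by the interface the packet enters, which is the same thing a pfSense rule on the LAN tab with source "any" expresses once the interface has no IP and "LAN net" is empty.

```pf
# Constructed example for a transparent bridge whose member interfaces carry
# no IP addresses. Names and addresses below are assumptions, not from the post.
ext_if     = "em0"          # assumed: bridge member facing the Internet
int_if     = "em1"          # assumed: bridge member facing the internal LAN
dns_server = "192.0.2.10"   # assumed: the one internal host that runs a DNS server
dns_port   = "53"

# Reply traffic is matched by state. The default state policy in pf is
# floating, so a state created on one bridge member also matches the packet
# when it leaves through the other member. If you have changed the policy to
# if-bound, the "pass out" rules below are what lets the forwarded packet exit.
set state-policy floating

# Management traffic on the loopback is not filtered.
set skip on lo0

# Default deny in both directions on both members.
block all

# Inbound from the Internet: DNS only, and only to the host that serves it.
# TCP and UDP are both listed because resolvers fall back to TCP for large
# answers and zone transfers; allowing UDP alone breaks those cases.
pass in quick on $ext_if inet proto { tcp, udp } \
    from any to $dns_server port $dns_port keep state

# Outbound from the inside: any internal host may query any external resolver.
# "pass in on $int_if" is the pf way of saying "from the LAN"; there is no
# "LAN net" macro to rely on because $int_if has no address.
pass in quick on $int_if inet proto { tcp, udp } \
    from any to any port $dns_port keep state

# Let the packets admitted above leave through the opposite bridge member.
pass out quick on $ext_if inet proto { tcp, udp } to any port $dns_port keep state
pass out quick on $int_if inet proto { tcp, udp } to $dns_server port $dns_port keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, then confirm from an inside host that both transports pass: `dig @9.9.9.9 example.com` exercises UDP and `dig +tcp @9.9.9.9 example.com` exercises TCP. If the UDP query works and the TCP query times out, the outbound rule is still TCP-only or UDP-only, which is exactly the symptom the original poster hit.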
              motodude last edited by

              CMB,

              Thanks.  I had TCP/UDP on the inbound but only had TCP on the outbound.  It's working now.
