Firewall Rules



  • Hi All,

    I need your expertise in creating rules on pfsense.

    The default LAN rule comes as "LAN to Any", and I am trying to find out how secure this rule is. Does leaving the "LAN to Any" rule mean opening all the ports to the public?

    If the answer is YES, that means, as I understand it, that it acts as a router more than a firewall and permits all connections to pass.
    If the answer is NO, how does pfSense act to let the right connections pass and reject threat connections?

    And since security is the matter, should I disable the default rule and create a bunch of rules such as

    Allow TCP 80 (HTTP) from LAN subnet to anywhere

    Allow TCP 443 (HTTPS) from LAN subnet to anywhere

    Allow TCP 21 (FTP) from LAN subnet to anywhere

    Allow TCP 25 (SMTP) from LAN subnet to anywhere

    Allow TCP 110 (POP3) from LAN subnet to anywhere

    Allow TCP 143 (IMAP) from LAN subnet to anywhere

    … and so on

    Thank you so much in advance for your time.



  • The default LAN rule comes as "LAN to Any", and I am trying to find out how secure this rule is. Does leaving the "LAN to Any" rule mean opening all the ports to the public?

    Leaving the "LAN to Any" rule means opening all the outbound ports to the public.

    Inbound rules (or the lack thereof) block the unsolicited public from getting through into your stuff.

    If you want something coming in you have to allow it.



  • My rules on LAN, esp. the ports, are exactly the same. No worries about that. Just be mindful of what ports to open.

    jigp



  • As soon as I disable "LAN to any" and instead put those rules below, there is no Internet; I can't even ping the pfSense web interface.

    Allow TCP 80 (HTTP) from LAN subnet to anywhere
    Allow TCP 443 (HTTPS) from LAN subnet to anywhere
    Allow TCP 21 (FTP) from LAN subnet to anywhere
    Allow TCP 25 (SMTP) from LAN subnet to anywhere
    Allow TCP 110 (POP3) from LAN subnet to anywhere
    Allow TCP 143 (IMAP) from LAN subnet to anywhere

    Any idea? I appreciate it in advance.



  • @Malesefx:

    As soon as I disable "LAN to any" and instead put those rules below, there is no Internet; I can't even ping the pfSense web interface.

    Allow TCP 80 (HTTP) from LAN subnet to anywhere
    Allow TCP 443 (HTTPS) from LAN subnet to anywhere
    Allow TCP 21 (FTP) from LAN subnet to anywhere
    Allow TCP 25 (SMTP) from LAN subnet to anywhere
    Allow TCP 110 (POP3) from LAN subnet to anywhere
    Allow TCP 143 (IMAP) from LAN subnet to anywhere

    Any idea? I appreciate it in advance.

    The problem is that your client machines don't always instigate the connection (for, say, web browsing) from port 80. You need to allow any for source and 80 for destination (instead of anywhere).


  • Netgate Administrator

    You don't have a rule to allow DNS on port 53 TCP and UDP.

    Steve



  • And ping is an ICMP echo request; allowing only TCP will block pings.

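The three points raised in the replies above (DNS on port 53 is missing, ICMP is missing, and a service port belongs in the destination field rather than the source field) can be checked with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense itself; the rule and packet shapes, the 192.168.1.0/24 LAN, the 203.0.113.10 remote host and the sample traffic are all constructed assumptions. It models pfSense GUI rules as first-match (pf "quick") with an implicit default deny, which is how pfSense applies LAN rules to the first packet of each connection.

```python
# Added example (not from the forum thread or from pfSense): a toy
# first-match evaluator for a pfSense-style LAN rule list, used to show
# why the narrow "TCP 80/443/..." list breaks name resolution and ping.
# Rule fields, the LAN subnet and the sample traffic are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Union

LAN = ip_network("192.168.1.0/24")  # constructed LAN subnet
ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "block"
    proto: str                             # "tcp", "udp", "icmp" or "any"
    src: Union[IPv4Network, str]           # source network or "any"
    sport: Union[int, str] = ANY           # source port; clients use ephemeral ports
    dst: Union[IPv4Network, str] = ANY     # destination network or "any"
    dport: Union[int, str] = ANY           # destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None            # None for ICMP
    dport: Optional[int] = None


def _port_ok(want, have) -> bool:
    return want == ANY or want == have


def _net_ok(want, have) -> bool:
    return want == ANY or ip_address(have) in want


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    return ((rule.proto == ANY or rule.proto == pkt.proto)
            and _net_ok(rule.src, pkt.src)
            and _net_ok(rule.dst, pkt.dst)
            and _port_ok(rule.sport, pkt.sport)
            and _port_ok(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins (pfSense GUI rules are 'quick');
    a packet no rule passes hits the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def audit(rules: List[Rule], traffic: Dict[str, Packet]) -> Dict[str, str]:
    """Evaluate each named sample packet and report pass/block per name."""
    return {name: evaluate(rules, pkt) for name, pkt in traffic.items()}


# 'NARROW' is the rule list posted in the thread; 'FIXED' adds the DNS and
# ICMP rules the replies call for.
NARROW = [Rule("pass", "tcp", LAN, dport=p) for p in (80, 443, 21, 25, 110, 143)]
FIXED = NARROW + [
    Rule("pass", "udp", LAN, dport=53),
    Rule("pass", "tcp", LAN, dport=53),
    Rule("pass", "icmp", LAN),
]
# The mistake the "any for source, 80 for destination" reply warns about:
# a client's connection leaves from an ephemeral port, never from port 80.
WRONG_SOURCE_PORT = [Rule("pass", "tcp", LAN, sport=80)]

# Constructed sample traffic a LAN client generates when it browses and pings.
TRAFFIC = {
    "dns_query": Packet("udp", "192.168.1.50", "192.168.1.1", 53123, 53),
    "https":     Packet("tcp", "192.168.1.50", "203.0.113.10", 51234, 443),
    "http":      Packet("tcp", "192.168.1.50", "203.0.113.10", 51235, 80),
    "ping_gw":   Packet("icmp", "192.168.1.50", "192.168.1.1"),
}

if __name__ == "__main__":
    for label, rules in (("narrow", NARROW), ("fixed", FIXED),
                         ("wrong_source_port", WRONG_SOURCE_PORT)):
        print(label, audit(rules, TRAFFIC))
```

Only the first packet of each connection is modelled here; pfSense is stateful, so once a rule passes that packet the replies flow through the state table without needing their own rule. That is also why restricting the LAN rule set changes nothing about unsolicited inbound traffic from the WAN, which is already dropped by the WAN side's default deny.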
