Firewall Rules not working in PFsense
-
Good Day Guys,
I had been playing around with my newly installed pfSense and it turned out OK until I found out that the firewall rules are not working. I had created several from the Firewall->Rules menu with this: and saved the new firewall rules. To verify that the said rules are working I tried to use nmap and found out the result:
The firewall did not recognize my created rule. Can anyone help me with this and enlighten me on how I should do it? Thanks in advance.
-
Unless I'm mistaken, your rules are allowing traffic from the LAN to those ports.
Try scanning it from the net, unless you're behind a router.
It will always show the open ports on your pfSense box when you scan it from the LAN.
-
Yes mr_bobo, I am allowing those ports but still missing when I add a different port, still the same nmap result comes out. It would be best if anyone in the group could teach me how to do it. :)
-
Well, the rules on LAN do not block or allow anything on the WAN address. You are only doing egress filtering. So those ports will be open to the firewall address. The output reflects this, as it is showing block on all ports except those you are allowing. What exactly are you trying to do?
-
Yes mr_bobo, I am allowing those ports but still missing when I add a different port, still the same nmap result comes out. It would be best if anyone in the group could teach me how to do it. :)
If you outline what you're trying to accomplish it would be easier for someone to advise you how to go about it. People here are friendly and ready to help but you have to let them know what your intentions are.
The LAN rules govern outgoing traffic. Your firewall will allow any outgoing traffic you initiate without having to make a rule to do so.
The green arrows at the side of the rules indicate a rule intended to "pass" traffic. The rules you've made allow outgoing traffic to those ports at any destination.
The pf firewall will block all incoming traffic by default till you make a rule allowing otherwise. If you're trying to make rules to restrict incoming traffic you need to make them on the WAN section, yours is designated GLOBE for some reason.
-
Sorry for that mr_bobo
Here's what I want to do:
1. I want to create a rule to allow Skype to connect for incoming and outgoing connections.
2. I want to verify whether the said rule is working or open.
3. Block all ports aside from the ports that I declare as open.
Thanks again and hope you could help me.
-
Your first rules set are fine.
Just remember to reset current states after you change a rule on quick tests.
-
Sir marcelloc
I am just confused and want to clarify: when I reset the firewall's current state table, is that the only time that firewall rules will take effect?
-
I am just confused and want to clarify: when I reset the firewall's current state table, is that the only time that firewall rules will take effect?
No, after you change rules only new connections will match the new rules. The keep state will keep current connections working until they end or until you reset states.
For example:
You start a ping to 8.8.8.8, then create a rule to block ping.
The result will be a successful ping.
If you reset states, then the ping will fail.
Regards,
Marcello Coutinho
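
The ping scenario from the last reply, as an added example that is not part of the original thread and is not pf or pfSense code: a small Python model of a stateful filter showing an established state surviving a rule change until states are reset. The class and function names, the LAN address and the first-match, default-deny evaluation are assumptions made for the illustration.

```python
# Toy model of stateful filtering (constructed for illustration; not pf code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "icmp", "tcp", "udp" or "any"
    dst: str = "any"       # destination address or "any"

    def matches(self, proto, dst):
        return self.proto in ("any", proto) and self.dst in ("any", dst)

@dataclass
class StatefulFilter:
    rules: list = field(default_factory=list)
    states: set = field(default_factory=set)   # (src, dst, proto) flows

    def check(self, src, dst, proto):
        """Return (verdict, reason) for one packet of a flow."""
        flow = (src, dst, proto)
        if flow in self.states:                 # state lookup comes first
            return "pass", "existing state"
        for rule in self.rules:                 # assumption: first match wins
            if rule.matches(proto, dst):
                if rule.action == "pass":
                    self.states.add(flow)       # keep state for later packets
                return rule.action, "rule"
        return "block", "default deny"

    def reset_states(self):
        self.states.clear()

def ping_scenario():
    """Replay the ping example: allow, add a block rule, reset states."""
    fw = StatefulFilter(rules=[Rule("pass", "any")])
    lan_host = "192.168.1.10"                   # constructed sample address
    results = [fw.check(lan_host, "8.8.8.8", "icmp")]      # ping starts
    fw.rules.insert(0, Rule("block", "icmp"))              # new block rule on top
    results.append(fw.check(lan_host, "8.8.8.8", "icmp"))  # same ping continues
    results.append(fw.check(lan_host, "8.8.4.4", "icmp"))  # a new ping
    fw.reset_states()
    results.append(fw.check(lan_host, "8.8.8.8", "icmp"))  # after state reset
    return results

if __name__ == "__main__":
    for verdict, reason in ping_scenario():
        print(verdict, "-", reason)
```

The second result is the one that surprises people during quick tests: the running ping still passes because its state predates the block rule, while a new ping to a different address is blocked immediately.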