Only same port for LAN



  • Sorry, my English is not good.
    I installed pf 2.01 64 bit. I want to block everything for LAN and only open some ports, for example only web surfing (open 80, 443). I created these rules:
            action  prot     source      port     dest  port     gateway
            pass    TCP/UDP  LAN subnet  53       *     53       *
            pass    TCP      LAN subnet  80,443   *     80,443   *
            block   *        LAN subnet  *        *     *        *
            pass    *        LAN subnet  *        *     *        *

    But I can't access the web. If I delete the block rule I can access the web.
    Can you help me?
    Thanks in advance.



  • Your top two rules have source ports defined. You almost never want that.
    Set the source-port to any.
    You can also delete your two block-any and allow-any rules.
    There is an invisible block-any rule at the bottom of each rule set.
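To make the reasoning above concrete, here is an added example (not from this thread or from pfSense itself) that models the poster's LAN rule set as a first-match rule list with the invisible block-any at the bottom, and checks what happens to a browser connection that uses a random ephemeral source port. The source address is assumed to always be inside LAN subnet, so only protocol and ports are modelled; the ephemeral port 51234 is a constructed value.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = None  # "any" in the rule editor: no constraint on that field

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    protos: Optional[FrozenSet[str]]     # {"tcp"}, {"tcp", "udp"} or ANY
    src_ports: Optional[FrozenSet[int]]  # client-side ports, or ANY
    dst_ports: Optional[FrozenSet[int]]  # service ports, or ANY

def matches(rule: Rule, proto: str, src_port: int, dst_port: int) -> bool:
    return ((rule.protos is ANY or proto in rule.protos)
            and (rule.src_ports is ANY or src_port in rule.src_ports)
            and (rule.dst_ports is ANY or dst_port in rule.dst_ports))

def evaluate(rules: List[Rule], proto: str, src_port: int, dst_port: int) -> str:
    """First matching interface rule wins; if nothing matches, the
    invisible block-any rule at the bottom of the rule set applies."""
    for rule in rules:
        if matches(rule, proto, src_port, dst_port):
            return rule.action
    return "block"

TCP = frozenset({"tcp"})
TCP_UDP = frozenset({"tcp", "udp"})

# The poster's rule set: source ports set to 53 and 80,443 (the mistake).
ORIGINAL_RULES = [
    Rule("pass", TCP_UDP, frozenset({53}), frozenset({53})),
    Rule("pass", TCP, frozenset({80, 443}), frozenset({80, 443})),
    Rule("block", ANY, ANY, ANY),
    Rule("pass", ANY, ANY, ANY),
]

# The corrected rule set: source port any, and no block-any/pass-any rules.
FIXED_RULES = [
    Rule("pass", TCP_UDP, ANY, frozenset({53})),
    Rule("pass", TCP, ANY, frozenset({80, 443})),
]

def browser_to_web(rules: List[Rule]) -> str:
    # A client picks a random source port above 1024 (constructed: 51234).
    return evaluate(rules, "tcp", 51234, 80)

if __name__ == "__main__":
    print("original:", browser_to_web(ORIGINAL_RULES))  # block
    print("fixed:   ", browser_to_web(FIXED_RULES))     # pass
```

With the original rules the web request falls through both pass rules (its source port is not 53 or 80/443) and hits the block-any rule, which is exactly the symptom reported; removing that block rule lets the pass-any rule catch it, which is why deleting it "fixed" access.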



  • Well, I would like to join this topic because it hits a question that I could not yet answer myself.

    @GruensFroeschli:

    Your top two rules have source ports defined. You almost never want that.
    Set the source-port to any.

    As I've understood pf so far, rules must be defined on the basis of incoming traffic, i.e. traffic going into the firewall, on the considered interface. So considering the LAN interface, shouldn't it imply that the source part of a LAN rule can only be LAN subnet or LAN address? What would be the difference to using any as source? Could you please clarify this? It would improve my basic understanding of pf rules :).

    Thanks,
    Peter



  • Port refers to the TCP/UDP ports and not to the physical port.

    It is the port from which a connection on a client is initiated.
    Normally this is a random number above 1024 up to the maximum of 65535.
    –> unless you know exactly from which port a program opens a connection (usually because you force it) you don't know the source-port because it's random.



  • @GruensFroeschli

    Thanks for your quick reply and sorry for my confusing and slightly off-topic question. But I mean the "source" (IP, net) field of a rule and not the (source) "port" field. I start a hopefully better attempt:

    Is it true that the "source" field of e.g. a LAN rule can hold only "LAN address" or "LAN subnet" or any host or hosts group (via firewall alias) being member(s) of the LAN subnet?



  • No.
    The source IP field can be whatever you define.
    There are no limits to what you can put there, regardless of if it makes sense or not.



  • OK, so does it make sense to use on e.g. the LAN interface as source something different from "LAN address" or "LAN subnet" or any host or hosts group (via firewall alias) being member(s) of the LAN subnet?



  • Source LAN-address doesn't make sense. That would be as source the address of the LAN-interface of the pfSense itself.
    –> The pfSense will never try to send something on an interface out to itself.

    You usually want LAN-subnet.
    If you have a setup where you have other routers attached to the LAN interface routing their traffic to the pfSense, then you will see traffic on the LAN interface with a source different than the LAN-subnet.
    –> You need rules reflecting these additional subnets. (Or just simply switch to "any")



  • @GruensFroeschli:

    Source LAN-address doesn't make sense. That would be as source the address of the LAN-interface of the pfSense itself.
    –> The pfSense will never try to send something on an interface out to itself.

    I agree with you :)

    @GruensFroeschli:

    You usually want LAN-subnet.
    If you have a setup where you have other routers attached to the LAN interface routing their traffic to the pfSense, then you will see traffic on the LAN interface with a source different than the LAN-subnet.
    –> You need rules reflecting these additional subnets. (Or just simply switch to "any")

    Aaah, that's the point. Thank you very much.

