Netgate Discussion Forum

Firewall blocks everything

Firewalling

franzenobody (Feb 12, 2013, 7:26 PM)

    Hey,
    a new problem arose on my way to the captive portal: firewall rules. As a start, I want only to pass port 80. But it blocks everything, no matter how I try. I installed squid and squidguard but both are inactive. Furthermore, on floating I have a Layer7-rule, blocking all P2P and Gaming.

    What mistake did I make?

    Thx!!!

    Attachments: lan1.jpg, wan1.jpg, float1.jpg

johnpoz, LAYER 8 Global Moderator (Feb 12, 2013, 7:52 PM)

      you have a wan rule blocking everything! Why would you have that - the default rule would take care of that.

      What traffic do you think would be coming in on port 80 as dest port on your wan?

      Your lan looks right where you allow 80, but your block rule should be any if you don't want to allow anything out from lan.

      Remove your floating rule, remove your wan rules. Then leave your allow lan rule for http, and then your block rule on lan change that to dest port any and you should be good.

      Once you have that working you can tweak your other rules. But not sure what you think the floating rule is supposed to do; if you're only allowing outbound on 80, p2p is not going to work.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

franzenobody (Feb 12, 2013, 8:12 PM)

        Ok, I did what you said:

        • Delete all Floating (no rule left)
        • Delete all WAN (no rule left)
        • And left LAN at Port 80 (I don't know what you mean by change dest to any, because I thought it was already on any).

        => Didn't work!

        Then I set up a rule on WAN: Allow everything (only "*" everywhere, no queue)
        And the same on LAN.

        => Still didn't work!

        What I mean by "didn't work" is that the URL takes years to load and finally I get a timeout. In all these configs, I could not ping the router on 192.168.1.1 (Request timeout for icmp_seq 0) from the LAN interface (from the WAN it works, so I guess something is wrong with the LAN rules?).

        => As soon as I deactivate all packet filtering, everything works fine again.

johnpoz, LAYER 8 Global Moderator (Feb 12, 2013, 8:28 PM, last edited 8:35 PM)

          What are you using for dns? Are you trying to use external dns?

          You don't have a rule that allows you to ping the lan IP - so no, you're not going to be able to ping it ;)

          Oh - and for that matter you don't have a rule in place to allow you to ask pfsense for dns either. Duh, kicking myself for not catching that right off!

          You're going to have to allow your lan to talk to pfsense on 53 udp and tcp if using that for dns, or if using external then you're going to have to allow 53 udp and tcp to any or whatever you're using for dns.

          And if you're going to want to be able to ping pfsense you're going to have to allow that rule as well.

          So clear wan and floating, and on lan:

          allow icmp to lan address
          allow dns udp and tcp to lan address
          allow http any
          block any – no, 81-50901 is not any. Any would be listed as *; there is "any" in the dropdown list.

franzenobody (Feb 12, 2013, 8:41 PM)

            You hero nailed it, thanks a lot! :)
            (sorry, I thought the "internal communication" would be handled automatically)

johnpoz, LAYER 8 Global Moderator (Feb 12, 2013, 8:48 PM)

              well in the default config it is, with the default lan rule. But you turned that off so you're going to have to allow what you want. I didn't catch it right away because in my setup I also limit an IP to port, but it's a PROXY – which the proxy does the dns for the client. So it doesn't ask pfsense or anything else, etc.

franzenobody (Feb 13, 2013, 7:46 AM)

                Thanks again for making that clear!

                One last question (even if it is a bit OT) for understanding firewalls: As I didn't turn on a WAN rule, in my sense the whole downstream must be blocked. Apparently it isn't, so am I right in saying that answers to requests from the LAN are allowed to pass automatically? That means that I have to set up a WAN rule if I want to use the VPN server, right?

                Thanks again!

cmb (Feb 13, 2013, 8:02 AM)

                  that's answered in:
                  http://doc.pfsense.org/index.php/Firewall_Rule_Basics

                  and/or do some general reading up on how all stateful firewalls work. Reply traffic is never evaluated by rules.

johnpoz, LAYER 8 Global Moderator (Feb 13, 2013, 3:19 PM, last edited 3:25 PM)

                    "in my sense the whole downstream must be blocked. Apparently it isn't"

                    You're just not seeing the default rule - by default ALL unsolicited inbound traffic to the wan is blocked. Only connections that have an existing state that is in answer to traffic started by clients behind the firewall will be allowed.

                    Now yes, if you want to allow some unsolicited inbound traffic to your wan, be it to something behind pfsense with a port forward (nat) or to the wan interface itself like a VPN connection to pfsense, then yes you would have to create a wan rule to allow that. I am pretty sure the openvpn wizard will autocreate the wan rule for you. Example:

                    IPv4 TCP * * WAN address 443 (HTTPS) * none   OpenVPN pfsense wizard

                    And by default when you create a port forward, it will auto create the wan rule you need to allow for that as well. Unless when creating the port forward you uncheck the autocreate wan rule checkbox.

                    But in general you don't need any rules on the wan, unless you want to allow something that is not in answer to your requests. Like for example if you want to allow icmp to your public IP on the wan. You would need a rule to allow that.

                    IPv4+6 ICMP * * WAN address * * none   Allow Ping

                    I would highly suggest you read the doc that cmb linked to.

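As an added illustration (not code from this thread, from pfSense, or from pf itself), here is a toy Python model of the two things the thread settles: the LAN rule set johnpoz proposes (icmp and dns to the LAN address, http to any, then block any) evaluated first-match, and the stateful behaviour cmb and johnpoz describe, where rules only decide whether a new state is created and reply packets pass on the state table alone. The client 192.168.1.50, the external hosts and all ports are constructed sample values; the LAN address 192.168.1.1 is the one from the thread.

```python
from collections import namedtuple
ANY = "*"
LAN_ADDR = "192.168.1.1"   # pfSense LAN address mentioned in the thread
Pkt = namedtuple("Pkt", "proto src sport dst dport")   # ports are 0 for icmp

# (action, proto, destination, destination port); first match wins as on the pfSense
# LAN tab. The last rule uses a real "any" port: a range such as 81-50901 is not "any".
LAN_RULES = [
    ("pass",  "icmp", LAN_ADDR, ANY),
    ("pass",  "udp",  LAN_ADDR, 53),
    ("pass",  "tcp",  LAN_ADDR, 53),
    ("pass",  "tcp",  ANY,      80),
    ("block", ANY,    ANY,      ANY),
]
OP_RULES = [("pass", "tcp", ANY, 80)]   # the OP's original LAN tab: HTTP only

def _matches(rule, pkt):
    _, proto, dst, dport = rule
    return proto in (ANY, pkt.proto) and dst in (ANY, pkt.dst) and dport in (ANY, pkt.dport)

class StatefulFilter:
    """Toy model: rules only decide whether a new state is created; replies never hit rules."""
    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def new_from_lan(self, pkt):
        """Packet entering on the LAN interface; returns 'pass' or 'block'."""
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule[0] == "pass":
                    self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule[0]
        return "block"   # implicit default deny when no rule matched

    def reply_from_wan(self, pkt):
        """Packet entering on WAN; passes only if it answers an existing state."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "pass" if key in self.states else "block"

def demo(rules=LAN_RULES):
    # Constructed traffic: DNS and ping to pfSense, HTTP and SSH out, then a reply
    # to the HTTP request and an unsolicited inbound SYN from a TEST-NET address.
    fw = StatefulFilter(rules)
    out = [fw.new_from_lan(p) for p in (
        Pkt("udp", "192.168.1.50", 40000, LAN_ADDR, 53),
        Pkt("icmp", "192.168.1.50", 0, LAN_ADDR, 0),
        Pkt("tcp", "192.168.1.50", 50123, "198.51.100.10", 80),
        Pkt("tcp", "192.168.1.50", 50124, "198.51.100.10", 22))]
    out.append(fw.reply_from_wan(Pkt("tcp", "198.51.100.10", 80, "192.168.1.50", 50123)))
    out.append(fw.reply_from_wan(Pkt("tcp", "203.0.113.9", 4444, "192.168.1.50", 80)))
    return out
```

Running `demo(OP_RULES)` reproduces the OP's symptom: DNS and ping to pfSense fall through to the implicit deny while HTTP still passes, and in both rule sets the HTTP reply passes on state alone while the unsolicited inbound SYN is dropped.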