PF Firewall Rules
-
Hello all expert network administrators, I am totally a newbie to the pf firewall.
Therefore, I need your advice to set it up.
Rules:
block in log all keep state
pass out log all keep state
I need to keep state for the UDP connections.
Since I have all the connections from the outside world, I need to open some services such as port 80 (web browser), MSN and FTP (21).
What is ftp-proxy and how can I enable it?
I really do not understand the documentation.
Thanks for your help.
Your help is greatly appreciated by me and others. -
Can you please explain what you mean with:
Rules:
block in log all keep state
pass out log all keep state
What exactly do you want with your pfSense?
Since I have all the connections from the outside world, I need to open some services such as port 80 (web browser), MSN and FTP (21).
The normal approach is to have a rule that allows everything outbound, and thus it would include the ports you mention above.
If you're talking about inbound… I kinda don't believe that you want to run an MSN server :)
But then you would need to NAT the ports in question to your server. -
Can you please explain what you mean with:….
When one posts lines like
@Peter_APIIT: …I need to keep state for the UDP connections.
Since I have all the connections from the outside world, I need to open some services such as port 80 (web browser), MSN and FTP (21).
and
@Peter_APIIT: What is ftp-proxy and how can I enable it?
I really do not understand the documentation.
Like throwing the words ftp-proxy into Google doesn't yield any useful info…. ???
Ok, let's have a look around - the Candid Camera must be somewhere, hidden, to make a public fool out of us ;D
Peter_APIIT, first, start reading manuals about all these concepts - and then you touch the equipment.
Some background knowledge is needed - and all this pfSense stuff isn't difficult, but:
"One needs to know what a plane is before even thinking about flying one". -
I have a Linksys-p334WT router but still cannot prevent someone from hacking my Linux box.
I experienced this before.
I want to allow MSN and Skype connections.
Thanks for your help.
-
You're approaching this the wrong way. Try the following steps:
- Identify how your box was "hacked"
- Fix that problem
If you're forwarding, say, port 80 and you've got a terribly insecure Apache configuration then changing the firewall won't help.
-
I have no idea how my box was hacked, but I only allow port 80 (in & out) and IRC software.
I also need to monitor port 53 (UDP) and add a SYN proxy to this port.
Before this, I was using iptables on Fedora 7 but still got hacked.
Thanks for your help.
Your help is greatly appreciated by me and others.
-
I have no idea how my box was hacked, but I only allow port 80 (in & out) and IRC software.
I also need to monitor port 53 (UDP) and add a SYN proxy to this port.
Before this, I was using iptables on Fedora 7 but still got hacked.
I learn iptables by example. Therefore, I really hope you can guide me.
Thanks for your help.
Your help is greatly appreciated by me and others.
-
… allow port 80 (in & out) and IRC software....
.... I was using iptables on Fedora 7 ...
.... I learn iptables ....
.... and before: Linksys router (Linux based device)...
All these issues aren't really related to pfSense, now are they?
pfSense should be your router/firewall/gateway/DHCP server. It works well if you don't take it out of its default setup.
Ask yourself the question: WHY is your system being hacked?
Log incoming connections (a simple iptables rule on your Fedora box - you could do the same on your pfSense box).
You know who it is - and soon: why. -
I have no idea how my box was hacked, but I only allow port 80 (in & out) and IRC software.
You still haven't said what was done, but I'm guessing you had a vulnerability in either your web server or a CGI script. Changing the firewall won't help there.
-
I don't have any web server or CGI script.
How do I log incoming connections in pfSense? This is a home network.
-
I don't have any web server or CGI script.
Hmmm, earlier you said:
I have no idea how my box was hacked, but I only allow port 80 (in & out) and IRC software.
So, if you don't run a web server, why were you allowing 80 inbound?
As for how to log connections - tick the box in the firewall rule you want to log.
-
Thanks. I just want to surf the internet and have MSN and Skype connections; other than that, block in.
Keep state on the UDP 53 connections. If not established, block it.
Source tracking as well.
Please can you give me the rules? I want to learn from examples. I am an IT student from Malaysia.
A billion thanks to you.
Thanks. -
All modern firewalls, such as the one pfSense uses, are stateful. This means you only have to allow the traffic in one direction.
So, leave the default block rule on the WAN alone and create rules on the LAN side allowing outbound traffic (or leave the default pass-all rule alone). The documentation for pf (the firewall software used in pfSense) can be found at http://www.openbsd.org/faq/pf/.
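To make the "allow it in one direction, let state handle the replies" advice concrete, here is a minimal pf.conf for a home gateway, written as an added example for this thread (it is not from any poster and not pfSense's generated ruleset; pfSense builds its own rules from the web GUI). It uses the pre-OpenBSD-4.7 nat/rdr syntax that FreeBSD's pf, and therefore pfSense, understands, and it also shows the ftp-proxy anchors the original question asked about. The interface names em0/em1 and the LAN subnet are assumptions; the ftp-proxy lines follow the ftp-proxy(8) manual and assume the proxy is running and listening on 127.0.0.1:8021.

```pf
# Added example: a minimal stateful pf.conf for a home gateway.
# Interface names and LAN subnet are assumptions; adjust to your box.
ext_if  = "em0"               # WAN (assumed)
int_if  = "em1"               # LAN (assumed)
lan_net = "192.168.1.0/24"    # LAN subnet (assumed)

set skip on lo0

# Hide the LAN behind the WAN address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# ftp-proxy: LAN clients' FTP control connections (port 21) are redirected
# to the local proxy, which opens the data-channel holes in its own anchor.
# On FreeBSD the proxy is started with ftp-proxy_enable="YES" in rc.conf.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# Default deny on the WAN, logged, so the log shows who is knocking.
# Nothing from the outside is passed in; there is no server to reach.
block in log on $ext_if all

# Let the LAN out. "keep state" means the return packets, including the
# UDP 53 answers and the TCP replies for web/MSN/Skype, are matched by the
# state table and never need an inbound rule of their own.
pass in  on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; `pfctl -ss` lists the state entries that the `keep state` rules create, which is the quickest way to see that a UDP 53 query and its reply share one state and that unsolicited inbound packets on em0 hit the block rule instead.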