Firewall problem … or maybe it's just me ;)



  • Hi
    I've been using pfSense for some time, but I still have an issue I haven't really figured out yet, and since there is still no documentation on this, I must ask.
    I use pfSense to allow internet access to 3 different subnets, all public IPs. I enabled outbound NAT for these IPs, and it all works, the routed IPs are visible to the internet, etc. I can't seem to make any firewall rule work though, and there are no rules created in the firewall section. I figure it's an issue with my enabling outbound NAT for these IPs, but I can't stop anything. I would like to be able to block some IPs in these subnets and block some ports. Where am I going wrong about this?
    Any help would be appreciated.
    P.S.
    Please bear in mind, I worked a very long time with Windows servers; probably my mind is still locked in their patterns - that means I'm stupid enough, and someone would have to be patient with me.
    I've seen on the forum that it's not yet possible to implement a blacklist for IPs… any time frame for that?
    Thank you for your patience.



  • Thank you, after the upgrade to the latest stable release, it works now.



  • Hm… and yet...
    If I only enable outbound NAT, without any rules, like in the FAQ, the OPT LANs work, but not the main LAN.
    If I enable routes in the outbound NAT, the firewall rules do not apply.
    The blacklist would come in handy in this situation, but I still can't block ports.
    I'm lost.
    Anyone, take pity on my suffering, and please try to explain to a poor retard what to do. ;)



  • Can you give us some more insight in your install and what exactly you are trying to do?
    Some information on your subnets and IPs at the interfaces would be helpful. Also what you want to block or pass from where to where. It's easier to explain with your real life setup than have a guess at a config that might be understood wrong by the person that tries to explain it.

    Concerning the blacklist IP feature that might be a feature for the 1.1 alias system but as 1.0 is not out yet we can't comment on the timeframe. I would suggest using an IP or network Alias and add all the blacklisted IPs there. Depending on what you are trying to do blocking all and allowing just some whitelist IP aliases might be less work to configure but that's again a guess. Details please…  ;)



  • OK, the situation is like this:
    I have an IP given by my ISP, aa.aaa.aa.aaa/29.
    This is set on my WAN. It connects to a gateway aa.aaa.aa.aax/29
    and 2 DNS servers.
    I bought 3 public IP classes, bb.bbb.bb.bbb/27, cc.ccc.cc.ccc/27 and dd.ddd.dd.ddd/26, and I use this machine to route them.
    I have 3 NICs (except WAN), and I set them like this:
    wan:  aa.aaa.aa.aaa/29
    lan:    dd.ddd.dd.dd1/26
    opt1:  cc.ccc.cc.cc1/27
    opt2:  bb.bbb.bb.bb1/27,
    that is, the first available IP of the class on every NIC.
    This configuration worked like this on various machines, including an older version of pfSense.
    So I must have public IPs out on the internet from my LANs, so I enable outbound NAT. Bear in mind that in an older version of pfSense, the same thing worked for all IPs. For some reason, now it just does NAT. I got it working with a rule in the outbound NAT, like wan - source any - destination any - port any.
    Same thing I did on every NIC in the firewall. The thing is that when I try to add blocking rules (in the correct order - blocking rules in front of the allowing rules) they don't work. I have a few IPs that I must block from time to time, and also some ports - 137 - 139, 445, etc. I do not use DHCP, and my stations use the ISP's DNS.
    I figure there are too many allow-all rules, but where do I block now?
    Here is how my config file looks - I edited the IPs for obvious reasons.

    <pfsense><version>2.2</version>
    <lastchange><theme>metallic</theme>
    <system><optimization>normal</optimization>
    <hostname>pfsense</hostname>
    <domain>local</domain>
    <username>admin</username>
    <password>$1$USdYG6sA$IihiTqFDk7V0aEd3X.3NK0</password>
    <timezone>Europe/Bucharest</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>pool.ntp.org</timeservers>
    <webgui><protocol>http</protocol></webgui>
    <dnsserver>dns.dns.dns.dn1</dnsserver>
    <dnsserver>dns.dns.dns.dn2</dnsserver></system>
    <interfaces><lan><if>fxp1</if>
    <ipaddr>dd.ddd.dd.dd1</ipaddr>
    <subnet>26</subnet>
    <media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
    <bridge>wan</bridge>
    <disableftpproxy></disableftpproxy></mediaopt></media></lan>
    <wan><if>fxp0</if>
    <mtu><blockpriv><media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
    <disableftpproxy><ipaddr>aa.aaa.aa.aaa</ipaddr>
    <subnet>29</subnet>
    <gateway>aa.aaa.aa.aax</gateway>
    <spoofmac></spoofmac></disableftpproxy></mediaopt></media></blockpriv></mtu></wan>
    <opt1><if>rl0</if>
    <descr>OPT1</descr>
    <bridge><enable><ipaddr>bb.bbb.bb.bb1</ipaddr>
    <subnet>27</subnet>
    <gateway><spoofmac></spoofmac></gateway></enable></bridge></opt1>
    <opt2><if>rl1</if>
    <descr>OPT2</descr>
    <bridge><ipaddr>cc.ccc.cc.cc1</ipaddr>
    <subnet>27</subnet>
    <gateway><spoofmac><mtu><enable></enable></mtu></spoofmac></gateway></bridge></opt2></interfaces>
    <staticroutes><pppoe><pptp><bigpond><dyndns><type>dyndns</type>
    <username><password></password></username></dyndns>
    <dhcpd><lan><range><from>192.168.1.100</from>
    <to>192.168.1.199</to></range></lan></dhcpd>
    <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
    <ovpn><dnsmasq><enable></enable></dnsmasq>
    <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
    <diag><ipv6nat><ipaddr></ipaddr></ipv6nat></diag>
    <bridge><syslog><nat><ipsecpassthru><advancedoutbound><enable><rule><source>
    <network>any</network>
    <sourceport><descr>Auto created rule for LAN</descr>
    <target><interface>wan</interface>
    <nonat><destination><any></any></destination>
    <natport></natport></nonat></target></sourceport></rule></enable></advancedoutbound></ipsecpassthru></nat>
    <filter><rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>opt2</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <any><destination><any></any></destination>
    <descr>Default LAN -> any</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule></filter>
    <shaper><ipsec><preferredoldsa></preferredoldsa></ipsec>
    <aliases><proxyarp><wol><installedpackages><package><name>ntop</name>
    <website>http://www.ntop.org/</website>
    <descr>ntop is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.</descr>
    <category>Network Management</category>
    <depends_on_package_base_url>http://www.pfsense.org/packages/All/</depends_on_package_base_url>
    <depends_on_package>ntop-3.2_1.tbz</depends_on_package>
    <version>3.2_1</version>
    <status>BETA</status>
    <config_file>http://www.pfsense.com/packages/config/ntop.xml</config_file>
    <configurationfile>ntop.xml</configurationfile></package>
    <menu>
    <name>ntop Settings</name>
    <tooltiptext>Set ntop settings such as password and port.</tooltiptext>
    Diagnostics
    <url>/pkg_edit.php?xml=ntop.xml&id=0</url>
    </menu>
    <menu>
    <name>ntop</name>
    <tooltiptext>Access ntop</tooltiptext>
    <url>http://:3000$myurl</url>
    Diagnostics
    <depends_on_service>ntop</depends_on_service>
    </menu>
    <service><name>ntop</name>
    <rcfile>ntop.sh</rcfile>
    <executable>ntop</executable></service></installedpackages>
    <revision><description>Installed ntop package.</description>
    <time>1139860575</time></revision>
    <virtualip></virtualip></wol></proxyarp></aliases></shaper></syslog></bridge></ovpn></bigpond></pptp></pppoe></staticroutes></lastchange></pfsense>

    Thank you for your help and patience.



  • You have to make blocking rules for every interface,
    like:
    action block interface lan protocol tcp source any source port range any any destination any destination port range from other 137 to other 139
    action block interface opt1 protocol tcp source any source port range any any destination any destination port range from other 137 to other 139
    action block interface opt2 protocol tcp source any source port range any any destination any destination port range from other 137 to other 139

    for blocking 137 till 139 on lan, opt1 and opt2.



  • Just keep in mind: you always have to block incoming traffic at an interface, so if you want to block traffic from LAN to OPT1 your rule has to be applied to the LAN interface.
    In your scenario I would use some aliases to get your blacklist function and to keep the number of rules low, to have a better overview:

    at all interfaces:

    block proto any source-ip "blacklistip" source-port any destination-ip any destination-port any
    block proto tcp/udp source-ip any source-port any destination-ip any destination-port "blacklistports"
    pass proto any source-ip <interface>subnet source-port any destination-ip any destination-port any

    Needed aliases for this:

    blacklistip - hosts alias with all blocked IPs
    blacklistports - ports alias with blocked ports

    This way you can simply add your IPs to the blacklistip alias or ports to the blacklistports alias (at least if you want to handle them all the same way). For special needs you can combine ports and hosts aliases or invent more aliases. Try to use the alias system as much as you can. It can simplify things a lot.
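The two replies above rest on the same two facts: pfSense evaluates a rule set on the interface a packet enters, top to bottom, and the first matching rule wins (no match means the packet is dropped). The following is an added illustration, not pfSense code and not anything the posters wrote: a small first-match evaluator that applies the three recommended rules with the two aliases, and also shows what happens in the original poster's situation, where a pass-any rule sits above the block rules. The alias contents and the interface subnets are constructed placeholders (RFC 5737 documentation ranges), not the poster's real addresses.

```python
"""First-match per-interface rule evaluation with aliases (added illustration,
modelled on pfSense's behaviour; not pfSense's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed aliases standing in for the "blacklistip" hosts alias and the
# "blacklistports" ports alias proposed in the reply (placeholder addresses).
HOST_ALIASES = {
    "blacklistip": ["198.51.100.7", "203.0.113.0/28"],
}
PORT_ALIASES = {
    "blacklistports": [137, 138, 139, 445],
}
# Constructed stand-ins for the poster's /26 and /27 public blocks, so that
# "<interface>subnet" can be resolved per ingress interface.
INTERFACE_SUBNETS = {
    "lan": "192.0.2.0/26",
    "opt1": "192.0.2.64/27",
    "opt2": "192.0.2.96/27",
}


@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "any", "tcp", "udp" or "tcp/udp"
    src: str       # "any", a host alias name, or "<interface>subnet"
    dst_port: str  # "any" or a port alias name


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet enters on (rules are applied there)
    proto: str     # "tcp", "udp" or "icmp"
    src_ip: str
    dst_port: int


# The three rules the reply proposes, in the order they must appear.
RECOMMENDED: List[Rule] = [
    Rule("block", "any", "blacklistip", "any"),
    Rule("block", "tcp/udp", "any", "blacklistports"),
    Rule("pass", "any", "<interface>subnet", "any"),
]

# The original poster's situation: a pass-any rule above everything else.
PASS_FIRST: List[Rule] = [RECOMMENDED[2]] + RECOMMENDED[:2]


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or pkt_proto in rule_proto.split("/")


def _src_matches(rule_src: str, pkt: Packet) -> bool:
    if rule_src == "any":
        return True
    if rule_src == "<interface>subnet":
        nets = [INTERFACE_SUBNETS[pkt.iface]]
    else:
        nets = HOST_ALIASES[rule_src]
    ip = ipaddress.ip_address(pkt.src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def _port_matches(rule_port: str, pkt: Packet) -> bool:
    return rule_port == "any" or pkt.dst_port in PORT_ALIASES[rule_port]


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the matching rule). First match wins;
    a packet that matches nothing is blocked (index None)."""
    for i, rule in enumerate(ruleset):
        if (_proto_matches(rule.proto, pkt.proto)
                and _src_matches(rule.src, pkt)
                and _port_matches(rule.dst_port, pkt)):
            return rule.action, i
    return "block", None


if __name__ == "__main__":
    samples = [
        Packet("lan", "tcp", "192.0.2.5", 80),      # normal LAN client, web
        Packet("lan", "tcp", "192.0.2.5", 139),     # LAN client, NetBIOS
        Packet("opt1", "tcp", "203.0.113.3", 80),   # blacklisted source on OPT1
        Packet("lan", "tcp", "192.0.2.70", 80),     # OPT1 address arriving on LAN
    ]
    for p in samples:
        print(p, "recommended ->", evaluate(RECOMMENDED, p),
              "| pass first ->", evaluate(PASS_FIRST, p))
```

With the recommended order the NetBIOS packet and the blacklisted host are stopped by rules 1 and 0, while the same NetBIOS packet is passed by rule 0 under PASS_FIRST, which is exactly the symptom described earlier in the thread. The fourth sample also shows why the per-interface "subnet" source matters: an address from another interface's block arriving on LAN matches no pass rule and is dropped by the default deny.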

