Netgate Discussion Forum

Firewall rules

maverick_slo, Aug 27, 2013, 5:49 PM

Hi guys!

I don't know where the problem is…
I have 2 networks, LAN and PUBLIC. LAN is 10.10.0.0/24 and PUBLIC is 172.16.16.0/24.
Check attached image...
How the hell can someone from 172.16.16.XXX access my webserver on 10.10.0.XXX on port 80??!
It is strictly blocked, or am I doing it wrong?
From PUBLIC to LAN I allow only DNS and ping...
Should I create rules differently?

Thanks!
[Attachment: firewall.png]
labasus, Aug 27, 2013, 9:39 PM

You should use NAT port forwarding - http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
kathampy, Aug 28, 2013, 4:53 AM

Your rules look badly designed and redundant. Only allow what you need and refrain from using * except for Internet access rules. Everything else gets blocked.
maverick_slo, Aug 28, 2013, 6:30 AM

OK, so I have deleted the redundant rules…
But still...
I want to DISallow 172.16.16.0/24 from accessing 10.10.0.0/24 except for DNS and ping.
172.16.16.0/24 should have full internet access.

So how do I do that?

Now I allowed ping everywhere and DNS everywhere...
I now need to allow internet access, but I cannot allow port 80 on the 10.10.0.0/24 network to be reached by the 172.16.16.0/24 network.

Thanks!

[Attachment: firewall.JPG]
kathampy, Aug 28, 2013, 6:37 AM (edited 6:45 AM)

Don't set the source for rules on the PUBLIC interface. The rules already apply only to traffic coming in from the PUBLIC interface. Don't try to mix ICMP and DNS for LAN and Internet into one rule. It will become confusing later.

Make the source * and set the destination to "LAN subnet" for the ICMP and DNS rules. This will explicitly allow ICMP and DNS from PUBLIC to LAN only.

For Internet access on the PUBLIC interface, create a rule from * to "not LAN subnet". This will allow full Internet access from PUBLIC (including ICMP and DNS to Internet servers) but not allow any access to LAN.
maverick_slo, Aug 28, 2013, 6:47 AM

OK, I have it like in the attachment…

I can access my LAN on port 80 from 172.16.16.15?

Again:
LAN (10.10.0.0/24)
PUBLIC (172.16.16.0/24)

So, what now?
I cannot add a share, but I can access the webserver?!

[Attachments: firewall.JPG, firewall2.png]
kathampy, Aug 28, 2013, 6:53 AM

There's some other problem. Enable logging on all the rules and see which rule is allowing the traffic to LAN on port 80.
maverick_slo, Aug 28, 2013, 7:00 AM (edited 7:02 AM)

I did, this is the output…

And another screenshot where I want to add a share and the FW blocks access, which is absolutely correct...

[Attachments: firewall2.png, firewall.JPG]
kathampy, Aug 28, 2013, 7:02 AM

Give the rules descriptions! And isolate the log entry where port 80 is allowed.
maverick_slo, Aug 28, 2013, 7:03 AM

I have to add log options to EVERY rule on ALL interfaces??

Strange is, when I accessed port 80 there was no firewall entry for this port?
maverick_slo, Aug 28, 2013, 7:06 AM

Ahhhhh ohhhh crap :)
Found the reason…

I have the HAVP antivirus package installed :)
That explains everything now, I disabled it and the rules are working OK :)
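The rule design kathampy recommends above (ICMP and DNS from the PUBLIC interface to "LAN subnet", then anything to "not LAN subnet", with the implicit default deny catching the rest) and the HAVP finding in this post can both be checked against a small first-match rule model. The Python below is an added example, not pfSense code and not anything posted in the thread: `Packet`, `Rule`, `evaluate` and `deliver` are names chosen here, the proxy address and port are constructed placeholders, and the transparent-proxy stage is an assumption about how a port-80 interception package running on the firewall changes the picture (the destination is rewritten to the firewall itself before the interface rules are evaluated, and the proxy then opens its own connection to the web server), which is consistent with the log showing no port 80 entry at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks as described in the thread (PUBLIC was later renamed to GUEST).
LAN_NET = ipaddress.ip_network("10.10.0.0/24")
GUEST_NET = ipaddress.ip_network("172.16.16.0/24")


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet arriving on a pfSense interface."""
    iface: str
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One interface rule. Source is deliberately absent: rules on an
    interface already apply only to traffic entering that interface."""
    iface: str
    action: str                                   # "pass" or "block"
    proto: Optional[str] = None                   # None means any protocol
    dst_net: Optional[ipaddress.IPv4Network] = None
    dst_negate: bool = False                      # True models "not LAN subnet"
    dport: Optional[int] = None
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst_net is not None:
            in_net = ipaddress.ip_address(pkt.dst) in self.dst_net
            if in_net == self.dst_negate:   # a negated rule must NOT be in the net
                return False
        return True


# The three rules recommended for the PUBLIC interface; no source is set.
PUBLIC_RULES = [
    Rule("PUBLIC", "pass", "icmp", LAN_NET, descr="ping to LAN subnet"),
    Rule("PUBLIC", "pass", "udp", LAN_NET, dport=53, descr="DNS to LAN subnet"),
    Rule("PUBLIC", "pass", None, LAN_NET, dst_negate=True, descr="Internet (not LAN subnet)"),
]


def evaluate(pkt: Packet, rules=PUBLIC_RULES):
    """First matching rule wins, as with pfSense GUI rules; anything that
    matches no rule hits the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.descr
    return "block", "default deny"


def deliver(pkt: Packet, proxy_ports=frozenset(), proxy_addr="127.0.0.1", proxy_port=3125):
    """evaluate() plus a constructed model (an assumption, not HAVP's real code)
    of a transparent proxy package on the firewall: matching TCP ports are
    redirected to the firewall-local proxy BEFORE the interface rules run,
    so the rules never see the real destination. proxy_addr/proxy_port are
    placeholders."""
    if pkt.proto == "tcp" and pkt.dport in proxy_ports:
        rewritten = Packet(pkt.iface, pkt.proto, pkt.src, proxy_addr, proxy_port)
        action, why = evaluate(rewritten)
        if action == "pass":
            # the proxy opens its own connection from the firewall to the
            # original server; that leg never crosses the PUBLIC interface rules
            return "pass", f"intercepted: matched '{why}', proxy relays to {pkt.dst}:{pkt.dport}"
        return action, why
    return evaluate(pkt)


if __name__ == "__main__":
    samples = [  # constructed traffic from a guest host 172.16.16.15
        Packet("PUBLIC", "tcp", "172.16.16.15", "10.10.0.5", 80),
        Packet("PUBLIC", "udp", "172.16.16.15", "10.10.0.1", 53),
        Packet("PUBLIC", "icmp", "172.16.16.15", "10.10.0.1"),
        Packet("PUBLIC", "tcp", "172.16.16.15", "198.51.100.10", 443),
    ]
    for pkt in samples:
        print(pkt.proto, pkt.dst, pkt.dport, "->", evaluate(pkt))
    # with a port-80 interception package enabled, the web server becomes reachable
    print("with proxy:", deliver(samples[0], proxy_ports={80}))
```

The model shows why "enable logging on every rule" is the right check but a missing log line has to be read carefully: no pass entry for port 80 means no PUBLIC rule ever matched the packet as written, so the traffic is reaching the LAN by some path that is not the interface rules, here a package that rewrites the destination before filtering.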
doktornotor, Aug 28, 2013, 8:39 AM

No matter how crappy the HAVP thing is… I'd still strongly recommend cleaning up the rules mess; there's a whole lot of good notes above, incl. the rule descriptions.
maverick_slo, Aug 28, 2013, 8:42 AM

Ummm, this is my home network…

On PUBLIC I have 4 rules and on LAN I have 2 rules...

What mess do I have? I don't understand :)
johnpoz (Global Moderator), Aug 28, 2013, 5:35 PM

"What mess do I have I don't understand"

What is supposed to be the point of the 3rd allow rule for !lan net (not lan net) in your firewall pic http://forum.pfsense.org/index.php?action=dlattach;topic=65903.0;attach=35278

If that is on the wan (public) interface.. Where else would the traffic be going? It would seem to allow anything to hit the wan interface since the destination would be the public (wan) interface IP.

If that is on your lan network.. Then none of them make any sense.

BTW, are you natting.. You have a private IP on your wan (public) interface - so if you're just wanting to control traffic on your internal network, natting would not make any sense. But this is the default setup, so curious if you turned it off or not?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
maverick_slo, Aug 29, 2013, 8:00 AM (edited 8:02 AM)

LOL, read again my friend…

I have WAN - pppoe

1. LAN: 10.10.0.0/24
2. PUBLIC: 172.16.16.0/24

PUBLIC is meant to be the second LAN for guests, and the 3rd rule allows users on 172.16.16.0/24 to access everything BUT my LAN subnet, which is private to me...
PUBLIC is just a name I gave, maybe GUEST would be easier to understand :)

And BTW, on the pfSense rules tab, WAN is NEVER marked as PUBLIC but always as WAN 8), see screenshot again.

As far as I'm concerned these rules make perfect sense, are not redundant etc...
kejianshi, Aug 29, 2013, 12:02 PM

Rules make sense, but yeah - GUEST is less confusing.

I could label my WAN as LAN and my LAN as WAN and all would work fine, but it would confuse the hell out of everyone but me.

Anyway - this is a language thing I think, and you already seem to have figured that out.
johnpoz (Global Moderator), Aug 29, 2013, 1:20 PM

Or how about Lan2? This makes it really clear it's a "lan" interface ;)

Public to me means INTERNET.. I would love to see a survey of network IT guys given the term public - is that a lan or wan type network - and see what the responses are ;)
maverick_slo, Aug 29, 2013, 3:06 PM

OK, I'm glad we solved it :)

I even renamed the damn thing haha :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.