Having Trouble Blocking All But HTTP/HTTPS



  • Hello, all!

    I am needing to block all but network traffic on one of our VLANs so as to only allow network traffic, and hopefully block most, if not all, P2P traffic… However, for some reason, I am having difficulty figuring out how.

    I've looked for a while, and people just say "Just add a rule with port 80 and 443, and that's it." The problem is, I'm not sure whether that should be inbound or outbound, whether I should have the local subnet set as inbound or outbound (I would've thought that both of those would need to be outbound, but based on what I've read I'm not 100% certain), which protocol to use (I had been thinking just TCP, but am now wondering if I should do TCP/UDP because when I ran a Packet Capture while browsing to a page, it used UDP as well), and whether I should use ports 80/443 or 3128/3129 (since that's what Squid3-dev redirects to for the proxy).

    Because of all these variables, and not having a 100% understanding of how it works, I am having quite a bit of difficulty with this... In order to simplify things, I have disabled all other firewall rules for the interface, so those shouldn't have been interfering at all.

    Thanks!



  • You are wanting to block traffic that originates from the VLAN (let's call it VLAN42), so the filter rule goes on the VLAN42 interface. Pass all protocols, source VLAN42net, destination any IP, port 80+443 (make a port alias for these ports). Then a block-everything rule after that.
    You can probably also put just protocol TCP+UDP - that should be all that normal mortals need for browsing the web.
    Note that lots of other things will try and use port 80 or 443 for non-web-browsing traffic, to get around firewalls. So this system is not fully effective.



  • @phil.davis:

    You are wanting to block traffic that originates from the VLAN (let's call it VLAN42), so the filter rule goes on the VLAN42 interface. Pass all protocols, source VLAN42net, destination any IP, port 80+443 (make a port alias for these ports). Then a block-everything rule after that.
    You can probably also put just protocol TCP+UDP - that should be all that normal mortals need for browsing the web.
    Note that lots of other things will try and use port 80 or 443 for non-web-browsing traffic, to get around firewalls. So this system is not fully effective.

    Thank you for the reply!

    That was actually the first thing I tried yesterday… I tried it again today, but still no success.

    I then tried it on the computer I am using (was trying on a computer lab computer), and it worked. I messed around with different things for a while, and remembered someone mentioning to unblock port 53 for DNS. I had previously ignored this, since I have the DNS Forwarder enabled, but figured I'd try anyway.

    And what do you know... It worked! Even though the DNS server of the other computer is set to the gateway (the DNS Forwarder), it was blocking it for some reason... Dunno why, but it works now.



  • Good point - when you enable DHCP, extra rules get added for you to allow the DHCP request/reply protocol, so you don't have to think about it for DHCP.
    But that is not done for DNS Forwarder, since people may or may not want to restrict access to the pfSense DNS Forwarder for particular interfaces / subnets / IP addresses.



  • Hi, mmm, can you explain more?
    I block all the traffic:
    action: Reject
    interface: vlan if
    tcp version ipv4 (also for ipv6)
    source any – dest any

    This way I block all the traffic, so for DHCP you should put some rules for UDP ports 67 and 68 and so on! Remember: permit first, then block!



  • When you enable DHCP on an interface, some pass rules for port 67 and 68 are added automatically - you do not see those in the Firewall Rules GUI. But you can look in /tmp/rules.debug and see these rules that are generated and given to pf.
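    As an added illustration (not posted by anyone in the thread), here is the policy the thread converged on written as pf rules, the form pfSense emits to /tmp/rules.debug. The interface name, the VLAN42 subnet and the alias contents are assumptions; pfSense puts `quick` on every generated rule so that, like the GUI, the first matching rule wins.

```pf
# Added example: pf ruleset for "allow only web browsing from VLAN42".
# Assumed values (not from the thread):
vlan42_if  = "igb0.42"        # assumed parent interface + VLAN tag for VLAN42
vlan42_net = "10.42.0.0/24"   # assumed subnet behind the pfSense "VLAN42net" macro
web_ports  = "{ 80 443 }"     # the port alias phil.davis suggested for HTTP/HTTPS

# 1. DHCP: pfSense adds these hidden rules itself when DHCP is enabled on the
#    interface, which is why they never appear in the Firewall Rules GUI.
pass in quick on $vlan42_if inet proto udp from any port 68 to any port 67

# 2. DNS to the firewall's own DNS Forwarder. This is the rule the original
#    poster was missing: clients resolve names against the gateway on port 53
#    before any port 80/443 connection is made, so the block-all rule below
#    silently broke browsing. ($vlan42_if) means "this interface's own IPs".
pass in quick on $vlan42_if inet proto { tcp udp } from $vlan42_net to ($vlan42_if) port 53

# 3. Web browsing: TCP and UDP to ports 80/443 anywhere, as the thread suggests
#    (UDP is included because browsing also showed UDP in the packet capture).
pass in quick on $vlan42_if inet proto { tcp udp } from $vlan42_net to any port $web_ports

# 4. Everything else from VLAN42 is blocked and logged. Because every rule
#    above carries "quick", ordering (permit first, then block) is what makes
#    this work; a block rule placed above the pass rules would win instead.
block in log quick on $vlan42_if from $vlan42_net to any
```

    As phil.davis notes, this only restricts ports: anything that tunnels over 80/443 still passes, so the log entries from rule 4 show what was blocked, not what was allowed through on the web ports.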

