Need 2 Open Ports but not Port Forward..



  • I'm wanting to close all ports except certain ports that are required, i.e. to allow Windows to update, games, etc.

    The issue I'm trying to figure out is how to open ports without port forwarding as port forwarding only opens a port for one machine where I have multiple ones needing access to the same ports.

    It just came to me that perhaps those ports could be forwarded to the router, then it'd work for any computer connected to the LAN?

    Any help would be great, I'm new to this!

    Thank you  ;D



  • Are you talking about outbound access or about outside resources reaching LAN resources? Cause if you are talking about internal resources being able to go outbound, then the stock configuration will allow that. Port forward is mainly for external resources to map to an internal source.
    Perhaps you could clarify a little bit.


  • LAYER 8 Global Moderator

    "i.e. to allow Windows to update, games, etc."

    You clearly do not need inbound ports for Windows to update - but if you're wanting to say host a game server or something, then yeah you might be talking about inbound.

    "those ports could be forwarded to the router"

    This makes it sound like you're behind a double NAT?

    Why don't you clearly state what you need, and then we can try and help you.  Currently I'm with podilarius, not sure what you're after actually.  But you cannot port forward inbound traffic to more than 1 internal machine - just not possible.  Unless you have more than 1 public IP address.



  • Yes, I understand that's not possible as I stated already.

    It's a very simple setup for my home and is exactly in this order:

    Modem > Firewall (pfSense) > Wireless Router > local machines

    Again, I'm wanting to close all ports except the ones needed, like Windows Update.

    There is no server that requires outside access, so it's not a situation where I have Server 2012 updating all of my machines, in which case I would port forward to that machine - they're all doing their own updates.

    My goal is to open those ports only, I can't port forward the same port to multiple machines so I'm not sure what to do.

    Hopefully that clears it up a bit more.


  • LAYER 8 Global Moderator

    There are NO INBOUND ports required for windows update, by default ALL INBOUND ports are blocked.. The firewall only allows answers to something a client behind the firewall has requested.

    From your layout - I personally would guess you have a triple NAT setup to be honest.  So is your wireless router just being used as an access point, or is it natting?  As to your modem - guessing it's not just a modem but a gateway that does NAT.

    Do you mean you want to block OUTBOUND access to everything other than windows update?  Windows update does not use special ports.. It uses the normal http/https and your client requests the download..  There are no special rules that you would need to create for pfsense to allow this.



  • @johnpoz:

    There are NO INBOUND ports required for windows update, by default ALL INBOUND ports are blocked.. The firewall only allows answers to something a client behind the firewall has requested.

    From your layout - I personally would guess you have a triple NAT setup to be honest.  So is your wireless router just being used as an access point, or is it natting?  As to your modem - guessing it's not just a modem but a gateway that does NAT.

    Do you mean you want to block OUTBOUND access to everything other than windows update?  Windows update does not use special ports.. It uses the normal http/https and your client requests the download..  There are no special rules that you would need to create for pfsense to allow this.

    My new router broke (Cisco grr) so I've reverted back to a router that doesn't handle AP, so it does have NAT turned on; however, it's set to allow all traffic so pfSense can handle the open / closed port issue. It's a double NAT network for now, to clarify - the modem is a modem, it's not a gateway.

    Yes, I'm wanting to block all outbound ports except for services that require access to the internet. I have several programs outside of Windows that need access to certain ports as well that are on more than one machine thus making port forwarding unusable for this setup.

    This is confusing me a lot because I thought a firewall could have all ports closed except those specified which could simply be open for all computers requesting to use that port… I didn't think it was a big deal or anything unusual...

    My goal is to make it where a hacker can't drop a packet and then have it call home. If I eliminate that then I would have enhanced the security a lot against script kiddies at the very least.

    I've read a lot about how firewalls should have ports closed both inbound and outbound so I'm trying to harden the security.


  • LAYER 8 Global Moderator

    "My goal is to make it where a hacker can't drop a packet and then have it call home"

    So you're not going to use the internet on any of your computers other than KNOWN sites?  Since why would this hacker not just phone home on http or https.. 80 and 443?  So you're going to set up rules that allow say ONLY pfsense.org port 80??

    If you want to lock down your OUTBOUND traffic to known ports, then you would need to allow 80 and 443..  This is a simple LAN rule, and has nothing at all to do with port forwarding whatsoever.

    Port forwarding is a way of allowing unrequested traffic into a private address.. For example, say you were running a web server on 192.168.1.100 and you want people on the internet to be able to access this web server - then you would need to forward http or port 80 tcp to 192.168.1.100..  This would include 2 rules: the NAT that performs that function when it sees traffic to port 80 on your WAN interface (let's call this public IP 1.2.3.4), and the WAN firewall rule that permits the traffic.

    If you want to harden your security - I would suggest you read up on how stuff works on the internet before you go blocking stuff ;)

    If you want to block OUTBOUND traffic other than known ports, then create a LAN rule that blocks everything, then above that rule allow the ports you want to allow, either to everything - or to only specific IPs or aliases you have created.  Just do not forget to allow traffic to the pfSense LAN interface, or you will not be able to do DNS for example and get anywhere..

    So delete the default rule that allows all outbound.

    Then create a rule that allows your LAN to access the pfSense LAN address on all ports.
    Then create a rule that allows http.
    Then create a rule that allows https.
    Then create a BLOCK all rule.. There you go, hardened and locked down.. You would allow the ports and destinations you want to allow above the block rule..  Again, this is on the LAN interface..

    See this doc item for locking down outbound
    https://doc.pfsense.org/index.php/Example_basic_configuration#Example_of_a_basic_lock_down_of_the_LAN_and_DMZ_out_going_rules

    But I would REALLY suggest you understand what you're doing before you go putting in rules that block stuff outbound – or you're going to most likely break stuff.  And back to your hacker idea -- if your machine has become compromised you have already LOST and your firewall is not going to stop anything -- why would a hacker say want to talk home on say port 42007 when they could just call home on the standard http or https ports..
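To make the ordering in that procedure concrete, here is an added example (not from the thread or the pfSense project) that evaluates the four LAN rules top-down, first match wins, the way pfSense processes them. The pfSense LAN address 192.168.1.1 and the sample flows are constructed assumptions; it also shows what breaks when the "allow LAN to pfSense" rule is left out.

```python
from dataclasses import dataclass
from typing import Optional

PFSENSE_LAN = "192.168.1.1"   # assumed pfSense LAN address (constructed)
ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    dst: str               # destination host or "any"
    dport: Optional[int]   # destination port, None = all ports
    note: str = ""

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        return ((self.proto == ANY or self.proto == proto)
                and (self.dst == ANY or self.dst == dst)
                and (self.dport is None or self.dport == dport))


# The LAN ruleset in the order the post gives it (default allow-all deleted).
LOCKDOWN = [
    Rule("pass", ANY, PFSENSE_LAN, None, "LAN -> pfSense itself (DNS, GUI)"),
    Rule("pass", "tcp", ANY, 80, "http"),
    Rule("pass", "tcp", ANY, 443, "https"),
    Rule("block", ANY, ANY, None, "block everything else"),
]


def evaluate(rules, proto: str, dst: str, dport: int) -> str:
    """First matching rule decides; pfSense's implicit default deny otherwise."""
    for r in rules:
        if r.matches(proto, dst, dport):
            return r.action
    return "block"


def check_flows(rules) -> dict:
    # Constructed sample flows from a LAN client; 203.0.113.0/24 is documentation space.
    flows = {
        "dns_to_pfsense": ("udp", PFSENSE_LAN, 53),
        "https_update": ("tcp", "203.0.113.10", 443),
        "callback_42007": ("tcp", "203.0.113.99", 42007),
        "dns_to_external": ("udp", "8.8.8.8", 53),
    }
    return {name: evaluate(rules, *f) for name, f in flows.items()}


if __name__ == "__main__":
    print(check_flows(LOCKDOWN))        # only DNS-to-pfSense, http and https pass
    print(check_flows(LOCKDOWN[1:]))    # without rule 1, DNS to pfSense is blocked too
```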



  • :o I appreciate your help but seriously I asked in the same manner on another forum that has nothing to do with pfSense and was able to get an answer in less than 20 minutes. The person actually read my posts so I didn't need to explain the same things several times over.  ;)

    "So you're not going to use the internet on any of your computers other than KNOWN sites?  Since why would this hacker not just phone home on http or https.. 80 and 443?  So you're going to set up rules that allow say ONLY pfsense.org port 80??"

    I never said I'm not going to use the computers other than known sites. I said I don't want any unknown services to access the internet other than the ones I pick.

    "If you want to lock down your OUTBOUND traffic to known ports, then you would need to allow 80 and 443..  This is a simple LAN rule, and has nothing at all to do with port forwarding whatsoever."

    I know it has nothing to do with port forwarding if you would have read what I originally posted. :) I also know about port 80 / 443 which I had already agreed was necessary. This is why I posted here instead of a different part of the forum.

    Again, I appreciate your help and the bottom part of what you said is essentially what I was after, but please skim better so there's less confusion of what's going on, such as the home network setup - I stated the hardware as is, as well as knowing port forward is not what is needed here.

    Thanks!


  • LAYER 8 Global Moderator

    Skim better??  Dude, what you're asking for has NOTHING to do with port forwarding..  How about you actually write a subject that has something to do with what you're after.

    "Need 2 Open Ports but not Port Forward"

    "The issue I'm trying to figure out is how to open ports without port forwarding as port forwarding only opens a port for one machine where I have multiple ones needing access to the same ports."

    Clearly you have no clue what a port forward is if you're actually wanting to block outbound traffic.

    Where is the link to this other post - I want to see what you wrote and what they answered – because if someone figured out that you were talking about blocking outbound traffic from the gibberish you wrote they are a freaking mind reader!

    edit:  And this sounds like you're going to run into even more issues trying to block outbound from clients - because they are all behind a NAT.

    "I've reverted back to a router that doesn't handle AP, so it does have NAT turned on; however, it's set to allow all traffic so pfSense can handle the open / closed port issue"

    Dude, ANY wireless router, I mean ANY, can be used as just an access point..  You turn off its DHCP server and connect it to your network via one of its LAN ports = shazam, AP.  If you are natting behind pfSense and you try and control outbound traffic, you will have to use the same rules for every client - because they will all have the IP of the WAN interface of your wireless router in your drawing.  So it will be impossible to say allow 192.168.1.101 to go out on port 21 while blocking others from doing so, etc.

