Netgate Discussion Forum

    Blocking the outside world

    Category: Problems Installing or Upgrading pfSense Software
    6 Posts 3 Posters 1.3k Views
    • jacob.tennant

      I have been working on my firewall rules and was hoping one of you gurus would double check my settings.

      If I am in error, please advise me what I have set wrong.
      ![Screen Shot 2014-02-19 at 9.08.31 AM.png](/public/imported_attachments/1/Screen Shot 2014-02-19 at 9.08.31 AM.png)

      • phil.davis

        I guess that 66.118.82.* are your public IP addresses, and that you have servers internally that are on 10.10.60.* and you are forwarding port 80 to them. In that case, Source is anywhere on the internet (the public clients accessing your web server) and port any (the client connects will come from a random port on the client). Because NAT is applied before the firewall rules are evaluated, destination is 10.10.60.* - which you have right.
        But it is easier to choose "Add associated filter rule" when you are adding the NAT Port Forward - then it makes a firewall rule for you.
        The last "reject" rule - I would make it a block on WAN. There is no need to be nice to hackers and send them any response at all, even a reject. On LAN, a reject is friendly so that the LAN client (hopefully friendly machines) gets a quick negative response rather than waiting for a timeout.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • jacob.tennant

          What I was trying to setup was so that when someone on the outside tried to access my webserver (10.10.60.4) the firewall would only pass traffic from 66.118.82.126 on the http port 80, so if they tried to SSH or FTP on the outside IP the firewall would stop it.

          As well, I could allow FTP traffic on the same outside address, say 66.118.82.125 on the FTP port sending it to a different server 10.10.60.99.

          Just trying to restrict how the outside can access the inside of my network, as I only want web traffic coming from 66.118.82.126 to go to the web port 80 of server 10.10.60.4, with no way for anyone to get in other than with http port 80 traffic, and once it is inside it can only go to where I specify it to go to.

          I know this may seem a little bit overly strict, but this is a testing/development network and I want it to be secure, as I am having enough trouble building & setting up new things without some bonehead messing around for the fun of it.

          • stephenw10 (Netgate Administrator)

            It does not seem overly strict at all. Why would you open any ports to any machines that don't need to be open?

            By default pfSense will block all traffic on every interface. To allow any traffic you have to add firewall rules. The only exception to this is that the LAN interface has a default rule that allows you to access the webgui and get out to the internet.

            As Phil said, the source port is almost certainly not port 80 but some random high port so use 'any' there.

            We would need to see your port forward rules also to offer further comment I think.

            Steve

            • phil.davis

              If 66.118.82.125 and 66.118.82.126 are the public IP addresses of remote clients from which you are willing to accept connections, then using that as source on your rules is good. But yes, the source port from which connections come from those clients will not be port 80 - the source ports will be "random" ephemeral port numbers. Practically you will need to allow source port any.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              • jacob.tennant
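The two points Phil makes above (the port forward rewrites the destination before the WAN rules are evaluated, so the rule's destination is the internal address, and the client's source port is an ephemeral port, so the rule's source port must be "any") together with Steve's point that everything not explicitly passed is blocked, can be checked with a small model of that pipeline. The following is an added example written for this thread, not code from pfSense or from any poster. It assumes Phil's first reading of the addresses (66.118.82.* are the public IPs, 10.10.60.* the internal servers), a first-match rule order as in pfSense's WAN rules, and a constructed client address 203.0.113.7 from the documentation range.

```python
"""Toy model of the pfSense WAN pipeline: NAT port forward first, then
first-match firewall rules, with a default deny. Constructed example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Forward:
    """A NAT port forward: WAN address/port -> internal address/port."""
    wan_ip: str
    port: int
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "pass", "block" or "reject"
    proto: str                # "tcp" or "any"
    src_ip: str               # exact IP, prefix such as "66.118.82." or "any"
    src_port: Optional[int]   # None means "any"
    dst_ip: str
    dst_port: Optional[int]


def _ip_match(pattern: str, ip: str) -> bool:
    return pattern == "any" or ip == pattern or (
        pattern.endswith(".") and ip.startswith(pattern))


def _port_match(pattern: Optional[int], port: int) -> bool:
    return pattern is None or pattern == port


def apply_nat(forwards: List[Forward], pkt: Packet) -> Packet:
    """Rewrite the destination if a port forward matches (done before filtering)."""
    for f in forwards:
        if pkt.proto == "tcp" and pkt.dst_ip == f.wan_ip and pkt.dst_port == f.port:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, f.target_ip, f.target_port)
    return pkt


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; nothing matching falls to the default deny."""
    for r in rules:
        if (r.proto in ("any", pkt.proto)
                and _ip_match(r.src_ip, pkt.src_ip)
                and _port_match(r.src_port, pkt.src_port)
                and _ip_match(r.dst_ip, pkt.dst_ip)
                and _port_match(r.dst_port, pkt.dst_port)):
            return r.action
    return default


def wan_decision(forwards: List[Forward], rules: List[Rule], pkt: Packet) -> str:
    return evaluate(rules, apply_nat(forwards, pkt))


# Assumed port forwards: public 66.118.82.126:80 -> web server 10.10.60.4,
# public 66.118.82.125:21 -> FTP server 10.10.60.99 (constructed from the thread).
FORWARDS = [Forward("66.118.82.126", 80, "10.10.60.4", 80),
            Forward("66.118.82.125", 21, "10.10.60.99", 21)]

# Rules as Phil describes them: source any/any, destination = internal host.
CORRECT_RULES = [Rule("pass", "tcp", "any", None, "10.10.60.4", 80),
                 Rule("pass", "tcp", "any", None, "10.10.60.99", 21),
                 Rule("block", "any", "any", None, "any", None)]

# Two common mistakes, kept for comparison.
SRCPORT_80_RULES = [Rule("pass", "tcp", "any", 80, "10.10.60.4", 80)]       # source port fixed to 80
WAN_DST_RULES = [Rule("pass", "tcp", "any", None, "66.118.82.126", 80)]    # destination = public IP


def web_client() -> Packet:
    """A real browser connection: ephemeral source port, public destination."""
    return Packet("tcp", "203.0.113.7", 51234, "66.118.82.126", 80)


def ssh_attempt() -> Packet:
    """Something nobody forwarded: must fall through to the default block."""
    return Packet("tcp", "203.0.113.7", 51235, "66.118.82.126", 22)


if __name__ == "__main__":
    print("correct rules, web client :", wan_decision(FORWARDS, CORRECT_RULES, web_client()))
    print("source port 80, web client:", wan_decision(FORWARDS, SRCPORT_80_RULES, web_client()))
    print("WAN IP as dest, web client:", wan_decision(FORWARDS, WAN_DST_RULES, web_client()))
    print("correct rules, ssh attempt:", wan_decision(FORWARDS, CORRECT_RULES, ssh_attempt()))
```

Running it shows the web client passing only under the rule set that uses source port any and the internal address as destination; the rule with source port 80 never matches because the client arrives from port 51234, and the rule with the public IP as destination never matches because the forward has already rewritten the destination to 10.10.60.4 by the time the rules run. The SSH attempt has no forward and no pass rule, so it hits the default block, which is the behaviour Steve describes. The last rule's action is a plain "block" rather than "reject" on the WAN side, as Phil recommends; a LAN rule set would use "reject" there so internal clients fail fast.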

                Ok, thank you for the responses. I will make those changes shortly; I am waiting for my ISP to bring me my new modem, as I found my current modem is DEAD!

                Thanks again

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.