Blocking the outside world



  • I have been working on my firewall rules and was hoping one of you gurus would double-check my settings.

    If I am in error, please advise me what I have set wrong.
    ![Screen Shot 2014-02-19 at 9.08.31 AM.png](/public/imported_attachments/1/Screen Shot 2014-02-19 at 9.08.31 AM.png)



  • I guess that 66.118.82.* are your public IP addresses, and that you have servers internally that are on 10.10.60.* and you are forwarding port 80 to them. In that case, Source is anywhere on the internet (the public clients accessing your web server) and port any (the client connections will come from a random port on the client). Because NAT is applied before the firewall rules are evaluated, destination is 10.10.60.* - which you have right.
    But it is easier to choose "Add associated filter rule" when you are adding the NAT Port Forward - then it makes a firewall rule for you.
    The last "reject" rule - I would make it a block on WAN. There is no need to be nice to hackers and send them any response at all, even a reject. On LAN, a reject is friendly so that the LAN client (hopefully friendly machines) gets a quick negative response rather than waiting for a timeout.



  • What I was trying to set up was that when someone on the outside tried to access my web server (10.10.60.4), the firewall would only pass traffic from 66.118.82.126 on the HTTP port 80, so if they tried to SSH or FTP to the outside IP the firewall would stop it.

    As well, I could allow FTP traffic on the same outside address, say 66.118.82.125 on the FTP port sending it to a different server 10.10.60.99.

    I am just trying to restrict how the outside can access the inside of my network, as I only want web traffic coming from 66.118.82.126 to go to the web port 80 of server 10.10.60.4, with no way for anyone to get in other than with HTTP port 80 traffic, and once it is inside it can only go where I specify.

    I know this may seem a little bit overly strict, but this is a testing/development network and I want it to be secure, as I am having enough trouble building and setting up new things without some bonehead messing around for the fun of it.


  • Netgate Administrator

    It does not seem overly strict at all. Why would you open any ports to any machines that don't need to be open?

    By default pfSense will block all traffic on every interface. To allow any traffic you have to add firewall rules. The only exception to this is that the LAN interface has a default rule that allows you to access the webgui and get out to the internet.

    As Phil said, the source port is almost certainly not port 80 but some random high port so use 'any' there.

    We would need to see your port forward rules also to offer further comment I think.

    Steve



  • If 66.118.82.125 and 66.118.82.126 are the public IP addresses of remote clients from which you are willing to accept connections, then using them as the source on your rules is good. But yes, the source ports from which those clients connect will not be port 80 - they will be "random" ephemeral port numbers. Practically you will need to allow source port any.
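The rule set the thread converges on, written out in pf syntax as an added example; this is not part of any post above and not pfSense's own generated ruleset (pfSense writes the equivalent to /tmp/rules.debug from what you enter in the GUI). It follows the reading in the second reply, that 66.118.82.125 and .126 are the firewall's public addresses rather than remote clients, and the interface names em0/em1 are assumed.

```pf
# Added example: FreeBSD pf syntax for the WAN/LAN policy discussed in the thread.
# Interface names em0 (WAN) and em1 (LAN) are assumptions; substitute your own.
wan = "em0"
lan = "em1"
web_pub = "66.118.82.126"   # public address clients connect to
web_int = "10.10.60.4"      # internal web server
ftp_pub = "66.118.82.125"
ftp_int = "10.10.60.99"     # internal FTP server

# NAT port forwards. Translation runs before filtering, so the filter rules
# further down must match on the *internal* destination address, not the public one.
rdr on $wan proto tcp from any to $web_pub port 80 -> $web_int port 80
rdr on $wan proto tcp from any to $ftp_pub port 21 -> $ftp_int port 21

# Default deny. On WAN a plain "block" drops silently (no RST or ICMP back to a
# scanner). On LAN "block return" is what pfSense calls "reject": friendly hosts
# get an immediate refusal instead of waiting for a timeout.
block in log on $wan
block return in log on $lan

# Only the forwarded services are allowed in from WAN. Source is "any" because
# clients come from anywhere, and the source port is left at "any" because
# clients connect from ephemeral ports, never from port 80 or 21 themselves.
pass in quick on $wan proto tcp from any to $web_int port 80 flags S/SA keep state
pass in quick on $wan proto tcp from any to $ftp_int port 21 flags S/SA keep state

# The LAN default rule: LAN hosts may reach the firewall's web GUI and the internet.
pass in quick on $lan from $lan:network to any keep state
```

Anything not matched by a `pass ... quick` line falls through to the `block` for its interface, so SSH or FTP attempts against 66.118.82.126 are dropped without a reply. One caveat for the FTP forward: port 21 only covers the control channel; the data connections FTP opens on other ports need either pfSense's FTP proxy or additional rules, or transfers will hang after login.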



  • OK, thank you for the responses. I will make those changes shortly, as I am waiting for my ISP to bring me my new modem; I found my current modem is DEAD!

    Thanks again