Transparent Firewall or isolate pfsense from internet



  • Hi to everybody.

    I have installed pfsense 2.1.2-RELEASE (i386).
    I have WAN, LAN and OPT1 interfaces on this box, and a web server on OPT1. Almost everything is working great, and thank you to all the people who put effort into this great firewall.

    If I open port 80 on the WAN interface and forward it to the OPT1 interface, everything works great. My website can be accessed from the internet, but it is also good for prying eyes.

    What I need is to close port 80 and still have the web server accessible. I guess this is called a transparent firewall(?). I did some searching, but the info I found did not help me.

    I used pfSense 1.x before, and it was easy to make my firewall transparent. But with pfSense 2.x, it seems that transparenting (if this is the right name for it) is more difficult.

    How can I make my firewall stealth? Or is there a good article/info that I can use?

    Thank you.



  • What do you mean by "good for prying eyes"? A port is either open, closed or stealthed. You have to keep the inbound port 80 open on the WAN interface, otherwise no one can access your web server.

    Edit: A transparent firewall, if you mean one where two interfaces are bridged together, is not any more "stealthy" by default. It depends on what kind of address you set on the interface you'll be using for connecting to the webGUI of pfSense. A private range address would of course be invisible to the internet; is that what you meant?



  • What are you trying to accomplish? Who should or shouldn't see this web server? Should this web server have a public IP, use NAT or be internal only?



  • The web server I have is in the DMZ zone (OPT1). WAN has a public IP address. Websites on the web server are reachable from the internet, as they are supposed to be.
    But I have to open port 80 on the WAN interface in order for the web server to be accessed. I did not have to do this when I had pfSense 1.x.

    Is there a way in pfSense that I can close (or stealth) port 80 and websites on the web server can still be accessed? Maybe I don't know the right terminology for this, but I don't want my pfSense to be visible on the internet. If someone scans the public IP, they should not see any port open.

    Right now, if I scan my public IP on grc.com, port 80 is the only port shown as open.

    I was wondering how you guys do it. Or is there a way in pfSense 2.1.2?

    Thank you for all of your answers.



  • You have some very wrong ideas of how TCP/IP works. If you want to have your website visible to the outside, there is absolutely no way around opening port 80 on the firewall. Stealthing would mean closing all access to the port, and obviously that's not what you want to do.

    The grc.com scan is informative, but you have to know how to read the results. If it shows that port 80 is open on your IP address, then that's exactly what you would expect, since you have a publicly accessible web server waiting for connections from the internet.
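    The three states kpa refers to (open, closed, stealth) are the three things a TCP connect probe can observe: a completed handshake, an RST, or silence. The script below is an added illustration, not code from the thread or from pfSense; it classifies a port the way grc.com does, so you can see for yourself that the port serving HTTP must come back as open on whatever public address it lives on, while a firewall with a drop policy shows as stealth on every address where it has nothing to serve. Host and port list in the usage line are placeholders.

```python
"""Classify TCP ports the way a "stealth" scanner such as grc.com reports them.

Added illustration (not from the pfSense thread). Three outcomes matter:
  open    - the TCP handshake completed: something is listening behind the firewall
  closed  - the host answered with RST (connection refused): nothing listens, but
            the address is visibly alive ('block return' in pf behaves like this)
  stealth - nothing came back before the timeout: the SYN was silently dropped
            ('block drop' in pf), which is what grc.com calls stealth
"""
import errno
import socket

OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return OPEN / CLOSED / STEALTH / UNREACHABLE for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:
        # No SYN/ACK and no RST within the timeout: the packet was dropped.
        return STEALTH
    except ConnectionRefusedError:
        # RST received: the port is closed but the host announced itself.
        return CLOSED
    except OSError as e:
        # ICMP unreachable from a router on the path, not from the target.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        s.close()


def scan(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe each port in turn and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def verdict(results: dict) -> str:
    """Summarise like grc.com: 'all stealth', or the ports that gave any answer."""
    visible = sorted(p for p, state in results.items() if state != STEALTH)
    if not visible:
        return "all stealth"
    return "visible: " + ", ".join(f"{p}/{results[p]}" for p in visible)


if __name__ == "__main__":
    import sys
    # Placeholder target: scan your own public address from outside the LAN,
    # or 127.0.0.1 to see 'closed' answers from the local host.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(verdict(scan(target, [22, 80, 443, 8080], timeout=1.0)))
```

    Run it from a host outside your network against the public IP: the address that answers HTTP reports `80/open`, and every other probe against a drop-policy firewall times out and reports stealth. A scan run from inside the LAN against the WAN address only exercises pfSense's own listener, which is why an internal grc-style scan can look "all stealth" while the web server is still reachable from the internet on its own address.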



  • @kpa:

    You have some very wrong ideas of how TCP/IP works.

    exactly that ^

    @hakkatil:

    But I have to open port 80 on the WAN interface in order for the web server to be accessed. I did not have to do this when I had pfSense 1.x.

    Yes, you did have to do that on 1.x, and you have to do that on every single network device, firewall, router, etc. in existence. If you want HTTP to be reachable, port 80 must be open.



  • I guess I did not make myself clear.

    What I am trying to say is to make all the ports invisible on the WAN interface, not on the web server or any other device behind the firewall. If someone scans my public IP address, they won't be able to see any ports open. I just need to know if this is even possible.

    I am pretty sure that none of the ports were seen (maybe open in pfSense) by outsiders, but the web server was still accessible when I used pfSense 1.x. At least, what grc.com showed was that all of the ports were stealth.

    Thank you



  • The details of your old setup are still severely lacking, but if you did have a bridged setup with WAN and OPT1 bridged together, then the web server would have been on a different public IP address, and the grc scan from a LAN host, which basically scans the pfSense WAN ports, wouldn't show anything open.

    You can create such a bridged setup easily on 2.1.2, but you'll have to do the setup from a host on the LAN so you don't lock yourself out of the webGUI if something goes wrong. Go to Interfaces->(Assign). Select the Bridges tab and create a new bridge with WAN and OPT1 as members, then save. Allow access to the web server by creating a rule on the WAN rules with the IP address of the web server as the destination address, port 80 for HTTP. Also check in the firewall rules that hosts on the OPT1 network can get out; for starters you should allow all inbound traffic on OPT1 and tighten the rules later.

    Hope this helps.
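    The bridged layout in the post above, written out as the pf rule logic behind the GUI rules so the security-relevant pieces are visible in one place. This is an added illustration, not from the post and not pfSense's generated ruleset (pfSense writes its own rules from the webGUI; do not load this file on the box). The interface names em0/em1/em2, the 203.0.113.0/24 addresses and the 192.168.1.0/24 LAN subnet are assumed placeholders.

```pf
# Illustrative pf rules for a WAN<->OPT1 bridge with a separately addressed web server.
# Added example; pfSense generates its own ruleset, this only shows the intended logic.

wan_if  = "em0"             # WAN, member of bridge0 (name assumed)
dmz_if  = "em1"             # OPT1, member of bridge0 (name assumed)
lan_if  = "em2"             # LAN, where the webGUI is managed from (name assumed)
fw_ip   = "203.0.113.2"     # pfSense's own public address on the bridge (assumed)
web_srv = "203.0.113.10"    # web server's own public address on OPT1 (assumed)
lan_net = "192.168.1.0/24"  # management network (assumed)

# Dropped packets get no RST and no ICMP reply: a scanner reports them as
# "stealth". With "set block-policy return" the same probes would get an RST
# back and the firewall's address would show as "closed", i.e. visibly alive.
set block-policy drop
set skip on lo0

# Default deny, including any probe aimed at the firewall's own address.
block in log all

# The bridge forwards frames, but filtering still happens on the member
# interfaces. Inbound HTTP is allowed only when it is addressed to the web
# server, never to the firewall itself, so $web_srv shows 80/open and
# $fw_ip shows nothing at all.
pass in quick on $wan_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# Starting point from the post: allow everything from the DMZ side, tighten later.
pass in quick on $dmz_if all keep state

# Management of pfSense only from the LAN side, never across the bridge.
pass in quick on $lan_if inet from $lan_net to $fw_ip port { 22, 443 } keep state

# Let the firewall and the hosts behind it reach out.
pass out quick all keep state
```

    The two lines worth checking on your own box are the block policy (drop versus return decides whether the firewall's address looks stealth or closed to a scan) and the destination of the port-80 pass rule, which must be the web server's address, not the firewall's. That is the whole difference between "port 80 open on the firewall" and "port 80 open on the web server behind a firewall that itself answers nothing".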



  • @hakkatil:

    I guess I did not make myself clear.

    What I am trying to say is to make all the ports invisible on the WAN interface, not on the web server or any other device behind the firewall. If someone scans my public IP address, they won't be able to see any ports open. I just need to know if this is even possible.

    I am pretty sure that none of the ports were seen (maybe open in pfSense) by outsiders, but the web server was still accessible when I used pfSense 1.x. At least, what grc.com showed was that all of the ports were stealth.

    Thank you

    Unless your web server uses a different IP than your WAN IP, there is no way to both make port 80 invisible to a scan and allow HTTP to work.

    Now if you had one IP for your firewall and one IP for your web server, you could have your firewall be all stealth and your web server would show up on a port scan as having port 80 open.

    What it comes down to is this: whatever public IP address your web server is using, you will see port 80 open on it, unless you block it, which will make HTTP not work.