Firewall blocks port that is allowed in the rules list



  • Hi.

    I'm trying to let MS RDP-traffic through the firewall, so I have created both a NAT-rule to route the traffic, and the corresponding firewall rule is also created.

    Internally I can connect to the MS RDP service

    When I connect from outside I can see that the package is being dropped in the System Logs - Firewall tab, and when i click the cross it says:

    The rule that triggered the action is:
    @275 block drop in log quick all label "Default block all just to be sure"

    In my firewall rules list I only have one blocking rule (the one for blocking bogus networks), and have tried to disable it with no luck. I have a bunch of other rules to allow normal server traffic ports to pass (25, 80, etc.) and they all work.

    Can anyone point me in the direction of what/why there apparently is a rule that I cannot find or disable?

    Best regards
    Klaus



  • The default rule is not "visible" - it is just that - a default rule.

    On the WAN interface there is a default rule that blocks all traffic - you then let only the traffic through that you need.

    What exactly was the rule that you created on the WAN interface to let the RDP through?



  • Hi again.

    I have uploaded 2 screenshots of my rules. Hopes this helps

    All my rules:

    The specific rule for 3389:



  • The rule looks OK.

    Can you take a screen dump of the log line with the blocked traffic in (not the popup when you click the red X)



  • Did you port forward 3389 to your internal IP by NATting as well?

    Something like:
    WAN  |  TCP  |  ext.port (12345)  |  10.10.0.10  |  3389 (MS RDP)  |  RDP -> MS-machine

    This way you have to connect to your external IP on port 12345 to reach your 10.10.0.10:3389



  • Yes, please show us the firewall block log and your nat-rule as well.



  • Hi All.

    Sorry for the delay. I did a new install of PfSense 1.2 and recreated all my rules, and now it works.

    My guess is that somehow the firewall rule was not loaded, since it was blocked by the default rule.

    Thanks for your quick responses.
    Best regards
    Klaus



  • My suspicion is that you had "any" in your nat rule instead of "interface IP". This is a common error that some people make when setting up NAT the first time. I guess you just did it right the second time but I guess we'll never know now. Glad you got it working though :-)



  • Hi.

    Sorry about that  - I was just too eager to fix it :-\

    Just for the record I tried to change the NAT-rule on the new installation to 'any' and reset states. I could still connect from the outside. But then again its not the original rule, and there is a great probability that I might have messed something up ;)



  • Hi

    I have really a similar issue.

    I try to forward my SIP traffic from Port 5060 to my internal Asterisk Server but pfsens block all my sip traffic

    The rule that triggered the action is:
    @702 block drop in log quick all label "Default block all just to be sure"

    I also upgrade to Pfsense 1.2 but i don't help, I don't create all my config new I do a restore.

    thanx for your help

    Mike



  • You have to show us the nat rule and the firewallrule or we can't help you.



  • What is the best way? A Printscreen or the config files?

    thx mike



  • here are the xml part form the NAT Section

    • <nat><ipsecpassthru>- <rule><protocol>tcp</protocol>
        <external-port>22</external-port>
        <target>192.168.1.16</target>
        <local-port>22</local-port>
        <interface>wan</interface>
        <descr>SSH Server Enif</descr></rule>
    • <rule><protocol>tcp</protocol>
        <external-port>80</external-port>
        <target>192.168.20.14</target>
        <local-port>80</local-port>
        <interface>wan</interface>
        <descr>Web Server Scutum</descr></rule>
    • <rule><protocol>udp</protocol>
        <external-port>5060-5062</external-port>
        <target>192.168.1.15</target>
        <local-port>5060</local-port>
        <interface>wan</interface>
        <descr>SIP</descr></rule>
    • <rule><protocol>udp</protocol>
        <external-port>10000-10200</external-port>
        <target>192.168.1.15</target>
        <local-port>10000</local-port>
        <interface>wan</interface>
        <descr>RTP</descr></rule>
    • <advancedoutbound>- <rule>- <source>
        <network>192.168.1.0/24</network>

    <sourceport><descr>LAN –> WAN</descr>
      <target><interface>wan</interface>

    • <destination><any></any></destination>
        <natport></natport></target></sourceport></rule>
    • <rule>- <source>
        <network>192.168.30.0/24</network>

    <sourceport><descr>WLAN --> WAN</descr>
      <target><interface>wan</interface>

    • <destination><any></any></destination>
        <natport></natport></target></sourceport></rule>
    • <rule>- <source>
        <network>192.168.20.0/24</network>

    <sourceport><descr>DMZ --> WAN</descr>
      <target><interface>wan</interface>

    • <destination><any></any></destination>
        <natport></natport></target></sourceport></rule>
        <enable></enable></advancedoutbound></ipsecpassthru></nat>

    and rules:

    • <filter>- <rule><type>pass</type>
        <interface>wan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><max-src-conn-rate>1</max-src-conn-rate>
        <max-src-conn-rates>10</max-src-conn-rates>
        <protocol>tcp</protocol>
    • <source>
        <any>- <destination><address>192.168.1.16</address>

    <port>22</port></destination>
      <log><descr>NAT SSH Server Enif</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>

    • <rule><type>pass</type>
        <interface>wan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>tcp</protocol>
    • <source>
        <any>- <destination><any><port>443</port></any></destination>
        <log><descr>OpenVPN Server ( spez. inport https )</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    • <rule><type>pass</type>
        <interface>wan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>tcp</protocol>
    • <source>
        <any>- <destination><address>192.168.20.14</address>

    <port>80</port></destination>
      <descr>NAT Web Server Scutum</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>

    • <**rule>
        <type>pass</type>
        <interface>wan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>udp</protocol>

    • <source>
        <network>wanip</network>

    • <destination><address>192.168.1.15</address>

    <port>5060-5062</port></destination>
      <log><descr>NAT SIP</descr></log></os></statetimeout></max-src-states></max-src-nodes>**

    • <rule><type>pass</type>
        <interface>wan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>tcp</protocol>

    • <source>
        <network>wanip</network>

    • <destination><network>opt2</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

    • **<rule><type>pass</type>
        <interface>wan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>udp</protocol>

    • <source>
        <any>- <destination><address>192.168.1.15</address>

    <port>10000-10200</port></destination>
      <log><descr>NAT RTP</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>**

    • <rule><type>pass</type>
        <interface>opt2</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os>- <source>
        <network>opt2</network>

    • <destination><network>lan</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

    • <rule><type>pass</type>
        <interface>opt1</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os>- <source>
        <network>opt1</network>

    • <destination><network>wanip</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

    • <rule><type>pass</type>
        <interface>opt1</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>tcp/udp</protocol>

    • <source>
        <network>opt1</network>
        <port>22</port>

    • <destination><network>lan</network>
        <port>22</port></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

    • <rule><type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>

    • <source>
        <network>lan</network>

    • <destination><any></any></destination></rule>

    • <rule><interface>enc0</interface>
        <type>pass</type>

    • <source>
        <any>- <destination><any></any></destination>
        <descr>Permit IPSEC traffic.</descr>
        <statetype>keep state</statetype></any></rule></filter>

    thx mike



  • You should forward and allow tcp for the 506x ports too. The higher ports should be udp only but depending on the implementation it might need tcp there too ( http://en.wikipedia.org/wiki/Session_Initiation_Protocol ).



  • Ok

    I change this, but for me total unclear is why pfsense block my traffic that I want to pass?

    thx mike



  • Show us the exact line of the block that you thin that should be a pass. Your firewallrules are somehow wrong. There is no other reason why it should block traffic besides of that.



  • hi

    that's the Bold on's in the previous post, here only this on:

    NAT:

    <rule><protocol>udp</protocol>
      <external-port>5060-5062</external-port>
      <target>192.168.1.15</target>
      <local-port>5060</local-port>
      <interface>wan</interface>
      <descr>SIP</descr></rule>

    Rules:

    <rule><type>pass</type>
      <interface>wan</interface>
      <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
      <os><protocol>udp</protocol>

    • <source>
        <network>wanip</network>

    • <destination><address>192.168.1.15</address>

    <port>5060-5062</port></destination>
      <log><descr>NAT SIP</descr></log></os></statetimeout></max-src-states></max-src-nodes></rule>

    thx mike



  • I was able to read the bold text the first time already  ;)

    I wanted to see the exact line of the block from status>systemlogs, firewall.



  • sorry

    here the line:

    "Mar 17 20:35:36  WAN  62.65.128.62:5060  192.168.1.15:5060  UDP"

    mike



  • On the portforward, do you happen to have external adress set to "any" instead of the interface IP?



  • I try it, but nothing changed:

    WAN  TCP/UDP  5060 - 5069  192.168.1.15 (ext.: any) 5060 - 5069 SIP

    Mar 17 21:34:34  WAN  62.65.128.62:5060  192.168.1.15:5060  UDP

    mike



  • external interface has to be the interface IP. "any" is for rather special needs and should not be used usually. I'm out of clues  ::)


Locked