Firewall blocks port that is allowed in the rules list

aeropilot

Hi.

I'm trying to let MS RDP-traffic through the firewall, so I have created both a NAT-rule to route the traffic, and the corresponding firewall rule is also created.

Internally I can connect to the MS RDP service

When I connect from outside I can see that the package is being dropped in the System Logs - Firewall tab, and when i click the cross it says:

The rule that triggered the action is:
@275 block drop in log quick all label "Default block all just to be sure"

In my firewall rules list I only have one blocking rule (the one for blocking bogus networks), and have tried to disable it with no luck. I have a bunch of other rules to allow normal server traffic ports to pass (25, 80, etc.) and they all work.

Can anyone point me in the direction of what/why there apparently is a rule that I cannot find or disable?

Best regards
Klaus

sh_man

The default rule is not "visible" - it is just that - a default rule.

On the WAN interface there is a default rule that blocks all traffic - you then let only the traffic through that you need.

What exactly was the rule that you created on the WAN interface to let the RDP through?

aeropilot

Hi again.

I have uploaded 2 screenshots of my rules. Hopes this helps

All my rules:

The specific rule for 3389:

sh_man

The rule looks OK.

Can you take a screen dump of the log line with the blocked traffic in (not the popup when you click the red X)

jahonix

Did you port forward 3389 to your internal IP by NATting as well?

This way you have to connect to your external IP on port 12345 to reach your 10.10.0.10:3389

hoba

Yes, please show us the firewall block log and your nat-rule as well.

aeropilot

Hi All.

Sorry for the delay. I did a new install of PfSense 1.2 and recreated all my rules, and now it works.

My guess is that somehow the firewall rule was not loaded, since it was blocked by the default rule.

Thanks for your quick responses.
Best regards
Klaus

hoba

My suspicion is that you had "any" in your nat rule instead of "interface IP". This is a common error that some people make when setting up NAT the first time. I guess you just did it right the second time but I guess we'll never know now. Glad you got it working though :-)

aeropilot

Hi.

Sorry about that - I was just too eager to fix it :-\

Just for the record I tried to change the NAT-rule on the new installation to 'any' and reset states. I could still connect from the outside. But then again its not the original rule, and there is a great probability that I might have messed something up ;)

markab

Hi

I have really a similar issue.

I try to forward my SIP traffic from Port 5060 to my internal Asterisk Server but pfsens block all my sip traffic

The rule that triggered the action is:
@702 block drop in log quick all label "Default block all just to be sure"

I also upgrade to Pfsense 1.2 but i don't help, I don't create all my config new I do a restore.

thanx for your help

Mike

hoba

You have to show us the nat rule and the firewallrule or we can't help you.

markab

What is the best way? A Printscreen or the config files?

thx mike

markab

here are the xml part form the NAT Section

<nat><ipsecpassthru>- <rule><protocol>tcp</protocol>
<external-port>22</external-port>
<target>192.168.1.16</target>
<local-port>22</local-port>
<interface>wan</interface>
<descr>SSH Server Enif</descr></rule>
<rule><protocol>tcp</protocol>
<external-port>80</external-port>
<target>192.168.20.14</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr>Web Server Scutum</descr></rule>
<rule><protocol>udp</protocol>
<external-port>5060-5062</external-port>
<target>192.168.1.15</target>
<local-port>5060</local-port>
<interface>wan</interface>
<descr>SIP</descr></rule>
<rule><protocol>udp</protocol>
<external-port>10000-10200</external-port>
<target>192.168.1.15</target>
<local-port>10000</local-port>
<interface>wan</interface>
<descr>RTP</descr></rule>
<advancedoutbound>- <rule>- <source>
<network>192.168.1.0/24</network>

<destination><any></any></destination>
<natport></natport></target></sourceport></rule>
<rule>- <source>
<network>192.168.30.0/24</network>

<destination><any></any></destination>
<natport></natport></target></sourceport></rule>
<rule>- <source>
<network>192.168.20.0/24</network>

<destination><any></any></destination>
<natport></natport></target></sourceport></rule>
<enable></enable></advancedoutbound></ipsecpassthru></nat>

and rules:

<filter>- <rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><max-src-conn-rate>1</max-src-conn-rate>
<max-src-conn-rates>10</max-src-conn-rates>
<protocol>tcp</protocol>
<source>
<any>- <destination><address>192.168.1.16</address>

<port>22</port></destination>
<log><descr>NAT SSH Server Enif</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>

<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any>- <destination><any><port>443</port></any></destination>
<log><descr>OpenVPN Server ( spez. inport https )</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any>- <destination><address>192.168.20.14</address>

<port>80</port></destination>
<descr>NAT Web Server Scutum</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>

<**rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>udp</protocol>
<source>
<network>wanip</network>
<destination><address>192.168.1.15</address>

<port>5060-5062</port></destination>
<log><descr>NAT SIP</descr></log></os></statetimeout></max-src-states></max-src-nodes>**

<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>wanip</network>
<destination><network>opt2</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>
**<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>udp</protocol>
<source>
<any>- <destination><address>192.168.1.15</address>

<port>10000-10200</port></destination>
<log><descr>NAT RTP</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>**

<rule><type>pass</type>
<interface>opt2</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os>- <source>
<network>opt2</network>
<destination><network>lan</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os>- <source>
<network>opt1</network>
<destination><network>wanip</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<network>opt1</network>
<port>22</port>
<destination><network>lan</network>
<port>22</port></destination></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<descr>Default LAN -> any</descr>
<interface>lan</interface>
<source>
<network>lan</network>
<destination><any></any></destination></rule>
<rule><interface>enc0</interface>
<type>pass</type>
<source>
<any>- <destination><any></any></destination>
<descr>Permit IPSEC traffic.</descr>
<statetype>keep state</statetype></any></rule></filter>

thx mike

hoba

You should forward and allow tcp for the 506x ports too. The higher ports should be udp only but depending on the implementation it might need tcp there too ( http://en.wikipedia.org/wiki/Session_Initiation_Protocol ).

markab

Ok

I change this, but for me total unclear is why pfsense block my traffic that I want to pass?

thx mike

hoba

Show us the exact line of the block that you thin that should be a pass. Your firewallrules are somehow wrong. There is no other reason why it should block traffic besides of that.

markab

hi

that's the Bold on's in the previous post, here only this on:

NAT:

Rules:

<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>udp</protocol>

<source>
<network>wanip</network>
<destination><address>192.168.1.15</address>

thx mike

hoba

I was able to read the bold text the first time already ;)

I wanted to see the exact line of the block from status>systemlogs, firewall.

markab

sorry

here the line:

"Mar 17 20:35:36 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP"

mike

hoba

On the portforward, do you happen to have external adress set to "any" instead of the interface IP?

markab

I try it, but nothing changed:

WAN TCP/UDP 5060 - 5069 192.168.1.15 (ext.: any) 5060 - 5069 SIP

Mar 17 21:34:34 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP

mike

hoba

external interface has to be the interface IP. "any" is for rather special needs and should not be used usually. I'm out of clues ::)

Firewall blocks port that is allowed in the rules list

Products

Applications

Support

Services

News

Resources

Company

Our Mission

Subscribe to our Newsletter