Just upgraded now only https works not http



  • Greetings, just did an upgrade to the latest version and now have lost http, only https works.  I can't see anything in the forums and I didn't change any of the rules nor can I see anything out of the ordinary in the rules.  Anyone else?


  • Netgate Administrator

    You mean accessing the pfSense webgui or accessing any external website?
    More details of your setup please. Hardware, WAN connection, packages etc.

    Steve



  • Thanks, only https connections now work, so can access pfsense gui, etc., gmail, pfsense.org anything that is https.  Any non https sites only show as a connection problem.  Verified this on a few machines behind the firewall.  I suspect it must be a rule but I cannot see anything in the rules that would suggest this nor anything in the pfsense logs and I never changed anything.  I am running Clam and Pfblocker.


  • Netgate Administrator

    So nothing in the firewall logs? You have Squid installed to run Clam? It seems it's not functioning correctly. Nothing in the logs?

    Steve



  • Thanks, not running squid, nothing in the logs that show a problem.  Unfortunately I can't easily do a screen capture on this machine to show the logs, but will try on another one.



  • attached are some log entries from the firewall.

    ![2015-01-25 16_25_49-pfSense.localdomain - Status_ System logs_ Firewall.png](/public/imported_attachments/1/2015-01-25 16_25_49-pfSense.localdomain - Status_ System logs_ Firewall.png)



  • and some of the firewall rules and the error from the browser

    ![2015-01-25 16_32_08-pfSense.localdomain - Firewall_ Rules.png](/public/imported_attachments/1/2015-01-25 16_32_08-pfSense.localdomain - Firewall_ Rules.png)
    ![2015-01-25 16_35_35-Problem loading page.png](/public/imported_attachments/1/2015-01-25 16_35_35-Problem loading page.png)


  • Netgate Administrator

    Er, you have a pass-all IPv4 TCP rule on your WAN. What's that all about?  Many of those rules can never do anything.  :o

    The LAN rules are where I would expect to find something blocking or allowing http traffic out. Possibly a floating rule but unlikely unless you added it yourself.
    Nothing in your logs showing http traffic blocked.

    Steve



  • Pass All from anywhere to anywhere on the WAN is mildly discouraged…
    It would be firmly discouraged, but most people would never do it anyway, so mild is enough for most.



  • Thanks for the notes, not sure about that setting, I believe it was set as a default when I originally put this together. Nothing in the Floating Firewall Rules, traceroute and TestPort in PfSense all show a connection to a non-https location, just nothing gets returned.


  • Netgate Administrator

    What are your LAN rules?

    Steve



  • attached is a screen shot and thanks.

    ![2015-01-25 19_39_21-pfSense.localdomain - Firewall_ Rules.png](/public/imported_attachments/1/2015-01-25 19_39_21-pfSense.localdomain - Firewall_ Rules.png)



  • You have a couple of rules at the top that allow anything on the LAN net to pass to anywhere….

    Followed by specific rules to pass from one IP on the LAN to some other IP somewhere else....

    The specific rules will never matter with a general "pass to anywhere" rule at the top of the list and no block rules anywhere.
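The shadowing described in this reply (and the pass-all IPv4 TCP rule on the WAN that Steve flagged earlier) follows from pfSense evaluating interface rules top down, first match wins, with anything unmatched blocked by default. The following is an added illustration, not code from pfSense or from anyone in this thread: a small first-match evaluator plus a check that reports rules an earlier rule already fully covers. The rulesets, addresses and descriptions are constructed to resemble what the screenshots are said to show; they are not the poster's actual rules.

```python
"""Constructed example of pfSense-style first-match rule evaluation and
shadowed-rule detection. Not pfSense code; rulesets below are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "icmp" or ANY
    src: str      # CIDR or ANY
    dst: str      # CIDR or ANY
    dport: object # int, (lo, hi) tuple, or ANY
    descr: str = ""


def _net(cidr):
    return None if cidr == ANY else ip_network(cidr, strict=False)


def _ports(p):
    """Normalise a port spec to (lo, hi); None means any port."""
    if p == ANY:
        return None
    return p if isinstance(p, tuple) else (p, p)


def rule_matches(rule, pkt):
    """pkt is a dict with keys proto, src, dst, dport."""
    if rule.proto != ANY and rule.proto != pkt["proto"]:
        return False
    for field in ("src", "dst"):
        net = _net(getattr(rule, field))
        if net is not None and ip_address(pkt[field]) not in net:
            return False
    pr = _ports(rule.dport)
    return pr is None or pr[0] <= pkt["dport"] <= pr[1]


def evaluate(rules, pkt, default="block"):
    """First matching rule wins; unmatched traffic hits the default deny.
    Returns (action, index of the deciding rule or None)."""
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            return r.action, i
    return default, None


def covers(outer, inner):
    """True if every packet that matches inner would also match outer."""
    if outer.proto != ANY and outer.proto != inner.proto:
        return False
    for field in ("src", "dst"):
        o, i = _net(getattr(outer, field)), _net(getattr(inner, field))
        if o is None:
            continue
        if i is None or not i.subnet_of(o):
            return False
    op, ip_ = _ports(outer.dport), _ports(inner.dport)
    if op is None:
        return True
    return ip_ is not None and op[0] <= ip_[0] and ip_[1] <= op[1]


def shadowed_rules(rules):
    """Indices of rules that can never be reached because an earlier rule
    already matches everything they would match."""
    return [j for j, r in enumerate(rules)
            if any(covers(rules[i], r) for i in range(j))]


# Constructed LAN ruleset: the stock allow-all at the top, then the kind of
# host-to-host rules the thread describes underneath it.
LAN_RULES = [
    Rule("pass", ANY, "192.168.1.0/24", ANY, ANY, "Default allow LAN to any"),
    Rule("pass", "tcp", "192.168.1.10/32", "203.0.113.5/32", 443, "host to remote https"),
    Rule("pass", "tcp", "192.168.1.20/32", "198.51.100.7/32", (8000, 8010), "host to remote app"),
]

# Constructed WAN ruleset: a pass-all IPv4 TCP rule first, which makes the
# later entries (including a block) unreachable.
WAN_RULES = [
    Rule("pass", "tcp", ANY, ANY, ANY, "pass all IPv4 TCP on WAN"),
    Rule("pass", "tcp", ANY, "192.168.1.50/32", 443, "allow https to web server"),
    Rule("block", "tcp", ANY, ANY, 23, "block telnet"),
]

if __name__ == "__main__":
    http = {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 80}
    print("LAN http decision:", evaluate(LAN_RULES, http))      # ('pass', 0)
    print("LAN shadowed rules:", shadowed_rules(LAN_RULES))     # [1, 2]
    print("WAN shadowed rules:", shadowed_rules(WAN_RULES))     # [1, 2]
```

Running it shows the two points made in the thread: plain http from the LAN is passed by rule 0, so these rules cannot be what breaks http, and every rule below a pass-anything rule, on either interface, is dead weight (on the WAN, including a block rule).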



  • It does seem odd with a general pass through rule that http is blocked but not https….?
    D.



  • Well - Since we have now established that pretty much all of your WAN and LAN firewall entries as well as who knows what else is broken, I'd recommend scrapping it, reinstalling 2.2 (not upgrade) and re-entering the proper settings that you actually need.

    It's really super important that you get a firm grasp of what allow and block rules do, and the order they should be entered, before you customize.

    Your current settings are very insecure.  A vanilla default setup would be much better.



  • thanks and I appreciate the advice.  To be honest, I haven't checked these settings for some time and did use the defaults it came with.  Will do a re-build and see what happens.


  • Netgate Administrator

    Starting from a fresh install seems like a good call here. It looks like you have a web proxy of some sort installed and it's no longer passing http requests correctly. The only other thing you might have ClamAV installed for is mail scanning.

    Steve



  • The main reason I would start from a fresh install is because you are passing everything on the WAN and I don't know how long it's been that way.  Also I don't have any idea how strong your username/passwd combo is and I have a fear that you have been wide open to a hack.  It's possible that in the time you have been running like this someone could have gained access to your system and done something naughty.  For this reason, I wouldn't trust anything except wipe and fresh install.

    Maybe my fears are unfounded.  I'm just paranoid that way.  I always assume that if someone has had a chance to do something evil to my system they probably have.


  • Netgate Administrator

    Agree. When you have firewall rules on there that serve no purpose and you didn't put in you aren't in control. Who knows what else might be going on. Start from a known good config.

    Steve

