Block outgoing - except the few necessities…



  • Hi,

    I have browsed the FAQs and forums, but I haven't found an example of an elegant way (except writing a bunch of separate rules) to block all outgoing traffic but the common ones, http(s), POP, SMTP, FTP, DNS, NTP, NNTP etc…  Do I need to write a rule for every one of these protocols?  Is there an example of how to correctly set all the different web GUI fields for, say, allowing LAN clients to use POP3 outbound..?

    I have understood that pfSense does not support time based rules as of now.  Using the captive portal with w2003 radius time based rules is suggested as an alternative.  However, if we go for the latter, what happens to clients already logged in when the time changes from allowed to denied?  Will those be thrown off or are the radius rules just for the login process (i.e. if you have logged in before midnight then you can continue to surf as long as you want) ..?

    regards

    Tor



  • Create a port Alias, then add all the ports you need (25,80,443,…) to it. After that just create ONE rule:
    Pass LAN source LAN subnet, sourceport any, destination IP any, destinationport <your alias>. Done. Simple, eh?  ;)

    The CP will check against radius from time to time if this feature is enabled. There are options at the CP page:


    If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately.



  • @hoba:

    Create a port Alias, then add all the ports you need (25,80,443,…) to it. After that just create ONE rule:
    Pass LAN source LAN subnet, sourceport any, destination IP any, destinationport <your alias>. Done. Simple, eh?  ;)

    I tried to do what you described, however I get a scrolling text in the webgui with the following text:

    Acknowledge All    .:.    03-27-06 12:19:55 - [filter_load]There were error(s) loading the rules:
    /tmp/rules.debug:112: syntax errorpfctl: Syntax error in config file:
    pf rules not loaded The line in question reads [112]:
    pass in quick on $lan proto tcp from 192.168.33.0/24 to any port $AllowedOutTraffic flags S/SA
    keep state label USER_RULE: Outgoing traffc to ports present in AllowOutPorts    .:.

    What puzzles me is that the web ui can create rules with syntax errors.  What do I look for here?
    The created port alias with all allowed outgoing ports is called AllowedOutTraffic.

    regards  Tor



  • Don't use an alias on the port.  I am close to ripping that option out since it's not creating the rule correctly.



  • I cannot duplicate this here.  Please email me your config.xml file to sullrich@gmail.com so I can duplicate this problem and fix it.

    Thanks!



  • Hi,

    I just wonder if someone has a clue here.  I tried to create a multi-port alias as Scott suggested.
    Screenshot of the alias list web screen is here: www.kuntigi.net/download/aliases.jpg
    I'm a bit curious about what the /32 after each port number in multiport aliases means, can someone explain that?

    I also tried to create the rule as suggested by Scott.  Screenshot is here: www.kuntigi.net/download/rule.jpg
    Please advise if I have misunderstood Scott's suggestion.  I put the name of the multiport alias (the one called AllowedOutTraffic) in the "Destination port range From" field, but the alias was automatically copied to the 'To' field as well.

    The actual error message is:
    .:.   
    04-02-06 15:48:55 - [filter_load]
    There were error(s) loading the rules: /tmp/rules.debug:112:
    syntax error pfctl: Syntax error in config file: pf rules not loaded
    The line in question reads [112]:
    pass in quick on $lan proto tcp from 192.168.33.0/24 to 192.168.80.100
    port $AllowedOutTraffic flags S/SA keep state label
    USER_RULE: Outgoing traffc to ports listed in AllowedOutTraffic   
    .:.

    The offending line (112) is:
    pass in quick on $lan proto tcp from 192.168.33.0/24 to 192.168.80.100 port $AllowedOutTraffic flags S/SA keep state  label "USER_RULE: Outgoing traffc to ports listed in AllowedOutTraffic"

    Link to /tmp/rules.debug is here: www.kuntigi.net/download/rules.debug.txt

    It seems to me that it has something to do with the multiport alias.  What have I done wrong?  Can I solve my need to block all outgoing traffic but a dozen 'necessary' ports another elegant way?

    I also noticed that it took several minutes from when I clicked the Apply rules button until the rules actually changed.  Is this normal?  Shouldn't fw rules take action seconds after clicking the apply rules button..?

    Thanks a lot for comments on these issues

    regards  Tor



  • Did you email the config.xml file to Scott? I also can't replicate this here. Please post the config.xml file.



  • Yes, I emailed the xml file to Scott.

    Just after I posted I saw that he had posted above advice not to use named aliases.  I thought that posts were always displayed in chronological order so I didn't see that post before it was too late…

    So my only solution is to make a pile of rules to allow one port each..?

    regards

    Tor



  • No, not quite.  I am not able to reproduce the problem on a fresh ruleset.  Then again, I haven't had time to test your ruleset.


  • LAYER 8 Moderator

    Argl, perhaps I may be of service here, 'cause it suffers from the problem from my other post.

    @bushtor: You have to edit your port alias. As you rightly stated:

    I'm a bit curious about what the /32 after each port number in multiport aliases means, can someone explain that?

    That isn't correct and PF is very upset about it ;) So only your first port, which was entered without the /32, is interpreted right; the others throw errors. The /32 is for IPs only and describes a single IP Address (Subnet 255.255.255.255). So edit your port alias and, after every port you entered, go to the pulldown with "32" and change it to the empty selection "". Save it again and it should now list your ports correctly without any further additions, just like the first one.

    The line from your debug-file:

    AllowedOutTraffic = "{ 21 25/32 80/32 110/32 119/32 143/32 443/32 20/32 123/32 53/32 1863/32 }"
    

    should afterwards read like

    AllowedOutTraffic = "{ 21 25 80 110 119 143 443 20 123 53 1863 }"
    

    @scott: Please do not rip that thing out, I just love aliases in PF for every use. If I may be of service for a bit debugging let me know :)

    Greets
    Grey
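The broken and corrected alias macros from the post above, plus the single pass rule hoba described, as an added example that is not part of this thread or of pfSense itself: it parses a list macro line in the format pfSense writes to /tmp/rules.debug, flags entries that are not valid pf port specs (such as the stray /32 suffixes), rebuilds the corrected macro, and emits the egress rule lines. The macro names, the LAN subnet and the rule wording are taken from the thread; the helper and function names are my own.

```python
import re

# Constructed sample lines in the /tmp/rules.debug macro format; the first
# reproduces the broken alias from the thread, the second is the repaired form.
BROKEN_MACRO = 'AllowedOutTraffic = "{ 21 25/32 80/32 110/32 119/32 143/32 443/32 20/32 123/32 53/32 1863/32 }"'
FIXED_MACRO = 'AllowedOutTraffic = "{ 21 25 80 110 119 143 443 20 123 53 1863 }"'

# Matches:  NAME = "{ entry entry ... }"
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"\{\s*(.*?)\s*\}"\s*$')


def parse_macro(line):
    """Return (name, [entries]) for a pf list macro line."""
    m = MACRO_RE.match(line)
    if not m:
        raise ValueError("not a pf list macro: %r" % line)
    return m.group(1), m.group(2).split()


def port_entry_problems(entries):
    """Return the entries that are not a single port or a lo:hi port range (1-65535)."""
    bad = []
    for entry in entries:
        parts = entry.split(":")
        valid = len(parts) in (1, 2) and all(
            p.isdigit() and 1 <= int(p) <= 65535 for p in parts)
        if not valid:
            bad.append(entry)   # e.g. "25/32": a CIDR mask is meaningless for a port
    return bad


def fix_port_macro(line):
    """Strip a stray /mask suffix from every port entry and rebuild the macro line."""
    name, entries = parse_macro(line)
    cleaned = [e.split("/")[0] for e in entries]
    leftover = port_entry_problems(cleaned)
    if leftover:
        raise ValueError("cannot repair entries: %s" % leftover)
    return '%s = "{ %s }"' % (name, " ".join(cleaned))


def egress_rules(lan_net, macro_name):
    """Pass rule in the form pfSense generated in the thread, followed by a
    catch-all block so anything not in the alias is denied (constructed block line)."""
    return [
        'pass in quick on $lan proto tcp from %s to any port $%s flags S/SA keep state '
        'label "USER_RULE: Outgoing traffic to ports listed in %s"' % (lan_net, macro_name, macro_name),
        'block in quick on $lan from %s to any label "USER_RULE: default deny egress"' % lan_net,
    ]
```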



  • Scott, has anything been done with the aliases problem in beta 3?

    I will test the /32 removal tip from the post above and report back later tonight

    Tor


  • LAYER 8 Moderator

    Yep it has. The releases after beta-2 had that bug in the webgui removed. If you choose the "port" option in the alias menu, now every single line's second dropdown with the bitmask is greyed out, not only the first one as it was in beta-2. So (as far as I see) it is truly and finally fixed :)

