Netgate Discussion Forum

    Allow port 110 and 587 to some client and block rest

    General pfSense Questions
    9 Posts 5 Posters 1.8k Views
    • D
      dontaskme
      last edited by

      Hi.
      This is my first post to the forum. Here is my problem, if you can help me.

      I've 10 PCs on my local network. What I wanna do is allow ports 587 and 110 for 5 PCs, and 80 and 443 for 2 PCs, and block the rest for ports 587, 110, 80 and 443.

      Proto     Source             Port                        Destination   Port   Action
      tcp/udp   5 PC IPs (alias)   587, 110                    any           any    PASS
      tcp/udp   2 PC IPs (alias)   80, 443, 587, 110 (alias)   any           any    PASS
      tcp/udp   3 PC IPs (alias)   any                         any           any    BLOCK

      I couldn't do it. I've read many topics on the forum, but it still doesn't work. Maybe it is simple for you, but I'm gonna get mad soon.

      I'm using 2.2-RELEASE (i386)

      • KOMK
        KOM
        last edited by

        Your problem is that you're specifying those ports as Source ports.  They're Destination ports.  Your LAN clients attempt to communicate with the remote server with a random high source port and a destination port specified by the protocol definition.  Change your rules so they look like this:

        Proto     Source             Port   Destination   Port               Action
        tcp/udp   5 PC IPs (alias)   Any    Any           110, 587           PASS
        tcp/udp   2 PC IPs (alias)   Any    Any           80, 110, 443, 587  PASS
        tcp/udp   3 PC IPs (alias)   Any    Any           Any                BLOCK

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          Also keep in mind that the default LAN rule is allow any any. Have you removed this rule?

          If not, you do understand that your first and second rules are kind of meaningless if a machine does not trigger your 3rd rule; it would just go to the next rule, which if the default would allow anything. So one of the 5 PCs' IPs might not be able to get to 80 with rule 1 or 2, but 3 would not block it, so if you have the default any any rule after that it would be able to go out on any port it wants.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • D
            dontaskme
            last edited by

            Hi johnpoz, I did what you said, removed the default and chose destination ports, but nothing changed: none of the clients goes online and Outlook doesn't work either. I did try other combinations too, like allow 110-587 for any client any source port as rule 1 and block any client any ports 443-80 as rule 2, just to understand if Outlook works, but it didn't work either. The only thing that works is if I block or allow any client any port. Thanks again

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              Look at the firewall logs, find out what's being blocked, and pass that too.  You need to pass the ports you need to pass or your stuff won't work.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • D
                dontaskme
                last edited by

                Thanks for the help, people, but I couldn't make it work. I checked the logs and everything looks normal. Today I'm gonna reinstall pfSense and try.
                I hope it works..

                • KOMK
                  KOM
                  last edited by

                  Just reinstalling on a hope isn't going to solve your problem.  Post what your exact problem is.  Post a screenshot of your rules.  Post a screenshot of your firewall log.  This isn't magic.  There is a definite reason why it isn't working as you expect.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    "Hi johnpoz, I did what you said, removed the default and chose destination ports, but nothing changed: none of the clients goes online"

                    And where is your rule that allows DNS, for example? Kind of hard to look up the IP address for, say, www.google.com when you don't allow them to go outbound on 53 for DNS. Or even ask pfSense for it. Where is your rule that allows the clients to talk to the pfSense LAN IP for DNS, for example?

                    First thing: when you install pfSense, leave the default any any rule. Does it work then? Then, after that is working, you can start playing with locking down your access. Please post your LAN rules and plenty of people here will help you see what you're doing wrong. As KOM stated, this is pretty basic stuff.

                    If you want, say, a client to only do HTTP, keep in mind it has to look up what IP that HTTP site is on. Same goes for sending or grabbing email. Unless you're putting in the IP address of where you're wanting to go, you're going to need DNS.

                    For example, my wlan guest is really locked down. I don't even let them query pfSense for DNS; I only allow it to ping pfSense to be able to check that connectivity is actually working. I allow it to talk to a specific share I have running on a pogo with a USB stick in it on my LAN segment, in case I want to get some files to wlan guest.

                    Other than that they can go anywhere they want on the internet, as long as they are "not" (that is what the ! means) trying to talk to any other local networks, i.e. my lan or my wlan or my dmz. The DHCP server for that segment hands out public DNS for them to use, which that last rule allows them to get to because it's not a local network of mine.

                    To be honest, trying to lock down this much is maybe down the road a bit for you; understanding some basics like source port and dest port, knowing what the difference is between UDP and TCP, for example. Where are your clients going to be going that 80 HTTP and 443 HTTPS would be UDP, for example?

                    [attachment: lockedrules.png]

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • J
                      jgraham5481
                      last edited by

                      Don't forget, pfSense is a stateful firewall. Best practice would be to reset states after creating rules/NAT mappings, so that states must be re-established based on your restrictions or lack thereof.

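The three corrections made in this thread can be checked against a small model of how pfSense evaluates LAN rules: top-down, first match wins, with source port and destination port as separate fields, and with a state table that keeps passing an established connection until states are reset. The Python below is an added illustration written for this page; it is not pfSense or pf code, and all addresses, aliases, port numbers and sample flows in it are constructed. It models the original poster's rules (ports typed into the source-port column), KOM's corrected rules (ports in the destination column), johnpoz's two points (the default allow rule sitting below the custom rules, and the missing DNS pass), and jgraham5481's point about existing states surviving a rule change.

```python
"""Toy model of pfSense LAN rule evaluation (added example, not pfSense code).

Models: first-match rule evaluation with separate source/destination ports,
the effect of the default "LAN to any" rule, the need for a DNS pass, and a
state table that keeps passing a flow until states are reset.
All IPs, aliases and flows are constructed sample values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: Optional[FrozenSet[str]]        # source IPs (an alias); None = any
    src_port: Optional[FrozenSet[int]]   # source ports; None = any
    dst: Optional[FrozenSet[str]]        # destination IPs; None = any
    dst_port: Optional[FrozenSet[int]]   # destination ports; None = any
    note: str = ""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int      # clients pick a random high source port
    dst_ip: str
    dst_port: int      # the service port (110, 587, 80, 443, 53 ...)


def matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.src is None or flow.src_ip in rule.src)
            and (rule.src_port is None or flow.src_port in rule.src_port)
            and (rule.dst is None or flow.dst_ip in rule.dst)
            and (rule.dst_port is None or flow.dst_port in rule.dst_port))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Top-down, first match wins (pfSense rules are 'quick'); no match = deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.note
    return "block", "implicit default deny"


class StatefulFirewall:
    """Minimal state table: a flow passed once keeps passing until states reset."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.states: set = set()

    def handle(self, flow: Flow) -> Tuple[str, str]:
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key in self.states:
            return "pass", "existing state"      # rules are not consulted
        action, note = evaluate(self.rules, flow)
        if action == "pass":
            self.states.add(key)
        return action, note

    def reset_states(self) -> None:
        self.states.clear()                       # like Diagnostics > States > Reset


# Constructed aliases (hypothetical LAN 192.168.1.0/24, pfSense at .1).
MAIL_PCS = frozenset({"192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14", "192.168.1.15"})
WEB_PCS = frozenset({"192.168.1.21", "192.168.1.22"})
OTHER_PCS = frozenset({"192.168.1.31", "192.168.1.32", "192.168.1.33"})
PFSENSE_LAN = "192.168.1.1"
DEFAULT_ALLOW = Rule("pass", None, None, None, None, "default LAN to any")

# Original poster's rules: service ports typed into the *source* port column.
ORIGINAL = [
    Rule("pass", MAIL_PCS, frozenset({110, 587}), None, None, "rule1: ports as source"),
    Rule("pass", WEB_PCS, frozenset({80, 443, 110, 587}), None, None, "rule2: ports as source"),
    Rule("block", OTHER_PCS, None, None, None, "rule3: block the rest"),
]
# KOM's correction: service ports moved to the destination column.
CORRECTED = [
    Rule("pass", MAIL_PCS, None, None, frozenset({110, 587}), "rule1: POP3/submission"),
    Rule("pass", WEB_PCS, None, None, frozenset({80, 110, 443, 587}), "rule2: web + mail"),
    Rule("block", OTHER_PCS, None, None, None, "rule3: block the rest"),
]
# johnpoz's point: the clients also need DNS to the pfSense LAN IP.
DNS_RULE = Rule("pass", MAIL_PCS | WEB_PCS, None, frozenset({PFSENSE_LAN}), frozenset({53}), "dns to pfSense LAN IP")
LOCKED_DOWN = [DNS_RULE] + CORRECTED

# Constructed sample flows (random high source port, service destination port).
MAIL_SUBMIT = Flow("192.168.1.11", 51234, "203.0.113.5", 587)   # mail client sending
MAIL_WEB = Flow("192.168.1.11", 51235, "203.0.113.80", 80)      # mail PC browsing
OTHER_WEB = Flow("192.168.1.31", 51236, "203.0.113.80", 80)     # "rest" PC browsing
MAIL_DNS = Flow("192.168.1.11", 51237, PFSENSE_LAN, 53)         # mail PC resolving


def demo() -> dict:
    results = {}
    results["original+default"] = evaluate(ORIGINAL + [DEFAULT_ALLOW], MAIL_SUBMIT)  # passes, but only via the default rule
    results["original"] = evaluate(ORIGINAL, MAIL_SUBMIT)             # default removed: source port never 587, so denied
    results["corrected_mail"] = evaluate(CORRECTED, MAIL_SUBMIT)
    results["corrected_mail_web"] = evaluate(CORRECTED, MAIL_WEB)
    results["corrected_other_web"] = evaluate(CORRECTED, OTHER_WEB)
    results["corrected_dns"] = evaluate(CORRECTED, MAIL_DNS)          # no DNS pass: name lookups fail
    results["locked_dns"] = evaluate(LOCKED_DOWN, MAIL_DNS)
    fw = StatefulFirewall(LOCKED_DOWN)
    results["state_created"] = fw.handle(MAIL_SUBMIT)
    fw.rules = [Rule("block", None, None, None, None, "block everything")]
    results["state_survives_rule_change"] = fw.handle(MAIL_SUBMIT)    # still passes on the old state
    fw.reset_states()
    results["after_reset"] = fw.handle(MAIL_SUBMIT)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30s} -> {outcome}")
```

The "original" case reproduces what the poster saw after removing the default rule: a client's source port is a random high number, so a rule that matches on source port 587 never fires and the connection falls through to the implicit deny. The "corrected_dns" case shows why the corrected rules alone still leave clients unable to reach anything by name, and the last three results show why a rule change is not felt by an existing connection until the state table is reset.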
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.