Allow ports 110 and 587 to some clients and block the rest

  • Hi.
    This is my first post to the forum. Here is my problem, if you can help me.

    I have 10 PCs on my local network. What I want to do is allow ports 587 and 110 for 5 PCs, and 80 and 443 for 2 PCs, and block ports 587, 110, 80 and 443 for the rest.

    Proto     Source             Port                      Destination   Port   Action
    tcp/udp   5 PC IPs (alias)   587-110                   any           any    PASS
    tcp/udp   2 PC IPs (alias)   80-443-587-110 (alias)    any           any    PASS
    tcp/udp   3 PC IPs (alias)   any                       any           any    BLOCK

    I couldn't do it; I've read many topics on the forum, but it still doesn't work. Maybe it is simple for you, but I'm going to get mad soon.

    I'm using 2.2-RELEASE (i386).

  • Your problem is that you're specifying those ports as Source ports. They're Destination ports. Your LAN clients attempt to communicate with the remote server from a random high source port to the destination port specified by the protocol definition. Change your rules so they look like this:

    Proto     Source             Port   Destination   Port                 Action
    tcp/udp   5 PC IPs (alias)   any    any           110, 587             PASS
    tcp/udp   2 PC IPs (alias)   any    any           80, 110, 443, 587    PASS
    tcp/udp   3 PC IPs (alias)   any    any           any                  BLOCK

  • LAYER 8 Global Moderator

    Also keep in mind that the default LAN rule is allow any to any. Have you removed this rule?

    If not, you do understand that your first and second rules are kind of meaningless: if a machine does not trigger your third rule, it would just go to the next rule, which, if the default is still there, would allow anything. So one of the 5 PCs' IPs might not be able to get to 80 with rule 1 or 2, but rule 3 would not block it, so if you have the default any-any rule after that, it would be able to go out on any port it wants.

  • Hi johnpoz, I did what you said, removed the default and chose destination ports, but nothing changed: none of the clients goes online and Outlook doesn't work either. I did try other combinations too, like allow 110/587 for any client from any source port as rule 1 and block any client to ports 443/80 as rule 2, just to understand whether Outlook works, but that didn't work either. The only thing that works is if I block or allow any client on any port. Thanks again.

  • LAYER 8 Netgate

    Look at the firewall logs, find out what's being blocked, and pass that too. You need to pass the ports you need to pass or your stuff won't work.

  • Thanks for the help, people, but I couldn't make it work. I checked the logs; everything looks normal. Today I'm going to reinstall pfSense and try.
    I hope it works.

  • Just reinstalling on a hope isn't going to solve your problem. Post what your exact problem is. Post a screenshot of your rules. Post a screenshot of your firewall log. This isn't magic. There is a definite reason why it isn't working as you expect.

  • LAYER 8 Global Moderator

    "Hi johnpoz, I did what you said, removed the default and chose destination ports, but nothing changed: none of the clients goes online"

    And where is your rule that allows DNS, for example? Kind of hard to look up an IP address when you don't allow them to go outbound on 53 for DNS, or even ask pfSense for it. Where is your rule that allows the clients to talk to the pfSense LAN IP for DNS, for example?

    First thing: when you install pfSense, leave the default any-any rule. Does it work then? After that is working, you can start playing with locking down your access. Please post your LAN rules; there are plenty of people here to help you see what you're doing wrong. As KOM stated, this is pretty basic stuff.

    If you want, say, a client to only do HTTP, keep in mind it has to look up what IP that HTTP site is on. The same goes for sending or grabbing email. Unless you're putting in the IP address of where you're wanting to go, you're going to need DNS.

    For example, my WLAN guest is really locked down. I don't even let them query pfSense for DNS; I only allow it to ping pfSense to be able to check that connectivity is actually working. I allow it to talk to a specific share I have running on a Pogo with a USB stick in it on my LAN segment, in case I want to get some files to the WLAN guest.

    Other than that they can go anywhere they want on the internet, as long as they are "not" (that is what the ! means) trying to talk to any other local networks, i.e. my LAN or my WLAN or my DMZ. The DHCP server for that segment hands out public DNS for them to use, which that last rule allows them to get to because it's not a local network of mine.

    To be honest, trying to lock things down this much is maybe down the road a bit for you; understanding some basics like source port and destination port, knowing what the difference is between UDP and TCP, for example. Where are your clients going to be going that 80 (HTTP) and 443 (HTTPS) would be UDP, for example?

  • Don't forget, pfSense is a stateful firewall. Best practice would be to reset states after creating rules/NAT mappings, so that states must be re-established based on your restrictions, or lack thereof.
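The three points made above (ports belong in the Destination column, a leftover default allow at the bottom passes whatever the earlier rules did not catch, and clients need a pass to the firewall for DNS) can be checked with a small first-match evaluator. The following is an added illustration written for this thread, not pfSense code or any poster's rule set. It models pfSense's top-down, first-match evaluation of interface rules and the implicit default deny for unmatched traffic. The LAN addresses (192.168.1.0/24 with pfSense at .1), the alias contents and the sample flows are all constructed for the example; the thread gives none of them.

```python
"""Toy first-match evaluator for pfSense-style interface rules.

Added illustration, not pfSense code. pfSense evaluates the rules on an
interface top-down and the first match wins, so the column a port sits in
(Source or Destination) and what follows the last explicit rule decide
the outcome.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
TCP_UDP = frozenset({"tcp", "udp"})


def hosts(*addrs):
    """Alias of single hosts (like a pfSense host alias)."""
    return tuple(ip_network(a) for a in addrs)


def ports(*nums):
    """Alias of ports (like a pfSense port alias)."""
    return frozenset(nums)


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    proto: frozenset
    src: object      # tuple of networks, or ANY
    sport: object    # frozenset of ports, or ANY
    dst: object
    dport: object


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_match(nets, addr):
    return nets == ANY or any(ip_address(addr) in n for n in nets)


def _port_match(allowed, port):
    return allowed == ANY or port in allowed


def matches(rule, pkt):
    return (pkt.proto in rule.proto
            and _addr_match(rule.src, pkt.src)
            and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.dport, pkt.dport))


def evaluate(rules, pkt):
    """Return (action, index of the matching rule). Traffic that matches
    no rule on a pfSense interface falls through to the default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "block", None


# Assumed LAN layout, constructed for the example (the thread gives none).
LAN_IP = hosts("192.168.1.1")                                   # pfSense
MAIL_PCS = hosts(*(f"192.168.1.{n}" for n in range(11, 16)))    # 5 PCs
WEB_PCS = hosts("192.168.1.21", "192.168.1.22")                 # 2 PCs
OTHER_PCS = hosts("192.168.1.31", "192.168.1.32", "192.168.1.33")

# The first post's rules: the service ports sit in the Source column.
OP_RULES = [
    Rule("pass", TCP_UDP, MAIL_PCS, ports(110, 587), ANY, ANY),
    Rule("pass", TCP_UDP, WEB_PCS, ports(80, 443, 110, 587), ANY, ANY),
    Rule("block", TCP_UDP, OTHER_PCS, ANY, ANY, ANY),
]

# Corrected rules: ports moved to Destination, plus a pass to the
# firewall's own LAN address on 53 so the clients can resolve names.
FIXED_RULES = [
    Rule("pass", TCP_UDP, ANY, ANY, LAN_IP, ports(53)),
    Rule("pass", TCP_UDP, MAIL_PCS, ANY, ANY, ports(110, 587)),
    Rule("pass", TCP_UDP, WEB_PCS, ANY, ANY, ports(80, 110, 443, 587)),
    Rule("block", TCP_UDP, OTHER_PCS, ANY, ANY, ANY),
]

# The stock "Default allow LAN to any" rule, if left at the bottom.
DEFAULT_ALLOW = Rule("pass", TCP_UDP, ANY, ANY, ANY, ANY)

# Constructed sample flows: a client always uses a random high source port.
POP3 = Packet("tcp", "192.168.1.11", 51234, "203.0.113.10", 110)
DNS = Packet("udp", "192.168.1.11", 53321, "192.168.1.1", 53)
HTTP_FROM_MAIL_PC = Packet("tcp", "192.168.1.11", 40000, "203.0.113.10", 80)
HTTP_FROM_OTHER_PC = Packet("tcp", "192.168.1.31", 40001, "203.0.113.10", 80)

if __name__ == "__main__":
    for name, pkt in [("POP3", POP3), ("DNS", DNS),
                      ("HTTP from mail PC", HTTP_FROM_MAIL_PC),
                      ("HTTP from other PC", HTTP_FROM_OTHER_PC)]:
        print(f"{name:19} as posted: {evaluate(OP_RULES, pkt)}"
              f"  fixed: {evaluate(FIXED_RULES, pkt)}"
              f"  fixed + default allow: "
              f"{evaluate(FIXED_RULES + [DEFAULT_ALLOW], pkt)}")
```

With the rules as first posted, the POP3 connection from a mail PC matches nothing, because its source port is 51234 rather than 110, and falls to the default deny; the DNS query to the firewall is blocked for the same reason. With the corrected set, POP3 and DNS pass, a mail PC trying port 80 is blocked by the default deny, and an "other" PC is caught by the explicit block rule. Appending the stock default allow turns the mail PC's port 80 attempt into a pass, which is the leak johnpoz described. Only the initial packet of a connection is evaluated against the rules; pfSense keeps a state for the flow and passes the rest of it, which is why reply traffic needs no rule and why states created under an older, looser rule set keep working until they are reset.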
