Allow port 110 and 587 to some client and block rest
-
Hi.
This is my first post to the forum. Here is my problem, if you can help me. I have 10 PCs on my local network. What I want to do is allow ports 587 and 110 for 5 PCs, and 80 and 443 for 2 PCs, and block ports 587, 110, 80 and 443 for the rest.
Proto     Source              Port                         Destination   Port   Action
tcp/udp   5 pc ip(Aliases)    587-110                      any           any    PASS
tcp/udp   2 pc ip(Aliases)    80-443-587-110(Aliases)      any           any    PASS
tcp/udp   3 pc ip(Aliases)    any                          any           any    BLOCK
I couldn't do it. I've read many topics on the forum, but it still doesn't work. Maybe it is simple for you, but I'm going to get mad soon.
I'm using 2.2-RELEASE (i386).
-
Your problem is that you're specifying those ports as Source ports. They're Destination ports. Your LAN clients attempt to communicate with the remote server with a random high source port and a destination port specified by the protocol definition. Change your rules so they look like this:
Proto     Source              Port   Destination   Port               Action
tcp/udp   5 pc ip(Aliases)    Any    Any           110, 587           PASS
tcp/udp   2 pc ip(Aliases)    Any    Any           80,110,443,587     PASS
tcp/udp   3 pc ip(Aliases)    Any    Any           Any                BLOCK
-
Also keep in mind that the default LAN rule is allow any any. Have you removed this rule?
If not, you do understand that your first and second rules are kind of meaningless: if a machine does not trigger your 3rd rule, it would just go to the next rule, which, if the default is still there, would allow anything. So one of the 5 PCs' IPs might not be able to get to 80 with rule 1 or 2, but rule 3 would not block it, so if you have the default any any rule after that, it would be able to go out on any port it wants.
-
Hi johnpoz, I did what you said, removed the default and chose destination ports, but nothing changed: none of the clients goes online and Outlook doesn't work either. I tried other combinations too, like allow 110-587 for any client, any source port as rule 1 and block any client, any ports 443-80 as rule 2, just to understand if Outlook works, but it didn't work either. The only thing that works is if I block or allow any client, any port. Thanks again.
-
Look at the firewall logs, find out what's being blocked, and pass that too. You need to pass the ports you need to pass or your stuff won't work.
-
Thanks for the help, people, but I couldn't make it work. I checked the logs, everything looks normal. Today I'm going to reinstall pfSense and try.
I hope it works.
-
Just reinstalling on a hope isn't going to solve your problem. Post what your exact problem is. Post a screenshot of your rules. Post a screenshot of your firewall log. This isn't magic. There is a definite reason why it isn't working as you expect.
-
"Hi johnpoz, I did what you said, removed the default and chose destination ports, but nothing changed: none of the clients goes online"
And where is your rule that allows DNS, for example? Kind of hard to look up the IP address for, say, www.google.com when you don't allow them to go outbound on 53 for DNS. Or even ask pfSense for it. Where is your rule that allows the clients to talk to the pfSense LAN IP for DNS, for example?
First thing, when you install pfSense leave the default any any rule. Does it work then? Then, after that is working, you can start playing with locking down your access. Please post your LAN rules; there are plenty of people here to help you see what you're doing wrong. As KOM stated, this is pretty basic stuff.
If you want, say, a client to only do http, keep in mind it has to look up what IP that http site is on. Same goes for sending or grabbing email. Unless you're putting in the IP address of where you're wanting to go, you're going to need DNS.
For example, my wlan guest is really locked down. I don't even let them query pfSense for DNS; I only allow it to ping pfSense to be able to check connectivity is actually working. I allow it to talk to a specific share I have running on pogo with a USB stick in it on my LAN segment, in case I want to get some files to wlan guest.
Other than that they can go anywhere they want on the internet, as long as they are "not" (that is what the ! means) trying to talk to any other local networks, i.e. my LAN or my wlan or my DMZ. The DHCP server for that segment hands out public DNS for them to use, which that last rule allows them to get to because it's not a local network of mine.
To be honest, trying to lock down is maybe down the road a bit for you; understanding some basics like source port and dest port, knowing what the difference is between UDP and TCP, for example. Where are your clients going to be going that 80 http and 443 https would be UDP, for example?
-
Don't forget, pfSense is a stateful firewall. Best practice would be to reset states after creating rules/NAT mappings, so that states must be re-established based on your restrictions or lack thereof.
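The two points the thread turns on, that pfSense evaluates LAN rules top-down with first match winning so the ports belong in the Destination column, and that nothing works once the default allow is gone unless DNS is also passed, can be checked with a small first-match simulation. This is an added example, not part of the thread and not pfSense code; the client addresses, the pfSense LAN IP and the extra DNS rule (clients resolving through pfSense, as johnpoz asked about) are constructed assumptions.

```python
"""First-match simulation of the LAN rule sets discussed in the thread.

Constructed sample data: three aliases for the 5 mail PCs, 2 web PCs and
3 remaining PCs, plus an assumed pfSense LAN IP that the clients use as
their DNS server.
"""
from dataclasses import dataclass

MAIL_PCS = frozenset({"192.168.1.11", "192.168.1.12", "192.168.1.13",
                      "192.168.1.14", "192.168.1.15"})
WEB_PCS = frozenset({"192.168.1.21", "192.168.1.22"})
OTHER_PCS = frozenset({"192.168.1.31", "192.168.1.32", "192.168.1.33"})
PFSENSE_LAN_IP = "192.168.1.1"          # assumed LAN address of pfSense
TCP_UDP = frozenset({"tcp", "udp"})
ANY = None                              # wildcard for a rule field


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    protos: frozenset
    src: object      # set of IPs or ANY
    sport: object    # set of ports or ANY
    dst: object
    dport: object


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int       # clients pick a random high source port
    dst: str
    dport: int       # the port defined by the protocol (110, 587, ...)


def _match(field, value):
    return field is ANY or value in field


def evaluate(rules, flow, default="block"):
    """Top-down, first match wins; `default` models whether the default
    'allow LAN to any' rule is still sitting at the bottom of the list."""
    for r in rules:
        if (flow.proto in r.protos and _match(r.src, flow.src)
                and _match(r.sport, flow.sport) and _match(r.dst, flow.dst)
                and _match(r.dport, flow.dport)):
            return r.action
    return default


# Rules as first posted: the service ports were put in the Source Port column.
AS_POSTED = [
    Rule("pass", TCP_UDP, MAIL_PCS, {110, 587}, ANY, ANY),
    Rule("pass", TCP_UDP, WEB_PCS, {80, 110, 443, 587}, ANY, ANY),
    Rule("block", TCP_UDP, OTHER_PCS, ANY, ANY, ANY),
]

# Corrected per the replies: ports in the Destination Port column, plus an
# assumed rule letting every LAN client reach pfSense on 53 for DNS.
CORRECTED = [
    Rule("pass", TCP_UDP, ANY, ANY, {PFSENSE_LAN_IP}, {53}),
    Rule("pass", TCP_UDP, MAIL_PCS, ANY, ANY, {110, 587}),
    Rule("pass", TCP_UDP, WEB_PCS, ANY, ANY, {80, 110, 443, 587}),
    Rule("block", TCP_UDP, OTHER_PCS, ANY, ANY, ANY),
]
CORRECTED_NO_DNS = CORRECTED[1:]

# Constructed flows; 203.0.113.0/24 is documentation space standing in for
# the mail and web servers on the internet.
MAIL_PC_SMTP = Flow("tcp", "192.168.1.11", 51234, "203.0.113.25", 587)
MAIL_PC_DNS = Flow("udp", "192.168.1.11", 40000, PFSENSE_LAN_IP, 53)
MAIL_PC_HTTP = Flow("tcp", "192.168.1.11", 50002, "203.0.113.80", 80)
WEB_PC_HTTP = Flow("tcp", "192.168.1.21", 50001, "203.0.113.80", 80)
OTHER_PC_HTTPS = Flow("tcp", "192.168.1.31", 52000, "203.0.113.80", 443)


def demo():
    """Return the verdict of each scenario so the effect of each fix is visible."""
    return {
        # source-port rules never match a random high port: everything dies
        "posted_smtp": evaluate(AS_POSTED, MAIL_PC_SMTP),
        # ... unless the default allow is still there, which then passes all
        "posted_smtp_default_allow": evaluate(AS_POSTED, MAIL_PC_SMTP, "pass"),
        "fixed_smtp": evaluate(CORRECTED, MAIL_PC_SMTP),
        "fixed_dns": evaluate(CORRECTED, MAIL_PC_DNS),
        # destination ports fixed but no DNS rule: name lookups are blocked
        "fixed_no_dns_rule_dns": evaluate(CORRECTED_NO_DNS, MAIL_PC_DNS),
        "fixed_web_http": evaluate(CORRECTED, WEB_PC_HTTP),
        "fixed_other_https": evaluate(CORRECTED, OTHER_PC_HTTPS),
        # a mail PC trying port 80 only gets blocked because the default is gone
        "fixed_mail_http": evaluate(CORRECTED, MAIL_PC_HTTP),
        "fixed_mail_http_default_allow": evaluate(CORRECTED, MAIL_PC_HTTP, "pass"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The simulation evaluates only the rule list; it does not model the state table, which is why the last reply's advice matters in practice: a connection that was already passed keeps its state until the states are reset, so a newly added block rule can look ineffective when tested against existing sessions.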