I cannot explain that



  • My LAN rules are:

    protocol | source | port | destination | port              | gateway | description
    ICMP     | *      | *    | *           | *                 | *       | pass icmp
    TCP      | *      | *    | *           | 80 (HTTP)         | *       | pass http
    TCP      | *      | *    | *           | 443 (HTTPS)       | *       | pass https
    TCP      | *      | *    | *           | 21 (FTP)          | *       | pass ftp
    TCP      | *      | *    | *           | 22 (SSH)          | *       | pass ftp
    TCP      | *      | *    | *           | 53 (DNS)          | *       | pass dns
    TCP      | *      | *    | *           | 110 (POP3)        | *       | pass dns
    TCP      | *      | *    | *           | 5000 - 5100       | *       | pass yahoo
    TCP      | *      | *    | *           | 995 (POP3/S)      | *       | pass pop3s
    TCP      | *      | *    | *           | 465 (SMTP/S)      | *       | pass pop3s
    UDP      | *      | *    | *           | 27000 - 27015     | *       | pass counter strike
    TCP      | *      | *    | *           | 27030 - 27039     | *       | pass counter strike
    UDP      | *      | *    | *           | 1200              | *       | pass counter strike
    TCP      | *      | *    | *           | 113 (IDENT/AUTH)  | *       | pass mIRC Auth-IdentD
    UDP      | *      | *    | *           | 113 (IDENT/AUTH)  | *       | pass mIRC Auth-IdentD
    TCP      | *      | *    | *           | 6660 - 6669       | *       | pass mIRC Chat
    TCP      | *      | *    | *           | 8010              | *       | pass pro fm
    TCP      | *      | *    | *           | *                 | *       | block all

    and with Darkstat I can see traffic on port 26564

    Port   Service   In           Out          Total          SYNs
    26564            718,674,673  954,927,067  1,673,601,740  4,118

    How is it possible if I have a rule that blocks all?

    In firewall states I see:

    tcp  LAN IP:26564 <- 85.132.128.2:64620  FIN_WAIT_2:FIN_WAIT_2 
    tcp LAN IP:1433 <- 89.37.235.2:3847 CLOSED:SYN_SENT
    tcp LAN IP:26564 <- 87.250.43.3:2465 FIN_WAIT_2:FIN_WAIT_2
    tcp LAN IP:26564 <- 87.250.43.3:2468 FIN_WAIT_2:FIN_WAIT_2
    tcp LAN IP:26564 <- 99.239.190.3:52496 TIME_WAIT:TIME_WAIT
    tcp LAN IP:26564 <- 99.239.190.3:52497 FIN_WAIT_2:FIN_WAIT_2
    tcp LAN IP:26564 <- 189.71.227.3:1984 ESTABLISHED:ESTABLISHED
    tcp LAN IP:26564 <- 41.221.27.5:40455 FIN_WAIT_2:FIN_WAIT_2
    tcp LAN IP:26564 <- 41.221.27.5:43660 ESTABLISHED:ESTABLISHED
    tcp LAN IP:26564 <- 88.146.140.6:3325 ESTABLISHED:ESTABLISHED
    tcp LAN IP:26564 <- 151.77.172.6:1614 CLOSING:ESTABLISHED
    tcp LAN IP:26564 <- 151.77.172.6:2126 CLOSING:ESTABLISHED
    tcp LAN IP:26564 <- 151.77.172.6:2405 CLOSING:ESTABLISHED
    tcp LAN IP:26564 <- 151.77.172.6:2214 CLOSING:ESTABLISHED
    tcp LAN IP:26564 <- 151.77.172.6:1742 CLOSING:ESTABLISHED
    tcp LAN IP:26564 <- 151.77.172.6:1535 CLOSING:ESTABLISHED
    tcp LAN IP:26564 <- 77.40.197.7:58679 ESTABLISHED:ESTABLISHED
    tcp LAN IP:26564 <- 79.186.95.9:53631 ESTABLISHED:ESTABLISHED
    tcp LAN IP:26564 <- 81.35.199.9:4043 ESTABLISHED:ESTABLISHED
    tcp LAN IP:26564 <- 71.183.210.9:16743 ESTABLISHED:ESTABLISHED

    Is one of the firewall rules wrong???



  • Your "block all" rule is not necessary.
    There is already a "block all" rule invisible below your rules.
    That's why if you remove all rules, per default everything is blocked.

    What rules do you have on WAN?
    Because this
    tcp    89.37.227.103:26564 <- 151.77.172.6:2214    CLOSING:ESTABLISHED
    looks to me a lot like 151.77.172.6 established a connection to your machine on LAN and not the other way around.
    The rules you have on LAN affect only the connections coming from LAN.



  • So if I put a rule on LAN that blocks all access to any ports, it will be only in one direction??
    Should I put all these rules on WAN too?



  • So if I put a rule on LAN that blocks all access to any ports, it will be only in one direction??

    again:
    You don't need a block all rule!
    There is already an INVISIBLE block all rule below your own rules.
    Rules are processed from top to bottom. If a rule matches, the rest of the rules below it are no longer considered.
    You created ALLOW rules on the LAN.
    Meaning only connection attempts that have an allow rule are successful. All other connection attempts should "run" into the invisible block all rule at the bottom.
    If you remove all rules everything gets blocked.

    Now to the concept of a stateful firewall:
    If a client on LAN attempts a connection, pfSense goes through its rule list on the LAN tab.
    If traffic comes in on the WAN, pfSense goes through its rules on the WAN tab.
    If traffic comes in on the OPT1 interface, pfSense goes through its rules on the OPT1 tab.
    If there is an allow entry above the block entry, pfSense will allow the attempt.
    After that a state is created which defines from where to where a connection is valid.
    If you have an active connection and change your rules to block this connection, the connection will still be active until it times out or the connection gets closed.
    –> pfSense only checks its rules on creation of the connection.

    To your state-question:

    The state you showed above
    tcp    89.37.227.103:26564 <- 151.77.172.6:2214    CLOSING:ESTABLISHED

    This is a state of an access TO my webserver:
    tcp  213.196.144.185:62883 -> 10.0.0.12:80  FIN_WAIT_2:FIN_WAIT_2

    This is a state on an access FROM a client on the same subnet to the internet:
    tcp  82.130.70.9:143 <- 10.0.0.196:53360  ESTABLISHED:ESTABLISHED

    You see the arrow indicates the DIRECTION of the connection.
    Could you show us the rules you have on the WAN?
    I suspect you have a rule that allows traffic into your LAN.

    So just remove ALL RULES you ever created on the WAN and everything that tries to connect TO you will get blocked.
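To make the two points of this answer concrete (the arrow in a state line tells you who initiated the connection, and only the initiating interface's rule list is consulted, first match wins, with an invisible block at the bottom), here is an added Python example that is not from the thread or from pfSense. It parses state lines in the format quoted above and evaluates them against two constructed rule sets, one with a stray "allow everything" rule on WAN and one with no WAN rules; the addresses, the LAN subnet and both rule sets are constructed placeholders.

```python
import ipaddress
import re

# Constructed pfSense-style state lines in the format quoted in the thread.
# "<-": the right-hand host opened the connection toward the left-hand host.
# "->": the left-hand host opened the connection toward the right-hand host.
SAMPLE_STATES = """\
tcp 192.0.2.10:26564 <- 198.51.100.7:2214 CLOSING:ESTABLISHED
tcp 192.0.2.10:1433 <- 203.0.113.9:3847 CLOSED:SYN_SENT
tcp 203.0.113.50:143 <- 192.0.2.20:53360 ESTABLISHED:ESTABLISHED
tcp 192.0.2.20:44211 -> 203.0.113.80:80 ESTABLISHED:ESTABLISHED
"""
LAN_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed LAN subnet

# Hypothetical per-interface rule lists: (proto, destination port, action).
# "any"/None are wildcards like the "*" in the thread's table; first match wins
# and the invisible default-deny rule below the list catches everything else.
RULES_BEFORE = {"LAN": [("icmp", None, "pass"), ("tcp", 80, "pass"), ("tcp", 22, "pass")],
                "WAN": [("tcp", None, "pass")]}  # constructed "allow into LAN" rule
RULES_AFTER = {"LAN": RULES_BEFORE["LAN"], "WAN": []}  # all WAN rules removed

STATE_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(<-|->)\s+(\S+):(\d+)\s+\S+$")

def parse_state(line):
    """Return (proto, initiator_ip, target_ip, target_port) for one state line."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    proto, left, lport, arrow, right, rport = m.groups()
    if arrow == "->":
        return proto, left, right, int(rport)
    return proto, right, left, int(lport)

def evaluate(rules, iface, proto, dst_port):
    """First-match evaluation of one interface's list, implicit block at the end."""
    for r_proto, r_port, action in rules[iface]:
        if r_proto in ("any", proto) and r_port in (None, dst_port):
            return action
    return "block"

def classify(states_text, rules, lan_net=LAN_NET):
    """For each state: the interface whose rules were consulted when the state was
    created (the initiator's side), the target port, and that interface's verdict."""
    result = []
    for line in states_text.splitlines():
        proto, initiator, _target, dport = parse_state(line)
        iface = "LAN" if ipaddress.ip_address(initiator) in lan_net else "WAN"
        result.append((iface, dport, evaluate(rules, iface, proto, dport)))
    return result
```

With RULES_BEFORE the two inbound states to ports 26564 and 1433 are passed by the WAN rule and the LAN list never sees them; with RULES_AFTER they fall through to the implicit block while LAN-originated traffic is unchanged.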



  • Thx, you were right. There was a rule on WAN that gives access to LAN. That was my problem. Thx again



  • @ginosteel:

    and with Darkstat I can see traffic on port 26564
    Port   Service   In           Out          Total          SYNs
    26564            718,674,673  954,927,067  1,673,601,740  4,118

    I'd say you sent out a lot of your data to unknown drains already. Usually only the CIA does that. SCNR



  • hey!

    What abbreviation is SCNR?





  • @ginosteel:

    What abbreviation is SCNR?

    http://en.wiktionary.org/wiki/SCNR



  • :D

