Transparent Firewall Passing All traffic from WAN -> LAN?!?



  • Hello all,

    My transparent firewall is acting very strange. It appears, to a grc.com scan from a machine behind the pfSense bridge and an nmap scan from my Wi-Fi on a different network, that my pfSense filtering bridge is passing all traffic from WAN -> LAN.

    I've created all my rules on the WAN tab and I even created a block-all rule at the very bottom, but grc and nmap still show almost all ports as open.

    I created a rule at the top on the LAN tab to block port 135 as a test, to/from all, but it is still showing as open to the outside world.

    What is going on?



  • Could you show screenshots of your rules?

    It's kind of hard to imagine which rule is where, doing what.
    Also: what are you trying to achieve? (What does the rest of the network around it look like?)



  • Sure, there are a lot of them though. They are all pretty basic.

    The firewall is acting very weird. A grc scan showed everything as stealth, then running it again showed certain ports as open (like MS RPC) … like the firewall is selectively filtering traffic.

    http://fw-test.alphatheory.com/fw1.png
    http://fw-test.alphatheory.com/fw2.png

    Thanks.

    I have the pfSense box configured as a bridging filter for our rack of network servers. The line coming from our provider is connected to the WAN and then the LAN is connected to a switch. All my servers are connected to the switch.

    I just need to open Web/FTP/SSH/PPTP ports to the servers, but all the servers need to keep public IP addresses, which is why I configured the pfSense box as a filtering bridge. I want all outbound traffic allowed, but only certain inbound traffic allowed.



  • I removed the GRE and PPTP rules and the firewall is now blocking traffic properly.

    So, how do I make my MS PPTP server operate behind the pfSense box?



    The PPTP rule at http://fw-test.alphatheory.com/fw2.png has "any" as the destination port. For PPTP you only need TCP 1723 (and the GRE protocol), not "any". "Any" opened it up completely (at least for TCP traffic).
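The mistake hoba points out is easy to reason about once the rule table is written down. The following is an added illustration, not the poster's actual configuration or pfSense code: a small Python model of first-match rule evaluation on the WAN tab. pfSense interface rules are "quick" rules, so the first matching rule wins and anything that reaches the end of the list is dropped by the default deny. The two rule sets below are assumed reconstructions from the thread (Web/FTP/SSH/PPTP plus a block-all at the bottom); the port numbers 80 and 443 for "Web" are an assumption.

```python
"""Model of first-match ("quick") rule evaluation on a pfSense WAN tab.

Added example, not the thread's real configuration. It shows why a PPTP pass
rule whose destination port is 'any' makes every inbound TCP port look open,
even with a block-all rule at the bottom of the list, and how the corrected
rule (TCP 1723 plus protocol GRE) fixes it.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY = None  # stands for pfSense's "any" selection


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: Optional[str]      # "tcp", "gre", ... or ANY
    dst_port: Optional[int]   # destination port, or ANY (matches every port)
    name: str                 # description, as shown in the rule table

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        """A field set to ANY matches everything; otherwise it must be equal."""
        if self.proto is not ANY and self.proto != proto:
            return False
        if self.dst_port is not ANY and self.dst_port != dst_port:
            return False
        return True


def evaluate(rules: Sequence[Rule], proto: str, dst_port: Optional[int]) -> Tuple[str, str]:
    """First matching rule decides; nothing matching hits the implicit default deny."""
    for rule in rules:
        if rule.matches(proto, dst_port):
            return rule.action, rule.name
    return "block", "implicit default deny"


# Reconstruction (assumed) of the rule order in fw2.png. The PPTP rule has its
# destination port left at "any", so it catches every TCP connection that the
# rules above it did not already pass; the block-all rule is never reached.
MISCONFIGURED: List[Rule] = [
    Rule("pass", "tcp", 80, "HTTP"),
    Rule("pass", "tcp", 443, "HTTPS"),
    Rule("pass", "tcp", 21, "FTP"),
    Rule("pass", "tcp", 22, "SSH"),
    Rule("pass", "gre", ANY, "GRE for PPTP"),            # GRE has no ports
    Rule("pass", "tcp", ANY, "PPTP (dst port left at any)"),
    Rule("block", ANY, ANY, "block all"),
]

# Same list with the PPTP rule restricted to its control port, TCP 1723.
CORRECTED: List[Rule] = [
    Rule("pass", "tcp", 80, "HTTP"),
    Rule("pass", "tcp", 443, "HTTPS"),
    Rule("pass", "tcp", 21, "FTP"),
    Rule("pass", "tcp", 22, "SSH"),
    Rule("pass", "gre", ANY, "GRE for PPTP"),
    Rule("pass", "tcp", 1723, "PPTP control"),
    Rule("block", ANY, ANY, "block all"),
]


def visible_tcp_ports(rules: Sequence[Rule], ports: Sequence[int]) -> List[int]:
    """What an external TCP scan (grc.com, nmap) would report as open."""
    return sorted(p for p in ports if evaluate(rules, "tcp", p)[0] == "pass")


if __name__ == "__main__":
    for label, rules in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(f"{label}: TCP/135 ->", evaluate(rules, "tcp", 135))
        print(f"{label}: open ports 1-1024 ->", len(visible_tcp_ports(rules, range(1, 1025))))
```

In the misconfigured set the probe to TCP/135 (the MS RPC port the poster saw) matches the PPTP rule, so the block-all rule below it is irrelevant; in the corrected set only the four service ports and 1723 pass, and GRE still passes for the tunnel. This also explains the LAN-tab test from the first post: pfSense interface rules filter traffic entering that interface, so a block rule on the LAN tab only affects what the servers send toward the firewall, not what arrives on WAN.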



  • @hoba:

    The PPTP rule at http://fw-test.alphatheory.com/fw2.png has "any" as the destination port. For PPTP you only need TCP 1723 (and the GRE protocol), not "any". "Any" opened it up completely (at least for TCP traffic).

    Thanks. I can't believe I fat-fingered that. I re-created the rules and re-tested, and I apparently created them right this time, because VPN traffic is working and the GRC scan is showing everything like it should.

    Whew, I was worried for a bit.

    Thanks everyone!

