Netgate Discussion Forum
    Allow specific URLs

Category: Firewalling
6 Posts, 2 Posters, 896 Views
ddr

Hi all,
I have to allow only POP and SMTP of Gmail through the firewall rules for all LAN users. I created two aliases, mail_hosts and mail_ports. How do I add these aliases?
almabes

https://doc.pfsense.org/index.php/Firewall_Rule_Basics
ddr

Thanks for the reply. Now I added it like this, but it's not pinging pop.gmail.com from the client machine. Is that correct?

[Screenshot: Capture.JPG]
almabes

Get rid of the useless LAN NET to LAN NET rule. It does nothing. That traffic never traverses the firewall, it only goes through your switch.

TCP is not ICMP. You haven't allowed pings out, except from IPs in your Full_access alias.

Try to telnet to one of the allowed host port combinations from one of the PCs not in the full_access alias.

Edit: Clarified to try an allowed IP and port.
ddr

@almabes:

Get rid of the useless LAN NET to LAN NET rule. It does nothing. That traffic never traverses the firewall, it only goes through your switch.

TCP is not ICMP. You haven't allowed pings out, except from IPs in your Full_access alias.

Try to telnet to one of the allowed ports from one of the PCs not in the full_access alias.

If I disable the LAN NET to LAN NET rule, my client PC is not connected to the Squid proxy. I used telnet to check port 995 of pop.gmail.com and got the error "connection Failed". That PC is not a member of the "Full_access" alias.
almabes

Ok.
Rewrite that LAN net to LAN net rule to be more specific.
LAN net to LAN address TCP port 3128 (or whatever you have Squid set to). Otherwise anyone on your LAN can hit SSH and webConfigurator on the firewall.

You may want to allow LAN net access to LAN address UDP 53, unless you have a DNS server on your LAN that is not your firewall. Which is what I suspect is contributing to the connection failed problem.
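The following is an added example (not pfSense code and not from either poster) that models the two points almabes makes: why a client outside Full_access can reach pop.gmail.com on TCP 995 while its pings fail (TCP is not ICMP, and nothing passes ICMP for that client), and why the broad "LAN net to LAN net" pass rule exposes SSH and the webConfigurator on the firewall itself until it is narrowed to Squid's port 3128 and DNS on UDP 53. It is a toy first-match rule evaluator, as pfSense applies interface rules (first matching rule wins, implicit deny at the end). All addresses, the resolved members of mail_hosts, the members of mail_ports (995 and 587) and Full_access, the webConfigurator port (443) and the hypothetical names BROAD_RULES, TIGHT_RULES and TIGHT_NO_DNS are constructed for the example.

```python
"""Toy first-match evaluator for the LAN ruleset discussed in the thread.

Added example, not pfSense code. Hosts, alias members and rule details are
assumptions reconstructed from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, FrozenSet

LAN_NET = ip_network("192.168.1.0/24")          # constructed LAN subnet
LAN_ADDRESS = ip_address("192.168.1.1")         # constructed firewall LAN IP

# Alias names come from the thread; the members are constructed. In pfSense a
# hostname alias is resolved to addresses, so mail_hosts holds IPs here.
ALIASES = {
    "mail_hosts": {ip_address("172.217.0.1"), ip_address("172.217.0.2")},
    "mail_ports": {995, 587},                   # POP3S and SMTP submission
    "Full_access": {ip_address("192.168.1.10")},
}


@dataclass(frozen=True)
class Packet:
    proto: str                                  # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None                 # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                                 # "pass" or "block"
    proto: str                                  # "tcp", "udp", "icmp" or "any"
    src: str                                    # "lan_net" or an alias name
    dst: str                                    # "lan_net", "lan_address", "any" or alias
    dports: Optional[FrozenSet[int]]            # None means any port
    label: str


def _match_host(spec: str, addr: IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec == "lan_net":
        return addr in LAN_NET
    if spec == "lan_address":
        return addr == LAN_ADDRESS
    return addr in ALIASES[spec]


def _match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _match_host(rule.src, pkt.src) or not _match_host(rule.dst, pkt.dst):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """Return (action, label) of the first matching rule; default deny."""
    for rule in rules:
        if _match(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


MAIL_RULE = Rule("pass", "tcp", "lan_net", "mail_hosts",
                 frozenset(ALIASES["mail_ports"]), "LAN net -> mail_hosts mail_ports")
FULL_ACCESS_RULE = Rule("pass", "any", "Full_access", "any", None, "Full_access -> any")

# The poster's original set: a broad LAN net -> LAN net pass rule on top.
BROAD_RULES = [
    Rule("pass", "any", "lan_net", "lan_net", None, "LAN net -> LAN net (broad)"),
    FULL_ACCESS_RULE, MAIL_RULE,
]
# After almabes' advice: only Squid (3128) and DNS (53) to the firewall itself.
TIGHT_RULES = [
    Rule("pass", "tcp", "lan_net", "lan_address", frozenset({3128}), "LAN net -> LAN address tcp/3128"),
    Rule("pass", "udp", "lan_net", "lan_address", frozenset({53}), "LAN net -> LAN address udp/53"),
    FULL_ACCESS_RULE, MAIL_RULE,
]
# Same, but without the DNS rule: name resolution via the firewall is blocked.
TIGHT_NO_DNS = [r for r in TIGHT_RULES if r.dports != frozenset({53})]

CLIENT = ip_address("192.168.1.50")             # constructed: not in Full_access
GMAIL_POP = ip_address("172.217.0.1")           # constructed: a mail_hosts member


def check(rules):
    """Evaluate the thread's test cases against a ruleset; returns {case: action}."""
    cases = {
        "pop995_from_client": Packet("tcp", CLIENT, GMAIL_POP, 995),
        "ping_from_client": Packet("icmp", CLIENT, GMAIL_POP),
        "ping_from_full_access": Packet("icmp", ip_address("192.168.1.10"), GMAIL_POP),
        "ssh_to_firewall_from_client": Packet("tcp", CLIENT, LAN_ADDRESS, 22),
        "webgui_to_firewall_from_client": Packet("tcp", CLIENT, LAN_ADDRESS, 443),
        "squid_from_client": Packet("tcp", CLIENT, LAN_ADDRESS, 3128),
        "dns_from_client": Packet("udp", CLIENT, LAN_ADDRESS, 53),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, rules in (("broad", BROAD_RULES), ("tight", TIGHT_RULES), ("tight_no_dns", TIGHT_NO_DNS)):
        print(name)
        for case, action in check(rules).items():
            print(f"  {case:32s} {action}")
```

Running it shows the broad set passing SSH and the web GUI from any LAN host, the tight set blocking both while still passing Squid, DNS and the mail rule, and ICMP from the client blocked under every set because only Full_access members have a rule that matches pings. The evaluator does not model name resolution; the TIGHT_NO_DNS case only shows that the client's DNS queries to the firewall would be dropped, which is the failure almabes suspects behind "connection Failed".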
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.