Block TCP 445 in LAN out WAN2



  • I'm struggling today to do something simple.

    I have LAN interface, WAN(Internet), WAN2(MPLS)

    I'm trying to block TCP port 445, SMB outbound traffic from passing thru LAN to WAN2

    I tried creating a Firewall Rule on the LAN Tab with:
    Action:  Block
    Interface LAN
    Version: IPv4
    Protocol: TCP
    Source, Advanced: from: 445 to: 445

    Save

    Then I run my test… copying a file from local (LAN) computer  to system on WAN2 , copy works. (Not The Result I was Looking For)

    My only thought is that maybe the traffic is routing and ignoring the firewall rules, But I'm not sure how to check this?

    Any thoughts?

    Thank You,
    RS


  • LAYER 8 Global Moderator

    source port would be ANY dest port would be 445..  And you need to make sure the rule is above any allow rules.. By default lan rule would be any any.  So your block would need to be above your allow.



  • I tried both ways with no success.

    Firewall Rules Below:

    ID Proto         Source Port Destination Port Gateway Queue Schedule Description
    ALLOW * * * LAN Address 80 22 * *                         Anti-Lockout Rule
    BLOCK IPv4 TCP * 445 (MS DS) * * * none                 Block again
    BLOCK IPv4 TCP * * *                 445 (MS DS) * none Block 445 Out
    ALLOW IPv4 * LAN net * *                 * * none                 Default LAN - an


  • Banned

    1/ Remove the "Block again" nonsense.
    2/ Apply.
    3/ Go to Diagnostics - States - Reset states and blick Reset.



  • Below is packet capture on the WAN2 Interface:

    12:22:00.217546 IP 172.16.0.31.445 > 172.18.2.12.28706: tcp 1460
    12:22:00.217578 IP 172.16.0.31.445 > 172.18.2.12.28706: tcp 1460
    12:22:00.219499 IP 172.18.2.12.28706 > 172.16.0.31.445: tcp 0

    Computer 172.16.0.31 (LAN)  is sending the traffic with source port 445 to WAN2 IP, Right?


  • Banned

    1/ We have no idea what's your LAN and WAN.
    2/ I sincerely hope you do not allow SMB from WAN.  :o ::)



  • I know, I'm trying to paint as clear a picture I can.

    Note: WAN2 is not the internet, it's another network.

    Note: WAN  is the Internet


  • Banned

    pfSense is a stateful firewall. When you let traffic in, corresponding traffic will be let out.

    P.S. Calling something WAN when it's not WAN does not help to get "clear picture". It does the exact opposite.



  • @rsweb99:

    Below is packet capture on the WAN2 Interface:

    12:22:00.217546 IP 172.16.0.31.445 > 172.18.2.12.28706: tcp 1460
    12:22:00.217578 IP 172.16.0.31.445 > 172.18.2.12.28706: tcp 1460
    12:22:00.219499 IP 172.18.2.12.28706 > 172.16.0.31.445: tcp 0

    Computer 172.16.0.31 (LAN)  is sending the traffic with source port 445 to WAN2 IP, Right?

    Was this captured after doing the reset states?  If you didn't do that, any existing connection would probably still work.  If 0.31 is on LAN, 2.12 is on WAN2, it may be that 2.12 initiated the connection, so adding  a block inbound on WAN2 to dst port 445 may also be needed.  The block outbound from LAN to dst port 445 prevents LAN from initiating the connection, but does not prevent a connection from outside of LAN to dst port 445.

    (I think this is what dok means with the emphasis on stateful)


  • Banned

    Yeah when you don't want two networks to talk over SMB you need the block rule on both interfaces, with the opposite subnet as destination.



  • In effort to be more clear, what to a call a "remote network", that is not the internet?

    Diagram:

    PFSENSE
    [LAN] <–------->  /--------------/ <-------> [WAN]
      172.16.0.0      /                  /
                              /–------------/  <-------> [WAN2] 10.10.10.34  <–-> [ROUTER]  <–--> 172.18.0.0/ 22
                                                                                                            10.10.10.36            REMOTE SITE



  • Testing…



  • (WAN2 –> REMOTE SITE interface Rules

    ID     Proto       Source Port         Destination Port Gateway Queue Schedule Description

    BLOCK IPv4 TCP * * *       445 (MS DS) * none Block Inbound Destination 445 From ALL
    ALLOW IPv4              * * *       * *       * none Allow all traffic to and from other

    Still not blocking...


  • Banned

    1/ You need this on BOTH interfaces.
    2/ You need to reset the states (or reboot the firewall box if unabled to find the button to do so).

    If you think it's still not blocked then stick logging on the rules and look at the firewall logs.

    P.S. Learn to produce screenshots instead of broken ASCII art.



  • Will provide screen shots from now on, did not know I could do that.

    I will Reset states again…



  • First of all I want to thank Doktornotor for pointing out the System,States (and the ability to reset them), this was causing me false positives on my earlier testing.

    Second, I want to thank Mer, for putting the stateful blocking logic as it related directly to my situation and helped to see the initial incoming connection.

    After I added the correct rule, above, I did not reset the states, so it did not block.

    Thank You, guys the blocking is working.

    ALSO, There was one thing I did not understand/anticipate with MS SMB, after port 445 was blocked, the workstation decided to change to port 139, so my block worked, but my test failed as the file transfer was still going on.  Once I blocked 445 and 139 TCP, all worked/Blocked which is what I wanted.

    Thank You!


  • Banned

    Honestly, if this Windows NetBIOS/file sharing stuff is undesired, block 135-139 and 445, TCP/UDP.


  • LAYER 8 Global Moderator

    guess I don't get any love for pointing out his rule was backwards.. ;)



  • John, you have to let some of us catch up in karma first :)

    OP:
    Don't forget that all the ports should have a default deny as the first thing (it's there already you don't have to add it).  This makes it really nice:  if everything is blocked by default, then you have a smaller list of "allow this".  It feels backwards (like an old HP RPN calculator) but it makes things a lot easier on you.  On my setup I have 7 TCP services plus 3 UDP allowed,  a lot simpler than "need to block this, block that,crap missed that one".  There may be a few things I could add, but so far noone has complained.


Log in to reply