How to Block all Ports, except 80, 21, 22, 443



  • I want to block traffic on all ports except on selected ports like 80, 21, 22, 443 from LAN to WAN or vice versa. Please suggest how to achieve that. I created an alias 'PortsOK' for these ports but do not know where to use this alias to block all traffic for the ports NOT in PortsOK.

    Thanks in advance

    Sher


  • Banned

    No need. Just don't allow them.



  • ;D ;D ;D

    I am serious… how do I do it in pfSense?


  • Banned

    Yeah, I am serious as well.


  • Netgate



  • Dear Derelict,

    I have already gone through all the links you posted. But I am not able to figure out how to implement what I said earlier in the post. I just need some assistance.

    Sher


  • Netgate

    Pass the traffic you want passed then block everything else.

    There is a default deny rule, which is what @doktornotor was referring to. If you don't pass it, it is blocked by default. So the "block everything else" instructions above are redundant.

    If the only rules on an interface pass traffic to 80, 21, 22, 443, everything else will be blocked and you will be done.

    Chances are you also want pass rules to some DNS servers somewhere.



  • How can I block the port-level traffic on some interface?


  • Netgate

    Goodness.

    ![Screen Shot 2015-07-25 at 4.18.49 AM.png](/public/imported_attachments/1/Screen Shot 2015-07-25 at 4.18.49 AM.png)


  • Banned

    @Sher:

    But I am not able to figure out how to implement what I said earlier in the post. I just need some assistance.

    For goddamn sake. When you ONLY allow the PortsOK ports, then everything else will be BLOCKED by default!


  • Rebel Alliance Global Moderator

    Dude, really, if you cannot figure this out, maybe you shouldn't be using something like pfSense. Whatever your ISP gave you is probably better suited for your skill set.

    It really is stupid simple. As clearly stated, if it is not allowed, it is blocked. So if you created an alias called PortsOK, then put that in the destination ports. See attached screenshots.

    Keep in mind that if that is your only rule, you won't even be allowed to ping or talk to pfSense, other than the anti-lockout rule allowing you access to the pfSense GUI. How are you going to get DNS? You might want to add 53 into your ports rule. And make sure you allow UDP for 53; you could just use any as the protocol instead of TCP only.

    Also, I feel you're going to have issues with such a rule. The default LAN rule is any/any for a reason: users that cannot figure out basics like this, once you start blocking stuff and break stuff on the internet (for example, my DNS point), you're not going to have a good time with pfSense. While you have the basic ports allowed, for example 21 for FTP… how exactly do you think the data channel is going to work?

    Active sure would not work, because WAN is block-all by default and you don't have any forward set up, and there is no FTP helper or proxy any more. And if you're trying to use passive, where your client would talk to the data port the FTP server gives you, you have all ports blocked; you're sure not going to talk to the FTP server's data channel on 22, 80 or 443.

    If you implement this sort of rule, I am quite sure you will be back with "XYZ doesn't work", etc.
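The two moderator replies above (pass only what you want, the implicit default deny makes an explicit "block everything else" redundant, and a TCP-only PortsOK rule silently breaks UDP DNS and passive FTP data connections) can be checked with a small model of how pfSense evaluates LAN rules. The following is an added illustration written for this page, not pfSense code and not anything posted in the thread. It assumes first-match evaluation with an implicit final block (which is how pfSense applies GUI rules), and it deliberately ignores addresses, direction and state tracking to keep the point visible; the sample packets are constructed.

```python
"""Toy model of pfSense-style LAN rule evaluation.

Assumptions (not taken from the thread): rules are evaluated top to bottom,
the first matching rule decides, and a packet that matches no rule is blocked
by an implicit default deny. Addresses, interfaces and state are ignored.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# The alias the original poster created; 53 is the addition suggested above.
PORTS_OK: FrozenSet[int] = frozenset({80, 21, 22, 443})
PORTS_OK_WITH_DNS: FrozenSet[int] = PORTS_OK | {53}


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    proto: str                         # "tcp", "udp" or "any"
    dst_ports: Optional[FrozenSet[int]]  # None means "any destination port"


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action applied to pkt: first matching rule wins,
    otherwise the implicit default deny blocks it."""
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dst_ports is not None and pkt.dst_port not in rule.dst_ports:
            continue
        return rule.action
    return "block"  # pfSense's default deny when nothing matched


def same_outcomes(rules_a: List[Rule], rules_b: List[Rule],
                  packets: List[Packet]) -> bool:
    """True if both rulesets decide every sample packet identically."""
    return all(evaluate(rules_a, p) == evaluate(rules_b, p) for p in packets)


# Ruleset 1: what the poster described, a single TCP pass rule using the alias.
TCP_ONLY: List[Rule] = [Rule("pass", "tcp", PORTS_OK)]

# Ruleset 2: the same plus an explicit catch-all block; redundant, as stated above.
TCP_ONLY_EXPLICIT_BLOCK: List[Rule] = TCP_ONLY + [Rule("block", "any", None)]

# Ruleset 3: protocol "any" and 53 added to the alias, as the moderator advised.
ANY_WITH_DNS: List[Rule] = [Rule("pass", "any", PORTS_OK_WITH_DNS)]

# Constructed sample traffic from a LAN client.
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", 443),     # HTTPS
    Packet("tcp", 21),      # FTP control channel
    Packet("udp", 53),      # DNS query
    Packet("tcp", 49152),   # passive FTP data channel on a server-chosen high port
    Packet("udp", 6881),    # a typical BitTorrent port
]

if __name__ == "__main__":
    for name, rules in (("TCP_ONLY", TCP_ONLY),
                        ("TCP_ONLY_EXPLICIT_BLOCK", TCP_ONLY_EXPLICIT_BLOCK),
                        ("ANY_WITH_DNS", ANY_WITH_DNS)):
        decisions = ", ".join(f"{p.proto}/{p.dst_port}={evaluate(rules, p)}"
                              for p in SAMPLE_PACKETS)
        print(f"{name}: {decisions}")
    print("explicit block changes nothing:",
          same_outcomes(TCP_ONLY, TCP_ONLY_EXPLICIT_BLOCK, SAMPLE_PACKETS))
```

Running it shows the two points the replies make: the explicit catch-all block produces exactly the same decisions as the implicit default deny, and the TCP-only alias rule blocks UDP 53 while even the "any" variant with DNS added still blocks the passive FTP data channel, because that port is chosen by the server and is not in the alias.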




  • Thanks guys, for your support.

    I am a novice in case of pfSense and started using it about a month ago.

    I have pfSense 2.2.3 64-bit with Squid3, SquidGuard and Snort running successfully. I want to block torrent downloads for LAN users. As torrent clients use random ports, I want to open only certain known ports (PortsOK) and block all others. I will be adding more and more ports to PortsOK as required.



  • Rebel Alliance Global Moderator

    So you do understand torrent clients can use proxies, right? If you had Snort working, it could be set to block P2P traffic.