Pfsense 2.2.4 absolute nightmare with firewall rules



  • Hi,

    I am upgraded to 2.2.4 for some time and I realized that firewall rules are not working as expected.

    I have a simple set of rules to stop minecraft servers in an defined interval ( because kids are ignoring school homework ):

    • one rule it allow the traffic to minecraft ports on that interval and after that the rule become inactive

    • next rule will cut the traffic on minecraft ports all the time.

    • after that the rule to cut the traffic to private LANs ( just to be sure )

    • and another rule to pass traffic if is not going to private LANs.

    Now I start realized that on 2.2.4 my firewall rules are not working as expected… only if I apply manual states reset when pass rule is not active.
    I even have old cron commands to cut the traffic from old version 2.1.5 ( known for having a bug not cutting connections after pass rules are expired ).

    /sbin/pfctl -k 192.168.222.106

    Any idea what can be wrong here and how to fix it ?
    I tried a lot of changes but no full success, I did not wanted to move rules in Floating to keep things clear...

    thank you.
    ![2015-09-20 18.30.25.jpg](/public/imported_attachments/1/2015-09-20 18.30.25.jpg)
    ![2015-09-20 18.30.25.jpg_thumb](/public/imported_attachments/1/2015-09-20 18.30.25.jpg_thumb)
    ![2015-09-20 18.29.46.jpg](/public/imported_attachments/1/2015-09-20 18.29.46.jpg)
    ![2015-09-20 18.29.46.jpg_thumb](/public/imported_attachments/1/2015-09-20 18.29.46.jpg_thumb)


  • LAYER 8 Global Moderator

    Those are you lan rules?  Why would you be blocking bogon your lan?  Where is your antilock out rules if that is your lan?

    Those really make no sense.. Where is your printer?  Is it on a different segment?  If on same segment as Lucia comp that printer rule makes no sense. Why would guests net be on same network as Lucia comp?  Why would you allow it to private nets and then after try and block to everything but private lans with that ! rule.  The ! rule to everything but private lans would block access to private nets so no need for both of those rules.

    Since when do minecraft servers only run on ports 6k to 65k?  I think the standard port is like 25566, but it can listen on any port the server oper wants it to listen on.



  • I have pfsense on an old computer with 5 LAN interfaces with this setup

    WAN  - static IPv4
    LAN1 net 192.168.A.1/24 - wired - part of "private LAN".
    LAN2 net 192.168.B.1/24 - wired - part of "private LAN".
    LAN3 net 192.168.C.1/24 - wired to AP for WIFI devices, including printer - "part of private LAN".
    GUESTS net 192.168.D.1/24 - wired to another AP for GUESTS on WIFI devices, that do not need to access private LANs.

    I defined Private_LANs alias with networks:
    192.168.A.0/24
    192.168.B.0/24
    192.168.C.0/24

    and for DNS redirection alias Local_Interfaces defined as hosts:
    192.168.A.1/32
    192.168.B.1/32
    192.168.C.1/32
    192.168.D.1/32
    127.0.0.1/32 for Loopback

    I do NOT have any more defined a PRIVATE LAN interface group with LAN1- LAN2 - LAN3 joined.

    Block private networks
    When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8).  You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.

    Block bogon networks
    When set, this option blocks traffic from IP addresses that are reserved (but not RFC 1918) or not yet assigned by IANA.  Bogons are prefixes that should never appear in the Internet routing table, and obviously should not appear as the source address in any packets you receive.

    as I seen:
    bogon networks are not the same as private networks so why do I need any lockout rule for that ?
    No private devices will generate this traffic, so I block it just to be sure will not be generate by some intruders.
    I have this setup from the beginning so I had no problem, if it is not correct and will cause trouble I can disable bogon no problem but that will not explain why L. comp still go to Minecraft ports range after time expired and rules are not respected.

    Printer is on LAN3 so rule for access it is required.

    I add block to Private LAN in front of ! rule recently rule because strange that I found that GUESTS can still access Private LANs even I had only ! rule.

    At this point I don't have any idea why this simple rules are not working as supposed… last night I reinstalled pfsense v 2.2.4 and restored backup just to be sure pfsense files are not tampered.

    This port range 6000:65000 will cover Mincraft servers that listen on different ports, server used by L. at this moment, it is easier to block traffic to any non "critical" ports that to block destination name-ip.

    Can I / Do I need to change this setup to a better-secure one ?

    thank you.


  • LAYER 8 Global Moderator

    Dude I stopped reading here..

    WAN  - static IPv4
    LAN1 net 192.168.A.1/24 - wired - part of "private LAN".
    LAN2 net 192.168.B.1/24 - wired - part of "private LAN".
    LAN3 net 192.168.C.1/24 - wired to AP for WIFI devices, including printer - "part of private LAN".

    And you didn't even answer my simple question - what interface are those rules placed on?

    Anyone that thinks they need to hide rfc1918 space doesn't understand even the basics so would just be wasting my time trying to explain to you what your doing wrong..

    "At this point I don't have any idea why this simple rules are not working as supposed.."

    Because they are all JUNK!!  Lets see the rules on your other interfaces..  IF you think 6k to 65k is going to block a minecraft server - what if they run it on 80, which many do.. What if they run it on 5999, etc..

    How exactly would blocking bogon stop intruders on your private network?  Do you even know what bogon's are?  Blocking them on your lan is going to cause you problems because of the entries they have in there..



  • I really don't understand what is your problem.
    If you can help and want to help then post something that help, post any links you think will help, post link to known/suspected pfsense bug related to this problem, post a new configuration for me to try… and remember I did not had this strange problems on 2.1.5.

    Blocking me traffic from bogon network will not cause this problems at worst will cut traffic from/to new allocated internet IP ( IP previous not allocated, but used by malware servers )
    https://www.team-cymru.org/bogon-reference.html

    It is not about hiding; it is clear that it is a private LAN IP and can be any nr 1-255 the idea is that A-B-C-D are not the same and easy to type-understand.

    The rules on other LAN 1-2-3 interface are simple:
    Allow all traffic from that LAN interface to any, no restrictions, yes this include traffic to GUESTS.

    I know that servers can listen on any port so I already check that servers used by L are in that range only.

    I already mentioned that if I clear firewall states manually when schedule rule is not active then L comp can't establish connection to Minecraft servers any more; so port used by that servers is in that blocked range.

    I can see few problems here:

    • pfsense 2.2.4 not clear firewall states when rule expired ( this was old pfsense bug not solved in 2.1.5 )… if anybody ca confirm that this bug is still present in 2.2.4 then problem solved.
    • latest cron fail to run some commands… if anybody ca confirm that this bug is present in 2.2.4 then problem solved.
    • pfsense 2.2.4 have strange problems in some configurations with executing firewall rules and in this case it fail to be used as a firewall… I don't think anybody will ever want to admit this…. this is a >50.000$ bug not to be disclosed.

    edit:
    this rules we are talking are of course on GUESTS interface… sorry if I forgot to mention explicitly, I assume it is clear as I also try to block traffic to private LANs from here.


  • Banned

    I'll re-iterate it. Stop introducing restrictive rules onto your local interfaces until you have basic understanding of

    • simple networking basics (like, understanding that "obfuscating" RFC1918 address space just hinders getting useful help and does NOTHING for your security)
    • traffic flow between boxes on the same interface/subnet (these do NOT go via the firewall, you cannot restrict or block the communication there)
    • which interface they belong on
    • order in which they get applied

    Most of the things you have configured are either

    • needlessly duplicated
    • wrong order
    • result of not understanding #2 above
    • or outright broken (such as the bogons thing) breaking required packets flow


  • here you have:

    ![2015-09-21 15.23.09.jpg](/public/imported_attachments/1/2015-09-21 15.23.09.jpg)
    ![2015-09-21 15.23.09.jpg_thumb](/public/imported_attachments/1/2015-09-21 15.23.09.jpg_thumb)
    ![2015-09-21 15.23.18.jpg](/public/imported_attachments/1/2015-09-21 15.23.18.jpg)
    ![2015-09-21 15.23.18.jpg_thumb](/public/imported_attachments/1/2015-09-21 15.23.18.jpg_thumb)
    ![2015-09-21 15.23.33.jpg](/public/imported_attachments/1/2015-09-21 15.23.33.jpg)
    ![2015-09-21 15.23.33.jpg_thumb](/public/imported_attachments/1/2015-09-21 15.23.33.jpg_thumb)
    ![2015-09-21 15.23.37.jpg](/public/imported_attachments/1/2015-09-21 15.23.37.jpg)
    ![2015-09-21 15.23.37.jpg_thumb](/public/imported_attachments/1/2015-09-21 15.23.37.jpg_thumb)
    ![2015-09-21 15.23.40.jpg](/public/imported_attachments/1/2015-09-21 15.23.40.jpg)
    ![2015-09-21 15.23.40.jpg_thumb](/public/imported_attachments/1/2015-09-21 15.23.40.jpg_thumb)


  • LAYER 8 Global Moderator

    so just looking at that mess this jumps out right away

    Which is it you have a floating rule that blocks access to pfsense ports alias, but then in your lan rule you have a specific allow rule.  And then you have a lan rule that allows anything anyway.  ???




  • Nothing wrong with that "mess"…

    • That floating rule on WAN is to protect pfsense interface from WAN and GUESTS access to pfsense admin ports.
    • The allow to pfsense on LAN is anti-lockout rule to pfsense admin port from LAN.

    I need that anti-lockout rule on LAN 1+2 because sometime I make tests and allow traffic out only for www_out ports ( browsing - now disabled as you can see)...

    ![2015-09-21 17.17.09.jpg](/public/imported_attachments/1/2015-09-21 17.17.09.jpg)
    ![2015-09-21 17.17.09.jpg_thumb](/public/imported_attachments/1/2015-09-21 17.17.09.jpg_thumb)
    ![2015-09-21 17.17.15.jpg](/public/imported_attachments/1/2015-09-21 17.17.15.jpg)
    ![2015-09-21 17.17.15.jpg_thumb](/public/imported_attachments/1/2015-09-21 17.17.15.jpg_thumb)
    ![2015-09-21 17.14.11.jpg](/public/imported_attachments/1/2015-09-21 17.14.11.jpg)
    ![2015-09-21 17.14.11.jpg_thumb](/public/imported_attachments/1/2015-09-21 17.14.11.jpg_thumb)
    ![2015-09-21 17.14.19.jpg](/public/imported_attachments/1/2015-09-21 17.14.19.jpg)
    ![2015-09-21 17.14.19.jpg_thumb](/public/imported_attachments/1/2015-09-21 17.14.19.jpg_thumb)


  • Banned

    @n3by:

    Nothing wrong with that "mess"…

    Well, you apparently know better than everyone else here, so… I guess everything is working perfectly, there are no nightmares and you can just move on with whatever you doing there.

    Have a nice day.


  • LAYER 8 Global Moderator

    Floating rules are normally applied to all interfaces, if you want it only on the wan why are you putting it in floating?  Why would your pfsense ports even be allowed on wan anyway and need a specific floating rule to supersede it?



  • I just implemented the extra security for pfsense admin ports from jflsakfja post ( I am not using pfsense admin default ports):
    https://forum.pfsense.org/index.php?topic=78062.0

    It is not correct ?
    What problem can this cause in my implementation ?
    what are suggestions to fix it if wrong ?


  • LAYER 8 Global Moderator

    Well I stopped reading that thread because of all the mistakes in the first post. He clearly states right up front to do this on floating

    Next up Floating tab:
    Set up a rule but make these changes:
    Action  Block
    Quick  TICKED!!!
    Interface  Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
    Direction  any
    Source  any
    Destination  any

    While is says to not have it apply to lan.. And even if you read clarification later in the thread its only suppose to be for pfsense ports.  You just blocked your own access to any of those ports on the internet your using for admin or any of your other interfaces.

    While I believe the intentions where all the best.. Unless you fully understand what your doing trying to follow such a thread going to cause most users nothing but problems.

    For starters why are you blocking both inbound and outbound on all interfaces? Wan blocks all inbound out of the box, and any other interface you bring up will block everything inbound as well.  Only out of the box interface that allows all is lan.  And the only reason this is because if they didn't do that most users wouldn't be able to get pfsense even up and running.

    Foating rules are looked at first!!  So with such a rule what if you want to access a port on machine X in lan 1 from machine in lan 2 on one of those ports your using for the admin of pfsense, even though in his first post he says ANY as dest not your alias.  This is a HUGE mistake that could break your connectivity to anything..

    https://doc.pfsense.org/index.php/What_are_Floating_Rules
    Floating Rules are parsed before rules on other interfaces. Thus, if a packet matches a floating rule and the Quick option is active on that rule, pfSense will not attempt to filter that packet against any rule on any other group or interface tab.

    So right out of the gate he is setting you up to crash and burn.. You can put any rules you want on another interface - floating is looked at first! and would block your access.  And the way that first post is created with dest ANY you just blocked access to everything!! in and out! except for lan interface.  But lets say using port 2222 for ssh as he suggest not using the standard ports so you can get some security through obscurity – which is not true, there is no such thing as security through obscurity plain and simple.  You might use it to help keep noise out of your logs - but obscurity is not a valid security principle!!

    So back to our example of say 2222 was your admin port, what if user on lan2 wants to access something on this port on the internet?  And you you allow any any on lan2 to the internet.  Well you just blocked it with that floating rule..  Dos not matter what rule you put on lan 2, since your floating blocks access to those ports.  And the way its written in the first post you just broke access to EVERYTHING with that rule!!

    And he makes it clear that rule should always be on TOP of the floating tab, thought you were following that as your setup guide?  Why do you have the rule on the bottom?

    What I would suggest is you go back to BASIC rules of pfsense out of the box, and then work on the things you want to block 1 at a time fully understanding the rule your putting in place.  If you have questions on how to block something specific then ask.  But asking what is wrong with your setup with showing such a hodge podge of rules is not going to get you much help - sorry!


  • Banned

    @johnpoz:

    Well I stopped reading that thread because of all the mistakes in the first post. He clearly states right up front to do this on floating

    That post has already confused about zillion users because the logic there makes you head spin…

    To block access to WebGUI/SSH ports:

    • Set up a ports alias (which you seem to have already done)
    • Create a block rule on top of all other rules on each interface you want to restrict, with destination set as "This Firewall" and "Destination port range" being that alias. Make sure you do NOT block this at least on your trusted LAN (or any other management interface of your choice). And/or, tick the "Anti-lockout" checkbox.

    This way, you can immediately see what's configured where. The floating rule, even if set correctly, is confusing like hell. Unless you have a zillion of interfaces, avoid it.


  • LAYER 8 Global Moderator

    ^ exactly!!  I have exactly 1 rule in my floating tab, only on the wan interface and only outbound to block the netbios ports 137-129 since Windows boxes like to send queries to to public internet IPs on this port for only logic MS would understand..  So that such noise doesn't leak out to my internet connection being the nice guy that I am vs any sort of tinfoil hat reason.. Why send unwarranted traffic to the internet when you don't need too is what I always say.



  • edit:
    –-----------------------------------------------------------------------------------------------------------
    First for some long time I had exactly that setup on each LAN interface only specific computer access to pfsense admin, but I changed according to jflsakfja post.... any way now I deleted jflsakfja implementation and reverting to my old setup so that floating rule has gone from my setup ( except pfblocker rules ).
    the rule did not stay on top because of pfblocker always put his rules on top.

    Please clarify if this behavior it is normal, because here I think I see a problem:

    on LAN1 I have a computer (192.168.22.16) as file server ( 137-139, 445 ) only for LANs, it is also web server. ( from www to web server only a port redirected to him pure NAT 1:1 ).

    • If I try to access the shares (192.168.22.16) (137-139, 445 ) from GUESTS net ( 192.168.222.1/24) it fail - so firewall rules are working OK.

    • If I try to access from GUESTS network the web server with internal LAN1 IP (192.168.22.16:80) it work ??
      ( I don't think it is normal to work ) and on web server log the access is from LAN 1 interface IP, from GUESTS I can't access other any services on different ports on the same computer LAN IP

    Any idea ( is this going to the DNS port because of DNS Resolver ?

    see the logs:

    ![2015-09-21 18.37.15.jpg](/public/imported_attachments/1/2015-09-21 18.37.15.jpg)
    ![2015-09-21 18.29.46.jpg_thumb](/public/imported_attachments/1/2015-09-21 18.29.46.jpg_thumb)
    ![2015-09-21 18.29.46.jpg](/public/imported_attachments/1/2015-09-21 18.29.46.jpg)
    ![2015-09-21 18.37.15.jpg_thumb](/public/imported_attachments/1/2015-09-21 18.37.15.jpg_thumb)
    ![2015-09-21 18.37.21.jpg](/public/imported_attachments/1/2015-09-21 18.37.21.jpg)
    ![2015-09-21 18.37.21.jpg_thumb](/public/imported_attachments/1/2015-09-21 18.37.21.jpg_thumb)
    ![2015-09-21 18.37.24.jpg](/public/imported_attachments/1/2015-09-21 18.37.24.jpg)
    ![2015-09-21 18.37.24.jpg_thumb](/public/imported_attachments/1/2015-09-21 18.37.24.jpg_thumb)
    ![2015-09-21 18.37.27.jpg](/public/imported_attachments/1/2015-09-21 18.37.27.jpg)
    ![2015-09-21 18.37.27.jpg_thumb](/public/imported_attachments/1/2015-09-21 18.37.27.jpg_thumb)
    ![2015-09-21 18.38.05.jpg](/public/imported_attachments/1/2015-09-21 18.38.05.jpg)
    ![2015-09-21 18.38.05.jpg_thumb](/public/imported_attachments/1/2015-09-21 18.38.05.jpg_thumb)


  • LAYER 8 Global Moderator

    "from www to web server only a port redirected to him pure NAT 1:1"

    So your doing nat reflection to access this webserver?

    Where in your logs are you seeing this traffic from your guests network to 192.168.22.16:80

    I notice traffic to 3128, so your also running proxy package?

    I see on your webserver a get from 192.168.23.22 to 22.16:6030..

    What specific source IP to what specific dest IP and port?  And guessing your going through proxy.. So if using a proxy you would have to tell proxy to block that traffic not the firewall.  If your allowing guest network to access the proxy.



  • LAN 1 192.168.22.1/24 - for wired only, file server, web server … on 192.168.22.16

    LAN 2 192.168.23.1/24 - for wired only, from here ( 192.168.23.22 ) I monitor the connection to web server on port 6030 so is normal to appear in web server log ( first pic )

    LAN 3 192.168.24.1/24 - for wifi devices

    Guests 192.168.222.1/24 - test access from device 192.168.222.114
    and as you can see guests are restricted to Private LANs ( 1-2-3)

    I am using NAT to access from www ( I can access from LAN 1-2-3 with internal IP as default )
    yes I am using SQUID transparent on 3128 for filtering sites on all interfaces.

    ok so proxy is causing this problems here and messing firewall rules ?
    I will look into it, after that I will see about cleared states when allow rule expire.

    edit:

    OK proxy solved now.


  • LAYER 8 Global Moderator

    for your future reference 192.168.24.1/24 would be host address not a network.  When calling out a network you would use the wire/subnet address, not a host in the network.  192.168.24.0/24 would be the network, with 192.168.24.1/24 your calling out a specific host address in the 192.168.24.0/24 network.

    For example if you gave an address of 192.168.24.128/25 that would be a network address while 192.168.24.129/25 would be host address in the 192.168.24.128/25 network/subnet.

    Yes the use of proxies can be confusing in firewall rules all the time.  So in future when asking for help with firewall rules always make sure you mention if using, and also when you use a lot of aliases please make sure you post up the entries in the aliases..  Or it can be very difficult to evaluate the rules just looking at them not knowing the details of the aliases and or if other packages are being used like snort or suricata or pfblocker (especially if having it do auto rules vs just using it with alias lists in your own rules).



  • yes, you are right, my mistake.

    thank you for correcting me.


Log in to reply