Review rules



  • Hi,

    I'm trying to follow a "deny by default" policy but I have some questions.

    My services are:

    • HTTP/HTTPS (80,443)

    • SSH (22)

    • DNS

    • ICMP

    • Torrent

    • VPN PPTP

    Rules in "LAN interface":

    *Last rule is for testing

    So my questions are:

    • Why can I select "DMZ net" or "WAN net" as source if these rules are for the LAN interface? Traffic is only filtered on the interface where it is initiated, right?

    • I don't need explicit block/reject rules because all traffic is blocked by default if there is no "pass rule"?

    • What is the difference between LAN address and LAN net?

    • Now my VPN is working because of last rule… but why is it not working with the "vpn rule"?

    Any advice or books about firewalling?

    Thanks a lot!



  • Why can I select "DMZ net" or "WAN net" as source if these rules are for the LAN interface? Traffic is only filtered on the interface where it is initiated, right?

    The interface just lists aliases. These are convenience interfaces. And making assumptions of how the network is designed and only showing certain aliases based on which interface would cause someone somewhere to have issues with it.

    I don't need explicit block/reject rules because all traffic is blocked by default if there is no "pass rule"?

    Correct. Only the LAN interface has a default pass all.

    What is the difference between LAN address and LAN net?

    LAN address is the IP address of pfSense on said interface and LAN net is the subnet of that network.

    Now my VPN is working because of last rule… but why is it not working with the "vpn rule"?

    Your list is empty



  • Thanks  ;)

    @Harvy66:

    Why can I select "DMZ net" or "WAN net" as source if these rules are for the LAN interface? Traffic is only filtered on the interface where it is initiated, right?

    Now my VPN is working because of last rule… but why is it not working with the "vpn rule"?

    Your list is empty

    What do you mean? I want to establish a connection with a VPN in Amazon. So, I added a rule for the PPTP port (destination) but it is not working. I also added a rule for GRE…

    Another question: with the last rule (allow all) I have uTorrent working perfectly, download and upload, but when I add the rule for torrent (and disable the allow-all rule) the download goes well but the upload is only 10-30 kbps. Why? I read about port forwarding and so on, but I don't understand why, if both download and upload work with the "pass all" rule, I have to open ports for upload with the new torrent rule...



  • Any charitable soul to help me?



  • For upload to happen, you need to discover new peers.  For that to happen, the peers need to be able to talk to you unsolicited, and that's likely where your problem is.  Are you using a static port for your torrent app?



  • Yes, I'm using 17738 port. So I need two rules for torrent:

    • Allow Download: FW > Rules -> From "Lan Net and torrent port" to *

    • Allow upload: FW > Nat > Port forward -> With destination my pc and port 17738

    And for a PPTP VLAN? I added a rule with the PPTP port but it is not working.

    Thanks!
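To make the answers above concrete (deny by default, "LAN address" versus "LAN net", and the two torrent rules in the post just above: an outbound pass rule plus an inbound port forward), here is the same policy written out as a raw pf.conf. This is an added example, not from the thread and not the ruleset pfSense generates from its GUI, so it is for reading, not for pasting into pfSense. The interface names em0/em1, the 192.168.1.0/24 subnet, the firewall address 192.168.1.1 and the torrent host 192.168.1.50 are assumptions; TCP/1723 and GRE are the standard PPTP ports/protocol.

```pf
# Added example, not from the thread and not pfSense's generated ruleset.
# Interface names, addresses and the torrent host are assumptions.
wan = "em0"
lan = "em1"
lan_net  = "192.168.1.0/24"   # "LAN net": the whole subnet behind the LAN interface
lan_addr = "192.168.1.1"      # "LAN address": the firewall's own IP on that interface
torrent_host = "192.168.1.50" # assumed PC running uTorrent
torrent_port = "17738"

set skip on lo0

# Translation rules come before filter rules in this pf syntax (the FreeBSD/pfSense one).
# Outbound NAT for LAN hosts, which pfSense normally adds automatically.
nat on $wan inet from $lan_net to any -> ($wan)
# Inbound port forward: unsolicited peer connections to WAN:17738 go to the torrent host.
# Without this, downloads (connections the client initiates) work, but peers cannot dial in.
rdr pass on $wan inet proto { tcp, udp } from any to ($wan) port $torrent_port \
    -> $torrent_host port $torrent_port

# Deny by default: anything not matched by a pass rule below is dropped and logged,
# on every interface. No explicit block rule per service is needed.
block log all

# Pass rules on the LAN interface, evaluated for packets arriving from the LAN side.
# Each pass keeps state, so replies flow back without a matching rule on WAN.
pass in quick on $lan inet proto { tcp, udp } from $lan_net to any port { 80, 443 }
pass in quick on $lan inet proto tcp          from $lan_net to any port 22
# DNS only to the firewall's own forwarder: destination is "LAN address", not "LAN net".
pass in quick on $lan inet proto { tcp, udp } from $lan_net to $lan_addr port 53
pass in quick on $lan inet proto icmp         from $lan_net to any
# Torrent outbound: the client connects to peers on arbitrary ports, so no port match here.
pass in quick on $lan inet proto { tcp, udp } from $torrent_host to any
# PPTP client to a remote server needs both the TCP/1723 control channel and GRE (IP proto 47).
pass in quick on $lan inet proto tcp from $lan_net to any port 1723
pass in quick on $lan inet proto gre from $lan_net to any

# Traffic the firewall itself originates (its resolver, NTP, updates).
pass out quick on $wan inet from ($wan) to any
```

Two caveats a practitioner would want: the `rdr pass` line is the only thing that lets a peer open a connection to the torrent client, which is why a single outbound torrent rule left uploads starved in the thread; and GRE has no port numbers, so source NAT can track only one LAN client to a given PPTP server at a time, which is a limitation of NAT rather than of the pass rules.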



  • All I know about PPTP is that it is now considered insecure and you should move off of it if you can.

