Netgate Discussion Forum
    Firewall port numbers

    Firewalling
      Herminator

      As a non-ICT person I've got (maybe!) a silly question!

      Under Firewall > Rules, especially the rule "Default allow LAN to any rule" is one of my concerns!

      Does it make sense to nmap every device in my LAN and make aliases for its port numbers? ...so it blocks all the others!

      Or is this completely useless! (and a lot of work!)

        johnpoz LAYER 8 Global Moderator

        Huh?

        So do you have other LAN segments, i.e. OPT interfaces that you want to firewall traffic between? Or just out the WAN interface to the internet?

        If you want to limit your clients from talking out to the internet on other than standard ports, say HTTP, HTTPS, FTP, SSH, etc., then sure, you can lock that down on your LAN tab. If you're wanting to limit traffic between your own network segments, what would be the point of allowing every port the other devices are listening on? Might as well just be the any/any rule in that case.

        You do understand that if a device is not listening on the port, it does not matter if the traffic is allowed on that port. You would firewall when the port is being listened on, but you don't want specific clients to get to it. So doing an nmap to find every port a device is listening on, and then allowing all those ports, would be useless, yes.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Ojisang

          Hi @Herminator,

          I think it all depends on whether or not you want to control your users. But it's much better, especially for security purposes, to list them all. Just my opinion. :)

            Derelict LAYER 8 Netgate

            You do realize that the rule on LAN is one that allows connections FROM LAN HOSTS into the firewall, and not TO LAN HOSTS from other locations like WAN, right?
            The only things that will show up in an nmap scan are ports the LAN hosts are listening for inbound connections on. And only TCP at that.

            For the typical home network chasing outgoing ports for every stupid app gets to be a real drag.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              mer

              @Derelict:

              For the typical home network chasing outgoing ports for every stupid app gets to be a real drag.

              It can be a real drag, but the better way is to start with a default deny, then open up a few. For most normal stuff (web, email, VPN, NTP client) it's really not that much. I'll provide what I've got allowed later when I get back home, but it's probably about 12 or so ports, between UDP and TCP. Various *nix clients, Windows 7 clients on the LAN side. So far the wife hasn't complained about things not working. Yes, I know I don't need to do this, but it was more an experiment as to "what is really needed" and "it's my network and I can do what I want (know exactly what I'm sending to the world)".

              I was actually surprised at how small the list is. HTTP/S, DNS, NTP, OpenVPN, SSH cover the bulk of typical home user traffic.

                johnpoz LAYER 8 Global Moderator

                Unless you play games; they are all going to have their own ports. Agreed, typically it's a small list. You don't need to open NTP; pfSense does the NTP and you sync off pfSense.

                But we are not even sure what the OP is wanting to do. He talks about scanning his clients. What does that have to do with their outbound traffic to the internet?

                  mer

                  @johnpoz:

                  Unless you play games; they are all going to have their own ports. Agreed, typically it's a small list. You don't need to open NTP; pfSense does the NTP and you sync off pfSense.

                  But we are not even sure what the OP is wanting to do. He talks about scanning his clients. What does that have to do with their outbound traffic to the internet?

                  Absolutely nothing ::) That's why I directed the response at Derelict. Agree on the NTP; the list was from a homebrew I had been using (FreeBSD with pf) before I grabbed an SG2440.

                  I'm guessing the OP may not understand how pfSense works/is intended to be used.

                    johnpoz LAYER 8 Global Moderator

                    "I'm guessing the OP may not understand how pfSense works/is intended to be used."

                    Agreed ;) I think it's more than just pfSense, just networking/firewalls in general.

                    But to be honest, in a home setup I really don't buy locking every port down other than the ports you use/common on the public net. What does it get you other than grief when someone in the house is trying to do something that doesn't work, or you yourself find something doesn't work because you blocked outbound traffic on xyz?

                    Do you think that is going to stop viruses from phoning the mothership?

                      Derelict LAYER 8 Netgate

                      @johnpoz:

                      But to be honest, in a home setup I really don't buy locking every port down other than the ports you use/common on the public net. What does it get you other than grief when someone in the house is trying to do something that doesn't work, or you yourself find something doesn't work because you blocked outbound traffic on xyz?

                      Exactly. My mothership would be listening on a common port anyway. It's stupid and a waste of time. I'm not firewalling and segmenting a bunch of PoS terminals.

                      You'd still have to pass NTP to LAN address unless that is a magic, hidden rule too.

                        mer
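The "default deny, then open a few" LAN policy mer describes above, together with Derelict's point that NTP (and, by the same logic, DNS) to the firewall's own LAN address still has to be passed once the default allow rule is gone, written out as a plain pf ruleset. This is an added example, not from the thread and not pfSense's generated ruleset; the interface name, the LAN subnet and the OpenVPN port are assumptions, and every rule is marked `quick` so that first match wins, which is how pfSense itself generates its rules.

```pf
# Added example: FreeBSD pf ruleset (pf is the packet filter pfSense is built on).
# Assumed values: interface igb1, LAN 192.168.1.0/24, OpenVPN on UDP/1194.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# The short list from the thread: HTTP/S, SSH over TCP, OpenVPN over UDP.
tcp_out = "{ 80, 443, 22 }"
udp_out = "{ 1194 }"

# 1. Clients must still reach the firewall itself for DNS and NTP.
#    Without these two rules a default deny silently breaks name resolution
#    and time sync for every client that points at the firewall's LAN address.
#    ($lan_if) expands to the addresses configured on the interface.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port 53 keep state
pass in quick on $lan_if proto udp from $lan_net to ($lan_if) port 123 keep state

# 2. Permitted egress to anywhere on the allowed ports only.
pass in quick on $lan_if proto tcp from $lan_net to any port $tcp_out flags S/SA keep state
pass in quick on $lan_if proto udp from $lan_net to any port $udp_out keep state

# 3. Default deny for everything else the LAN sends, logged to pflog0.
#    The log is the "what is really needed" experiment: it records every
#    connection attempt the allow list did not cover.
block in log quick on $lan_if from $lan_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch what the deny rule catches with `tcpdump -n -e -ttt -i pflog0`; that is where the noisy SMB and multicast DNS traffic mentioned later in the thread shows up. On pfSense the same policy is entered on Firewall > Rules > LAN using the built-in "LAN address" and "LAN net" aliases in place of the macros, with the block rule placed last; note that DNS to external resolvers is deliberately not passed here, so clients must use the firewall as their resolver.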

                        @Derelict:

                        @johnpoz:

                        But to be honest, in a home setup I really don't buy locking every port down other than the ports you use/common on the public net. What does it get you other than grief when someone in the house is trying to do something that doesn't work, or you yourself find something doesn't work because you blocked outbound traffic on xyz?

                        Exactly. My mothership would be listening on a common port anyway. It's stupid and a waste of time. I'm not firewalling and segmenting a bunch of PoS terminals.

                        You'd still have to pass NTP to LAN address unless that is a magic, hidden rule too.

                        Nope, I understand it's not going to stop malware and such (gee, everyone has HTTP open, so let's use that ;D). It was more of a learning experience for me when I went from dial-up to broadband a while ago. Nothing more than that, just me trying to be aware of the traffic that is on/generated by my machines at home. I'm sure you've done it, but anyone that has never sniffed a network with Windows machines may not realize how noisy they are on a network (SMB and related stuff, multicast DNS things), and trying to figure out how to turn them off took me down "GUI hell". I just wanted to be aware of what was normal for me.

                          johnpoz LAYER 8 Global Moderator

                          That is fine, but curious why you offered that up to a user that clearly doesn't have clue one as to how any of it works anyway.

                          "but the better way is start with a default deny,"

                          You know how much grief it's going to cause this guy when this doesn't work, that doesn't work, etc., etc.

                          pfSense uses a default any/any on the LAN out of the box for a reason... Because if they didn't, a vast majority of users wouldn't have a clue how to get it working. ;)

                            mer

                            I keep forgetting the target audience.

                              johnpoz LAYER 8 Global Moderator

                              I do it all the time myself. You would hope people smart enough to use pfSense would have a basic understanding of the concepts involved with TCP/firewalling/routing, etc. But the more I read threads here, the more I am reminded that a large portion of pfSense users are just completely clueless about even the most basic concepts.

                              And sad to say, many of them don't even want to learn. They just want information spoon-fed to them: what do they click to get x working, without even a basic understanding of how x works.

                              But what makes it all worth it is those few people that want to learn, and spreading the love of our pfSense to those new learners ;)

                              I agree with you that a default deny, or even just logging of traffic, can be a huge learning experience as to what sort of traffic an OS might spew about. What is needed and what is fluff and nonsense can be a large undertaking for someone new to the concepts, for sure.

                                2chemlud Banned

                                ...jeeeeeh, same with my car mechanic, always talks about tech stuff, although the only thing I want is to DRIVE the car...

                                  Herminator

                                  Can I thank you all for the input!
                                  And yes, johnpoz! Although there is lots and lots of reading, it's often quite difficult to understand the basics! ...I've got to do it all by myself!
                                  Anyway, your answer makes a lot clear to me! (still much to learn and to do!).....

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.