Blocking and allowing ports



  • I know you experts out there rag on us newbs for asking this question over and over and I've read through almost all of them so I think I've got what I need on my firewall to allow only my selected ports ( 21, 22, 25, 53, 80, 443 ) and block all the others.

    I'm hoping I have it right and I'm hoping for some constructive criticism

    I created an alias for my allowed ports.
    Then put an outbound rule on my NAT for my WAN to use only my allowed ports with my wireless network subnet.
    Interface=WAN; Protocol=any; Source Network=Wifi subnet any port; Destination=any using allowed ports; static port=checked

    Then I have a firewall rule for my wifi subnet
    Pass Interface= Wifi subnet; TCP/IP Ver=IPv4; Protocol=TCP/UDP; Source=Wifi subnet; Destination=any; Destination Port Range=Allowed ports

    Do I have it right?

    Now should I leave the automatically generated NAT rules for the rest of the subnets using the port 500 or should  I also disable those?



  • Are you trying to let a client on your wifi subnet to only send traffic to ports 21,22,25,53,80 &443?  That's what I believe your wifi subnet rule is trying to say.

    I don't you should need any rule on the WAN interface;  typically those are for allowing traffic originating from the outside world in.  By default nothing is allowed in.

    If you have a client on the wifi subnet that is sending to google.com on port 80, that creates state in the firewall tables,  reponse traffic is allowed back in because of that.  NAT makes the packet look like it came from the WAN interface, it will get a different source port, but the destination stays the same.  Traffic coming back gets looked up in NAT and will get rewritten to be destination your wifi client at the original source port.



  • Yes, that is what I'm trying to do.

    Now, from what you are saying about creating a state in the firewall table, that allows the client to surf the web through port 80. Can the internet user download through port 80 or does downloading require another port to be open?

    And from what you said, I don't need the NAT entry because the NAT will only allow traffic back in through the original port the traffic went out on.

    And I don't need an 2nd entry denying ports from the WAN to the Wifi because traffic can only travel out through my specified ports, correct?



  • Can the internet user download through port 80 or does downloading require another port to be open?

    Download is an arbitrary term and it really depends on the protocol being used.  You can download via HTTP, HTTPS, FTP, SFTP/SCP, POP3, IMAP, BitTorrent, etc etc and they all require different ports to be used.



  • By default nothing is allowed in.

    -that isn't solicited from the inside in the first place.



  • I want my clients to access the Internet but I want to limit their access to doing anything else, specifically, using BitTorrent.

    Does the rule I have in place accomplish that?




  • @dhenning:

    Yes, that is what I'm trying to do.

    Now, from what you are saying about creating a state in the firewall table, that allows the client to surf the web through port 80. Can the internet user download through port 80 or does downloading require another port to be open?

    And from what you said, I don't need the NAT entry because the NAT will only allow traffic back in through the original port the traffic went out on.

    And I don't need an 2nd entry denying ports from the WAN to the Wifi because traffic can only travel out through my specified ports, correct?

    The user will see return traffic sourced from port 80 to some random port number on the local system. If the user starts another process that has the destination port of 80, there will be another connection another state in the table.  It may be "downloading" data, but only through destination port 80.

    Yes, NAT will translate on the outbound traffic, match the return traffic and do the right thing.  That's what is designed to do.

    Correct you should not need any rules on the WAN to deny traffic to the WiFi, because that's the default.  Only responses to traffic originated on the "inside" of your pfSense box will come through (client on the WiFi subnet, LAN clients, etc).

    Yes that rule should only allow outbound traffic to those ports.  I can't guarantee that someone won't set up a BitTorrent server listening on port 80 or 443, but that's beyond your control.


Log in to reply