firewall

Posted on 2014-12-22
Last Modified: 2014-12-23
I am using pfsense running on an old pc as my home firewall. It seems to be very customizable. I have been playing with the firewall rules, and got it so that I am allowing only one ip address through the firewall, but it allows all ports. I basically want the opposite of that and allow about 5 ip addresses through the firewall but allow only something like port 80.
So does anyone use pfsense and if so, got ideas how I could accomplish this?
Question by: JeffBeall

Expert Comment by: bigeven2002
Hello,

Just to clarify, are you wanting to allow incoming connections to port 80 from 5 outside IP addresses or are these internal IP addresses you are allowing to surf the Internet?
Accepted Solution by: bigeven2002 (earned 500 total points)
This assumes you are using pfSense 2.1.5 and the adapters have their default names of WAN and LAN.  This is a mock setup so be sure to test it fully to ensure it works as desired.

If it is 5 outside IP addresses allowing access to your network port 80 (Repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: WAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (outside IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: LAN net (or single host or alias if just needing to reach one device, complete Address if so)
7. Destination port range: from: HTTP; to: HTTP
8. Click Save

After adding all 5, then click Apply changes.

If it is 5 internal IP addresses you want to allow outbound port 80 to Internet (Repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: LAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (internal IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: WAN net
7. Destination port range: from: HTTP; to: HTTP
8. Click Save
Author Comment by: JeffBeall
Sorry bigeven2002, I wasn't clear, but it is the second scenario:

"If it is 5 internal IP addresses you want to allow outbound port 80 to Internet"

5 internal IPs to make requests on port 80 to the "outside" world.
Thank you for the step by step. That is very helpful.
Being new to setting up firewalls and rules, I haven't seemed to figure it out yet. Last night I thought I was close, but I still could only get to things like Yahoo if I was allowing any from the LAN and WAN.
I'm at work, but will try the settings tonight.
Expert Comment by: bigeven2002
No worries, thanks for the update.  You might also need to create rules for these IP addresses to access https as well.  Additionally, the rule protocol may need to be changed to be TCP/UDP.
Author Comment by: JeffBeall
That works!! Thank you so much for the help. I love pfSense because it blocks everything incoming and outgoing if you do the rules right. I tried IPCop, but it trusted everything coming out of the green interface, which, if your computer is compromised, could be malware traffic.
So if you don't mind, I have one more question.
I see that I have to repeat the rules for each IP address, but I was wondering, is there a way to make the rules for a range of IPs? For instance for 192.168.1.70 to 192.168.1.75?
Author Comment by: JeffBeall
I'm sorry, I have another question. If it should be a new question, that is fine.
Now that it's working I LOVE looking at the logs to see what is blocked. Have you ever seen a lot of traffic to port 123?
I googled it and couldn't tell what it is, although I think it might be Network Time Protocol?
Author Comment by: JeffBeall
You know what, never mind about the 123, I don't want to "wear out my welcome" on this question. I'm so excited that it's working!!!
But I think I have a better question: is there a way to have pfSense be the firewall for my wireless?
Expert Comment by: bigeven2002
Glad to hear it is working!  Don't worry about the Port 123 question, I can answer that.

Port 123 is for NTP which is network time protocol.  By default, pfSense will try to query a time server on the Internet to keep accurate time for your logs.  It will usually try from pool.ntp.org so that may be where your port 123 traffic is going.  As for internal traffic going to port 123, if you have modern windows OS machines, they will try to query a time server by default as well, usually either time.windows.com or time.nist.gov.  If your PCs depend on that to keep accurate time, you might create a rule for port 123 outbound as well.

As for creating a rule for a range of IPs, you can do this by creating an Alias.  Under Firewall, choose Aliases and create a new one.  Define the type as host(s) and add each IP address then save and apply.  Now when you create a rule, you can refer to the alias instead of individual IP if the source is set to single host or alias.
Author Closing Comment by: JeffBeall
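The outbound rule from the accepted solution and the alias from the answer above, written as one pf ruleset. This is an added illustration, not pfSense's generated rules or bigeven2002's configuration; the interface names, the five client addresses and the inclusion of port 443 (per the HTTPS note) are assumptions. The source port is left as any, because each client connection uses a freshly chosen ephemeral source port, and the destination is any rather than a single subnet.

```pf
# Illustrative pf ruleset (added example; pfSense writes its own rules from the GUI).
# Assumed interface names: em0 = WAN, em1 = LAN. Addresses below are constructed.
wan_if = "em0"
lan_if = "em1"

# The "Alias" of type host(s) from the answer, expressed as a pf table:
# one table entry per permitted internal client, referenced by one rule.
table <web_clients> { 192.168.1.70 192.168.1.71 192.168.1.72 \
                      192.168.1.73 192.168.1.74 }

# Destination ports the clients may reach: HTTP plus HTTPS.
web_ports = "{ 80 443 }"

# Default deny on every interface. "log" makes the drops visible in the
# firewall log, which is where the port 123 (NTP) entries were noticed.
block log all

# Outbound web from the five hosts only, entering on the LAN interface.
# No source port is given: the client picks a random high port per
# connection, so pinning the source port to 80 would never match.
# "keep state" lets the reply packets and the outbound leg on WAN pass
# on the state entry instead of needing a rule of their own.
pass in quick on $lan_if proto tcp from <web_clients> to any \
    port $web_ports flags S/SA keep state

# Any LAN host not in the table, or any other destination port, falls
# through to the block rule above and shows up in the log.
```

Reloading with `pfctl -f` after editing, or editing the alias in the pfSense GUI, changes who is allowed without touching the rule itself.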
I'm going to close this before someone else jumps in, because you deserve all the points for all the work you did.

Thanks so much for the help.
I realized something about the outgoing traffic from my LAN. I will probably always have to use "any" for the port, because the ports would be random. If I request a website, the request would be on a random port, because my PC would assign that specific request something random to keep it separated from other requests.
I thought it would be great to only allow specific ports outgoing and incoming, but I guess it's only practical to specify incoming (from the "outside world") ports.
Expert Comment by: bigeven2002
Sure thing, glad I could help.