
firewall

Posted on 2014-12-22
Last Modified: 2014-12-23
I am using pfSense running on an old PC as my home firewall. It seems to be very customizable. I have been playing with the firewall rules, and got it so that I am allowing only one IP address through the firewall, but it allows all ports. I basically want the opposite of that and allow about 5 IP addresses through the firewall but allow only something like port 80.
So does anyone use pfSense and if so, got ideas how I could accomplish this?
Question by:JeffBeall
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40514338
Hello,

Just to clarify, are you wanting to allow incoming connections to port 80 from 5 outside IP addresses or are these internal IP addresses you are allowing to surf the Internet?
 
LVL 17

Accepted Solution

by: bigeven2002 (earned 2000 total points)
ID: 40514403
This assumes you are using pfSense 2.1.5 and the adapters have their default names of WAN and LAN.  This is a mock setup so be sure to test it fully to ensure it works as desired.

If it is 5 outside IP addresses allowing access to your network port 80 (repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: WAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (outside IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: LAN net (or Single host or alias if just needing to reach one device; complete Address if so)
7. Destination port range: from: HTTP; to: HTTP
8. Click Save

After adding all 5, click Apply changes.

If it is 5 internal IP addresses you want to allow outbound port 80 to the Internet (repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: LAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (internal IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: WAN net
7. Destination port range: from: HTTP; to: HTTP
8. Click Save
 
LVL 1

Author Comment

by:JeffBeall
ID: 40514919
Sorry bigeven2002, I wasn't clear, but it is the second scenario:

"If it is 5 internal IP addresses you want to allow outbound port 80 to Internet"

5 internal IPs to make requests on port 80 to the "outside" world.
Thank you for the step by step. That is very helpful.
Being new to setting up firewalls and rules, I haven't seemed to figure it out yet. Last night I thought I was close, but I still could only get to things like Yahoo if I was allowing any from the LAN and WAN.
I'm at work, but will try the settings tonight.
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40515355
No worries, thanks for the update.  You might also need to create rules for these IP addresses to access https as well.  Additionally, the rule protocol may need to be changed to be TCP/UDP.
 
LVL 1

Author Comment

by:JeffBeall
ID: 40515898
That works!! Thank you so much for the help. I love pfSense because it blocks everything incoming and outgoing if you do the rules right. I tried IPCop, but it trusted everything coming out of the green interface, which, if your computer is compromised, could be malware traffic.
So if you don't mind, I have one more question.
I see that I have to repeat the rules for each IP address, but I was wondering, is there a way to make the rules for a range of IPs? For instance, 192.168.1.70 to 192.168.1.75?
 
LVL 1

Author Comment

by:JeffBeall
ID: 40515903
I'm sorry, I have another question. If it should be a new question, that is fine.
Now that it's working I LOVE looking at the logs to see what is blocked. Have you ever seen a lot of traffic to port 123?
I googled it and couldn't tell what it is. Although I think it might be Network Time Protocol?
 
LVL 1

Author Comment

by:JeffBeall
ID: 40515906
You know what, never mind about the 123, I don't want to "wear out my welcome" on this question. I'm so excited that it's working!!!
But I think I have a better question: is there a way to have pfSense be the firewall for my wireless?
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40515923
Glad to hear it is working!  Don't worry about the Port 123 question, I can answer that.

Port 123 is for NTP, which is Network Time Protocol. By default, pfSense will try to query a time server on the Internet to keep accurate time for your logs. It will usually try from pool.ntp.org, so that may be where your port 123 traffic is going. As for internal traffic going to port 123, if you have modern Windows OS machines, they will try to query a time server by default as well, usually either time.windows.com or time.nist.gov. If your PCs depend on that to keep accurate time, you might create a rule for port 123 outbound as well.

As for creating a rule for a range of IPs, you can do this by creating an Alias.  Under Firewall, choose Aliases and create a new one.  Define the type as host(s) and add each IP address then save and apply.  Now when you create a rule, you can refer to the alias instead of individual IP if the source is set to single host or alias.
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 40515939
I'm going to close this before someone else jumps in, because you deserve all the points for all the work you did.

Thanks so much for the help.
I realized something about the outgoing traffic from my LAN. I will probably always have to use "any" for the source port because the ports would be random. If I request a website, the request would be on a random port because my PC would assign that specific request something random to keep it separated from other requests.
I thought it would be great to only allow specific ports outgoing and incoming, but I guess it's only practical to specify incoming (from the "outside world") ports.
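The source-port observation in JeffBeall's closing comment and the alias approach from bigeven2002's answer, worked through as an added example (not code from this thread or from pfSense): a small first-match rule evaluator in Python that models the LAN rules as posted (one TCP rule per host, source port HTTP to HTTP) beside a version that uses an alias for 192.168.1.70 to .75 and leaves the source port as any. The Rule, Packet and evaluate names, the sample packet, and the choice to leave the "WAN net" destination unmodelled are all assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP = ipaddress.IPv4Address
PortRange = Optional[Tuple[int, int]]  # None means "any"

# Constructed alias: the 192.168.1.70 to .75 range from the thread, as a pfSense host(s) alias.
LAN_HOSTS: List[IP] = [IP(f"192.168.1.{i}") for i in range(70, 76)]

@dataclass
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "any"
    src: Optional[List[IP]]  # alias members, or None for any source
    sport: PortRange         # source port range (destination "WAN net" is not modelled)
    dport: PortRange         # destination port range

@dataclass
class Packet:
    proto: str
    src: IP
    sport: int
    dport: int

def in_range(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and (rule.src is None or pkt.src in rule.src)
            and in_range(rule.sport, pkt.sport)
            and in_range(rule.dport, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Interface rules are read top-down, first match wins; no match means the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

# LAN rules as described in the accepted answer: one TCP rule per host, source port HTTP to HTTP.
AS_POSTED = [Rule("pass", "tcp", [h], (80, 80), (80, 80)) for h in LAN_HOSTS]

# Same intent using the alias, source port any (the ephemeral port a PC picks), plus HTTPS.
WITH_ALIAS = [Rule("pass", "tcp", LAN_HOSTS, None, (80, 80)),
              Rule("pass", "tcp", LAN_HOSTS, None, (443, 443))]

# Constructed sample: a browser on .72 chose ephemeral source port 51234 for a request to port 80.
web_request = Packet("tcp", IP("192.168.1.72"), 51234, 80)
```

Running evaluate(AS_POSTED, web_request) returns "block" because the source port is not 80, while evaluate(WITH_ALIAS, web_request) returns "pass"; a host outside the alias is still denied.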
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40515945
Sure thing, glad I could help.