Solved

firewall

Posted on 2014-12-22
Last Modified: 2014-12-23
I am using pfSense running on an old PC as my home firewall. It seems to be very customizable. I have been playing with the firewall rules, and got it so that I am allowing only one IP address through the firewall, but it allows all ports. I basically want the opposite of that: allow about 5 IP addresses through the firewall but allow only something like port 80.
So does anyone use pfsense and if so, got ideas how I could accomplish this?
Question by:JeffBeall
10 Comments
LVL 17

Expert Comment

by:bigeven2002
ID: 40514338
Hello,

Just to clarify, are you wanting to allow incoming connections to port 80 from 5 outside IP addresses or are these internal IP addresses you are allowing to surf the Internet?
LVL 17

Accepted Solution

by:
bigeven2002 earned 500 total points
ID: 40514403
This assumes you are using pfSense 2.1.5 and the adapters have their default names of WAN and LAN.  This is a mock setup so be sure to test it fully to ensure it works as desired.

If it is 5 outside IP addresses allowing access to your network port 80 (repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: WAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (outside IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: LAN net (or Single host or alias if just needing to reach one device; complete Address if so)
7. Destination port range: from: HTTP; to: HTTP
8. Click Save

After adding all 5, click Apply changes.

If it is 5 internal IP addresses you want to allow outbound port 80 to the Internet (repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: LAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (internal IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: WAN net
7. Destination port range: from: HTTP; to: HTTP
8. Click Save
LVL 1

Author Comment

by:JeffBeall
ID: 40514919
sorry bigeven2002, I wasn't clear, but it is the second scenario

"If it is 5 internal IP addresses you want to allow outbound port 80 to Internet"

5 internal IPs to make requests on port 80 to the "outside" world.
Thank you for the step by step. That is very helpful.
Being new to setting up firewalls and rules, I haven't seemed to figure it out yet. Last night I thought I was close, but I still could only get to things like Yahoo if I was allowing any from the LAN and WAN.
I'm at work, but will try the settings tonight.
LVL 17

Expert Comment

by:bigeven2002
ID: 40515355
No worries, thanks for the update.  You might also need to create rules for these IP addresses to access https as well.  Additionally, the rule protocol may need to be changed to be TCP/UDP.
LVL 1

Author Comment

by:JeffBeall
ID: 40515898
That works!! Thank you so much for the help. I love pfSense because it blocks everything incoming and outgoing if you do the rules right. I tried IPCop, but it trusted everything coming out of the green interface, which, if your computer is compromised, could be malware traffic.
So if you don't mind, I have one more question.
I see that I have to repeat the rules for each IP address, but I was wondering, is there a way to make the rules for a range of IPs? For instance for 192.168.1.70 to 192.168.1.75?
LVL 1

Author Comment

by:JeffBeall
ID: 40515903
I'm sorry, I have another question. If it should be a new question that is fine.
Now that it's working I LOVE looking at the logs to see what is blocked. Have you ever seen a lot of traffic to port 123?
I googled it and couldn't tell what it is, although I think it might be Network Time Protocol?
LVL 1

Author Comment

by:JeffBeall
ID: 40515906
You know what, never mind about the 123, I don't want to "wear out my welcome" on this question. I'm so excited that it's working!!!
But I think I have a better question: is there a way to have pfSense be the firewall for my wireless?
LVL 17

Expert Comment

by:bigeven2002
ID: 40515923
Glad to hear it is working!  Don't worry about the Port 123 question, I can answer that.

Port 123 is for NTP, which is Network Time Protocol. By default, pfSense will try to query a time server on the Internet to keep accurate time for your logs. It will usually try pool.ntp.org, so that may be where your port 123 traffic is going. As for internal traffic going to port 123, if you have modern Windows OS machines, they will try to query a time server by default as well, usually either time.windows.com or time.nist.gov. If your PCs depend on that to keep accurate time, you might create a rule for port 123 outbound as well.

As for creating a rule for a range of IPs, you can do this by creating an Alias. Under Firewall, choose Aliases and create a new one. Define the type as Host(s) and add each IP address, then save and apply. Now when you create a rule, you can refer to the alias instead of an individual IP if the source is set to Single host or alias.
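The two procedures discussed in this thread (the per-host LAN rules from the accepted solution, and the alias for a range of addresses from the comment above), written out as an added example in raw pf syntax, which is the ruleset pfSense compiles its GUI rules into (it writes the generated ruleset to /tmp/rules.debug). This is not code from the thread or from the pfSense project. The interface names em0/em1, the 192.168.1.0/24 LAN and the .70 to .75 client range are assumptions. One deliberate difference from the GUI steps: the source port is left at any, because a client picks a random high source port for every connection (as the asker observes in the closing comment), so a LAN rule that requires source port 80 never matches a browser request.

```pf
# Added example, not from the thread or pfSense: GUI rules as a raw pf ruleset.
# Assumptions: WAN is em0, LAN is em1, LAN subnet is 192.168.1.0/24.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# The "alias": the range of clients allowed to browse, as pf's address-range
# form (equivalent to a Host(s) alias under Firewall > Aliases).
web_clients = "{ 192.168.1.70 - 192.168.1.75 }"

# Options come first in pf.conf; loopback is trusted.
set skip on lo0

# Outbound NAT so LAN clients reach the Internet from the WAN address.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Default deny in both directions, logged: anything not passed below
# is what shows up under Status > System Logs > Firewall.
block log all

# WRONG (matches nothing): a browser uses a random high source port per
# connection, so "source port 80" on a LAN request never matches.
# pass in quick on $lan_if proto tcp from $web_clients port 80 to any port 80

# RIGHT: only the destination port is fixed. keep state admits the replies
# automatically, so no inbound WAN rule is needed for browsing. 443 is
# included because nearly every site now redirects 80 to HTTPS.
pass in quick on $lan_if proto tcp from $web_clients to any port { 80, 443 } \
    flags S/SA keep state

# Clock sync (NTP, UDP 123): for the LAN hosts and for pfSense itself.
pass in  quick on $lan_if proto udp from $lan_net   to any port 123 keep state
pass out quick on $wan_if proto udp from ($wan_if)  to any port 123 keep state

# Every other packet from the LAN (other hosts, other ports) falls through
# to "block log all" above and is logged.
```

Check the syntax without loading it with `pfctl -nf <file>`. On a live pfSense box, `pfctl -sr` prints the rules the GUI actually generated, which is the quickest way to confirm that a rule's source port really is "any" and that the alias expanded to the addresses you expected, and `pfctl -ss` lists the state table, so a browser connection from one of the allowed hosts should appear there as a tracked TCP state.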
LVL 1

Author Closing Comment

by:JeffBeall
ID: 40515939
I'm going to close this before someone else jumps in because you deserve all the points for all the work you did

thanks so much for the help
I realized something about the outgoing traffic from my LAN. I will probably always have to use "any" for the source port, because the ports would be random. If I request a website, the request would be on a random port because my PC would assign that specific request something random to keep it separated from other requests.
I thought it would be great to only allow specific ports outgoing and incoming, but I guess it's only practical to specify incoming (from the "outside world") ports.
LVL 17

Expert Comment

by:bigeven2002
ID: 40515945
Sure thing, glad I could help.