Solved

firewall

Posted on 2014-12-22
10
183 Views
Last Modified: 2014-12-23
I am using pfsense running on an old pc as my home firewall. It seems to be very customizable. I have been playing with the firewall rules, and got it so that I am allowing only one ip address through the firewall, but it allows all ports. I basically want the opposite of that and allow about 5 ip addresses through the firewall but allow only something like port 80.
So does anyone use pfsense and if so, got ideas how I could accomplish this?
0
Question by:JeffBeall
10 Comments
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40514338
Hello,

Just to clarify, are you wanting to allow incoming connections to port 80 from 5 outside IP addresses or are these internal IP addresses you are allowing to surf the Internet?
0
 
LVL 17

Accepted Solution

by:
bigeven2002 earned 500 total points
ID: 40514403
This assumes you are using pfSense 2.1.5 and the adapters have their default names of WAN and LAN.  This is a mock setup so be sure to test it fully to ensure it works as desired.

If it is 5 outside IP addresses allowing access to your network port 80 (Repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: WAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (outside IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: LAN net (or single host or alias if just needing to reach one device, complete Address if so)
7. Destination port range: from: HTTP; to: HTTP
8. Click Save

After adding all 5, then click Apply changes.

If it is 5 internal IP addresses you want to allow outbound port 80 to Internet (Repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: LAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (internal IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: WAN net
7. Destination port range: from: HTTP; to: HTTP
8. Click Save
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 40514919
Sorry bigeven2002, I wasn't clear, but it is the second scenario:

"If it is 5 internal IP addresses you want to allow outbound port 80 to Internet"

5 internal IPs to make requests on port 80 to the "outside" world.
Thank you for the step by step. That is very helpful.
Being new to setting up firewalls and rules, I haven't seemed to figure it out yet. Last night I thought I was close, but I still could only get to things like Yahoo if I was allowing any from the LAN and WAN.
I'm at work, but will try the settings tonight.
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40515355
No worries, thanks for the update.  You might also need to create rules for these IP addresses to access https as well.  Additionally, the rule protocol may need to be changed to be TCP/UDP.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 40515898
That works!! Thank you so much for the help. I love pfSense because it blocks everything incoming and outgoing if you do the rules right. I tried IPCop, but it trusted everything coming out of the green interface, which, if your computer is compromised, could be malware traffic.
So if you don't mind, I have one more question.
I see that I have to repeat the rules for each IP address, but I was wondering, is there a way to make the rules for a range of IPs? For instance, for 192.168.1.70 to 192.168.1.75?
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 40515903
I'm sorry, I have another question. If it should be a new question that is fine.
Now that it's working I LOVE looking at the logs to see what is blocked. Have you ever seen a lot of traffic to port 123?
I googled it and couldn't tell what it is, although I think it might be Network Time Protocol?
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 40515906
You know what, never mind about the 123, I don't want to "wear out my welcome" on this question. I'm so excited that it's working!!!
But I think I have a better question: is there a way to have pfSense be the firewall for my wireless?
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40515923
Glad to hear it is working!  Don't worry about the Port 123 question, I can answer that.

Port 123 is for NTP, which is Network Time Protocol.  By default, pfSense will try to query a time server on the Internet to keep accurate time for your logs.  It will usually try from pool.ntp.org so that may be where your port 123 traffic is going.  As for internal traffic going to port 123, if you have modern Windows OS machines, they will try to query a time server by default as well, usually either time.windows.com or time.nist.gov.  If your PCs depend on that to keep accurate time, you might create a rule for port 123 outbound as well.

As for creating a rule for a range of IPs, you can do this by creating an Alias.  Under Firewall, choose Aliases and create a new one.  Define the type as host(s) and add each IP address then save and apply.  Now when you create a rule, you can refer to the alias instead of individual IP if the source is set to single host or alias.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 40515939
I'm going to close this before someone else jumps in because you deserve all the points for all the work you did.

Thanks so much for the help.
I realized something about the outgoing traffic from my LAN. I will probably always have to use "any" for the port because the ports would be random. If I request a website, the request would be on a random port because my PC would assign that specific request something random to keep it separated from other requests.
I thought it would be great to only allow specific ports outgoing and incoming, but I guess it's only practical to specify incoming (from the "outside world") ports.
0
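The two points raised in this thread, the alias for 192.168.1.70 to 192.168.1.75 and the asker's realisation that the source port of an outbound request is random so the LAN rule has to use "any" there, can be checked with a small model of first-match pass rules over a default-deny policy. This is an added illustration, not code from pfSense or from anyone in the thread; the matching logic is a deliberate simplification (no state table, NAT or "quick" semantics), and every address and port below is constructed.

```python
import ipaddress

# Added, simplified model of pfSense LAN "pass" rules with default deny.
# Real pf/pfSense matching is richer (state table, NAT, quick rules); this
# only shows how the source-port and alias choices discussed in the thread
# decide whether an outbound web request matches. All values are constructed.

def make_alias(*hosts):
    """Host alias, like Firewall > Aliases with type host(s) in pfSense."""
    return frozenset(ipaddress.ip_address(h) for h in hosts)

def rule(src, sport, dst, dport, proto="tcp"):
    """One pass rule; src/dst may be 'any', an alias, or an ip_network."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def field_matches(rule_value, actual):
    if rule_value == "any":
        return True
    if isinstance(rule_value, (frozenset, ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return actual in rule_value
    return rule_value == actual

def evaluate(rules, proto, src, sport, dst, dport):
    """'pass' on the first matching rule, otherwise 'block' (pfSense default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] == proto
                and field_matches(r["src"], src_ip) and field_matches(r["sport"], sport)
                and field_matches(r["dst"], dst_ip) and field_matches(r["dport"], dport)):
            return "pass"
    return "block"

# Alias covering the range the asker mentioned (192.168.1.70 to 192.168.1.75).
WEB_CLIENTS = make_alias(*(f"192.168.1.{i}" for i in range(70, 76)))

# Rule as written in the accepted answer: source port HTTP as well as destination port HTTP.
NARROW_RULES = [rule(WEB_CLIENTS, 80, "any", 80)]

# Rule as the asker later realised it must be: source port "any" (the client picks an
# ephemeral port) with the restriction carried by the destination port; HTTPS added
# as suggested in the follow-up comment.
FIXED_RULES = [rule(WEB_CLIENTS, "any", "any", 80), rule(WEB_CLIENTS, "any", "any", 443)]

EPHEMERAL_PORT = 51234        # typical client-side port for one outbound request
WEB_SERVER = "203.0.113.10"   # constructed external address

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW_RULES), ("fixed", FIXED_RULES)):
        print(name, evaluate(rules, "tcp", "192.168.1.72", EPHEMERAL_PORT, WEB_SERVER, 80))
```

The narrow rule never matches a real browser request because the client's source port is not 80, so the request falls through to the default deny; the fixed rules pass it only for hosts in the alias and only to ports 80 and 443, which is also why the port 123 NTP traffic from the later comment shows up as blocked until a separate rule is added for it.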
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40515945
Sure thing, glad I could help.
0
