firewall

I am using pfSense running on an old PC as my home firewall. It seems to be very customizable. I have been playing with the firewall rules, and got it so that I am allowing only one IP address through the firewall, but it allows all ports. I basically want the opposite of that and allow about 5 IP addresses through the firewall but allow only something like port 80.
So does anyone use pfsense and if so, got ideas how I could accomplish this?
JeffBeall asked:
bigeven2002 commented:
This assumes you are using pfSense 2.1.5 and the adapters have their default names of WAN and LAN.  This is a mock setup so be sure to test it fully to ensure it works as desired.

If it is 5 outside IP addresses allowing access to your network port 80 (repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: WAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (outside IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: LAN net (or single host or alias if just needing to reach one device; complete Address if so)
7. Destination port range: from: HTTP; to: HTTP
8. Click Save

After adding all 5, then click Apply changes.

If it is 5 internal IP addresses you want to allow outbound port 80 to the Internet (repeat this for each IP address):

1. Go to Firewall > Rules
2. Interface: LAN
3. Protocol: TCP
4. Source: leave "not" unchecked; Type: Single host or alias; Address: (internal IP address)
5. Source port range: from: HTTP; to: HTTP
6. Destination: leave "not" unchecked; Type: WAN net
7. Destination port range: from: HTTP; to: HTTP
8. Click Save
0
 
bigeven2002 commented:
Hello,

Just to clarify, are you wanting to allow incoming connections to port 80 from 5 outside IP addresses or are these internal IP addresses you are allowing to surf the Internet?
0
 
JeffBeall (Author) commented:
sorry bigeven2002, I wasn't clear, but it is the second scenario

"If it is 5 internal IP addresses you want to allow outbound port 80 to Internet"

5 internal ip's to make requests on port 80 to the "outside" world.
Thank you for the step by step. That is very helpful.
Being new to setting up firewalls and rules, I haven't seemed to figure it out yet. Last night I thought I was close, but I still could only get to things like Yahoo if I was allowing any from the LAN and WAN.
I'm at work, but will try the settings tonight.
0
 
bigeven2002 commented:
No worries, thanks for the update.  You might also need to create rules for these IP addresses to access https as well.  Additionally, the rule protocol may need to be changed to be TCP/UDP.
0
 
JeffBeall (Author) commented:
that works!! thank you so much for the help. I love pfsense because it blocks everything incoming and outgoing if you do the rules right. I tried ipcop, but it trusted everything coming out of the green interface, which, if your computer is compromised could be malware traffic.
So if you don't mind, I have one more question.
I see that I have to repeat the rules for each IP address, but I was wondering, is there a way to make the rules for a range of IP's. For instance for 192.168.1.70 to 192.168.1.75?
0
 
JeffBeall (Author) commented:
I'm sorry, I have another question. If it should be a new question that is fine.
Now that it's working I LOVE looking at the logs to see what is blocked. Have you ever seen a lot of traffic to port 123?
I googled it and couldn't tell what it is, although I think it might be Network Time Protocol?
0
 
JeffBeall (Author) commented:
you know what, never mind about the 123, I don't want to "wear out my welcome" on this question. I'm so excited that it's working!!!
but I think I have a better question, Is there a way to have pfsense be the firewall for my wireless?
0
 
bigeven2002 commented:
Glad to hear it is working!  Don't worry about the Port 123 question, I can answer that.

Port 123 is for NTP which is network time protocol.  By default, pfSense will try to query a time server on the Internet to keep accurate time for your logs.  It will usually try from pool.ntp.org so that may be where your port 123 traffic is going.  As for internal traffic going to port 123, if you have modern windows OS machines, they will try to query a time server by default as well, usually either time.windows.com or time.nist.gov.  If your PCs depend on that to keep accurate time, you might create a rule for port 123 outbound as well.

As for creating a rule for a range of IPs, you can do this by creating an Alias.  Under Firewall, choose Aliases and create a new one.  Define the type as host(s) and add each IP address then save and apply.  Now when you create a rule, you can refer to the alias instead of individual IP if the source is set to single host or alias.
0
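The two answers above (the per-interface rule recipe and the alias for a range of clients) describe pfSense's behaviour in GUI terms. The following Python model is an added example, written for this page; it is not pfSense code and not from either participant. It reproduces the evaluation that matters here: rules are checked top-down on the interface the traffic enters, the first match wins, and anything unmatched hits pfSense's default deny. The alias name `web_clients`, the 192.168.1.0/24 LAN, the 198.51.100.0/24 WAN subnet and all flows are constructed. Two points a practitioner should check against it: a client's source port is ephemeral, so a rule that pins the source port to HTTP (as in step 5 of the recipe) never matches a real browser connection; and in pfSense "WAN net" means the subnet attached to the WAN interface, not the Internet, so the corrected ruleset uses destination any. The blocked UDP/123 flow is the kind of entry that shows up in the logs as NTP.

```python
# Added example (not pfSense's own code): a small model of how pfSense evaluates
# interface rules top-down with first match, using an alias for the client range.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed aliases, as they would be defined under Firewall > Aliases.
ALIASES = {
    "web_clients": ["192.168.1.70", "192.168.1.71", "192.168.1.72",
                    "192.168.1.73", "192.168.1.74", "192.168.1.75"],
    "LAN net": ["192.168.1.0/24"],    # pfSense's built-in "LAN net" = the LAN interface subnet
    "WAN net": ["198.51.100.0/24"],   # built-in "WAN net" = the WAN interface subnet only (constructed)
}

PortRange = Optional[Tuple[int, int]]   # None means "any"


@dataclass
class Rule:
    interface: str            # interface the traffic ENTERS on: "LAN" for outbound client traffic
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp" or "tcp/udp"
    src: str = "any"          # "any", an alias name, a single host or a CIDR
    src_ports: PortRange = None
    dst: str = "any"
    dst_ports: PortRange = None
    descr: str = ""


@dataclass
class Flow:
    interface: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def addr_matches(spec: str, ip: str) -> bool:
    """'any', an alias name (expanded from ALIASES), or a literal host/CIDR."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in ALIASES.get(spec, [spec]))


def port_matches(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def proto_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto == proto or (rule_proto == "tcp/udp" and proto in ("tcp", "udp"))


def evaluate(rules, flow: Flow):
    """First matching rule on the ingress interface wins; no match is pfSense's default deny."""
    for r in rules:
        if (r.interface == flow.interface and proto_matches(r.proto, flow.proto)
                and addr_matches(r.src, flow.src_ip) and port_matches(r.src_ports, flow.src_port)
                and addr_matches(r.dst, flow.dst_ip) and port_matches(r.dst_ports, flow.dst_port)):
            return r.action, r.descr
    return "block", "default deny"


# Ruleset A: the outbound rule exactly as described (source port HTTP, destination WAN net).
AS_ANSWERED = [
    Rule("LAN", "pass", "tcp", src="web_clients", src_ports=(80, 80),
         dst="WAN net", dst_ports=(80, 80), descr="clients to web, as answered"),
]

# Ruleset B: source port any (clients use ephemeral ports), destination any, HTTP and HTTPS.
CORRECTED = [
    Rule("LAN", "pass", "tcp", src="web_clients", dst="any", dst_ports=(80, 80), descr="clients to HTTP"),
    Rule("LAN", "pass", "tcp", src="web_clients", dst="any", dst_ports=(443, 443), descr="clients to HTTPS"),
]

# Constructed flows; 203.0.113.x are documentation addresses standing in for Internet hosts.
BROWSER = Flow("LAN", "tcp", "192.168.1.72", 51234, "203.0.113.10", 80)   # allowed client, real browser
OTHER_HOST = Flow("LAN", "tcp", "192.168.1.80", 51235, "203.0.113.10", 80)  # LAN host not in the alias
NTP = Flow("LAN", "udp", "192.168.1.72", 123, "203.0.113.20", 123)          # the port 123 log entries
INBOUND = Flow("WAN", "tcp", "203.0.113.30", 40000, "192.168.1.72", 80)     # unsolicited from outside


def demo():
    """Verdicts for each constructed flow under the two rulesets."""
    return {
        "browser_as_answered": evaluate(AS_ANSWERED, BROWSER)[0],
        "browser_corrected": evaluate(CORRECTED, BROWSER)[0],
        "other_host_corrected": evaluate(CORRECTED, OTHER_HOST)[0],
        "ntp_corrected": evaluate(CORRECTED, NTP)[0],
        "inbound_corrected": evaluate(CORRECTED, INBOUND)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the browser flow blocked under the as-answered rule (source port 51234 is not 80, and 203.0.113.10 is not in the WAN subnet) and passed under the corrected one, while the non-alias host, the UDP/123 flow and the inbound WAN flow all fall through to the default deny. If the PCs need NTP, a separate LAN rule for UDP destination port 123 with source port any is the shape to add.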
 
JeffBeall (Author) commented:
I'm going to close this before someone else jumps in because you deserve all the points for all the work you did

thanks so much for the help
I realized something about the outgoing traffic from my lan. I will probably always have to use "any" for the port because the ports would be random. If I request a website, the request would be on a random port because my pc would assign that specific request something random to keep it separated from other requests.
I thought it would be great to only allow specific ports outgoing and incoming, but I guess it's only practical to specify incoming ( from the "outside world" ) ports
0
 
bigeven2002 commented:
Sure thing, glad I could help.
0