PFSense firewall pass rules

Discussion in 'Networking & Security' started by wavewerx, Mar 16, 2011.

  1. wavewerx

    wavewerx Limp Gawd

    Messages:
    284
    Joined:
    Oct 8, 2008

    Firewall System Log and Firewall Rules attached.

    All of my rules are disabled except for TCP\UDP *\* - passing through anything to any port. This setup is the only way I can get low pings in games, server lists to appear, and most importantly - SC2 voice chat to work. I'd like to close down all ports except the ones I need - you know, like a firewall is supposed to act.


    The only ports that I can get to successfully open are 80-http and 53-DNS. Curiously, both of those ports are 'known' by pfsense and can be selected in a dropdown menu (other 'default' port protocols do not pass FWIW). If the rule is disabled, they're blocked. If it's enabled, they pass. For all my other ports (tests were done with 27015, 3074, 389, and 1119) enabling the specific rule, disabling the specific rule, or enabling/disabling the catch-all */* rule still displays them as unreachable (cantyouseeme.com) except for 80 and 53.

    Now - My firewall is letting them through - Green Light entry in the log - but cantyouseeme.com says otherwise.

    FWIW I followed this guide to change my NAT from Strict to Moderate (for Crysis 2 Multiplayer Beta). That's basically the only other work done on my router as I'm just starting to learn on it.

    All I know is that I want my network secure and I want to hear my buds on SC2. Right now, I'm sacrificing security for teamwork and a better chance at fixing my w/l ratio!
     
  2. Mindflux

    Mindflux Limp Gawd

    Messages:
    251
    Joined:
    Feb 5, 2011
    What's under your "NAT" configuration under Firewall? I find that configuring NAT configures the corresponding firewall rules appropriately. The firewall comments/remarks lead me to believe you didn't configure them via NAT since they usually say things like UDP PORT 53 NAT etc...
     
  3. wavewerx

    wavewerx Limp Gawd

    Messages:
    284
    Joined:
    Oct 8, 2008
    I actually don't have anything set up under NAT under the assumption that 'NAT isn't something you need to mess with if everything works.' I'll check out NAT this afternoon and see if I can't get any different results.

    Any reason why ports 80 / 53 work just fine though?
     
  4. dave99

    dave99 2[H]4U

    Messages:
    2,129
    Joined:
    Jan 20, 2011
    Yes, you need to look at your NAT port forward entries. Also, allowing all ports in to everything is bad; if nothing else you need to give your PC a static IP (or a DHCP reservation), and change your rules to forward just to your machine.
     
  5. wavewerx

    wavewerx Limp Gawd

    Messages:
    284
    Joined:
    Oct 8, 2008
    I've added a NAT port forward entry for UDP 1119 and voice chat worked today in SC2. I'll update the rest of my entries similarly and respond.

    Another reason that I didn't setup NAT Port Forwarding was because of 2 things: Source port and destination IP.

    I figure source port agnostic would be the way to go. Will you ever run into an instance where the source port is different from the destination port? (I'm talking about game firewall settings, and maybe torrenting?)

    Also, the destination IP needs to be 'whoever's requesting it.' I made the router (192.168.1.1) the destination IP because other users behind my firewall need to be able to voice chat and game besides just me. For something like RDP / VNC, I'll make it my computer, but for gaming - it needs to be the network. Comments there?
     
    Last edited: Mar 17, 2011
  6. dave99

    dave99 2[H]4U

    Messages:
    2,129
    Joined:
    Jan 20, 2011
    Ah, didn't realize there were others playing on the same network. You almost never need to set source port, only the destination port (destination being on your side), because they are rarely the same.

    I'm not sure what your best solution is where you need multiple machines to access the same game servers; you can only NAT port forward to 1 internal IP.

    Posting over at the pfsense board in the game forum might get you more answers. Might also have better luck upgrading to 2.0, I think it has more options available.
     
  7. wavewerx

    wavewerx Limp Gawd

    Messages:
    284
    Joined:
    Oct 8, 2008
    Quick note - Under NAT Port Forwarding I added an entry for UDP 1119, NOT UDP 1119-1120.

    I've just asked this question at pfsense forums. Thanks for the suggestion dave99.

    NAT Port Forwarding won't let me NOT declare a source port. Maybe 2.0 does? I don't want to continue adding entries until I can solve or learn more about that issue. SC2 Voice chat's working right now and after a day of work at the office, SC2 working is on high priority for the next few hours :)
     
  8. dave99

    dave99 2[H]4U

    Messages:
    2,129
    Joined:
    Jan 20, 2011
    You're right, 2.0 is different, it allows src port selection (again, rarely used). On 1.2.3, your external port range & local port should be the same. You are selecting the port the packets arrive on at pfSense's external interface, and what they are translated to on your LAN side, so they should be the same.
     
  9. wavewerx

    wavewerx Limp Gawd

    Messages:
    284
    Joined:
    Oct 8, 2008
    I read that comment for the past few days over and over again trying to understand it. I thought you had repeated yourself but I finally figured it out!

    Thanks for the help Dave99 - I'll be adding all my other rules to NAT now, or rather - originating them within NAT port forwarding. Additionally, the NAT IP address (Enter the internal IP address of the server on which you want to map the port) is mapped to the router.
     
    Last edited: Mar 19, 2011
  10. Matthias

    Matthias n00b

    Messages:
    6
    Joined:
    Mar 18, 2011
    You shouldn't need to have so many openings on the WAN side. I haven't needed to make many NAT port forwards either. Right now I have pretty much allow everything coming in on the LAN port and block everything coming in on the WAN port. There are a few programs I have had to make NAT port forwards for and I'm not familiar with SC2 voice so this may be an exception.

    Allowing everything in on the LAN port isn't ideal but egress filtering is hell for P2P.
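To make the advice in posts 4, 6, 8 and 10 concrete, here is a hand-written pf ruleset (pfSense is built on pf) that expresses the same thing the NAT Port Forward page generates: WAN is default-deny, a single UDP 1119 forward goes to one LAN host with a static address, the external port and the local port are the same, the source is "any" with no source port restriction, and the LAN side is allowed out. This is an added example written for this thread, not pfSense's own generated rules or anything the posters configured. The interface names em0/em1, the LAN net 192.168.1.0/24 and the game PC address 192.168.1.50 are constructed assumptions; UDP 1119 is the port from the thread.

```pf
# Added example (not from the thread): pf ruleset modelling the port-forward
# advice above. Interface names, LAN net and the 192.168.1.50 host are assumed.
wan_if    = "em0"             # assumed WAN interface
lan_if    = "em1"             # assumed LAN interface
lan_net   = "192.168.1.0/24"  # assumed LAN network
game_pc   = "192.168.1.50"    # assumed static lease / reservation for the gaming PC
game_port = "1119"            # UDP port from the thread (SC2 voice chat)

set skip on lo0

# Outbound NAT for the LAN (what pfSense does automatically).
nat on $wan_if from $lan_net to any -> ($wan_if)

# Port forward. External port and local port are the same (1119 -> 1119).
# Source is "any" with no source port: the remote peer picks an ephemeral
# source port, so pinning it would silently break the forward.
rdr on $wan_if proto udp from any to ($wan_if) port $game_port -> $game_pc port $game_port

# Default posture on WAN: drop (and log) anything not explicitly passed.
block in log on $wan_if all

# Pass rule for the forward. Filtering happens after translation, so the
# destination here is the internal host, not the WAN address. Only one
# internal host can own a given external port (post 6).
pass in quick on $wan_if proto udp from any to $game_pc port $game_port keep state

# LAN side: hosts may initiate anything outbound (post 10's "allow everything
# coming in on the LAN port"); replies come back through the state entry.
pass in quick on $lan_if from $lan_net to any keep state
pass out quick on $wan_if from any to any keep state
```

On a pf system the file can be syntax-checked without loading it with `pfctl -nf /path/to/this.conf`; on pfSense itself you would enter the equivalent through Firewall > NAT > Port Forward rather than editing pf.conf, but the rdr line is the part that corresponds to the "external port range / local port / NAT IP" fields discussed in post 8, and the pass rule is the "corresponding firewall rule" Mindflux refers to in post 2.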