OPNsense Forum » Archive » 20.7 Legacy Series » Can't specify a port in firewall rules
Topic: Can't specify a port in firewall rules (Read 2600 times)
stop.eject (Newbie, Posts: 3, Karma: 0)
Can't specify a port in firewall rules
« on: August 11, 2020, 06:59:03 am »
I want to restrict traffic to RDP. When I save the rule, it still passes traffic on all ports. This issue is not restricted to RDP, any other port selection is also not saved.
See the attached screenshots.
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Can't specify a port in firewall rules
« Reply #1 on: August 11, 2020, 11:42:32 am »
You have to fill in "from" and "to" port.
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: Can't specify a port in firewall rules
« Reply #2 on: August 11, 2020, 03:46:44 pm »
Or only from I think.
Cheers,
Franco
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Can't specify a port in firewall rules
« Reply #3 on: August 11, 2020, 04:29:44 pm »
Correct, "from" will somehow copy itself to "to" :-)
stop.eject (Newbie, Posts: 3, Karma: 0)
Re: Can't specify a port in firewall rules
« Reply #4 on: August 12, 2020, 05:12:17 am »
Quote from: franco on August 11, 2020, 03:46:44 pm
> Or only from I think.
> Cheers,
> Franco
Ha-ha, thanks! My inattentiveness bites again! Somehow I mistook "from" as "source port". Shame on me.
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: Can't specify a port in firewall rules
« Reply #5 on: August 12, 2020, 09:21:42 am »
No worries, was confused for a second there too
Vilhonator (Full Member, Posts: 245, Karma: 13)
Re: Can't specify a port in firewall rules
« Reply #6 on: August 12, 2020, 09:42:56 am »
You need to specify the destination host; otherwise, incoming RDP traffic from the designated source (which is set to be all IPs that begin with 10.200.1) will be forwarded to the next available RDP server within the network, which is something that can be exploited.
You must always specify the destination host, even with LAN-to-LAN connections. A source address is needed if you want to allow connections from a specific source IP or a specific network.
If you mean to have multiple machines with RDP enabled in your LAN, and you want to allow access only within the same LAN, then you don't need to create a firewall rule for it (devices within the same network are always able to communicate with each other; you only need to add LAN rules when you want to restrict the LAN).
If you have multiple LANs on your firewall and want to allow only RDP connections between 2 separate networks, then you can create a rule like that, but I would much rather create a VLAN and a static route and add block rules for the web GUI, ICMP etc. for it.
« Last Edit: August 12, 2020, 10:17:18 am by Vilhonator »
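To make the difference between the two rules in this thread concrete, here is an added illustration written in pf syntax (the packet filter underneath OPNsense). It is not the rule text OPNsense generates from its GUI, and the interface name and the RDP host address are placeholders, since the poster deliberately kept the real server IP out of the screenshot.

```pf
# Added illustration, hand-written pf rules; not generated by OPNsense.
lan_if = "igb1"            # assumed LAN interface name (placeholder)
rdp_server = "192.0.2.10"  # placeholder for the real RDP host

# What the GUI rule amounts to with both port fields left empty and
# destination "any": every TCP port, to every host the source can reach.
pass in quick on $lan_if proto tcp from 10.200.1.0/24 to any

# The narrowed rule: destination port range 3389-3389 (the GUI's "from"
# and "to" port fields), a specific destination host, same source network.
pass in quick on $lan_if proto tcp from 10.200.1.0/24 to $rdp_server port 3389
```

On the firewall itself, `pfctl -sr` lists the loaded ruleset, which is a quick way to confirm that the port and destination host actually made it into the active rule rather than only into the GUI.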
stop.eject (Newbie, Posts: 3, Karma: 0)
Re: Can't specify a port in firewall rules
« Reply #7 on: August 12, 2020, 04:08:17 pm »
You are correct, the rules should be defined as narrowly as possible. I left "any" in the rule to take a screenshot without exposing the server IP.