Blocking ports using alias not working?

Started by cableguy187, April 28, 2016, 07:23:57 AM

Could someone please clarify whether the alias setup is the same as PFsense?

I had a Steam port block setup and working with PF using an alias with all of the ports listed.

I duplicated that setup in Opnsense but it will not block, even after resetting states...

I have placed the rule in LAN up the top just below the anti-lockout rule..

Could someone please point me in the right direction?

Thanks  :D

What does your alias look like (type, content)?

See screenshot..

I even tried entering the ports as a new rule for 1x host.. Steam was still able to connect.

Also, I created a port forward for my cctv cameras and can access from external WAN, but when I turn on WIFI and connect on the LAN side, it doesn't work. I have enabled 'Pure NAT' in the rule options.

Ah, you probably want to remove the source port alias  :)

Sorry, I don't understand.

If you remove the source port alias, how's it meant to filter the ports?

You're specifying destination ports; the source port is chosen (randomly) at the client side, so this rule will probably never match.
Just try to set the source port to any, leave the destination as it was, and try again...

Tried it, after killing states to the single host Steam is still able to connect..

"Also, I created a port forward for my cctv cameras and can access from external WAN, but when I turn on WIFI and connect on the LAN side, it doesn't work. I have enabled 'Pure NAT' in the rule options."

Any ideas about the other question above?

Please try step by step, first you want to block steam by blocking the ports in your list coming from your lan network....

This should be a rule which looks something like :

source address (any), source port (any), dest addr (any), dest port (your alias)

Simple test, add port 80 and 443 to your alias, apply and see if your lan web traffic is dropped.

If you want to drop traffic coming from your wan, create a new rule there doing something similar using the same or a new alias.
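To make the point in the two replies above concrete, here is an added example (my own illustration, not code from the thread or from OPNsense): a tiny pf-style first-match evaluator run over constructed LAN flows. The "Steam ports" alias values and the client IPs are made up; the point is that a client picks a random ephemeral source port, so a block rule keyed on the alias as the *source* port never matches, while the same alias as the *destination* port catches every flow.

```python
"""Added example: why a block rule with the port alias on the source side never
matches. Alias contents, IPs and flows below are constructed for illustration."""
import random
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed stand-in for a "Steam ports" alias (not the real port list).
STEAM_PORTS: FrozenSet[int] = frozenset({27015, 27036, 27037})


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "block" or "pass"
    src_ports: Optional[FrozenSet[int]]  # None means "any"
    dst_ports: Optional[FrozenSet[int]]  # None means "any"

    def matches(self, f: Flow) -> bool:
        src_ok = self.src_ports is None or f.src_port in self.src_ports
        dst_ok = self.dst_ports is None or f.dst_port in self.dst_ports
        return src_ok and dst_ok


def first_match(rules: List[Rule], flow: Flow, default: str = "pass") -> str:
    """First matching rule wins (pf 'quick' semantics, as GUI rules behave)."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


def constructed_flows(n: int = 20, seed: int = 1) -> List[Flow]:
    """Client-side flows: random ephemeral source port, known destination port."""
    rng = random.Random(seed)
    return [Flow("192.168.1.50", rng.randint(49152, 65535), "203.0.113.10", p)
            for p in rng.choices(sorted(STEAM_PORTS), k=n)]


# The thread's original rule: alias on BOTH source and destination port.
BROKEN = [Rule("block", STEAM_PORTS, STEAM_PORTS)]
# The corrected rule: source port any, alias on destination port only.
FIXED = [Rule("block", None, STEAM_PORTS)]


def blocked_count(rules: List[Rule], flows: List[Flow]) -> int:
    return sum(first_match(rules, f) == "block" for f in flows)
```

Running `blocked_count(BROKEN, constructed_flows())` gives 0 because ephemeral ports (49152 and up) never fall in the alias, whereas `blocked_count(FIXED, constructed_flows())` blocks all 20 flows.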


Yeah, that's what I have done, only difference in what you suggest is I am testing on one LAN IP at the moment.. Not the whole network.


Quote from: cableguy187 on April 28, 2016, 09:26:55 AM
Tried it, after killing states to the single host Steam is still able to connect..

"Also, I created a port forward for my cctv cameras and can access from external WAN, but when I turn on WIFI and connect on the LAN side, it doesn't work. I have enabled 'Pure NAT' in the rule options."

Any ideas about the other question above?

This above worked with PFSense 2.2.5.. I must be missing something, I have looked through my PF configs and have setup OPNSense exactly the same.

If attempting to connect to the public IP from the internal network ( CCTV & alarm system apps ) is there an additional feature I have missed?

Fixed the public IP issue.

System/Settings/Firewall-NAT -

One more question..PFSense had an issue with keeping states when a scheduled block was applied. This required a cron task to manually kill off the states after the schedule. How does OPNSense handle states during a schedule change? When are the states cleared? Block or pass?

Firewall Schedules are one of the areas we barely touched (GUI only), still queued for an eventual replacement. In this regard I cannot say much about the state of things. I've heard of no issues ever since we started, which may also mean it's not a feature that gets a lot of exposure.

The state should be roughly the same as pfSense 2.2. There's an option for disabling killing states on schedule under System: Settings: Misc which suggests it's doing the right thing already. Did you verify?

But as I said, this part is not maintained, only curated.

Quote from: franco on April 28, 2016, 01:36:58 PM
Firewall Schedules are one of the areas we barely touched (GUI only), still queued for an eventual replacement. In this regard I cannot say much about the state of things. I've heard of no issues ever since we started, which may also mean it's not a feature that gets a lot of exposure.

The state should be roughly the same as pfSense 2.2. There's an option for disabling killing states on schedule under System: Settings: Misc which suggests it's doing the right thing already. Did you verify?

But as I said, this part is not maintained, only curated.

Thanks for the reply. I cut over the new firewall today, still setting up everything.. Will setup the schedules and report back.

I do like the interface over the dated PFsense  ;D Way easier to configure.


I tried the scheduled block and it worked; however, when inverting the rule (set rule to PASS and schedule times to ALLOW) this allowed some services to work but no browsing. I checked the logs and it is blocking 80 & 443 traffic on the associated IP??

Also, states were not broken when the BLOCK rule applied.

Looks like I will still need a cron task to flush states for the IP in the rule?