
Topic: Blocking a specific net from reaching a portforwarded ip/port


bingo600 (Full Member)
Blocking a specific net from reaching a portforwarded ip/port
« on: December 26, 2017, 02:55:44 pm »
I have port-forwarded my "outside" port 25 to a DMZ 192.168.x.x IP address,
and have set "any" to be able to reach the server on port 25.

Now I'd like to deny 91.200.12.0/24 from connecting to it (Ukrainian mail spammer net).

At the moment I have added a block rule on the WAN IF:
block 91.200.12.0/24 , any , dest TCP/25

If I wanted to make it more specific, i.e. just blocking the DMZ server:

Should I then use the WAN (outside) IP, or the Xlated IP (192.168.x.x/32 DMZ address), as the dest IP?

My gut tells me that it should be the 192.168.x.x, as the NAT might be done before the rule is hit, but I thought I'd just ask before trying.

TIA
/Bingo
pfSense 2.4.2-p1

QOTOM-Q355G4 Quad Lan.
CPU  : Core i5 5250U
Ram : 8GB Kingston DDR3LV 1600
LAN  : 4 x Intel 211
Disk  : 240G Toshiba Sata SSD

leungda (Newbie)
Re: Blocking a specific net from reaching a portforwarded ip/port
« Reply #1 on: December 30, 2017, 10:56:45 am »
Install the suricata package.

Gertjan (Hero Member)
Re: Blocking a specific net from reaching a portforwarded ip/port
« Reply #2 on: December 31, 2017, 11:11:11 am »
Quote from: bingo600 on December 26, 2017
Now I'd like to deny 91.200.12.0/24 from connecting to it (Ukrainian mail spammer net)

At the moment I have added a block rule on the WAN IF:
block 91.200.12.0/24 , any , dest TCP/25

If I wanted to make it more specific, i.e. just blocking the DMZ server.

You're too kind ;)
I wouldn't enter "dest TCP/25" but default to any at first, thus blocking 91.200.12 to whatever.
"Set it and forget it" for a while. When the rule counter goes to zero, remove the rule.

Btw: I'm not an expert, but I 'think' the firewall rule comes first, and NAT will be handled afterwards.


johnpoz (Hero Member)
Re: Blocking a specific net from reaching a portforwarded ip/port
« Reply #3 on: December 31, 2017, 11:41:44 am »
No, the NAT rule is looked at first, but the traffic would not be allowed unless there is a firewall rule. You could just put it in one rule with the use of ! (or "not", or "inverted", however you want to call it)... So you're forwarding 25 to 192.168.9.50, let's say... In that rule just put a ! source saying anything but 91.200.12.0/24, and you end up with this.. see attached.

But some people don't like ! rules, so yes, you can just put a rule above the rule that your port forward created.. See second attachment.

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

Quote from: https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
More accurately, the following order (still simplified) is found in the ruleset (check /tmp/rules.debug):

    Outbound NAT rules
    Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
    NAT rules for the Load Balancing daemon (relayd)
    Rules dynamically received from RADIUS for OpenVPN and IPsec clients
    Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
    User-defined rules:
        Rules defined on the floating tab
        Rules defined on interface group tabs (Including OpenVPN)
        Rules defined on interface tabs (WAN, LAN, OPTx, etc)
    Automatic VPN rules

But with a rule like this, why would you want/need to be specific? The only reason you would need to be specific is if you wanted to allow that netblock access to other stuff besides smtp.. If they are spammers, why would you want them to be able to even ping your WAN, etc.? Just block them outright to any, above your port forward WAN rule that allows access to 25.

« Last Edit: December 31, 2017, 11:46:28 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
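The order johnpoz quotes (rdr first, then the WAN rules, first match wins) settles the original question: a block rule on WAN has to name the translated DMZ address as its destination, because by the time the filter rules are evaluated the packet's destination is no longer the WAN IP. The Python model below is an added example, not code from the thread or from pfSense, that walks the four rule variants discussed above through that order. The WAN address 203.0.113.10, the DMZ host 192.168.9.50 taken from johnpoz's example, and the two sample source addresses are assumed.

```python
"""Toy model of pf's inbound order on pfSense: the port forward (rdr) rewrites
the destination first, then the WAN rules are walked top to bottom and the
first match wins (pfSense adds 'quick' to every rule it generates)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

WAN_IP = ip_address("203.0.113.10")      # assumed public address (RFC 5737 range)
DMZ_MAIL = ip_address("192.168.9.50")    # translated (internal) destination
SPAM_NET = ip_network("91.200.12.0/24")  # the netblock from the thread
ANY = ip_network("0.0.0.0/0")
DMZ_HOST = ip_network(f"{DMZ_MAIL}/32")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass
class PortForward:  # rdr: WAN traffic for dst:dport is sent to target:tport
    dst: IPv4Address
    dport: int
    target: IPv4Address
    tport: int

    def translate(self, p: Packet) -> Packet:
        if p.dst == self.dst and p.dport == self.dport:
            return Packet(p.src, self.target, self.tport)
        return p


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    src: IPv4Network = ANY
    src_inverted: bool = False         # the '!' / "not" box on the source
    dst: Optional[IPv4Network] = None  # None means "any"
    dport: Optional[int] = None
    hits: int = 0                      # like the rule counter in the GUI

    def matches(self, p: Packet) -> bool:
        src_ok = (p.src in self.src) != self.src_inverted
        dst_ok = self.dst is None or p.dst in self.dst
        port_ok = self.dport is None or p.dport == self.dport
        return src_ok and dst_ok and port_ok


def evaluate(p: Packet, forwards: List[PortForward], rules: List[Rule]) -> str:
    # 1. Inbound NAT (rdr) runs before any user rule, so the filter stage
    #    only ever sees the translated destination.
    for fwd in forwards:
        p = fwd.translate(p)
    # 2. First matching WAN rule decides; no match means the default deny.
    for rule in rules:
        if rule.matches(p):
            rule.hits += 1
            return rule.action
    return "block"


SMTP_FORWARD = [PortForward(WAN_IP, 25, DMZ_MAIL, 25)]
# The pass rule pfSense creates alongside the port forward: note that its
# destination is the internal host, not the WAN address.
ASSOCIATED_PASS = Rule("pass", ANY, dst=DMZ_HOST, dport=25)
# Constructed sample connections: one from the spam /24, one from elsewhere.
SPAMMER = Packet(ip_address("91.200.12.77"), WAN_IP, 25)
LEGIT = Packet(ip_address("198.51.100.4"), WAN_IP, 25)


def run(rules: List[Rule]) -> Tuple[str, str]:
    """Return (verdict for the spammer, verdict for a legitimate sender)."""
    return (evaluate(SPAMMER, SMTP_FORWARD, rules),
            evaluate(LEGIT, SMTP_FORWARD, rules))


def block_by_wan_address() -> Tuple[str, str]:
    """Block rule with the WAN address as destination: it never matches,
    because rdr already rewrote the destination to the DMZ host."""
    block = Rule("block", SPAM_NET, dst=ip_network(f"{WAN_IP}/32"), dport=25)
    return run([block, ASSOCIATED_PASS])


def block_by_translated_address() -> Tuple[str, str]:
    """Same block rule with the translated (DMZ) address: it matches."""
    return run([Rule("block", SPAM_NET, dst=DMZ_HOST, dport=25), ASSOCIATED_PASS])


def inverted_source_pass() -> Tuple[str, str]:
    """johnpoz's one-rule variant: pass from !91.200.12.0/24 to the DMZ host;
    the spammer matches nothing and hits the default deny."""
    return run([Rule("pass", SPAM_NET, src_inverted=True, dst=DMZ_HOST, dport=25)])


def block_net_to_any_above() -> Tuple[str, str]:
    """The variant the thread settles on: block the netblock to anything,
    placed above the port forward's pass rule."""
    return run([Rule("block", SPAM_NET), ASSOCIATED_PASS])


if __name__ == "__main__":
    for fn in (block_by_wan_address, block_by_translated_address,
               inverted_source_pass, block_net_to_any_above):
        print(fn.__name__, fn())
```

Run it and the first variant is the only one that lets the spammer through, which is what Bingo's gut predicted. On a real box the counterpart of `hits` is the per-rule packet counter printed by `pfctl -vsr`, and the generated ruleset that fixes this order is the /tmp/rules.debug file the post refers to.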

Gertjan (Hero Member)
Re: Blocking a specific net from reaching a portforwarded ip/port
« Reply #4 on: December 31, 2017, 05:50:58 pm »
Instructive.
Thanks !

biggsy (Hero Member)
Re: Blocking a specific net from reaching a portforwarded ip/port
« Reply #5 on: December 31, 2017, 06:08:57 pm »
Quote from: johnpoz on December 31, 2017
But with a rule like this, why would you want/need to be specific? The only reason you would need to be specific is if you wanted to allow that netblock access to other stuff besides smtp.. If they are spammers, why would you want them to be able to even ping your WAN, etc.? Just block them outright to any, above your port forward WAN rule that allows access to 25.

This, plus there are a whole lot more spam sources out there. Are you going to manually create a rule for each one? That way madness lies.

Try Suricata, or a VM with postfix to front-end your mail server, or maybe even the unofficial postfix package, any of these with zen.spamhaus.org.

bingo600 (Full Member)
Re: Blocking a specific net from reaching a portforwarded ip/port
« Reply #6 on: January 01, 2018, 02:59:12 am »
Quote from: johnpoz on December 31, 2017
More accurately, the following order (still simplified) is found in the ruleset (check /tmp/rules.debug): [...]


Thank you - informative  :D

/Bingo

bingo600 (Full Member)
Re: Blocking a specific net from reaching a portforwarded ip/port
« Reply #7 on: January 01, 2018, 03:02:42 am »
Quote from: biggsy on December 31, 2017
any of these with zen.spamhaus.org

I'm looking into combining zen.spamhaus.org with my sendmail,
but I just got annoyed at that /24, as it kept hammering my mail logs (they actually list it as a /22 doing noise on Spamhaus).

I was just trying out possibilities, to get a feeling for what pfSense can do (coming from a PIX/ASA world).

/Bingo