2 Oct 2008 01:02
Re: Can't connect to subaru.com on port 80
sure, but i'm not filtering traffic on port 80 by IP and all www traffic seems to work fine. please let me know if you prefer this in another format.
this has me stumped...
thanks!
-phil
here's the WAN rules:
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<address>216.181.136.7</address>
</source>
<destination>
<address>10.0.0.2</address>
<port>1000-65535</port>
</destination>
<descr>NAT Allow inbound traffic from Lingo</descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>172.16.0.99</address>
<port>22</port>
</destination>
<descr>NAT Allow Backups from PPGNetServ using SSH</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<address>72.167.141.110</address>
</source>
<destination>
<address>172.16.0.99</address>
<port>5001</port>
</destination>
<descr>Allow iperf connections from GoDaddy Server</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>172.16.0.1</address>
<port>443</port>
</destination>
<disabled/>
<descr>WAN -> Allow Remote Admin of FW</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp/udp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
<port>1194</port>
</destination>
<disabled/>
<log/>
<descr>Allow Incoming Remote VPN Road Warriors</descr>
</rule>
And here's the LAN rules:
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>8000-8030</port>
</destination>
<descr>LAN -> Allow FTP Out</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>80</port>
</destination>
<descr>LAN -> 80</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>443</port>
</destination>
<descr>LAN -> 443</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>22</port>
</destination>
<descr>LAN -> SSH</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>5900</port>
</destination>
<descr>LAN -> VNC</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os></os>
<source>
<address>172.16.0.25</address>
</source>
<destination>
<any/>
</destination>
<descr>LAN -> Allow Phill's mac ANY to ANY</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<address>172.16.0.99</address>
</source>
<destination>
<any/>
<port>12489</port>
</destination>
<descr>LAN -> Nagios</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>10001</port>
</destination>
<descr>LAN -> 10001(vpn)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>500</port>
</destination>
<descr>LAN -> 500(vpn)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>3000</port>
</destination>
<descr>LAN -> NTOP/NetFlow</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>5050</port>
</destination>
<descr>LAN -> Yahoo IM</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>icmp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
<descr>LAN -> ICMP</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp/udp</protocol>
<source>
<address>172.16.0.99</address>
</source>
<destination>
<any/>
</destination>
<disabled/>
<descr>LAN -> Allow All</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>26</port>
</destination>
<descr>LAN -> 26(ssh godaddy/PPGNetServ)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp/udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>1194</port>
</destination>
<disabled/>
<descr>LAN -> Allow 1194 for OpenVPN</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>110</port>
</destination>
<descr>LAN -> 110</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>139</port>
</destination>
<descr>LAN -> SMB</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>137</port>
</destination>
<descr>LAN -> SMB</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>138</port>
</destination>
<descr>LAN -> SMB</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>21</port>
</destination>
<descr>LAN -> FTP</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>10000</port>
</destination>
<descr>LAN -> Webmin</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>995</port>
</destination>
<descr>LAN -> 995</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>9999</port>
</destination>
<descr>LAN -> 9999 GoDaddy CP</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>587</port>
</destination>
<descr>LAN -> 587(STMP SSL)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>993</port>
</destination>
<descr>LAN -> 993</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>43</port>
</destination>
<descr>LAN -> whois query</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>465</port>
</destination>
<descr>LAN -> Yahoo SMTP</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>25</port>
</destination>
<descr>LAN -> 25</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>3389</port>
</destination>
<descr>LAN -> Remote Desktop</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<address>192.168.1.0/24</address>
<port>5001</port>
</destination>
<descr>LAN -> 5001(iperf)</descr>
</rule>
<rule>
<type>block</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<log/>
<descr>Drop All Outbound Packets</descr>
</rule>
On Oct 1, 2008, at 5:46 PM, Tim Nelson wrote:
> It may be helpful to see your rulesets on your LAN and WAN interfaces... or paste the pertinent XML from your config file.
>
> Tim Nelson
> Systems/Network Engineer
> Rockbochs Inc.
> (218)727-4332 x105
>
> ----- "BSD Wiz" <bsdwiz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > i'm connected via cable modem, mtu is set to 1500.
> > thanks
> > -phil
> >
> > On Oct 1, 2008, at 5:23 PM, Chris Buechler wrote:
> >
> > > On Wed, Oct 1, 2008 at 6:18 PM, BSD Wiz <bsdwiz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > >
> > > > pfSense 1.2.1 RC1
> > > > only add-on package installed is iperf.
> > > > I have rules to allow traffic out on port 80 and 443. I have also (just to be sure) allowed *ALL* traffic out from my static ip on my macbook.
> > > > Problem is I can't get to the site subaru.com.
> > > > I don't see anything in the logs and I've never had a problem getting to any other site. If I telnet from the pfsense firewall to subaru.com on port 80 it gets connected. If i try that from my machine (laptop macbook) it times out.
> > > > am i missing something or what?
> > >
> > > We don't like Subaru. ;) kidding
> > >
> > > sounds like an MTU issue, try lowering your MTU on WAN if you have PPPoE.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe <at> pfsense.com
For additional commands, e-mail: support-help-zsHM3v2T5LBBDgjK7y7TUQ@public.gmane.org
---------------------------------------------------------------------
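The thread's open question is whether the pasted ruleset can explain the blocked flow, and Phil's answer ("i'm not filtering traffic on port 80 by IP") is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from the thread or from the pfSense project: it parses `<rule>` elements laid out exactly as in the config.xml excerpt above (a constructed subset of Phil's WAN and LAN rules is embedded), evaluates a candidate flow with first-match semantics, honours `<disabled/>`, `tcp/udp`, port ranges such as `1000-65535` and rules with no `<protocol>` (any), and reports whether the hit rule logs. The LAN subnet (172.16.0.0/24), the stand-in destination 203.0.113.10 and the helper names are assumptions; unmatched flows fall through to pfSense's implicit default deny.

```python
"""Evaluate pfSense-style <rule> entries against a candidate flow, first match wins.

Added example, not part of the thread. It mirrors the element layout of the
config.xml rules Phil pasted so a ruleset can be checked offline before
chasing other causes (MTU, routing) for a flow that does not get through.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed subset of the WAN and LAN rules from the thread, same element
# layout as a pfSense config.xml <rule>. Rule order matters: first match wins.
RULES_XML = """<rules>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
<source><address>216.181.136.7</address></source>
<destination><address>10.0.0.2</address><port>1000-65535</port></destination>
<descr>NAT Allow inbound traffic from Lingo</descr></rule>
<rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><any/><port>80</port></destination><descr>LAN -> 80</descr></rule>
<rule><type>pass</type><interface>lan</interface><protocol>tcp/udp</protocol>
<source><address>172.16.0.99</address></source>
<destination><any/></destination><disabled/><descr>LAN -> Allow All</descr></rule>
<rule><type>pass</type><interface>lan</interface>
<source><address>172.16.0.25</address></source>
<destination><any/></destination><descr>LAN -> Allow Phill's mac ANY to ANY</descr></rule>
<rule><type>block</type><interface>lan</interface>
<source><any/></source><destination><any/></destination><log/>
<descr>Drop All Outbound Packets</descr></rule>
</rules>"""

# Assumption: what <network>lan</network> expands to. The thread only shows
# 172.16.0.x hosts, so a /24 is assumed here.
NETWORKS = {"lan": ipaddress.ip_network("172.16.0.0/24")}


def make_flow(iface, proto, src, dst, dport=0):
    """Describe one candidate packet: ingress interface, protocol, endpoints, dest port."""
    return {"iface": iface, "proto": proto, "dport": dport,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def _port_matches(port_el, port):
    """<port> may be absent (any port), a single number, or a 'lo-hi' range."""
    if port_el is None or not port_el.text:
        return True
    lo, _, hi = port_el.text.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _endpoint_matches(ep, ip):
    """<source>/<destination> hold <any/>, <network>alias</network> or <address>ip[/len]</address>."""
    if ep is None or ep.find("any") is not None:
        return True
    net = ep.find("network")
    if net is not None:
        return ip in NETWORKS[net.text]
    addr = ep.find("address")
    if addr is not None:
        return ip in ipaddress.ip_network(addr.text, strict=False)
    return False


def rule_matches(rule, flow):
    """True when an enabled rule's interface, protocol, endpoints and port all cover the flow.
    A missing <protocol> means any protocol; 'tcp/udp' covers both. Source ports are
    ignored because none of the thread's rules use them."""
    if rule.find("disabled") is not None:
        return False
    if rule.findtext("interface") != flow["iface"]:
        return False
    proto = rule.findtext("protocol")
    if proto and flow["proto"] not in proto.split("/"):
        return False
    dst = rule.find("destination")
    if not _endpoint_matches(rule.find("source"), flow["src"]):
        return False
    if not _endpoint_matches(dst, flow["dst"]):
        return False
    return _port_matches(None if dst is None else dst.find("port"), flow["dport"])


def evaluate(rules_xml, flow):
    """Return (verdict, descr, logged) from the first matching rule. Flows that match
    no user rule fall through to pfSense's implicit default deny."""
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule_matches(rule, flow):
            return (rule.findtext("type"), rule.findtext("descr"), rule.find("log") is not None)
    return ("block", "implicit default deny", False)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for subaru.com.
    for flow in (make_flow("lan", "tcp", "172.16.0.50", "203.0.113.10", 80),
                 make_flow("lan", "udp", "172.16.0.99", "203.0.113.10", 53),
                 make_flow("lan", "udp", "172.16.0.25", "203.0.113.10", 53),
                 make_flow("wan", "udp", "216.181.136.7", "10.0.0.2", 999)):
        print(flow["iface"], flow["proto"], flow["src"], "->", flow["dst"], flow["dport"],
              evaluate(RULES_XML, flow))
```

Run against the embedded subset, a LAN host's TCP connection to port 80 is passed by "LAN -> 80" regardless of destination address, which is what Phil states; a UDP flow from 172.16.0.99 shows the disabled "Allow All" rule being skipped and the logged "Drop All Outbound Packets" rule catching it, so a ruleset problem would normally leave a trace in the firewall log. When the ruleset passes the flow and the log is silent, as here, the cause is somewhere other than the filter, which is why the thread moves on to MTU.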