pfSense - Firewall rules

Have spent the most part of the weekend trying to figure out how to get my games running with a locked down firewall. Current computer is on a separate vlan called PC Net and I added the rules PC Net to 443 (https) and PC Net to 80 (http). Then I added firewall rules for to play games such as Modern Warfare, Apex Legends, NFS Heat.

Even after trying uPNP (as per this guide: pfSense and Multiple Xbox Ones: Open NAT Guide) I didn’t have any success. It seems the game server ports randomise and they use ports outside of the range specified.

I am not a fan of uPNP so I gave up on the above and just added the rule PC Net to Any. All games work fine and connections are good (even though some games list it as Strict NAT).

Is there a security concern running PC Net to Any?

You are exposing more ports on your PC which means if something running on your system has a port open and there is a flaw you are exposing that flaw to the world.

So ideally I should only have ports 80 (http) and 443 (https) open as a firewall rule.

The only thing I can think of is to create 3 rules:

  • PC Net to Any
  • PC Net to 80 (http)
  • PC Net to 443 (https)

When I want to play any games, disable the last 2 rules and enable the first rule. When finished gaming, do the reverse.

It’s a total pain however I can’t see any other option as I refuse to utilise uPNP

I am a bit confused, I thought you were talking about inbound ports. I would allow the computer all with egress ports, unless you want to deal with the tediousness of only allowing certain egress ports. Inbound ports are what pose more of a security risk than outbound ports. Something has to be on your computer to initiate the outbound connection and most modern malware will use common outbound ports.

Sorry for the confusion, I wasn’t clear in my explanation!

Yes this is for egress ports. So PC Net to Any should be fine as it is only opening the ports when required.

I am not too concerned with Malware etc as I am running very strict and rigorous pfblockerng rule sets.

I have read that pfSense is a stateful firewall so if a connection is allowed out on port 10 for instance it will allow an incoming connection on the same port only whilst that program is using the port

Here is a pic from my pfSense firewall rules for PC vlan.

Is this rule still secure? (PC Net to Any)?

It allows your PC to get out to the internet, so is it safe for you to do that? :slight_smile: Generally speaking, inbound ports are the one you have to worry about.

Cisco has some details on how NAT works here

1 Like