pfSense Firewall Rules for Tanium

This is a short article, more to capture the data than anything.

The following screenshot is the simple setup for adding a firewall rule to pfSense to allow Tanium traffic through.

The settings boil down to allowing all traffic on destination port 17472 to pass through to the specified destination IP address.

Accessing SQL through the Windows Firewall

Recently I installed a new instance of SQL 2008r2.  (Get more details on installing Microsoft SQL Server 2008r2 here…)

Upon my arrival I quickly learned that, in order to allow applications to access the SQL Server instance, I needed to open the following port on my Windows Firewall: 1433

So here goes…

The Microsoft article described a way to do this via an admin command prompt. I chose the graphical process.

If your firewall is also configured for outbound filtering, you may need to repeat this process under the outbound rules as well.

Do you have an alternative way of configuring SQL for firewall access?  I’d love to hear from you… leave your comments below with your process or comments/suggestions on my process.

TMG and BigFix BESClient

No series of posts would be complete if I didn’t relate it back to my new fabulous job somehow…

The Microsoft Threat Management Gateway is secure by default. This means that everything you want to do online, or rather connect to, must be explicitly configured within the TMG console. The BigFix Enterprise Client is no different.

By default the BigFix infrastructure communicates on port 52311.  Therefore we must let TMG know that we’d like our clients to talk over this port.

Below is a graphical step by step on how this is done:

1. Let’s start by creating a new rule…

ForeFront TMG->Firewall Policy->Tasks (tab)->Create Access Rule


2. Of course we’ll be Allowing this port to communicate


3. We’ll be creating a brand new protocol… so hit Add, then in the Add Protocols window click New->Protocol

4. Name your protocol…


5. We’ll be adding the BigFix TCP port 52311 here… (You may have deployed via a different port… specify your custom BigFix port here…)

6. No secondary connections are needed… so click Next and hit Finish

7. Next we will expand the “User-Defined” branch and choose our “BigFix Communication Protocol” we just defined and hit Add->Close->Next

8. Specify who is allowed to communicate: the Source, which should be your Internal network.


9. And specify the destination. In my case I am setting up a secondary site, and all these clients will communicate with my BigFix root server somewhere else on the internet. (Later on I’ll set up a relay on one of the computers at this location and adjust the TMG firewall rules.)


10.  Because BigFix is my main management for all my computers, I want every computer to have permissions to communicate via this port… so I’ll leave the default “All Users” here… Next->Finish

We’ll probably want to make sure this is our first firewall rule so it is not interfered with by some other rule.  After hitting finish it should look like this:


Lastly we’ll need to “Apply” this new rule set in order to get things working.


TMG and AT&T Global Network Client

Since setting up my Microsoft Threat Management Gateway, I’ve come to realize how restrictive it is… The default installation sets up both an incoming and an outgoing firewall. This can be rather frustrating if you don’t know how to configure things correctly.
In this post I’ll show you how to configure an Access Rule to allow the AT&T Global Network Client through to wherever you’re going…

1. Open up your Forefront TMG Management console and find the “Firewall Policy” link within the left side tree.

2. Under the Tasks tab on the right side, find the “Create Access Rule” and left click it.

3. Name the rule “AT&T Global Network Client” and hit Next

4. We’ll want to “Allow” it…

5. This rule applies to “Selected protocols”; click the “Add” button

6. Under the “Add Protocols” window, click New->Protocol

7. Name it the “AT&T Network Client” then add the following ports to the list:

a. TCP, Outbound, From 50 To 50

b. TCP, Outbound, From 389 To 389

c. UDP, Send, From 500 To 500

d. TCP, Outbound, From 709 To 709

e. UDP, Send, From 4500 To 4500

f. TCP, Outbound, From 5080 To 5080

8. Our rule now needs to specify the “From” network of Internal, and the “To” network as External

Finish and Apply the changes… This should allow your VPN Client to connect and work properly.

OpenSuSE: Disable firewall

Disable firewall completely

I was wondering… why I can’t connect through ssh. The sshd daemon is running fine, so I found out that OpenSuSE installs its stinkin’ firewall by default and blocks everything. I’m pretty well protected behind enough high end security devices, and don’t need to micro-manage my connection. Here is how I disabled the firewall altogether:

/sbin/SuSEfirewall2 off

To start the firewall:

/sbin/SuSEfirewall2 on

If you want to temporarily disable your firewall:

/etc/init.d/SuSEfirewall2_setup stop

Enter the above line without “stop” and you will see all available switches.
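As an added example (not from the original post), here is the less drastic route for the ssh problem above: leave SuSEfirewall2 running and open only TCP/22 on the external zone by editing the FW_SERVICES_EXT_TCP setting in /etc/sysconfig/SuSEfirewall2. The file path is a parameter so the functions run against a constructed scratch copy; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: keep SuSEfirewall2 running and open
# only TCP/22 on the external zone instead of switching the firewall off.
# SuSEfirewall2 reads the allowed external TCP ports from the FW_SERVICES_EXT_TCP
# setting in /etc/sysconfig/SuSEfirewall2; the file path is a parameter here so
# the functions can be exercised on a constructed scratch copy.

# ext_tcp_ports FILE : print the ports currently listed in FW_SERVICES_EXT_TCP.
ext_tcp_ports() {
    sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# allow_ext_tcp FILE PORT : add PORT to FW_SERVICES_EXT_TCP in FILE (idempotent).
allow_ext_tcp() {
    file=$1
    port=$2
    current=$(ext_tcp_ports "$file")
    case " $current " in
        *" $port "*) return 0 ;;          # already allowed, nothing to change
    esac
    if [ -n "$current" ]; then
        new="$current $port"
    else
        new=$port
    fi
    if grep -q '^FW_SERVICES_EXT_TCP=' "$file"; then
        # rewrite the existing line; a temp file avoids the non-portable sed -i
        sed "s/^FW_SERVICES_EXT_TCP=.*/FW_SERVICES_EXT_TCP=\"$new\"/" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf 'FW_SERVICES_EXT_TCP="%s"\n' "$new" >> "$file"
    fi
}

# Demo on a constructed copy of the sysconfig file. On a real system the file is
# /etc/sysconfig/SuSEfirewall2 and the change takes effect once the firewall is
# (re)started, e.g. with the /sbin/SuSEfirewall2 on command shown in the post.
demo() {
    tmp=$(mktemp)
    printf 'FW_DEV_EXT="eth0"\nFW_SERVICES_EXT_TCP=""\n' > "$tmp"
    allow_ext_tcp "$tmp" 22
    allow_ext_tcp "$tmp" 22     # second call is a no-op
    ext_tcp_ports "$tmp"        # prints: 22
    rm -f "$tmp"
}
```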