Netgate Discussion Forum
    Netgate 2100 and any any rules questions

    Official Netgate® Hardware
    49 Posts 4 Posters 8.1k Views
    • JonathanLee

      Hello Netgate community. Can you please help if you have a second? I am having issues setting this up correctly. I do not like to use any/any rules, and per NIST publications we should avoid using any/any rules or * wildcard rules. I have an issue: I want my basic firewall rules to work the same way we learned in IT140 class, by directing the firewall destination rule to a specific interface. For example, below I want to use the WAN connection circled. This is not a multi-subnet environment with a dedicated router like in our class; this is a simple home setup with a DSL modem connected to the WAN that issues a DHCP address from the ISP, and my gateway is set up for this automagically. The LAN side is connected to an Apple AirPort Extreme in bridge mode, so all the DHCP and everything is passed from the firewall to the "Wifi system." Why was this able to work in class, but it will not work in a smaller setup?

      Screen Shot 2021-11-14 at 8.50.29 AM.png
      My gateway and DHCP server is the firewall itself, as this is in bridge mode. Side note: "This is not a Zyxel system; it is named this way because the old wireless system was replaced after a firmware update deprecated all of the security rules on it, so I returned it, reinstalled my AirPort, and just named it the same, and it worked without changing every setting in the house again."
      Screen Shot 2021-11-14 at 8.54.28 AM.png
      DHCP is my gateway; everything works in the house, with Internet access and Xbox, Snort, and the pfSense Squid content accelerator. I want to make the rules more specific now.
      Screen Shot 2021-11-14 at 8.49.41 AM.png
      Screenshot: AirPort set up for bridge mode, a kind of dummy mode where the other device (pfSense) controls all the DHCP and rules, and the AirPort only controls access to it.

      Can you please help? How can I get more granular rules in place for the destination rules?

      Screen Shot 2021-11-14 at 8.39.11 AM.png
      Screenshot: basic firewall rules for Xbox, mail, HTTPS, and HTTP. An SSL certificate is in use on the firewall for web interface access.

      I have tested using 192.168.1.1 (the firewall itself), loopback 127.0.0.1, WAN network, and changing it to use the DHCP gateway. It only works with any right now. I would like to follow NIST standards and remove the any wildcard from the destination only, not the port.
      Screen Shot 2021-11-14 at 9.03.18 AM.png
      Screenshot: Services running
      Screen Shot 2021-11-14 at 9.04.28 AM.png
      Content Accelerator/Antivirus Proxy running
      Screen Shot 2021-11-14 at 9.05.19 AM.png
      IPS IDS running fine.
      Screen Shot 2021-11-14 at 9.06.32 AM.png
      WAN rules in place. I have no servers or anything running; it acts as a mini DMZ, so only the LAN rules matter.
      Screen Shot 2021-11-14 at 9.07.36 AM.png
      Interfaces. What is recommended for my rules to say WAN and not any?
      Screen Shot 2021-11-14 at 9.10.29 AM.png
      System also has SSL certificates in use for Web Interface access only.

      Make sure to upvote

      • SteveITS @JonathanLee

        I'm not sure I fully understand, but for your circled rule, allowing LAN Net to WAN Net:993 will allow any LAN device to access any device in the WAN subnet on 993. It will not allow 993 on other servers. If your goal is to allow 993 on some server on the Internet, and no others, you'll need to add a rule allowing 993 to that server's IP address.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • JonathanLee @SteveITS

          @steveits thanks for the reply. This will not work with it set to WAN, only any. So I would have to put in the IP address of smtp.gmail.com? I just do not like the any rules.

          • SteveITS @JonathanLee

            @jonathanlee smtp.gmail.com would presumably be for SMTP, not IMAP, but yes, you'd have to manually add all the IP addresses Google uses as you discover them.

            • JonathanLee @SteveITS

              @steveits so if I were a business, I could not load something like a Gmail-approved email server ID, or Yahoo, etc.? Palo Alto has App-ID and Content-ID but nothing for an approved email server ID. It would have to be done by hand.

              • stephenw10 (Netgate Administrator)

                You can add an alias there with a list of destinations if you wish. But you would need to find a list of IPs used by gmail and that's going to be difficult. That actual list is large and not static.

                I also note you have added default block rules, which is not necessary in pfSense as everything is blocked by default. Adding them yourself can appear logical, but you can end up blocking things that would normally be passed automatically. Also, without logging enabled on those you will not see any blocked traffic in the firewall log.

                Steve

                • JonathanLee @stephenw10

                  @stephenw10
                  Thanks for the information,

                  Our college class taught us to make a default block-anything rule on the interfaces, as it runs sequentially down, and if you do not have a default block it will allow that traffic. On my network I only want Xbox, Internet, and email, nothing else; that is why I have the default block rule.

                  • johnpoz (LAYER 8 Global Moderator) @JonathanLee

                    @jonathanlee said in Netgate 2100 and any any rules questions:

                    do not have a default block it will allow that traffic.

                    There is a default block, just not shown in the GUI. Not sure what college class you're taking, but I have worked on all the major players' firewalls: Palo, Checkpoint, Cisco, etc. etc. And I don't recall ever being default allow. That would be a horrible default stance for a firewall.

                    https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html#default-deny-rule
                    https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html#firewall-bp-default-deny

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • stephenw10 (Netgate Administrator)

                      @jonathanlee said in Netgate 2100 and any any rules questions:

                      Our College Class taught to make a default block anything rule

                      Yup, that's not required in pfSense. I don't know what firewall you were using for that class.

                      pf itself, the filter used by pfSense, is pass by default but the default ruleset adds block all rules already.

                      Quite a few users add a block rule just to make the ruleset easier to read. You just need to be aware that doing so can break the default rules that you don't see, altering the expected behaviour.

                      Steve

                      • JonathanLee @stephenw10

                        @stephenw10
                        Hello thanks again for the reply.

                        I am taking a specific higher-education, college-credited advanced firewall class. I will continue to leave that specific rule in place. When logging is enabled on this rule, it does block traffic I do not want running on my network.

                        • JonathanLee @stephenw10

                          @stephenw10 Thanks for the reply. How can you just set the outside rule to WAN? Doing so blocks all mail; however, when it is set to allow anything out, it works. I just want it to say anything is allowed for a specific port out the WAN or gateway, and try not to just state "*" for the rule's source and destination. I want it set to WAN interface, or WAN network, or only allow out to WAN.

                          • JonathanLee @johnpoz

                            @johnpoz "Generally, firewalls should block all inbound and outbound traffic that has not been expressly permitted by the firewall policy—traffic that is not needed by the organization. This practice, known as deny by default, decreases the risk of attack and can also reduce the volume of traffic carried on the organization’s networks. Because of the dynamic nature of hosts, networks, protocols, and applications, deny by default is a more secure approach than permitting all traffic that is not explicitly forbidden" (NIST Special Publication 800-41r1).

                            For me, if it is not specifically built into the firewall, I am going to block it with a default block-anything rule at the end of the access control lists. Here are my reasons why, and the reasons the class teaches students to add such rules at the end of access control lists, or ACLs.

                            "Firewall rulesets should be as specific as possible with regards to the network traffic they control. To create a ruleset involves determining what types of traffic are required, including protocols the firewall may need to use for management purposes. The details of creating rulesets vary widely by type of firewall and specific products, but many firewalls can have their performance improved by optimizing firewall rulesets. For example, some firewalls check traffic against rules in a sequential manner until a match is found; for these firewalls, rules that have the highest chance of matching traffic patterns should be placed at the top of the list wherever possible" (NIST 800-41r1).

                            "Organizations should only permit outbound traffic that uses the source IP addresses in use by the organization—a process that helps block traffic with spoofed addresses from leaking onto other networks. Spoofed addresses can be caused by malicious events such as malware infections or compromised hosts being used to launch attacks, or by inadvertent misconfigurations" (NIST 800-41r1).

                            "Create a firewall policy that specifies how firewalls should handle inbound and outbound network traffic."

                            • JonathanLee @JonathanLee

                              @jonathanlee
                              Rules order.JPG

                              I have reordered the rules per the document for the rules that are most often used at the top so it does not have to check the other rules before reaching the HTTPS for example.

                              • johnpoz (LAYER 8 Global Moderator) @JonathanLee

                                @jonathanlee said in Netgate 2100 and any any rules questions:

                                (NIST Special Publication 800-41r1).

                                Dude, that is funny.. I have been doing firewalls, most likely before you were born ;) hehehe

                                Really, before stateful firewalls, back in the day of just old packet filters... hehehehe But sure, ok, feel free to quote docs ;)

                                I was just pointing out that pretty much every firewall on the market is default deny; no need to put in the rule. And from your rules there, all you're doing is hiding blocked traffic from your log for TCP and UDP, since you're not logging that rule. What about all the other protocols? That deny there at the end should be logging and an any rule.

                                Also, btw, NTP doesn't use TCP, so why have it allowed? ;)

                                And there are many sites that can do QUIC, HTTP/3, which is over UDP. Guess you want to block that traffic and not log it ;)

                                From a security point of view, allowing those tunnel protocols for your Xbox is a horrible, horrible idea. Once you allow such a tunnel or VPN out like that, all of your firewall rules and blocking go out the window. You're allowing anything on the LAN net to do that, not just some specific Xbox.

                                • stephenw10 (Netgate Administrator)

                                  Realistically you cannot define the destination for a lot of those rules, it has to be 'any external IP'.

                                  But you can set that by defining an alias with your own local subnets in it and then using the inverse of that. Like:

                                  Screenshot from 2021-11-18 13-03-36.png

                                  and

                                  Screenshot from 2021-11-18 13-03-58.png

                                  Steve
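
                                  As an added example (not code from this thread, from pfSense or from any of the posters), here is a small Python model of top-down, first-match rule evaluation that ties together the points made above: SteveITS's note that a destination of "WAN net" covers only the WAN subnet and not the Internet, stephenw10's inverted local-subnets alias as the way to say "any external IP", and johnpoz's notes that NTP is UDP, that QUIC/HTTP/3 runs over UDP 443, and that an unlogged tcp/udp block rule hides traffic while leaving other protocols to the hidden default deny. All addresses, the alias names LocalNets and Xbox, the ISP-side WAN subnet and the Xbox port are constructed or assumed for illustration.

```python
"""Toy first-match evaluator for a pfSense-style LAN ruleset.

Added example, not code from the thread or from pfSense itself.  It models
the rule semantics discussed in the thread:
  * a destination of "WAN net" covers only the WAN subnet, not the Internet;
  * the inverse of a local-subnets alias ("!LocalNets") means "any external IP";
  * a hand-added block rule that only covers tcp/udp and does not log still
    leaves other protocols to the hidden default deny, and hides what it drops.
All addresses, alias contents and ports below are constructed/assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing.  The ISP-side WAN subnet is an assumption.
ALIASES = {
    "LAN net": [ipaddress.ip_network("192.168.1.0/24")],
    "WAN net": [ipaddress.ip_network("100.64.10.0/24")],
    # Alias of every private range, meant to be used inverted as the destination.
    "LocalNets": [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    # Host alias standing in for the "Xbox group" in the thread (assumed addresses).
    "Xbox": [ipaddress.ip_network("192.168.1.20/32"),
             ipaddress.ip_network("192.168.1.21/32")],
}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp" or "any"
    src: str               # alias name, "any", or "!Alias" for the inverse
    dst: str               # same spec form as src
    dport: Optional[int]   # destination port, None for any port
    log: bool = False


Packet = Tuple[str, str, str, Optional[int]]   # (proto, src_ip, dst_ip, dst_port)


def addr_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Resolve an alias spec the way the GUI's 'invert match' checkbox does."""
    if spec == "any":
        return True
    invert = spec.startswith("!")
    inside = any(addr in net for net in ALIASES[spec.lstrip("!")])
    return not inside if invert else inside


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, index of the matching rule or None, logged?).

    GUI rules are 'quick': the first match wins.  Anything unmatched hits the
    hidden default deny, which pfSense logs unless that logging is disabled.
    """
    proto, src, dst, dport = pkt
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto != "any" and proto not in r.proto.split("/"):
            continue
        if not (addr_matches(r.src, src_ip) and addr_matches(r.dst, dst_ip)):
            continue
        if r.dport is not None and dport != r.dport:
            continue
        return r.action, i, r.log
    return "block", None, True


# Ruleset like the circled one: IMAPS to "WAN net", then an unlogged tcp/udp block.
RULES_WAN_NET = [
    Rule("pass", "tcp", "LAN net", "WAN net", 993),
    Rule("block", "tcp/udp", "LAN net", "any", None, log=False),
]

# Ruleset using the inverted alias, protocol-correct rules and a logged catch-all.
RULES_INVERTED = [
    Rule("pass", "tcp", "LAN net", "!LocalNets", 993),   # IMAPS to any external host
    Rule("pass", "udp", "LAN net", "!LocalNets", 123),   # NTP is UDP, not TCP
    Rule("pass", "udp", "LAN net", "!LocalNets", 443),   # QUIC / HTTP/3
    Rule("pass", "udp", "Xbox", "!LocalNets", 3074),     # console hosts only (port assumed)
    Rule("block", "any", "LAN net", "any", None, log=True),
]

if __name__ == "__main__":
    ext_mail = "203.0.113.10"   # constructed external mail server address
    for name, rules in (("WAN net", RULES_WAN_NET), ("inverted", RULES_INVERTED)):
        print(name, "IMAPS ->", evaluate(rules, ("tcp", "192.168.1.50", ext_mail, 993)))
```

                                  Running it shows the IMAPS connection to the external host silently dropped by the unlogged block in the "WAN net" ruleset and passed by the inverted-alias ruleset, while an ICMP packet in the first ruleset bypasses the tcp/udp block and lands on the logged default deny. One caveat the model also exposes: the inverted alias excludes every private destination, including the firewall's own LAN address, so anything local (the anti-lockout rule covers the GUI on LAN, but not, for example, DNS or NTP served by pfSense) needs its own explicit pass rule above the catch-all.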

                                  • JonathanLee @johnpoz

                                    @johnpoz Thanks for the information on HTTPS/3; that is new to me. I was born years ago and have worked on IT equipment for over 15 combined years, all over the USA, all the way up to the Internet backbone level. Like you, I have also worked on glorified packet filters back in the day, all command line interface (CLI) based with no GUI.

                                    I did have logging turned on for this rule, however if I am not looking at it I turned it off to have less resource use.

                                    Over the years one can say we learned that all protocols, and the rules that are in place for them, need to follow some official government guidelines. Again, we can all agree with that, or why have protocols at all? What is a protocol but a set of rules?

                                    As for new HTTPS/3 "This is new to me thanks for sharing." Thank you for sharing. Why do you think this was made? Maybe because of new GDPR laws? Or something else?

                                    Companies always have created new cutting protocols to make something work better or sometimes to just avoid detection. However, they should always train students on it before just using it or doing a blanket deployment of use.

                                    That is why data center compliance systems can and will continue to block them out when out of compliance. Rules that came out a couple of years ago, like GDPR and California privacy laws, are never going away. They will continue to grow and expand for a safer Internet. If protocols change to avoid detection or to avoid a system that can decrypt SSL over an enterprise network, one could say that it is no longer in "compliance" or following the official government guidelines. At that point more rules will be made and new fines put in place. "User Datagram Protocol" (UDP) does not have a three-way handshake, so it is harder to work with for Nmap scans and things like that; we know that, and it is harder to detect. Thanks again for the information; I will research this more.

                                    HTTPS/3 and use of it with UDP that is new to me. Thanks for sharing, this is why I went back to school. We have got to keep learning update our skill sets.

                                    Years ago it was only HTTP port 80 with 56k modems in the 90s. I remember my 8088 DOS 3.11 PC6300 system built by AT&T, all green monochrome text. Today I can download full files from my phone over an audio connection to my Apple IIc; it is amazing how fast it changed.

                                    • JonathanLee @johnpoz

                                      @johnpoz, I had to set the specific IP address for the Xbox last week. I did not like the double rules; I wanted to be able to add two IP addresses to one rule for them, the Xbox 360 and the Xbox One private IP addresses only. Tunnels are an issue, yes.

                                      • JonathanLee @johnpoz

                                        @johnpoz Thanks for pointing out the tunnel issue with the Xbox. I made an IP group.

                                        Xbox Group.JPG

                                        Al.JPG

                                        • JonathanLee @stephenw10

                                          @stephenw10

                                          Thanks for the information

                                          Xboxgroup2.JPG

                                          • JonathanLee @JonathanLee

                                            @jonathanlee summ.JPG

                                            It looks like NIST is already planning a course of action for HTTPS/3 QUIC over UDP.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.