Additional protection beyond the basic set up
-
What are some suggestions or resources that could help me go beyond the basic pfSense setup to better protect my network using pfSense? What settings, what they do, where I set them, what more can I do other than pfBlocker and IDS? Any resources you can point me towards would be great, especially YouTube videos, but anything helps. Open to suggestions and opinions.
-
@VMlabman better protect your network in what sense?
IDS really has little use for your typical home/SMB setup. And the learning curve is steep, and it requires constant care. It's really only valuable with specific use cases.
-
What might you suggest that I do for the greatest security on and with my firewall? What changes should I make outside the basic install and basic restrictive rules for browsing the internet? Let me share a few rule ideas and see if you have any suggestions on how I would make them even more restrictive and/or secure.
(Screenshots) Block Any to Any is at the very bottom.
-
@VMlabman easier to just see your rules all at once vs details like that
Blocking at the end would already be done by the default deny, and for browsing, UDP is quite often used now; QUIC is the protocol that does it over UDP. Looks like you only allow TCP.
Where are you pointing to for DNS? I don't see any rules that allow that.
In what sense is blocking outbound more secure? Anything that has already infected your machine is more than likely going to go out HTTPS. Blocking outbound ports is a control thing: I don't want my users talking to some VPN service on port x or y, or their home Plex server.
Your box is already infected if it's trying to go to some odd port, so it's too late, to be honest. And it would be a pretty crappy badware thing if it just didn't use standard ports. Or something is redirecting you to something to infect you, and more than likely that would use a common port.
What you're going to find trying to control every single port that can go outbound is you're constantly adjusting this when this doesn't work and that doesn't work, etc.
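As an added example that is not from the thread or from pfSense's own code, here is a small first-match rule evaluator (Python, rule names and sample traffic constructed) that mirrors how a LAN rule list is walked top to bottom with the implicit default deny at the end. It shows the TCP-only browsing rule dropping QUIC on UDP/443, the missing DNS pass rule, and that the trailing "block any to any" rule changes no decision.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                               # "pass" or "block"
    protos: set = field(default_factory=set)  # {"tcp"}, {"tcp","udp"}; empty = any
    dports: set = field(default_factory=set)  # destination ports; empty = any
    name: str = ""

@dataclass
class Packet:
    proto: str
    dport: int

def evaluate(rules, pkt):
    """First matching rule wins, top to bottom. If nothing matches,
    the implicit default deny applies (as on a pfSense interface)."""
    for r in rules:
        if r.protos and pkt.proto not in r.protos:
            continue
        if r.dports and pkt.dport not in r.dports:
            continue
        return r.action, r.name
    return "block", "default deny"

def trailing_block_is_redundant(rules, sample):
    """True if dropping the last rule changes no decision for `sample`."""
    return all(evaluate(rules, p)[0] == evaluate(rules[:-1], p)[0] for p in sample)

# Constructed stand-in for the poster's LAN rules: browsing on 80/8080/443,
# TCP only, and an explicit "block any to any" at the very bottom.
TCP_ONLY = [
    Rule("pass", {"tcp"}, {80, 8080, 443}, "browsing (TCP only)"),
    Rule("block", name="block any to any"),
]

# After the change made later in the thread: TCP/UDP so QUIC (UDP/443) passes,
# plus the DNS pass rule that the original set was missing.
TCP_UDP = [
    Rule("pass", {"tcp", "udp"}, {80, 8080, 443}, "browsing (TCP/UDP)"),
    Rule("pass", {"tcp", "udp"}, {53}, "DNS to the configured resolver"),
    Rule("block", name="block any to any"),
]

# Constructed sample traffic: HTTPS, QUIC, a DNS query, and an SMTP attempt.
SAMPLE = [Packet("tcp", 443), Packet("udp", 443), Packet("udp", 53), Packet("tcp", 25)]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "TCP only ->", evaluate(TCP_ONLY, p), "| TCP/UDP ->", evaluate(TCP_UDP, p))
    print("trailing block redundant:", trailing_block_is_redundant(TCP_ONLY, SAMPLE))
```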
-
I changed my browsing for 80, 8080 & 443 from TCP to TCP/UDP. As for my DNS, in DNS Server Settings I point to Quad9.
As for more secure: is there a list of the top, say, 500 or 1000 domains I can put into an alias and use that and only that? I found this link: Top 1000 Websites By Ranking Keywords. Any way for me to import a .csv into an alias, if I chose to do this? It's an idea. I just want a very secure environment and firewall. Any setting I can set in pfSense to better secure the WAN interface? What about a proxy server?
-
@VMlabman you want to only allow the top 1000 websites? Not a very good internet experience... I land on sites that for sure are not top 1000 all the time.
I would be more concerned with blocking bad sites than limiting which good sites I can go to.
-
Okay, good to know.
-
You can use authenticated NTP.
You can also set up time constraints for blocking the internet altogether after hours. For example, if you lock your doors after specific hours, you can also lock your network after specific hours, like early AM hours. There is also a way to separate specific traffic for game systems and stuff like that. You can set up ACLs for VPN to only allow in specific IP addresses that are known hosts too.
DNS over TLS can help add a layer of security; not much, but it's an extra step.
-
@johnpoz What about being more invisible to the world? Let's say someone is scanning my pfSense for ports, etc. What info can he get? pfSense version, or outgoing traffic used by Windows or Linux, etc.? I think he wants to ask how to be more invisible.
-
@Antibiotic said in Additional protection beyond the basic set up:
Let's say someone is scanning my pfSense for ports, etc.
And out of the box pfSense would be completely "stealth", if you will; there are no open ports to the world out of the box. So scanning your public IP would give them nothing.