Port restriction rule!

Antibiotic

@johnpoz The ports are different but the rules order are correct for restriction? will this work?I try to restrict ports to expose to world ( do not leave WAN but still available for LAN) by this instruction: https://www.sans.org/media/score/checklists/FirewallChecklist.pdf

Antibiotic

@stephenw10 The ports are different but the rules order are correct for restriction? will this work?I try to restrict ports to expose to world ( do not leave WAN but still available for LAN) by this instruction: https://www.sans.org/media/score/checklists/FirewallChecklist.pdf

johnpoz

@Antibiotic said in Port restriction rule!:

estrict ports to expose to world ( do not leave WAN )

There is a huge difference in expose to world, ie allow that unsolicited inbound to your wan from the internet, or forwarded inbound to something behind the internet, and allow a client outbound to the internet that wants to talk on those ports.

The checklist is worded horrible in making that distinction - and the references are from 2000,2001..

But you do you.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. Or of blocking doesn't really matter if you have no allow between them... Some of that stuff makes no sense to be honest... Block 80/443 except for external webservers.. Well no shit, where else would you be going to for webservers.. And your firewall wouldn't blocking traffic for stuff on your own network talking to each other.

That is a pretty dated horribly written guide from 2000, I wouldn't given it to much credence to be honest.. BGP.. What on your network would be talking outbound to the internet via BGP? They list ntp as port 37.. That is the old timeservice and hasn't been used in like forever. Then they also list NTP on 123..

Out of the box pfsense does not "expose" anything to the world - the wan is default deny and their are no rules.. Nothing is getting to pfsense or stuff behind it, unless pfsense or something behind it requested the conversation.

It says to block ping.. You want to block your clients from pinging something out on the internet? Mentions dns TCP, that is not only used for zone transfer, that is used when the response is too big for UDP as well.. They mention finger, you worried about blocking outbound to finger, what the maybe 2 servers still running that - if any ;)

Antibiotic

@johnpoz said in Port restriction rule!:

Out of the box pfsense does not "expose" anything to the world - the wan is default deny and their are no rules.. Nothing is getting to pfsense or stuff behind it, unless pfsense or something behind it requested the conversation.

Yea but if rule like that:

Like me understanding expose all to world?

johnpoz

@Antibiotic that does not EXPOSE anything to the world - that allows you to talk to the world..

Expose would be your wan rules..

If your concerned that some client on your network is going to start talking BGP to the internet out of the blue and you don't want it to do that - then sure ok vs like not running bgp on your client machine, sure feel free to block it on pfsense ;)

Antibiotic

@johnpoz said in Port restriction rule!:

Expose would be your wan rules.

Could you please to show example?

johnpoz

@Antibiotic what example is there to show.. Out of the box the pfsense wan rules don't allow anything inbound to your pfsense wan IP from the internet.

What is "exposed" to the internet is what you add.. Here are my wan rules currently

This is what I have exposed to the internet... Ie some rando IP address out on the internet can talk to these ports.. The ones that are in the US, or elsewhere via my pfblocker alias of what is allowed to talk to these ports. Mostly US based IPs

I have those block rules at the end that log, because I have turned off logging for the default deny.. And this logs what I am interested in seeing. Only tcp syn traffic to my wan, and some common udp ports that might be interesting to know if seeing traffic to those ports..

Here are my LAN rules.

My clients could talk outbound on BGP... Oh no ;) hehehe

Out of the box the only rules are wan are the 2 blocking source IP of rfc1918 and bogon.. Nothing is "exposed"

Antibiotic

@johnpoz Do you have openvpn server or client?

Antibiotic

@johnpoz said in Port restriction rule!:

what example is there to show.. Out of the box the pfsense wan rules don't allow anything inbound to your pfsense wan IP from the internet.

Inbound yes, but outbound allow all like me undesrtanding?

johnpoz

@Antibiotic that is for my server, so I can connect while out and about. I also have a vpn client setup on pfsense that talks to one of my vpses out on the internet. But I don't normally use it.. It is there for testing/helping users with client setups.

I have two instances running, one on 443 tcp (this is for when udp 1194 might be blocked outbound where I am at).. And then your common UDP 1194 instance.

And yes I allow all outbound.. I have no reason to limit what my machines can talk too.. They are my machines and under my control, they only ever run code that I trust.. Blocking outbound would be too little and too late if I infected myself..

And then again, if I did infect myself - highly unlikely they would be using some odd ball port to talk outbound, they would use 443 most likely, just like everything else on the planet uses now.

Now I do log all my devices dns queries (I use pihole - mostly because I like its eye candy more than pfblocker).. And I do check on this now and then to see if they are talking to anything that looks weird.. But I don't block them from talking outbound.

Antibiotic

@johnpoz How do you connect pi hole and any additional rules in pfsense?Why I'm asking because have also small Glinet router with built in adguard dns server and he is dusting on sofa. Could be also start using in this way!

johnpoz

@Antibiotic I point my clients to the pihole, which forwards to pfsense, which then unbound resolves. There are no rules needed on pfsense do this.. Pihole is just like any other client asking unbound for dns.

Antibiotic

@johnpoz said in Port restriction rule!:

I point my clients to the pihole

How? Did you manually set pihole ip address for each home network in dns settings?

Antibiotic

@johnpoz said in Port restriction rule!:

which forwards to pfsense

Did you set to forward pihole dns request to unbound than?

johnpoz

@Antibiotic yes my pihole is on 192.168.3.10, it forwards to pfsense IP address 192.168.3.253

Pfsense manages my local network home.arpa, and all the dhcp for all my network.. You could have pihole handle that if you wanted.. But if you have more than network that can get a bit complicated.

client ask pihole for say nas.home.arpa, it says well that is not on any of my block lists so like anything else you ask for it forwards to pfsense.. pfsense says nas.home.arpa is at 192.168.9.10

One thing you prob want to do is in pihole allow it to forward ptrs for rfc1918. So you would uncheck this

And you sure don't want it do dnssec, because unbound is doing that.

pfblocker can for sure do the same thing, etc. but I like the pihole eyecandy

Its easy to look at the query log, filter exactly on what a machine asked for - or anything specific has been asked for, and who asked for it.

Antibiotic

@johnpozHello,

Local subnet 192.168.10.1
Local subnet 192.168.20.1 (connected router in AP mode, this router have usb connected hard disk with sharing files)
How to make to see PC connected to 192.168.10.1 subnet to see this hard disk for file sharing?

johnpoz

@Antibiotic not sure what is what here, but your policy routing.. If you want network x to access something on y you need to allow it before you policy route out some specific gateway.

https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

Antibiotic

@johnpoz I did

But this rule should be on top, regarding DNS redirect and all other redirection rules or can be locate above "Default allow LAN to any rule"?

stephenw10

That's fine as long as you only need TCP traffic between the local subnets.

Define exactly how you are testing? If by 'see' the hard disk you mean some sort of Windows device discovery that usually only works within one subnet.

Antibiotic

@stephenw10 said in Port restriction rule!:

Определите, как именно вы проводите тестирование? Если под словом «видеть» жесткий диск, вы имеете в виду некое обнаружение устройств Windows, которое обычно работает только в пределах одной подсети.

Yes exactly, i want to connect from Windows pc subnet 192.168.10.1 to Wireless router hard disk in subnet 192.168.20.1