Netgate Discussion Forum
Firewall Config - Security
General pfSense Questions
jami:

Hello, I'm currently running pfsense 2.3.5p1 on an x86 machine (Celeron 2.13 GHz, 768 MB DDR RAM, Prescott 400 motherboard from 2005) as a home firewall for my computer. Rules are to allow outbound on LAN and reject inbound on WAN. My configuration is something like this:

ISP --- Router (provided by ISP) --- WiFi WPA/WPA2 TKIP Link --- WAN interface (150 Mbps PCI card) --- pfSense Stateful Firewall --- LAN (PCI card) --- Ethernet Cable --- Computer

      Of course wifi is disabled on the computer.

      My questions:

1. Would you consider it a risk having a WiFi link for the WAN interface? Is it possible to gain admin access on pfsense by some kind of wifi attack? I think perhaps of a denial of service attack (because the hw isn't that great) but I'm not sure. Is it possible to perform a MITM attack by cracking the wifi link?

      2. Would you consider upgrading to more powerful and up to date hardware? What would you choose for this kind of application?

      I ask this because I had some mysterious crashes in previous version 2.3.5 and to be honest I do not know the reason.

      Thanks in advance,

      Jami

Gertjan:

        @jami:

Hello, I'm currently running pfsense 2.3.5p1 on an x86 machine (Celeron 2.13 GHz, 768 MB DDR RAM, Prescott 400 motherboard from 2005) as a home firewall for my computer. Rules are to allow outbound on LAN and reject inbound on WAN. My configuration is something like this:

So, you have zero rules on WAN (a hidden block-all rule exists) and a pass-all (outbound) rule on LAN.
A motherboard from 2005 ... you are breaking things and some records.
The fact that it actually boots doesn't mean you should also use it.

        @jami:

ISP --- Router (provided by ISP) --- WiFi WPA/WPA2 TKIP Link --- WAN interface (150 Mbps PCI card) --- pfSense Stateful Firewall --- LAN (PCI card) --- Ethernet Cable --- Computer

Why not ...

        @jami:

        1. Would you consider a risk having a WiFi link for the WAN interface?

        Only if you can't trust your very local zone - in wifi range ;)
        You are aware of the fact that we all have pfSense hooked up to the entire internet … so adding some WPA2 'risk' is pretty close to nothing.

        @jami:

Is it possible to gain admin access on pfsense by some kind of wifi attack?

        The AP is on the WAN side. As is the entire internet. So, no.

        @jami:

I think perhaps of a denial of service attack (because the hw isn't that great) but I'm not sure.

        DOS because hardware is not great ?
        I don't understand.
        Is your WAN connection THAT BIG (in speed) ??

        @jami:

        Is it possible to perform the MITM attack by cracking the wifi link?

You are mixing up terms I guess.
        Check out (a wiki page might do it) what a MITM attack really is.
        MITM isn't done in front of your door.

If you do not trust your WPA2, call an electrician and put a wire in place from your ISP router to pfSense - or even better, replace your ISP router by pfSense. Case closed.
(But then, the nasty ones will focus on your entire LAN, after breaking into your place, of course.)

        @jami:

2. Would you consider upgrading to more powerful and up to date hardware? What would you choose for this kind of application?

        What application ? what are you doing with your connection ?
I state up front : it won't make you a cup of tea.

        @jami:

        I ask this because I had some mysterious crashes in previous version 2.3.5 and to be honest I do not know the reason.

        Now you mention an interesting point.
        You answered that question already yourself !

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

jami:

          So you think the random crashes might be a hw issue or previous version? I read about some kernel fixes done in 2.3.5p1

          The main application is home internet (no big servers) and my connection speed is 10 Mbit/s at most. My plan is to add also an IDS package for monitoring.

I think I'll buy a better computer (perhaps a Core i3 with DDR3, would this be enough?) and then test the system again with 2.4.2 x64. The problem is that sometimes (randomly) I can't get access to the web GUI and of course no WAN connection at all. The only solution is a reboot.

I read in another post that it could be a low signal on the wireless card for the WAN interface, which makes the link go up/down very fast and sometimes turns into a crash, but I'm not sure since I don't know how to measure the signal levels and what levels are considered acceptable.

          Thanks for the quick answer!

          jami

Gertjan:

            @jami:

            So you think the random crashes might be a hw issue or previous version? I read about some kernel fixes done in 2.3.5p1

Well, only experts should consider using old (pfSense) versions.
And believe me, they normally don't ...
The rest of us should use the most recent version. Makes life easier.

            @jami:

            … My plan is to add also an IDS package for monitoring.

            Packet inspection can be a resource eater !

@jami:

I think I'll buy a better computer (perhaps a Core i3 with DDR3, would this be enough?) and then test the system again with 2.4.2 x64. The problem is that sometimes (randomly) I can't get access to the web GUI and of course no WAN connection at all. The only solution is a reboot.

            When my WAN goes down, the LAN stays perfectly well accessible.

            @jami:

            I read in another post that I could be a low signal in the wireless card for the wan interface, that makes the link go up/down very fast and sometimes it turns in a crash, but i'm not sure since I dont know how to measure the signal levels and what levels are considered acceptable.

Check out the system logs.
When WAN goes down and up, many things happen in pfSense.
Packages get restarted, the firewall is reloaded, etc.
All this and more is visible in the logs.
So, does your WAN go down ? What does it show ?
Why not test your setup by bypassing your Wifi-WAN with a simple cable ? Cable connections are pretty close to "set it and forget it - for life", while a Wifi connection can go down every time a neighbor heats up his coffee again in the microwave oven.

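Added example, not code from Gertjan, jami or the pfSense project: a small sh script that answers the "does your WAN go down? what does it show?" question from the system log. It counts the kernel's "link state changed to DOWN" messages for the WAN NIC and flags a link that drops repeatedly inside a short window, which is the up/down pattern jami suspected. Assumptions: the WAN NIC is em1 (LAN is em0), the log lines below are constructed in pfSense/FreeBSD syslog format, all events fall on the same day, and the 60-second window is an arbitrary threshold. On a 2.3.x box the real log is a circular clog file, so feed it with "clog /var/log/system.log | link_flaps em1"; newer releases write plain text and cat works.

```shell
#!/bin/sh
# Added example (not from the thread): count WAN link flaps in a pfSense system log.
# Real use on the firewall:  clog /var/log/system.log | link_flaps em1
# The sample below is CONSTRUCTED, modelled on FreeBSD kernel and pfSense
# check_reload_status messages; em1 is assumed to be WAN, em0 LAN.

SAMPLE_LOG='Dec 10 21:14:02 pfSense kernel: em1: link state changed to DOWN
Dec 10 21:14:02 pfSense check_reload_status: Linkup starting em1
Dec 10 21:14:05 pfSense kernel: em1: link state changed to UP
Dec 10 21:14:05 pfSense check_reload_status: Linkup starting em1
Dec 10 21:14:09 pfSense check_reload_status: Reloading filter
Dec 10 21:14:31 pfSense kernel: em1: link state changed to DOWN
Dec 10 21:14:33 pfSense kernel: em1: link state changed to UP
Dec 10 21:20:02 pfSense kernel: em0: link state changed to UP
Dec 10 21:45:11 pfSense kernel: em1: link state changed to DOWN
Dec 10 21:45:14 pfSense kernel: em1: link state changed to UP'

# link_flaps IFACE: number of "link state changed to DOWN" events for IFACE on stdin.
# grep -c prints 0 (and exits 1) when nothing matches, so the count is always printed.
link_flaps() {
    grep -c "kernel: $1: link state changed to DOWN"
}

# flap_burst IFACE SECONDS: largest number of DOWN events for IFACE that fall
# inside any SECONDS-long window. Syslog lines carry no year, so this assumes
# all events are on the same day (good enough for a quick look at a flapping NIC).
flap_burst() {
    grep "kernel: $1: link state changed to DOWN" | awk -v win="$2" '
    {
        split($3, t, ":"); s = t[1] * 3600 + t[2] * 60 + t[3]
        times[n++] = s
        c = 0
        for (i = 0; i < n; i++) if (times[i] >= s - win) c++
        if (c > max) max = c
    }
    END { print max + 0 }'
}

# link_verdict IFACE: "flapping" when two or more DOWN events land within
# 60 seconds of each other (arbitrary threshold), otherwise "stable".
link_verdict() {
    burst=$(flap_burst "$1" 60)
    if [ "$burst" -ge 2 ]; then echo flapping; else echo stable; fi
}

# Stand-alone run over the constructed sample.
for nic in em1 em0; do
    printf '%s: %s DOWN events, verdict: %s\n' "$nic" \
        "$(printf '%s\n' "$SAMPLE_LOG" | link_flaps "$nic")" \
        "$(printf '%s\n' "$SAMPLE_LOG" | link_verdict "$nic")"
done
```

A wired WAN that is healthy should show zero DOWN events outside reboots; a wireless WAN with marginal signal shows exactly the bursts flap_burst reports, and each one drags a filter reload and package restarts behind it, which is what made the box look like it was crashing.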
Derelict (Netgate):

              So, you have zero rules on both, because LAN has a hidden pass-all rule, and WAN a hidden block all rule.

              Pardon the interjection but LAN has no such thing. It has a default pass all rule but it is not "hidden" like default deny.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

Gertjan:

                @Derelict:

                So, you have zero rules on both, because LAN has a hidden pass-all rule, and WAN a hidden block all rule.

                Pardon the interjection but LAN has no such thing. It has a default pass all rule but it is not "hidden" like default deny.

Ok, good to know. I always thought there was one - I guess I need to reinstall pfSense once just to see what it is when it jumps out of the box - last time for me was too many years ago, it's too stable ...
                I'll edit my post above.

johnpoz (Global Moderator):

There is a hidden rule that allows DHCP to work, if you enable the DHCP server on an interface.. But there sure is not a hidden any-any allow..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Derelict (Netgate):

                    There is a default pass any initially created on the LAN interface because it is generally what most people need to get running.

                    Any other LAN-type interfaces you create get no such rule.

Gertjan:

                      @johnpoz:

                      There is a hidden rule that allows dhcp to work, if you enable dhcp server on an interface.. But there sure is not an hidden any any allow..

That's the one : this DHCP pass rule is what I mistook for a global pass-all-outbound one. I was wrong.

johnpoz (Global Moderator):

                        That being hidden is a good thing.. Do you know how many threads we would get on dhcp doesn't work after some user deleted the dhcp rule if it was shown ;)

                        Part of the not having nice things comes down from trying to idiot proof shit ;) heheheeh

Not showing the default deny is the same concept ;) Some user would just delete it.. On their WAN, trying to get something to work by clicking on random shit...

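Added example, not code from any of the posters or from the pfSense project, to make the hidden-versus-visible distinction above checkable: the GUI only shows the rules you created, but "pfctl -sr" lists everything pf has actually loaded, including the default deny and the DHCP server rules johnpoz mentions. pfSense tags every rule made under Firewall > Rules with a label beginning "USER_RULE:", and the generated rules carry other labels, so that prefix separates the two sets. Assumptions: the sample rule lines are constructed and modelled on pfctl -sr output for a box where em1 is WAN with no user rules and em0 is LAN with the DHCP server enabled on 192.168.1.1/24; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): split the rules pf has
# loaded into the ones the GUI hides and the ones it shows, using the
# "USER_RULE:" label prefix pfSense puts on GUI-created rules.
# Real use on the firewall:  pfctl -sr | hidden_rules
# The rule text below is CONSTRUCTED, modelled on pfctl -sr output
# (em1 = WAN, no user rules; em0 = LAN, DHCP server enabled).

SAMPLE_RULES='block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
pass in quick on em0 proto udp from any port = 68 to 255.255.255.255 port = 67 keep state label "allow access to DHCP server"
pass in quick on em0 proto udp from any port = 68 to 192.168.1.1 port = 67 keep state label "allow access to DHCP server"
pass out quick on em0 proto udp from 192.168.1.1 port = 67 to any port = 68 keep state label "allow access to DHCP server"
pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Rules on stdin that the GUI does not show (no USER_RULE label).
hidden_rules() {
    grep -v 'label "USER_RULE:'
}

# Rules on stdin that do appear under Firewall > Rules.
user_rules() {
    grep 'label "USER_RULE:'
}

# Count lines on stdin; grep -c prints 0 on empty input but exits 1, hence || true.
count_lines() {
    grep -c . || true
}

# Number of hidden / user rules in the constructed sample.
count_hidden_sample() {
    printf '%s\n' "$SAMPLE_RULES" | hidden_rules | count_lines
}
count_user_sample() {
    printf '%s\n' "$SAMPLE_RULES" | user_rules | count_lines
}

# iface_has_pass_in IFACE: exit 0 if some rule passes traffic arriving on IFACE,
# 1 otherwise. With no inbound pass rule, everything entering that interface
# hits the default deny, which is the "zero rules on WAN" situation in this thread.
iface_has_pass_in() {
    printf '%s\n' "$SAMPLE_RULES" | grep -q "^pass in quick on $1 "
}

# Stand-alone run over the constructed sample.
echo "Loaded but hidden from the GUI:"
printf '%s\n' "$SAMPLE_RULES" | hidden_rules
echo
echo "Shown under Firewall > Rules:"
printf '%s\n' "$SAMPLE_RULES" | user_rules
```

The visible "Default allow LAN to any rule" is a normal user rule (it can be deleted, and, as Derelict says, no other LAN-type interface gets one); the DHCP and default-deny lines never show up in the GUI, which is why deleting "everything" under Firewall > Rules still leaves DHCP working and the WAN closed.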
jami:

The problem was the wireless connection on the WAN interface. Today I bought a 10 m Cat 5e Ethernet cable and made a wired WAN link. EXCELLENT results, no logs about WAN link up/down, 5 hours with no crashes (x86 firewall) at all and almost no Suricata alerts. It's amazing! Next task, upgrade hw to x64 and go for the 2.4.2p1 version.

                          Thank you all for the help

                          Jami

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.