Netgate Discussion Forum
    HowTo Hardening PfSense firewall?

      sullrich

      Syn cookies are already enabled by default.

      Thanks for trying to come up with improvements but contrary to what you think we do think a LOT about every aspect of this project and we have done our homework prior.

        Snailer

        Still open-standing questions are:

        * How do I harden pfSense?
          * Which firewall rules are recommended to add, to improve overall security?
          * Concerning NetBIOS: is it safe to block NetBIOS, while family members are connecting by PPTP?
              - same question for IPsec?
              - do I need or have to block it at LAN side and/or WAN side (only)?
          * Because there are no default rules present at the WAN, does this mean that the GUI and SSH ports etc. are open?

          sullrich

          @Snailer:

          Still open-standing questions are:

          * How do I harden pfSense?
            * Which firewall rules are recommended to add, to improve overall security?
            * Concerning NetBIOS: is it safe to block NetBIOS, while family members are connecting by PPTP?
                - same question for IPsec?
                - do I need or have to block it at LAN side and/or WAN side (only)?
            * Because there are no default rules present at the WAN, does this mean that the GUI and SSH ports etc. are open?

          1.  pfSense defaults to block all that is not allowed.  Only allow needed ports.
          2. Yes.
          3. Yes
          4. See #1.  pfSense rules are applied to the incoming interface.
          5. No.  See #1.

            cmb

            @Snailer:

            Like, another stupid example:

            ```
            echo "1" > /proc/sys/net/ipv4/tcp_syncookies
            ```

            (syn_cookies, I am told, helps to prevent or reduce DDoS attacks).

            pfSense is FreeBSD, not Linux. We've been through all the appropriate security settings and done what we can, but FreeBSD doesn't leave big gaping holes open by default like many Linux distros do, hence we're "secure by default", and don't need check boxes to "lock things down".

            Agree w/Scott, adding checkboxes for things that should be permitted or not permitted via firewall rules is silly. Want to allow ping? Add a WAN rule. Don't want to? You're fine by default. Ditto for anything/everything else. What if you only want to allow ping from certain IPs on the Internet? That checkbox isn't going to help you. Lots of similar situations.

            chkrootkit works on pfSense, though it's not a package in the GUI. If you enable SSH, SSH in, open a shell, and run the following you can run it.

            ```
            pkg_add -r chkrootkit
            rehash
            chkrootkit
            ```

            Note that if you don't religiously keep chkrootkit up to date, it'll report false positives after OS updates.

              Juve
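As an added illustration of the rule-based approach cmb and sullrich describe (this is a hand-written pf ruleset fragment, not code from the thread or from pfSense itself), the following expresses "default deny on WAN, allow ping only from certain Internet IPs, keep GUI/SSH reachable from LAN only, drop NetBIOS leaving the LAN" as rules on the incoming interface. The interface names, the LAN subnet and the addresses in the table are assumed.

```pf
# Added example, not part of the thread. Interface names, LAN subnet and
# the table contents are assumed values chosen for illustration.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Constructed list of Internet hosts allowed to ping the WAN address
table <ping_ok> { 203.0.113.10, 198.51.100.0/28 }

set skip on lo0

# Default deny: anything not explicitly passed below is dropped (and logged)
block in log all

# pf evaluates rules on the interface a packet arrives on, so Internet-facing
# policy lives on $wan_if and LAN egress policy lives on $lan_if.

# Ping from the listed sources only; every other ICMP from WAN hits the block
pass in quick on $wan_if inet proto icmp from <ping_ok> to ($wan_if) \
    icmp-type echoreq keep state

# GUI (443) and SSH (22) are never opened on WAN here; LAN hosts may reach them
pass in quick on $lan_if inet proto tcp from $lan_net to ($lan_if) \
    port { 22, 443 } keep state

# Drop NetBIOS leaving the LAN before the general allow rule matches it
block in quick on $lan_if inet proto { tcp, udp } from $lan_net to any \
    port { 137, 138, 139 }

# Everything else from LAN may go out; replies return via the created state
pass in quick on $lan_if inet from $lan_net to any keep state
```

Load it with `pfctl -nf <file>` first to syntax-check before `pfctl -f`; on a pfSense box the GUI generates and owns /tmp/rules.debug, so this is for understanding the model, not for replacing that file.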

              I think here is a good example of two different worlds trying to understand each other.
              The first one is where you know what you want to do, what you do and how you have to do it.
              The second one is where you rely on checkboxes, hoping the developer knew what you will want to do ;-)

                tacfit

                If you'd like checkboxes, there's a great little product called Microsoft ISA 2004. I'm migrating off it. I'll sell you my licenses :)

                  hoba

                  Checkboxes always remind me of

                  Yes

                  No

                  Don't care

                  ;D

                    Snailer

                    :+ :D Just a small comment on the comments relating to the checkboxes: I am very delighted that two checkboxes are present in order to activate preset default firewall rules about denying non-standard WAN traffic. Three if you count the Snort 'autoblock' checkbox.
                    A fourth, let's call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox, ;D would be for me like a wet boy's dream has come true. :P :+

                      hoba

                      I think all the devs agree with me that we don't want "checkbox" behaviour. It's really all about firewall rules.

                        sullrich

                        @hoba:

                        I think all the devs agree with me that we don't want "checkbox" behaviour. It's really all about firewall rules.

                        Yes, fully agree.  There is no reason that this person cannot learn how to craft firewall rules properly.

                          jeroen234

                          @Snailer:

                          A fourth, let's call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox, ;D would be for me like a wet boy's dream has come true. :P :+

                          so that checkbox will remove all rules on the WAN port

                          same as your virgin pfSense ;D

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.