Netgate Discussion Forum
    Locking down pfSense

    Firewalling
    14 Posts 4 Posters 11.6k Views
      RussMuscle

      I have just started using the pfSense firewall. I am moving from both WatchGuard and SonicWall. With the WG and SW, I like to configure them to only allow specific ports outbound. I currently am running the default configuration with a WAN interface and a LAN interface. I have tried to configure it to lock down everything except my specific ports, and end up with no access outbound at all every time. I end up going back to the default configuration to get internet access again. Can I have some screenshots of the necessary changes to allow the lockdown? I can figure out how to do the rules after I can get basic HTTP access while blocking everything else. I have read through the forums and tried the things I have read. The things I find seem to be for more complicated setups. I feel really dumb for asking for this, but I just can't seem to figure it out. Help would be much appreciated.

        GruensFroeschli

        I suspect you used ports in the source-port field in your rules, or set the source as address instead of subnet. (The most common errors I see.)

        Easiest way:
        • Delete the default rule on the LAN.
          --> No rules at all on the LAN.

        • Create an alias containing all the ports you want to allow (firewall --> alias) (21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 993, etc.)
        • Create a rule on LAN:
          Protocol: TCP/UDP
          Source: LAN-subnet    (not address)
          Source-port: any
          Destination: any
          Destination-port: YourAliasName
          Gateway: default

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          RussMuscle

          I will try that when I get home.  I do believe I was using the interface.  Thank you.  I'll reply back when I have had a chance to test it.

            RussMuscle

            Thank you very much!  That was exactly what I was missing.  What is the difference between LAN and LAN subnet?  I am trying to learn this firewall.  I appreciate your insight.  Again, thank you.

              GruensFroeschli

              LAN-address means exactly that.
              The address of the pfSense on the LAN interface.

              LAN-subnet means exactly that.
              The subnet which is connected to the LAN interface.
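The rule GruensFroeschli describes earlier in the thread, and the LAN-address versus LAN-subnet distinction explained in this post, written out as the pf rules that sit underneath the pfSense GUI. This is an added illustration, not text from the thread or a file shipped by pfSense: the interface name em1 and the port list are assumed placeholders, and the commented-out line is the failing variant (LAN address instead of LAN subnet as source) so the difference is visible in the syntax.

```pf
# Assumed placeholders: the LAN interface and the port alias from the thread.
lan_if        = "em1"
allowed_ports = "{ 21 22 23 25 53 80 110 143 443 465 993 }"

# Step 1 of the post: with the default "LAN to any" rule deleted, nothing from
# the LAN is allowed in until an explicit pass rule matches. Logging the drops
# shows which client/port was missed when "the internet stops working".
block in log on $lan_if all

# Step 2: the lockdown rule, field by field.
#   proto { tcp udp }      only these protocols carry destination ports, which
#                          is why "Protocol: any" hides the port fields in the GUI
#   from $lan_if:network   the LAN *subnet*: every host behind the LAN interface
#   to any                 any destination
#   port $allowed_ports    destination ports = the alias; no source port is set
pass in quick on $lan_if inet proto { tcp udp } from $lan_if:network to any port $allowed_ports keep state

# The mistake the thread keeps hitting: ($lan_if) is the LAN *address*, the
# firewall's own IP on that interface. No client packet has that source, so
# this rule never matches and all LAN traffic falls through to the block above.
#   pass in quick on $lan_if inet proto { tcp udp } from ($lan_if) to any port $allowed_ports keep state
```

Two consequences worth knowing before applying this: ICMP from LAN hosts (ping) is blocked, since only TCP and UDP are passed, and DNS only works because 53 is in the alias and the destination is "any", which includes the firewall's own resolver address. A port alias can only ever appear after `port`; pf, like the GUI, has no address field that accepts a list of port numbers.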

                joebobfrank

                Gruens, I followed your instructions but I keep losing connectivity. Then I switch back to the default.

                In 'Alias' I chose:

                Type: port(s)
                Port(s): 80, 443, 68, and 53

                In 'Firewall: Rules: LAN' I chose:

                Action: pass
                Interface: LAN
                Protocol: any
                Source: type: LAN subnet
                Destination: type: Single Host or Alias
                                Address: nameofmyalias

                What am I doing wrong?

                  GruensFroeschli

                  You have a port-alias in an address-field.
                  Reread my generic example above.


                    joebobfrank

                    @GruensFroeschli:

                    Easiest way:
                    • Delete the default rule on the LAN.
                      --> No rules at all on the LAN.

                    • Create an alias containing all the ports you want to allow (firewall --> alias) (21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 993, etc.)
                    • Create a rule on LAN:
                      Protocol: any
                      Source: LAN-subnet    (not address)
                      Source-port: any
                      Destination: any
                      Destination-port: YourAliasName
                      Gateway: default

                    Gruens, I reread your original instructions (above).
                    I keep losing the connection every time I enable the configuration method you suggested. I tried several times, making small changes one by one. Nothing worked. I was so happy earlier today when I was teaching myself regular expressions and succeeding. Then I attempted to configure this router again…

                    There is nothing on the Firewall Rules > LAN page that says "Destination-port".
                    When I set the Source to any I cannot put anything into the "Address" field.

                    What should I put in each of these fields?

                    Action:

                    Interface:

                    Protocol:

                    Source:
                    Type:   
                    Address:

                    Source port range:

                    Destination:
                    Type:   
                    Address:

                    Anything else I need to do?
                    Should I reboot the router after saving the changes?

                    Thank you so much for your help!

                      GruensFroeschli

                      D'oh.
                      Set the protocol to TCP/UDP ^^"
                      Otherwise you don't have the option to specify ports (since not all protocols feature ports).


                        joebobfrank

                        I tried what you said.

                        Still did not work…

                        Every time I added the alias the Internet connection failed.

                        I have tried a couple of other things and now the router is completely hosed…

                          Eugene

                          Screenshot of your rules configured according to GruensFroeschli please?

                          http://ru.doc.pfsense.org

                            joebobfrank

                            Eugene, I had to start all over from scratch.
                            Can you tell me how to do it in an easy to understand way? Thanks.

                              joebobfrank

                              P.S. What is the next step in hardening pfSense after configuring certain ports with an alias?

                                GruensFroeschli

                                To harden your setup more:
                                Set the WebGUI to HTTPS.
                                Set the WebGUI to a different port than 443 (I usually use 444 :D ).
                                Disable the anti-lockout rule (under system --> advanced) and allow access only from a source you control.
                                Or even better: don't allow access to the WebGUI at all besides via a VPN (OpenVPN comes to mind).

                                Run as few packages/services as possible.

                                But these are just generic "security measures".
                                pfSense is with the default settings already pretty safe.
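The "disable the anti-lockout rule and allow access only from a source you control" step above, expressed as the pf rules pfSense would generate for the equivalent LAN rules. Again an added illustration rather than anything posted in the thread or shipped by pfSense; em1, the admin host address 192.168.1.10 and the listener port 444 are assumed placeholders (444 follows the post, the rest is constructed).

```pf
# Assumed placeholders: LAN interface, the single admin workstation, and the
# non-default HTTPS WebGUI port from the post.
lan_if      = "em1"
admin_host  = "192.168.1.10"
webgui_port = "444"

# Only the admin host may reach the firewall's own WebGUI, and only on the
# custom HTTPS port. ($lan_if) is the firewall's LAN address ("This Firewall"
# in GUI terms), which is exactly where a management rule should point.
pass in quick on $lan_if inet proto tcp from $admin_host to ($lan_if) port $webgui_port keep state

# Every other LAN host gets a TCP reset instead of a login page. The built-in
# anti-lockout rule is evaluated before user rules, so this block only has an
# effect once that rule has been disabled under System --> Advanced.
block return in quick on $lan_if inet proto tcp from any to ($lan_if) port $webgui_port
```

Order matters: both rules carry `quick`, so the narrow pass for the admin host must precede the block, and both belong above the general outbound lockdown rule so that a port alias containing 443 or 444 cannot accidentally expose the GUI to the whole LAN. The VPN-only variant in the post is the same pair of rules placed on the OpenVPN interface instead of LAN, with no WebGUI pass on LAN at all.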

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.