Locking down pfSense
-
I will try that when I get home. I do believe I was using the interface. Thank you. I'll reply back when I have had a chance to test it.
-
Thank you very much! That was exactly what I was missing. What is the difference between LAN and LAN subnet? I am trying to learn this firewall. I appreciate your insight. Again, thank you.
-
LAN-address means exactly that:
the address of the pfSense on the LAN interface.
LAN-subnet means exactly that:
the subnet which is connected to the LAN interface.
-
Gruens, I followed your instructions but I keep losing connectivity. Then I switch back to the default.
In 'Alias' I chose:
Type: port(s)
Port(s): 80, 443, 68, and 53
In 'Firewall: Rules: LAN' I chose:
Action: pass
Interface: LAN
Protocol: any
Source: type: LAN subnet
Destination: type: Single Host or Alias
Address: nameofmyalias
What am I doing wrong?
-
You have a port-alias in an address-field.
Reread my generic example above.
-
Easiest way:
- Delete the default rule on the LAN.
  --> No rules at all on the LAN.
- Create an alias containing all the ports you want to allow (Firewall --> Aliases) (21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 993, etc.)
- Create a rule on LAN:
  Protocol: any
  Source: LAN-subnet (not address)
  Source-port: any
  Destination: any
  Destination-port: YourAliasName
  Gateway: default
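For readers who want to see what the GUI recipe above turns into underneath, here is the same egress allow-list written as pf rules. This is an added example, not part of the thread and not pfSense's generated ruleset; it assumes the LAN interface is em1 and the LAN subnet is 192.168.1.0/24, and it shows the two mis-configurations from the thread next to the working rule.

```pf
# Added example (not from the thread). Assumptions: LAN interface em1,
# LAN subnet 192.168.1.0/24. pfSense's generated /tmp/rules.debug is more
# elaborate (tables, per-interface macros), but the matching logic is the same.

lan_if  = "em1"
lan_net = "192.168.1.0/24"

# The port alias ("YourAliasName" in the GUI).
allowed_ports = "{ 21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 993 }"

# Deleting the default "LAN to any" rule leaves the LAN with pf's
# default deny; written out explicitly here so the ordering is visible.
block in log on $lan_if all

# WRONG (first attempt in the thread): protocol "any" has no ports, so
# pfctl rejects a port list here and the GUI hides the port field.
#   pass in quick on $lan_if from $lan_net to any port $allowed_ports

# WRONG: "LAN address" is the firewall's own address on em1 (written
# ($lan_if) in pf). Client traffic from the subnet never matches it.
#   pass in quick on $lan_if proto { tcp, udp } from ($lan_if) to any port $allowed_ports keep state

# RIGHT: TCP and UDP from the LAN subnet to the allowed destination ports.
# Note what this leaves out: ICMP (ping) from the LAN is now blocked,
# and port 68 in the poster's alias is the DHCP client port, which is
# never a destination a client sends to.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to any port $allowed_ports keep state
```

On pfSense you do not load this by hand; the GUI writes the ruleset for you. The useful check is to compare what it generated with what you intended: `pfctl -sr` prints the loaded rules and `cat /tmp/rules.debug` shows the file pfSense built, including the hidden rules it adds on its own (for example for its DHCP server). On a plain FreeBSD or OpenBSD host, `pfctl -nf rules.conf` syntax-checks a file like this without loading it.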
Gruens, I reread your original instructions (above).
I keep losing the connection every time I enable the configuration method you suggested. I tried several times, making small changes one by one. Nothing worked. I was so happy earlier today when I was teaching myself regular expressions and succeeding. Then I attempted to configure this router again...
There is nothing on the Firewall Rules > LAN page that says "Destination-port".
When I set the Source to any I cannot put anything into the "Address" field.
What should I put in each of these fields?
Action:
Interface:
Protocol:
Source:
Type:
Address:
Source port range:
Destination:
Type:
Address:
Anything else I need to do?
Should I reboot the router after saving the changes?
Thank you so much for your help!
-
d'oh.
Set as protocol TCP/UDP ^^"
Otherwise you don't have the option to specify ports (since not all protocols feature ports).
-
I tried what you said.
Still did not work...
Every time I added the alias the Internet connection failed.
I have tried a couple of other things and now the router is completely hosed...
-
Screenshot of your rules configured according to GruensFroeschli please?
-
Eugene, I had to start all over from scratch.
Can you tell me how to do it in an easy to understand way? Thanks.
-
P.S. what is the next step in hardening pfsense after configuring certain ports with an alias?
-
To harden your setup more:
Set the WebGUI to https.
Set the WebGUI to a different port than 443 (I usually use 444 :D ).
Disable the anti-lockout rule (under System --> Advanced) and allow access only from a source you control.
Or even better: don't allow access to the webGUI at all besides via a VPN (OpenVPN comes to mind).
Run as few packages/services as possible.
But these are just generic "security measures".
pfSense with the default settings is already pretty safe.
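The WebGUI restriction from the post above, written out as pf rules so the ordering is explicit. This is an added example, not from the thread and not pfSense's own generated rules; it assumes the LAN interface is em1, the LAN subnet is 192.168.1.0/24, a single admin workstation at 192.168.1.10, and that the WebGUI has already been moved to HTTPS on port 444.

```pf
# Added example (not from the thread). Assumptions: LAN interface em1,
# LAN subnet 192.168.1.0/24, admin workstation 192.168.1.10, WebGUI on
# HTTPS port 444. With the anti-lockout rule disabled, nothing else lets
# the LAN reach the GUI, so the order of these rules is what matters.

lan_if  = "em1"
lan_net = "192.168.1.0/24"
admin   = "192.168.1.10"

# Only the admin workstation may reach the WebGUI on the firewall
# itself. ($lan_if) is pf's way of saying "the address of em1", i.e.
# the GUI's "LAN address" / "This Firewall" destination.
pass in quick on $lan_if proto tcp from $admin to ($lan_if) port 444 keep state

# Everyone else on the LAN is refused (and logged) before any broader
# "LAN to any" rule can match. SSH on 22 gets the same treatment.
block in log quick on $lan_if proto tcp from $lan_net to ($lan_if) port { 444, 22 }

# Ordinary outbound traffic stays as before (or use the port alias rule
# from earlier in the thread instead of "to any").
pass in quick on $lan_if proto { tcp, udp } from $lan_net to any keep state
```

Two practical checks before you rely on this. First, disable the anti-lockout rule only after the pass rule is in place and you have confirmed from the admin host that the GUI still loads, otherwise the next login is at the console. Second, if you follow the "VPN only" advice, the pass rule moves off the LAN interface entirely: the source becomes the VPN tunnel network on the OpenVPN interface, and the LAN gets only the block rule.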