Netgate Discussion Forum

    Locking down pfSense

    Category: Firewalling
    14 Posts 4 Posters 11.6k Views
    • RussMuscle

      Thank you very much!  That was exactly what I was missing.  What is the difference between LAN and LAN subnet?  I am trying to learn this firewall.  I appreciate your insight.  Again, thank you.

      • GruensFroeschli

        LAN-address means exactly that.
        The address of the pfSense on the LAN interface.

        LAN-subnet means exactly that.
        The subnet which is connected to the LAN interface.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • joebobfrank

          Gruens, I followed your instructions but I keep losing connectivity. Then I switch back to the default.

          In 'Alias' I chose:

          Type: port(s)
          Port(s): 80, 443, 68, and 53

          In 'Firewall: Rules: LAN' I chose:

          Action: pass
          Interface: LAN
          Protocol: any
          Source: type: LAN subnet
          Destination: type: Single Host or Alias
                          Address: nameofmyalias

          What am I doing wrong?

          • GruensFroeschli

            You have a port-alias in an address-field.
            Reread my generic example above.


            • joebobfrank

              @GruensFroeschli:

              Easiest way:
              • Delete the default rule on the LAN.
                --> No rules at all on the LAN.

              • Create an alias containing all the ports you want to allow (firewall --> alias) (21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 993, etc.)
              • Create a rule on LAN:
                Protocol: any
                Source: LAN-subnet    (not address)
                Source-port: any
                Destination: any
                Destination-port: YourAliasName
                Gateway: default

              Gruens, I reread your original instructions (above).
              I keep losing the connection every time I enable the configuration method you suggested. I tried several times, making small changes one by one. Nothing worked. I was so happy earlier today when I was teaching myself regular expressions and succeeding. Then I attempted to configure this router again...

              There is nothing on the Firewall Rules > LAN page that says "Destination-port".
              When I set the Source to any I cannot put anything into the "Address" field.

              What should I put in each of these fields?

              Action:

              Interface:

              Protocol:

              Source:
              Type:   
              Address:

              Source port range:

              Destination:
              Type:   
              Address:

              Anything else I need to do?
              Should I reboot the router after saving the changes?

              Thank you so much for your help!


              • GruensFroeschli

                d'oh.
                Set as protocol TCP/UDP ^^"
                Otherwise you don't have the option to specify ports (since not all protocols feature ports).


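As an added illustration (not pfSense's generated ruleset and not code from anyone in this thread), this is what the LAN rule GruensFroeschli describes amounts to in pf.conf terms; the interface name, subnet and alias contents are assumptions.

```pf
# Added example: pf.conf equivalent of the "port alias on LAN" rule from the thread.
# em1, 192.168.1.0/24 and the alias contents are assumed values for illustration.
lan_if        = "em1"
lan_net       = "192.168.1.0/24"
# the port alias built under Firewall --> Aliases (ports chosen as in the thread)
allowed_ports = "{ 53, 80, 443, 68 }"

# With the default "LAN to any" rule deleted, nothing is passed on LAN
# unless a later rule matches it.
block in on $lan_if

# What "Protocol: any" plus a destination port would amount to. pfctl refuses
# this ("port only applies to tcp/udp"), which is why the GUI hides the port
# fields until the protocol is TCP, UDP or TCP/UDP:
# pass in on $lan_if from $lan_net to any port $allowed_ports

# The working rule: TCP/UDP as the protocol, LAN subnet (not LAN address) as
# the source, any destination, and the port alias as the destination port.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to any port $allowed_ports keep state
```

Because the source is the LAN subnet, every host behind the LAN interface matches; with "LAN address" only packets sourced from the firewall's own LAN IP would match, which is the distinction explained earlier in the thread.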
                • joebobfrank

                  I tried what you said.

                  Still did not work...

                  Every time I added the alias the Internet connection failed.

                  I have tried a couple of other things and now the router is completely hosed....

                  • Eugene

                    Screenshot of your rules configured according to GruensFroeschli please?

                    http://ru.doc.pfsense.org

                    • joebobfrank

                      Eugene, I had to start all over from scratch.
                      Can you tell me how to do it in an easy to understand way? Thanks.

                      • joebobfrank

                        P.S. What is the next step in hardening pfSense after configuring certain ports with an alias?

                        • GruensFroeschli

                          To harden your setup more:
                          Set the WebGUI to https.
                          Set the WebGUI to a different port than 443 (I usually use 444 :D).
                          Disable the anti-lockout rule (under System --> Advanced) and allow access only from a source you control.
                          Or even better: don't allow access to the WebGUI at all besides via a VPN (OpenVPN comes to mind).

                          Run as few packages/services as possible.

                          But these are just generic "security measures".
                          pfSense is with the default settings already pretty safe.


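As an added illustration of the management-access advice above (not pfSense's own ruleset and not from anyone in this thread), the anti-lockout behaviour and the restricted replacement side by side in pf.conf terms; the interface, subnet, admin host and WebGUI port are assumptions.

```pf
# Added example: restricting WebGUI access to one source you control.
# em1, 192.168.1.0/24, 192.168.1.10 and port 444 are assumed values.
lan_if     = "em1"
lan_net    = "192.168.1.0/24"
admin_host = "192.168.1.10"      # the single management host
webgui     = "444"               # WebGUI moved off 443 and served over HTTPS only

# Default deny on LAN; application traffic is handled by the port-alias
# rule shown earlier in the thread.
block in on $lan_if

# Weak (what the anti-lockout rule amounts to): any LAN host may reach the WebGUI.
# pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port $webgui

# Hardened: only the admin host reaches the WebGUI on the firewall's LAN
# address; all other LAN hosts are dropped by the block rule above.
pass in quick on $lan_if proto tcp from $admin_host to ($lan_if) port $webgui keep state
```

Keep the anti-lockout rule enabled until the restricted rule is confirmed working from the admin host, otherwise a typo here locks you out of the GUI the same way the thread's earlier experiments cut off the LAN.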
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.