Netgate Discussion Forum

    Terse Install HOWTO on Steroids

    Category: Problems Installing or Upgrading pfSense Software
    3 Posts, 2 Posters, 3.9k Views
    rnsc:

      A couple of months ago, when I started working with pfSense, all the how-tos I was able to find stepped through the trivial steps to a "Default Allow" install without guiding you through the full configuration.  The "Definitive Guide" makes it very clear that "Default Deny" is the way to go, but I could find no rule sets to start with.

      The attached file steps through every single step, menu, and dialog box very tersely, with explanatory comments interspersed.  It provides both a "Default Allow" and a "Default Deny" rule set, including rules (the subject of another recent post) enabling an Xbox 360 to work.

      The configuration is for three internal networks:

      LAN:  Trusted "Trustworthy" machines (UN*X)
      YEL:  Trusted "Un-Trustworthy" machines (Windows, fully patched w/ AV etc.)
      ORA:  Un-Trusted scum (Xbox 360, unpatched machines, Windows without AV, people who walk in the door, etc.)

      All networks can get at the Internet, LAN can get anywhere, and YEL and ORA can get to LAN only through ssh or IPP (To print).  If you have a simpler setup, you can simply ignore the sections for the extra interfaces.

      Note that I am by no means a security expert.  I started from deny everything and built the rules by adding capabilities that were obviously needed (e.g. ftp, ssh, cPanel, etc.) and other things as they came up.  Nothing new has come up in the past month.  I am confident that it is pretty complete, and very confident that it is fairly safe since I started with deny everything.  Many people (including me until a month ago) run with a wide-open default allow.  This is clearly worlds better than that.

      I would be very grateful for feedback from experts, which I will incorporate through editing.  I am afraid that I am no longer running pfsense since I failed in my attempts to get content (keyword) filtering running.  However if you are new to pfsense, note that this IS the place to be…as long as you do not need keyword filtering!

      If you are a newbie, I hope that this will eliminate the high barrier that I felt by providing a detailed, robust example with a complete ruleset and explanatory comments.

      --Ray
      pfsense_1.2.3_InstallNotes.txt

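      The policy described in the post above (default deny; LAN may go anywhere; YEL and ORA may reach the Internet but may reach LAN only over ssh and IPP), written out as a hand-written pf ruleset. This is an added illustration, not the contents of the attached pfSense notes and not anything pfSense generates itself: pfSense builds its own pf.conf from the GUI, and its GUI rules are first-match (it adds "quick" for you), which is why every rule below carries "quick" so the file reads top-down the way the GUI does. The interface names (em0..em3), the subnets, and the choice of RFC 1918 space as "not the Internet" are assumptions.

```pf
# Added example: pf ruleset for the LAN / YEL / ORA layout.
# Interface names and subnets are assumed, not taken from the post.
wan_if  = "em0"
lan_if  = "em1"
yel_if  = "em2"
ora_if  = "em3"
lan_net = "192.168.1.0/24"
yel_net = "192.168.2.0/24"
ora_net = "192.168.3.0/24"

# Everything in private address space counts as "internal"; anything else is the Internet.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Outbound NAT for all three internal networks.
nat on $wan_if inet from { $lan_net, $yel_net, $ora_net } to any -> ($wan_if)

# Default deny: with "quick" on every pass rule below, anything not matched
# falls through to this and is dropped and logged.
block log all

# Drop packets whose source address does not belong on the interface they arrived on.
antispoof log quick for { $wan_if, $lan_if, $yel_if, $ora_if }

# Traffic the firewall itself originates (DNS forwarding, NTP, package fetches).
pass out quick on $wan_if inet keep state

# Services the firewall offers to every internal segment: DHCP and DNS.
pass in quick on { $lan_if, $yel_if, $ora_if } inet proto udp \
    from any port 68 to 255.255.255.255 port 67
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to ($lan_if) port 53 keep state
pass in quick on $yel_if inet proto { tcp, udp } from $yel_net to ($yel_if) port 53 keep state
pass in quick on $ora_if inet proto { tcp, udp } from $ora_net to ($ora_if) port 53 keep state

# LAN is trusted: it may reach anywhere, including YEL and ORA.
pass in quick on $lan_if inet from $lan_net to any keep state

# YEL and ORA may reach LAN only over ssh (tcp/22) and IPP printing (tcp/631).
pass in quick on $yel_if inet proto tcp from $yel_net to $lan_net port { 22, 631 } keep state
pass in quick on $ora_if inet proto tcp from $ora_net to $lan_net port { 22, 631 } keep state

# Everything else from YEL/ORA towards private space (LAN, each other, the
# firewall's other addresses) is dropped before the Internet rule can match it.
block log quick on { $yel_if, $ora_if } inet from any to <rfc1918>

# What remains is Internet-bound traffic, which both segments may send.
pass in quick on $yel_if inet from $yel_net to any keep state
pass in quick on $ora_if inet from $ora_net to any keep state
```

      The order matters: the two ssh/IPP rules sit above the RFC 1918 block so they win, and the block sits above the catch-all Internet rule so that "to any" cannot leak YEL or ORA traffic into LAN. Because pf states are floating by default, reply packets and the outbound leg on $wan_if are matched by the state created on the inbound interface, so no separate "pass out" rules are needed for forwarded traffic. Check the result with "pfctl -vnf /etc/pf.conf" before loading it, and watch "tcpdump -n -e -ttt -i pflog0" while testing each segment so that anything hitting the default block shows up immediately.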
      rnsc:

        RE: my comment:

            I am afraid that I am no longer running pfSense since I failed in my attempts to get content (keyword) filtering running.

        I am back to pfSense.  The other solution has a rich set of extensions doing everything I needed, and the base system worked great, but once I waded into the extensions, while they no doubt worked by themselves, (1) there was no maintained set of the "latest" directions correlated to version (one had to read hundreds of mail notes only to find the information not there), and (2) they were uncoordinated, so one extension stepped on another.

        I also found that the other platform introduced long and random packet delays that totally trashed online gaming.  Restoring pfSense restored perfection.  I hope that these comments encourage others wondering whether pfSense is a good thing vs. yet another firewall project.  It is clearly in a class by itself.  Thank you to all who created it.

        I hope I can work this HOWTO into something to help others adopt pfSense.

        jimp (Rebel Alliance Developer, Netgate):

          You might be able to have the best of both worlds if you set up your keyword filtering software on another box (in a DMZ, perhaps) and then forward web traffic through it.

          Keyword filtering is rather expensive in terms of CPU; it would probably be better on its own box anyhow.  I know some people have set up a separate server for something such as DansGuardian to use as a local proxy.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.