Terse Install HOWTO on Steriods
-
A couple of months ago when I started working with pfsense, all how-to's I was able to find stepped through the trivial steps to a "Default Allow" install, not guiding you through the full configuration. The "Definitive Guide" makes it very clear that a "Default Deny" is the way to go, I could find no rule sets to start with.
The attached file steps through every single step, menu, and dialog box very tersely, with explanatory comments interspersed. It provides both a "Default Allow" and a "Default Deny" rule set, including rules (subject of another recent post) enabling an XBox 360 to work.
The configuration is for three internal networks:
LAN: Trusted "Trustworthy" machines (UN*X)
YEL: Trusted "Un-Trustworthy" machines (Windows, fully patched w/ AV etc.)
ORA: Un-Trusted scum (XBox360, Unpatched, Windows without AV, people who walk in the door, etc.All networks can get at the Internet, LAN can get anywhere, and YEL and ORA can get to LAN only through ssh or IPP (To print). If you have a simpler setup, you can simply ignore the sections for the extra interfaces.
Note that I am by no means a security expert. I started from deny everything and built the rules by adding capabilities that were obviously needed (e.g. ftp, ssh, CPanel, etc.) and other things as they came up. Nothing new has come up in the past month. I am confident that it is pretty complete, and very confident that it is fairly safe since I started with deny everything. Many people (Including me before a month ago) run with a wide-open default allow. This is clearly worlds better than that.
I would be very grateful for feedback from experts, which I will incorporate through editing. I am afraid that I am no longer running pfsense since I failed in my attempts to get content (keyword) filtering running. However if you are new to pfsense, note that this IS the place to be…as long as you do not need keyword filtering!
If you are a newbie, I hope that this will eliminate the high barrier that I felt by providing a detailed, robust example with a complete ruleset and explanatory comments.
-
RE: my comment
I am afraid that I am no longer running pfsense since I failed in my attempts to get content (keyword) filtering running.!
I am back to PFSense. The other solution has a rich set of extensions doing everything I needed, and the base system worked great, but once I waded in the extensions while they no doubt worked by themselves where (1) There was no maintained set of the "latest" directions correlated to version. One had to read hundreds of mailnotes only to find the information not there, and (2) They were uncoordinated, so one extension stepped on another.
Also found that the other platform introduced long and random packet delays that totally trashed online gaming. Restoring PFSense restored perfection. I hope that these comments encourage others wondering if PFSense is a good thing vs. yet another firewall project. It is clearly in a class by itself. Thank you all who created it.
I hope I can work this HOWTO into something to help others adopt PFSense.
-
You might be able to have the best of both worlds if you setup your keyword filtering software on another box (in a DMZ, perhaps) and then forward web traffic through it.
Keyword filtering is rather expensive in terms of CPU, it would probably be better on its own box anyhow. I know some people have setup a separate server for something such as DansGuardian to use as a local proxy.