Netgate Discussion Forum

Block pfsense localhost flows?

Category: Firewalling
9 Posts 3 Posters 3.5k Views
crester
last edited by May 13, 2013, 5:52 PM

Hello.
I have just installed pfSense and I recognize it is intuitive, but I have no idea beyond my background in other firewalls.

I am able to NAT, do rules, get Snort working and so on.

But I have seen I can connect from pfSense to anywhere, and I can ping, e.g., an Internet address.

I have created an any-any-drop rule for each interface, and in none of them is there a rule to allow ping, but still I can ping from the host, and I have no logs regarding this traffic.

How can I block the firewall host from getting certain flows?

Thank you.
gderf
last edited by May 13, 2013, 6:16 PM

Rules on an interface only apply to packets coming into the firewall on that interface. They cannot have an effect on packets originating from inside the firewall.
crester
last edited by May 13, 2013, 6:43 PM

So, is it impossible to have rules that apply to the firewall as-is?

Don't you think it is a security breach, having the firewall host with whole flows to all the hosts connected "to it"?
gderf
last edited by May 13, 2013, 7:01 PM

Password protect the console and/or restrict physical access to it. Do not allow unauthorized access to the shell and GUI.
crester
last edited by May 13, 2013, 7:55 PM

Yep, it is on page 1 of the good practices manual.

What about, e.g., a pfSense 0-day and a host compromise?
There are no keys, passwords or physical access.
gderf
last edited by May 13, 2013, 8:55 PM

How would anything you could do with the firewall configuration protect you against a pfSense remote access vulnerability? If they can breach the firewall via external access they can gain a shell and reconfigure it to their desire, removing anything you had put in place to protect attached networks.

I just don't understand your concern. Maybe you could explain it more fully. How is pfSense any different than any other security solution in this regard?
cmb
last edited by May 13, 2013, 11:25 PM

You can use floating rules to override the default pass out.
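To make cmb's answer concrete, here is an added example (not from the thread, and not pfSense project code) written in the pf syntax that pfSense generates from its GUI. It shows the shape of the generated "default pass out" rule that lets the firewall host ping anywhere, and a floating rule that blocks and logs firewall-originated pings. The interface name em0 (assumed to be WAN) and the label text are assumptions; the quoted generated rule is the one pfSense emits under the label "let out anything from firewall host itself".

```pf
# Added example, not part of the original thread or of pfSense itself.
# Interface name em0 and the rule label below are assumptions.

# pfSense's generated ruleset contains a NON-quick rule of this shape. It is
# why the firewall host can ping out even though no interface rule allows it:
#
#   pass out inet all keep state allowtagged label "let out anything from firewall host itself"
#
# Why an interface rule never helps here (gderf's point): interface rules are
# "in" rules on their interface, and a packet originating on the firewall is
# never received "in" on any interface. It only ever traverses an "out" rule
# on the egress interface, so only an out-direction floating rule can match it.
#
# pf evaluates rules in order and the LAST matching rule wins, unless a
# matching rule carries "quick", which stops evaluation at once. Making the
# floating block rule "quick" means it wins whether pfSense places it before
# or after the generated pass-out rule above.

# Floating rule as the GUI would emit it
# (Firewall > Rules > Floating, Direction: out, Quick: checked, Log: checked).
# "(self)" expands to every address configured on the firewall.
block out log quick on em0 inet proto icmp from (self) to any icmp-type echoreq label "USER_RULE: block firewall-originated ping"

# Everything else the firewall itself sends still falls through to the
# generated pass-out rule, so DNS, NTP and package updates keep working
# unless explicitly blocked by another floating rule placed above this point.
```

Two practical notes: the `log` keyword is what makes these packets appear in the firewall log, which addresses the missing log entries in the first post, and `pfctl -sr` on the pfSense shell shows the loaded ruleset so the floating rule's position relative to the generated pass-out rule can be confirmed. A block rule only stops new state creation; a ping that already has a state entry keeps flowing until that state expires or is cleared.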
crester
last edited by May 14, 2013, 10:41 AM

@gderf:

How would anything you could do with the firewall configuration protect you against a pfsense remote access vulnerability? If they can breach the firewall via external access they can can gain a shell and reconfigure it to their desire, removing anything you had put in place to protect attached networks.

I just don't understand your concern. Maybe you could explain it more fully. How is pfsense any different than any other security solution in this regard?

Hi gderf,

Let's suppose there is a worm that is not designed to attack pfSense as is, but it works in a Linux/BSD environment.
Let's suppose an administrator infects the pfSense host with the worm.
This worm is unable to change the rules. This worm is unable to gain a shell.

But this worm is a zombie that is able to read, tcpdump, and so on.

This is only a thought in a forum… but I still think there must be control over the flows from the firewall.
crester
last edited by May 14, 2013, 10:42 AM

@cmb:

You can use floating rules to override the default pass out.

Thank you cmb.

I will have a look to see what I can do with floating rules.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.