Netgate Discussion Forum

    Block pfsense localhost flows?

    Firewalling
    9 Posts 3 Posters 3.5k Views

    crester

      Hello.
      I have just installed pfSense and I recognize it is intuitive, but I have no knowledge of it beyond my background in other firewalls.

      I am able to NAT, create rules, get Snort working and so on.

      But I have seen that I can connect from pfSense to anywhere, and I can ping e.g. an Internet address.

      I have created an any-any-drop rule for each interface, and in none of them is there a rule to allow ping, but I can still ping from the host, and I have no logs regarding this traffic.

      How can I block the firewall host from getting certain flows?

      Thank you.

        gderf

        Rules on an interface only apply to packets coming into the firewall on that interface. They cannot have an effect on packets originating from inside the firewall.

          crester

          So, is it impossible to have rules that apply to the firewall itself?

          Don't you think it is a security breach having the firewall host with full flows to all the hosts connected to it?

            gderf

            Password protect the console and/or restrict physical access to it. Do not allow unauthorized access to the shell and GUI.

              crester

              Yep, it is on page 1 of the good practices manual.

              What about, e.g., a pfSense 0-day and a host compromise?
              There are no keys, passwords or physical access.

                gderf

                How would anything you could do with the firewall configuration protect you against a pfSense remote access vulnerability? If they can breach the firewall via external access they can gain a shell and reconfigure it to their desire, removing anything you had put in place to protect attached networks.

                I just don't understand your concern. Maybe you could explain it more fully. How is pfSense any different from any other security solution in this regard?

                  cmb

                  You can use floating rules to override the default pass out.

                    crester
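What cmb's suggestion looks like in pf rule syntax, as an added example that is not part of the thread and not pfSense's own documentation. pfSense writes its generated ruleset to /tmp/rules.debug; the relative ordering shown here (built-in "let out anything" rule before the user's floating rules) reflects that file as I recall it and is an assumption for illustration, as are the interface name em0 and the rule labels. The point that makes the override work is pf's matching semantics: the last matching rule wins unless a rule carries "quick", in which case the first quick match is final. The built-in pass-out rule is not quick, so a later floating rule with Quick enabled (Direction: out, Log: checked) wins and is logged.

```pf
# Added example, not from the thread. pf syntax in the style pfSense emits.
# Assumptions: WAN is em0; "(self)" is pfSense's "This Firewall" address list
# (every interface address on the box); labels are illustrative.

# pfSense's built-in rule that lets the firewall host itself reach anything.
# It is not "quick", so a later matching rule can still override it.
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"

# Floating rule: Direction out, Quick on, Log on.
# Drops and logs ICMP that the firewall itself sends out the WAN, which is
# exactly the ping from the host that interface rules never see.
block out log quick on em0 inet proto icmp from (self) to any label "USER_RULE: block ICMP from firewall"

# Stricter variant: deny everything the host originates on WAN except what it
# must reach. With quick rules the first match is final, so the pass rules
# must sit above the catch-all block.
pass out quick on em0 inet proto { tcp udp } from (self) to any port 53 keep state
pass out quick on em0 inet proto udp from (self) to any port 123 keep state
block out log quick on em0 inet from (self) to any label "USER_RULE: default deny from firewall on WAN"
```

Two caveats before locking the host down this way. Established states are not re-evaluated when rules change, so a flow that is already open keeps running until the state table is reset (Diagnostics > States). And the firewall host has legitimate outbound needs of its own: the DNS resolver or forwarder, NTP, package and rule updates for Snort, dynamic DNS, and (if used) VPN peers; a catch-all block without pass rules for those will break them silently, and an IPv4-only rule (`inet`) leaves the `inet6` default pass untouched. After applying, confirm the order with `pfctl -sr` and watch the match counters with `pfctl -vvsr` while pinging from Diagnostics > Ping.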

                    @gderf:

                    How would anything you could do with the firewall configuration protect you against a pfSense remote access vulnerability? If they can breach the firewall via external access they can gain a shell and reconfigure it to their desire, removing anything you had put in place to protect attached networks.

                    I just don't understand your concern. Maybe you could explain it more fully. How is pfSense any different from any other security solution in this regard?

                    Hi gderf,

                    Let's suppose there is a worm that is not designed to attack pfSense as such, but it works in Linux/BSD environments.
                    Let's suppose an administrator infects the pfSense host with the worm.
                    This worm is unable to change the rules. This worm is unable to gain a shell.

                    But this worm is a zombie that is able to read, tcpdump, and so on.

                    This is only a thought in a forum... but I still think there must be control over the flows from the firewall.

                      crester

                      @cmb:

                      You can use floating rules to override the default pass out.

                      Thank you cmb.

                      I will have a look to see what I can do with floating rules.
