Netgate Discussion Forum

Taming the beasts… aka suricata blueprint

IDS/IPS
  • N
    n3by
    last edited by Oct 20, 2015, 7:21 AM

    Be careful with chosen ports, not to be used by normal applications because you will cut access to this ports.

    You will put restriction rule from LAN only if you want to have specifics designated computers that can access the admin ports.

    Attached floating rule for WAN and rule for LAN.

    p.s.
    you can use as destination: "This firewall (self)" instead of any

    ![2015-10-20 10.01.07.jpg](/public/imported_attachments/1/2015-10-20 10.01.07.jpg)
    ![2015-10-20 10.14.02.jpg](/public/imported_attachments/1/2015-10-20 10.14.02.jpg)

    • D
      dmitri_oga
      last edited by Oct 20, 2015, 8:45 PM

      @n3by:

      Be careful with chosen ports, not to be used by normal applications because you will cut access to this ports.

      You will put restriction rule from LAN only if you want to have specifics designated computers that can access the admin ports.

      Attached floating rule for WAN and rule for LAN.

      p.s.
      you can use as destination: "This firewall (self)" instead of any

      Appreciate it! Thanks a lot. Kudos.

      • ?
        A Former User
        last edited by Oct 30, 2015, 8:41 PM

        So long and thanks for all the fish.

        • P
          pfcode
          last edited by Nov 1, 2015, 4:42 AM

          @jflsakfja:

          So long and thanks for all the fish.

          Oh, NO. Are you leaving us? What's happening?

          Release: pfSense 2.4.3(amd64)
          M/B: Supermicro A1SRi-2558F
          HDD: Intel X25-M 160G
          RAM: 2x8Gb Kingston ECC ValueRAM
          AP: Netgear R7000 (XWRT), Unifi AC Pro

          • G
            G.D. Wusser Esq.
            last edited by Nov 10, 2015, 1:56 AM

            @jflsakfja:

            So long and thanks for all the fish.

            Farewell. Thank you for everything.
            Hoping you will return.

            • P
              pfsenseboonie
              last edited by Mar 28, 2016, 8:07 AM Mar 27, 2016, 10:36 PM

              Hi I am trying to create the golden custom rules and need help…

              ```
              # ![ports,open,on:firewall] is a placeholder for the list of ports the firewall actually answers on
              # (the real rule needs a literal port group, e.g. ![22,443]); every rule must carry its own sid
              alert tcp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)
              alert udp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900001; rev:1;)
              # inbound from a low source port to a low destination port
              alert tcp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900002; rev:1;)
              alert udp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900003; rev:1;)
              ```

              The first two are to block incoming traffic to closed ports.
              The last two are to block incoming traffic from low ports to low ports.

              How should I adjust them in the msg bit, or do you have any other comments on them?

              Thanks.

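A small generator for the kind of rules drafted above, added here as an example and not code from the thread or the pfSense Suricata package: it builds the negated port group from a whitelist of open ports, gives each rule a distinct sid and msg, and checks the result for duplicate sids (Suricata reports a repeated sid as a duplicate-signature error and will not load the second rule). The port lists and the sid base are constructed placeholders, and all four rules use $HOME_NET as destination.

```python
"""Build Suricata "closed port" rules from a whitelist of open firewall ports
and check the result for duplicate sids.  Added example for this thread; the
port lists and sid base below are constructed placeholders."""
import re

# Constructed example: the only ports this firewall is meant to answer on.
OPEN_TCP_PORTS = [22, 443, 1194]
OPEN_UDP_PORTS = [1194]
SID_BASE = 9900000  # local rules use sids >= 1000000; each must be unique


def negated_port_list(ports):
    """Suricata port-group syntax: ![22,443] matches every port except these.
    With no open ports at all, every port is closed, so the group is 'any'."""
    ports = sorted(set(int(p) for p in ports))
    if not ports:
        return "any"
    return "![" + ",".join(str(p) for p in ports) + "]"


def closed_port_rules(tcp_open, udp_open, sid_base=SID_BASE):
    """Emit one rule per protocol alerting on inbound packets to closed ports,
    plus the low-port-to-low-port pair, each with its own sid and msg."""
    specs = [
        ("tcp", "any", negated_port_list(tcp_open), "Inbound TCP to closed port"),
        ("udp", "any", negated_port_list(udp_open), "Inbound UDP to closed port"),
        ("tcp", "[0:1023]", "[0:1023]", "Inbound TCP low port to low port"),
        ("udp", "[0:1023]", "[0:1023]", "Inbound UDP low port to low port"),
    ]
    return [
        f"alert {proto} $EXTERNAL_NET {sport} -> $HOME_NET {dport} "
        f'(msg:"{msg}"; classtype:attempted-recon; sid:{sid_base + i}; rev:1;)'
        for i, (proto, sport, dport, msg) in enumerate(specs)
    ]


SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def duplicate_sids(rules):
    """Return the set of sids used by more than one rule; must be empty."""
    seen, dups = set(), set()
    for rule in rules:
        m = SID_RE.search(rule)
        if m is None:
            continue  # not a rule line (comment or blank)
        sid = int(m.group(1))
        if sid in seen:
            dups.add(sid)
        seen.add(sid)
    return dups


if __name__ == "__main__":
    generated = closed_port_rules(OPEN_TCP_PORTS, OPEN_UDP_PORTS)
    print("\n".join(generated))
    print("duplicate sids:", duplicate_sids(generated) or "none")
```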
              • L
                lobotiger
                last edited by Apr 4, 2016, 1:32 PM

                Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum.  Is it worth reading 30 pages to get this setup?  Is the snort page any better?

                LoboTiger

                • N
                  n3by
                  last edited by Apr 4, 2016, 4:13 PM

                  My advice is to install Suricata if possible.
                  Yesterday I just had to uninstall Snort and install Suricata on one remote site after I saw high CPU load and high CPU temperature without traffic. Reason: Snort was at >10-15% CPU; in the same conditions Suricata is now at 1-2% CPU, which is fine.
                  The other site had Suricata installed and no problems; both sites are running pfSense 2.2.5 with a site-to-site VPN.

                  • D
                    Downloadski
                    last edited by Apr 4, 2016, 7:38 PM

                    @lobotiger:

                    Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum.  Is it worth reading 30 pages to get this setup?  Is the snort page any better?

                    LoboTiger

                    I am an absolute beginner and I found this thread very interesting to get some understanding of the principles of good security.
                    So I will re-read it and start to implement it.

                    • T
                      TDJ211
                      last edited by Apr 26, 2016, 5:49 AM

                      @lobotiger:

                      Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum.  Is it worth reading 30 pages to get this setup?  Is the snort page any better?

                      LoboTiger

                      It's probably the best read you'll find on the net about IDS/IPS security. Most of what you need to know is in the first few pages anyway.

                      • G
                        glint.bladesong
                        last edited by May 13, 2016, 6:15 AM

                        SO… all quiet on the western front?

                        Did I miss a memo somewhere about what happened to this project, or the guide v2?

                        • 2
                          2chemlud Banned
                          last edited by May 13, 2016, 6:53 AM

                          Not an expert, but I guess… yes

                          https://forum.pfsense.org/index.php?topic=88244.0

                          • T
                            TDJ211
                            last edited by May 13, 2016, 7:05 AM

                            That's not it. They eventually gave him permission to use a disclaimer and from that point on, the project was under way. But then jflsakfja got into a serious car accident and he's just had to put all of this on pause till he gets better.

                            • G
                              glint.bladesong
                              last edited by May 13, 2016, 1:01 PM

                              If that is indeed the case then he has my deepest and genuine sympathies and I wish him a hearty, fast and total recovery.

                              • P
                                pfBasic Banned
                                last edited by Feb 17, 2017, 10:11 PM Jul 6, 2016, 11:13 PM

                                First off, great topic! I am completely new to all of this and I've spent hours reading through this topic and looking out over the internet to try to understand it.

                                The reason I made an account and posted is because I attempted to type up a How-To for the super-layman.
                                I attached it here and would love to get your feedback on it. There are certainly fundamental errors in it simply because I do not understand this stuff and my interpretations of what's going on are bound to be incorrect (hopefully not all the time).
                                If those of you who know what's going on would be so kind as to give me feedback and correct me, I'll revise and re-post the corrected copy. The intent is to have a document that I or someone like myself could pick up and use to set up pfSense in a secure way without any prior knowledge.

                                So I got on eBay and for $130 purchased a SFF HP with an i5-2400, 8GB RAM and 640GB HDD and an Intel PRO/1000 PT dual NIC. I know it's overkill, but it was cheap.
                                Going through MANY hours of YouTube tutorials on pfSense and networking in general I learned that most of what I want to do on pfSense can be achieved by simply following instructions without very much understanding. However, it seemed to me that firewall rules (what pfSense was actually made for) actually needed to be understood at least on a basic level since they are so specific to what you're using them for. Then I found this thread, I read through it, and didn't understand much. So I read through more, researched things online and started typing up a step-by-step document that I could use to accomplish each task and have some understanding of what I was doing. I didn't accomplish that completely; there are things that I know I don't fully understand, and I'm sure other things that I misunderstand.
                                It's worth noting that I haven't actually been able to attempt any of this on pfSense yet.

                                Anyways, thank you for what you've done and I'd appreciate any of your expertise and guidance!

                                @jflsakfja:

                                Here we go!

                                Firewalling
                                Always whitelist, NEVER blacklist…

                                <<<<< everything I tried to understand and included in my writeup thus far is contained between these two quotes from the OP. >>>>>

                                …Back to where we left. Nobody likes his internet being down (I grew tired of having to explain that the Internet was designed to survive a nuclear holocaust without it being down, if you can't beat them, join them). So hurry up with the other interfaces as well.

                                • P
                                  pfBasic Banned
                                  last edited by Feb 15, 2017, 6:54 AM Jul 7, 2016, 10:47 PM

                                  I reformatted the tables in the word document so that I could publish what I'm trying to do directly here and no one has to download the word document. There are a lot of hyperlinks that are included on the word doc but not on this post, so if you see something that looks like it should be hyperlinked, it is on the .doc.

                                  ANY help you guys can give me would be greatly appreciated!

                                  I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.

                                  ----------------------------------------

                                  EDIT: Removed due to potentially misleading info.

                                  • BBcan177B
                                    BBcan177 Moderator
                                    last edited by Jul 8, 2016, 3:12 AM

                                    @pfBasic:

                                    I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.

                                    Thanks for all your efforts.. :)

                                    Just to note that my posts in relation to the script should be ignored, as it's now superseded by the package pfBlockerNG…

                                    https://forum.pfsense.org/index.php?topic=102470.0
                                    https://forum.pfsense.org/index.php?topic=86212.0

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    • P
                                      pfBasic Banned
                                      last edited by Jul 8, 2016, 7:32 AM

                                      @BBcan177:

                                      @pfBasic:

                                      I'm reading through tons of BBCan117's posts on pfBlockerNG trying to learn how to use it to accomplish this setup. I'll post that as soon as I'm done, but remember my done does not equal a finished product. I'll need correction from you guys to get this right.

                                      Thanks for all your efforts.. :)

                                      Just to note that my posts in relation to the script should be ignored, as it's now superseded by the package pfBlockerNG…

                                      https://forum.pfsense.org/index.php?topic=102470.0
                                      https://forum.pfsense.org/index.php?topic=86212.0

                                      Yes sir, I am reading through your threads on pfBNG and trying to figure out how to use that to accomplish this thread's intent without messing it up!

                                      • K
                                        kody
                                        last edited by Jul 19, 2016, 5:39 PM

                                        pfBasic, did you just edit/reformat the content in the original post by “jflsakfja”?

                                        Or, did you adapt the content in the original post to a later version of pfSense? If so, which version did you use for your document?

                                        Thanks.

                                        • N
                                          neonmatt
                                          last edited by Jul 25, 2016, 2:35 PM

                                          pfBasic, the word doc looks nice. I've come back to this after a long time working on other stuff, so thanks for condensing this very long thread. I look forward to implementing Suricata soon (getting ready to set aside some time to get into it without interruption).

                                          I hope the OP is well and doing great things (I'm sure that's a given).

                                          "The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.