Netgate Discussion Forum

    Firewall Testing

    Firewalling
    15 Posts 4 Posters 6.7k Views
    guardian Rebel Alliance

      Thanks all for the replies…. I guess I haven't phrased my question correctly.

      I'm concerned about outbound traffic, which means I need to test from inside out.

      The reason I am asking is that I accidentally switched a Block rule to allow, and was letting a lot of traffic out that shouldn't have gone out.

      Luckily I found it, but I want a proactive way to check for that type of error.

      After some further investigation it seems like running nmap -sS 192.168.100.1 gives me a list of ports that I have open on pfSense.

      LAN Computer ------> | pfSense | ----> Cable Company Router (192.168.100.1)

      I'm not yet in production with pfSense, so I am behind the cable company NAT Internet Gateway, with pfSense and my production network firewall sharing that gateway.

      Once I manage to get into production, I will no longer have 192.168.100.1 to nmap against, and I think the cable company may be a bit upset if I nmap their gateway address.

      Any suggestions?  I need a general sinkhole to nmap against.

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

        johnpoz LAYER 8 Global Moderator

        " nmap -sS 192.168.100.1 gives me a list of ports that I have open on pfSense."

        That doesn't tell you what pfsense lets out.. That tells you what is listening on 192.168.100.1 address, and is also allowed by the rules..

        Here is the thing the default rules are ANY ANY.. pfsense out of the box allows all traffic on the lan interface.  if you're having an issue blocking - then post up your rules and what you're trying to block.. There seems to be a real issue with new users to pfsense..

        Rules are evaluated top down on the interface that traffic first enters pfsense.. First rule to trigger wins, no other rules are evaluated..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          guardian Rebel Alliance

          Thanks very much for the reply johnpoz.

          @johnpoz:

          Here is the thing the default rules are ANY ANY.. pfsense out of the box allows all traffic on the lan interface.  if you're having an issue blocking - then post up your rules and what you're trying to block.. There seems to be a real issue with new users to pfsense..

          Rules are evaluated top down on the interface that traffic first enters pfsense.. First rule to trigger wins, no other rules are evaluated..

          I do understand that (but you are right, I didn't at first), and based on another post "Taming the Beast" I got rid of the default allow rules and put in explicit allow rules for what I want.  DNS is forced through unbound and NTP is forced to pfSense, and pfSense uses two trusted servers.

          Anti-lockout Rule is enabled.

          Ports 80/443 are open to ANY.

          IMAP/S, SMTP/S, SSH are open for a list of aliases that I use these services with.

          Ports 666/3000 are open for Source: LAN net Dest: LAN address to allow me to use DarkStat and NTOPNG

          And a couple of other ports that were required to support other applications.

          @johnpoz:

          " nmap -sS 192.168.100.1 gives me a list of ports that I have open on pfSense."

          That doesn't tell you what pfsense lets out.. That tells you what is listening on 192.168.100.1 address, and is also allowed by the rules..

          Thanks for this… I tried again with some other obscure ports and they didn't show up....  @#$@ cable box opened up port 139/22 when I tested them.

          So is there any way to accomplish this for testing/validation? 
          I need some sort of sink that will accept ANY/ANY/ANY if it comes through the firewall.

          This is purely for testing/validation so that I can confirm what I think should be happening is actually happening rather than just hoping to catch it with some random PCAP.

          So is there any practical way to test firewall rules?

            johnpoz LAYER 8 Global Moderator

            why do you need anything on the other side?  Just sniff on the wan interface, send your traffic out - do you see it?  If not then firewall did what you told it to do.. Just log your block - is it logged that it was blocked.

            Post up a picture of your rules - picture is worth 1000 words ;)  You make no mention of dns.. for example..

              guardian Rebel Alliance

              @johnpoz:

              why do you need anything on the other side?  Just sniff on the wan interface, send your traffic out - do you see it?  If not then firewall did what you told it to do.. Just log your block - is it logged that it was blocked.

              Post up a picture of your rules - picture is worth 1000 words ;)  You make no mention of dns.. for example..

              DNS/NTP have been well verified with PCAP… since there is always lots of DNS traffic on any functioning network.  It took me a while to get the rules correct... killed most traffic several times before I got it working.  Also plan to use pfBlockerNG DNSBL to do some filtering on it as well, but still have too many false positives.

              The issue is that I may not always be generating the problematic traffic.  At the moment, I am using Linux, so even if I have a problem blocking Teredo I won't see it because it's not being generated.  If I start up Windows 8, there's going to be a ton of Teredo.  I want to make sure the block is working before I start Windows 8, not find out I have a problem later.

              Just learned about pfctl -vvsr - It's easier to actually review that than several GUI screens for NAT/WAN/LAN + any interfaces.  I just did that with a | grep pass and discovered I forgot to put a host alias list on my CPANEL ports.  I thought I did, but I had to take them off because they were causing problems.  Got to go back and PCAP, to see what is actually happening so I can put the right hosts in.
              You did give me an idea…. I'm wondering if I did an nmap -sS -p1-65536 x.x.x.x and did a packet capture on WAN.  If a SYN packet for port Y shows up in the PCAP, then port Y is open - correct?  The challenge is what do I use as x.x.x.x that won't get me into trouble?  Would this work?

                johnpoz LAYER 8 Global Moderator

                Dude I don't see the need for such testing.. There is a default deny at the end of every interface.. If you remove the any any, then only stuff you allowed would be allowed through.

                What good would be a firewall if it just let shit through that did not have a rule to allow it?

                Your point of testing is kind of pointless..

                But sure you could pick any IP as your scan dest that would be sent to your default gateway, ie your isp..  Could be anything… 6.6.6.6 if you wanted for example..

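The scan-and-capture check proposed in the two posts above (scan an arbitrary destination from a LAN host, capture on the pfSense WAN interface, and treat any SYN that shows up there as a port the rules let out) is small enough to script. This is an added example, not code from the thread or from pfSense: the tcpdump-style capture lines, the WAN address 203.0.113.10, the scan target 198.51.100.7 and the 80/443 policy are all constructed for it.

```python
"""Egress check for the scan-and-capture approach: a LAN host scans an
arbitrary destination while tcpdump runs on the pfSense WAN interface; any
SYN that shows up there was let out by the LAN rules. Capture lines and the
intended policy below are constructed for this example."""
import re

# tcpdump default text format: "IP src.sport > dst.dport: Flags [S], ..."
SYN_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\]"
)

def escaped_ports(capture_lines, scan_dst):
    """Destination ports whose SYN reached WAN on the way to scan_dst.

    Only the destination is matched: after outbound NAT the source seen on
    WAN is the firewall's own address, not the scanning LAN host.
    """
    ports = set()
    for line in capture_lines:
        m = SYN_RE.search(line)
        if m and m.group("dst") == scan_dst:
            ports.add(int(m.group("dport")))
    return ports

def unexpected_egress(observed, intended):
    """Ports that got out but are not on the intended allow list."""
    return observed - intended

# Constructed capture: 203.0.113.10 is the WAN address, 198.51.100.7 the scan
# target. Policy is 80/443 to any, so 139 escaping is the mistake to catch.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.40001 > 198.51.100.7.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 203.0.113.10.40002 > 198.51.100.7.443: Flags [S], seq 2, win 1024, length 0
12:00:01.000003 IP 203.0.113.10.40003 > 198.51.100.7.139: Flags [S], seq 3, win 1024, length 0
12:00:01.000004 IP 198.51.100.7.80 > 203.0.113.10.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000005 IP 203.0.113.10.40004 > 192.0.2.55.22: Flags [S], seq 4, win 1024, length 0
""".splitlines()
INTENDED_ANY_DST = {80, 443}

if __name__ == "__main__":
    seen = escaped_ports(SAMPLE_CAPTURE, "198.51.100.7")
    print("ports that passed the firewall:", sorted(seen))
    print("not in the intended policy    :", sorted(unexpected_egress(seen, INTENDED_ANY_DST)))
```

On a real run the capture would come from tcpdump on the WAN interface while the scan runs, and the SYN for port 139 in the sample is exactly the accidentally allowed traffic the thread is worried about.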
                  guardian Rebel Alliance

                  @johnpoz:

                  Dude I don't see the need for such testing.. There is a default deny at the end of every interface.. If you remove the any any, then only stuff you allowed would be allowed through.

                  What good would be a firewall if it just let shit through that did not have a rule to allow it?

                  The firewall is only as good as its rules… If I made a mistake, I need a way to find it.

                  @johnpoz:

                  Your point of testing is kind of pointless..

                  Maybe you have been in networking for a long time and are really good with very detailed work / never forget to change things back etc., but I'm new, and also have a lot of other things I'm doing besides network work.

                  Did you ever tick a box by accident, or type a number wrong and not notice it?

                  Point is that in my mind I set (a) rule(s) up one way, but the reality of it was, I didn't because I made some type of mistake.  A firewall ruleset is like a program.  Good programming practice involves unit testing.

                  Things will no doubt get a lot more difficult once I start trying to deal with Remote VPN and multiple VLANs/Interfaces.

                  Is there anything that simulates/tests the output of pfctl -vvsr?
                  (Reading/Grepping this output will go a long way to sorting things out.)

                    johnpoz LAYER 8 Global Moderator

                    Dude do you have 1000's of rules?  You have what, a handful.. Post them!!!

                    The gui shows you the rules that would be allowed.  There is a hidden rule that allows dhcp if you enable dhcp on the interface..

                    As to mistakes.. It's outbound to the internet.. Not inbound.. So what if port xyz is open??  Really??? You clearly are not working in a DOD facility as their network engineer ;)

                    If you have 1000's of rules that went on for pages and pages.. Ok  But looks like you have this

                    Ports 80/443 are open to ANY.

                    IMAP/S, SMTP/S, SSH are open for a list of aliases that I use these services with.

                    Ports 666/3000 are open for  Source: LAN net Dest: LAN address to allow me to use DarkStat and NTOPNG

                    And a couple of other ports that were required to support other applications.

                    Why would you think you need to scan 65k ports to see if any of them get through???

                      guardian Rebel Alliance

                      @johnpoz:

                      Dude do you have 1000's of rules?  You have what, a handful.. Post them!!!

                      No problem for now I'm fine….

                      @johnpoz:

                      As to mistakes.. It's outbound to the internet.. Not inbound.. So what if port xyz is open??  Really??? You clearly are not working in a DOD facility as their network engineer ;)

                      You got that right!

                      @johnpoz:

                      Why would you think you need to scan 65k ports to see if any of them get through???

                      Looking for something simple that I could automate to tell me if I changed something by accident and forgot to put it back.

                      pfctl -vvsr is helping a lot… one source and it shows everything!

                        johnpoz LAYER 8 Global Moderator

                        Scanning 65k ports doesn't seem like a simple test to see if you forgot to open a port you need open.  Why don't you just check that the ports you need open are open, shoot you could setup a monitor tool for that and it would warn you when it's not working, etc.

                        Sounds like you have a handful of rules - why not just look ;)  If you're wanting to monitor changes - you could always grab the pfsense config and do diff on it..  That would be how I would monitor for changes..

                          guardian Rebel Alliance

                          @johnpoz:

                          Sounds like you have a handful of rules - why not just look ;)  If you're wanting to monitor changes - you could always grab the pfsense config and do diff on it..  That would be how I would monitor for changes..

                          Where in the file system do I find those files?  Where do I find the firewall rules so that I can read them in with a script?

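The two closing suggestions, reading the rules from pfctl output in a script and diffing against a saved copy to catch accidental changes, combine into one check. This is an added example, not code from the thread or from pfSense: it parses rule lines in the style `pfctl -sr` prints (one expanded rule per line) and reports the two kinds of change that loosen policy, a pass rule that is new or a block rule that has disappeared. The sample rule lines, the em0/em1 interface names and the `<mail_hosts>` alias table are constructed for the example; the flipped Teredo rule mirrors the block-to-allow mistake described earlier in the thread.

```python
"""Audit pfSense rules (text in the style of `pfctl -sr`) against a saved,
known-good copy and report changes that loosen policy. All sample lines are
constructed for this example."""
import re

# action, optional drop/return, direction, log/quick, interface, then the
# protocol, source, destination and an optional "port = N" clause
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?:drop|return))?\s+(?P<dir>in|out)"
    r"(?:\s+log)?(?:\s+quick)?\s+on\s+(?P<iface>\S+).*?\bproto\s+(?P<proto>\S+)"
    r".*?\bfrom\s+(?P<src>\S+).*?\bto\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\S+))?"
)

def parse_rules(lines):
    """Reduce each filter rule to a comparable tuple; non-rule lines are skipped."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["action"], m["dir"], m["iface"], m["proto"],
                          m["src"], m["dst"], m["port"] or "any"))
    return rules

def audit(baseline, current):
    """Return (added_pass, removed_block): the changes that let more traffic out."""
    before, after = set(parse_rules(baseline)), set(parse_rules(current))
    added_pass = {r for r in after - before if r[0] == "pass"}
    removed_block = {r for r in before - after if r[0] == "block"}
    return added_pass, removed_block

# Constructed baseline: Teredo blocked, 80/443 to any, IMAPS to an alias table.
BASELINE = """\
scrub on em0 all fragment reassemble
block drop in log quick on em1 inet proto udp from 192.168.1.0/24 to any port = 3544 label "USER_RULE: Block Teredo"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = 80 flags S/SA keep state label "USER_RULE"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = 443 flags S/SA keep state label "USER_RULE"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to <mail_hosts> port = 993 flags S/SA keep state label "USER_RULE"
""".splitlines()

# Constructed current output: the Teredo rule was flipped from block to pass.
CURRENT = [l.replace("block drop in log quick", "pass in quick") for l in BASELINE]

if __name__ == "__main__":
    added, removed = audit(BASELINE, CURRENT)
    for r in sorted(added):
        print("NEW PASS RULE  :", r)
    for r in sorted(removed):
        print("BLOCK RULE GONE:", r)
```

In use, the baseline would be the saved output from the day the rules were verified and the current list the fresh `pfctl -sr` output, which makes the check easy to run on a schedule as the poster wanted.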
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.