Default Permit: a Dumb idea
-
While I am all for a default deny, as mentioned if you want such a setup - its click click and there you go default deny outbound. But having that the default setup when you first setup pfsense would only drastically increase the number of it doesn't work posts ;) And your typical user is just going to create the any any rule outbound anyway. Since that is how their typical soho off the shelf home router is designed to function.
Shoot look at how many post there are on how come opt1 doesn't work.. since the only interface that out of the box is allow any any is your lan. When you add an interface it is your default deny policy.. Browse the forum - how many posts are there asking why their opt interfaces doesn't work ;)
Yeah I certainly believe you. But I do think that your average home user can run a whitelisted LAN with minimal setup, a little troubleshooting, and a lot of reading through this forum.
If I can do it then anyone can, I have no computer science, IT, networking background of any type at all. But there are enough smart people on this forum sharing their knowledge that even my network (I believe) is pretty damn secure for a home network and runs very well. -
" a little troubleshooting, and a lot of reading through this forum. "
Your typical user is not up to either of those ;)
-
Good point, so I guess I'd modify my original statement to say that white-listing your LAN is not too difficult for a small home network assuming you are willing to do a little troubleshooting and a lot of reading if it becomes necessary.
I'd still recommend doing exactly that to any new user, if for no other reason that to learn the basics about what's going on. While you're figuring it out you can always keep that allow LAN to anyone anywhere on the top, disable it while you're working on setting up your white-listing rules and then re-enable until the next time you want to work on it.
-
Unless your home users are cyber-criminals, I really don't see the advantage of locking down your LAN at home, other than as an exercise.
-
@KOM:
Unless your home users are cyber-criminals, I really don't see the advantage of locking down your LAN at home, other than as an exercise.
Yeah, in my case I did it as an exercise. I'm not genuinely that concerned about my networks security, as in I don't particularly care about the NSA monitoring my traffic on a personal level (while I don't love the policy), and I don't particularly worry about being hacked, etc. However, I geek out on pfSense and do a lot of stuff just to learn/I think it's neat. If you were to look at my pfSense setup you would be convinced that my tinfoil hat is on really tight anytime I venture outside of my lead-lined fallout shelter ::), haha.
The only argument I could think of for whitelisting a home network would be to mitigate the effects of an infected computer phoning home or something along those lines? But I don't know if that is even valid? I just do it to learn and for fun.
In general I don't believe that any average home user needs pfSense at all, but if you're here and you fit that bill I'm guessing you are either here to learn for fun or to cinch down your tinfoil hat!
-
@KOM:
Unless your home users are cyber-criminals, I really don't see the advantage of locking down your LAN at home, other than as an exercise.
Not necessarily, you could also potentially prevent infection from spreading or prevent a bot from reaching a C&C server.
-
Not necessarily, you could also potentially prevent infection from spreading or prevent a bot from reaching a C&C server.
Exactly. Any new program wanted or not, sticks out like a pimple on the end of your nose.
Marcus also said FTP should have been taken out back behind the shed years ago and shot. That talk was also a decade ago.
If I was using FTP still then I would have a dedicated interface for just that use.
Default deny all on every interface here. Each computer running linux also has ufw set Deny in and Reject out.
Who needs cyber-criminals when Windows 10 is around. ???
But to have this set up out of the box for PfSense would be chaos. ::) -
On the topic of learning through pfSense and the kind of activity your WAN side ports see, try running these two custom rules in Suricata or Snort (change drop to alert or run as IDS if you just want to see for fun).
drop tcp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, TCP"; classtype:network-scan; sid:9000; rev:1;) drop udp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, UDP"; classtype:network-scan; sid:9001; rev:1;)Where $MY_NET and $MY_PORT are variables you'll need to specify as necessary for your own network in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.
It will just show you that every network out there is getting scanned all the time, scanning for vulnerabilities is often not discriminatory, just a dragnet.
As a sidenote, whitelisting your LAN won't do a thing about probes on your WAN, but it is interesting in terms of general security on pfSense.
-
"or prevent a bot from reaching a C&C server."
I honestly do not agree with such an argument at all.. If your going to want your bot to talk to your CC why would you not just use a common port like 80/443 so its traffic for one is hidden with all the normal traffic and on a port that would be open almost everything.
-
"or prevent a bot from reaching a C&C server."
I honestly do not agree with such an argument at all.. If your going to want your bot to talk to your CC why would you not just use a common port like 80/443 so its traffic for one is hidden with all the normal traffic and on a port that would be open almost everything.
I know not a damn thing about this stuff but I had always wondered about this exactly. It seems like if you were writing malware and trying to avoid detection (not to mention blocking) it would be a lot less suspicious (and surrounded by a lot more static) to have your malware phone home on port 80 (or something along those lines) than 23 or something less common?
-
You assume bot writers have anything that resembles intelligence. There will be smart ones, but there are more dumb ones. :D
-
"or prevent a bot from reaching a C&C server."
I honestly do not agree with such an argument at all.. If your going to want your bot to talk to your CC why would you not just use a common port like 80/443 so its traffic for one is hidden with all the normal traffic and on a port that would be open almost everything.
I know not a damn thing about this stuff but I had always wondered about this exactly. It seems like if you were writing malware and trying to avoid detection (not to mention blocking) it would be a lot less suspicious (and surrounded by a lot more static) to have your malware phone home on port 80 (or something along those lines) than 23 or something less common?
Guys, the idea is to increase your odds of finding said offender. That is enough for me to do it. Keep the haystack as small as you can.
-
You assume bot writers have anything that resembles intelligence. There will be smart ones, but there are more dumb ones. :D
Haha, good to know!
@webtyro:
Guys, the idea is to increase your odds of finding said offender. That is enough for me to do it. Keep the haystack as small as you can.
You certainly don't need to convince me, my LAN is already whitelisted for whatever reason. But I do like hearing all this feedback from you guys on the topic!
-
For more references:
- Port trends: https://isc.sans.edu/trends.html
- Port activity graphs: https://isc.sans.edu/port.html
-
I honestly do not agree with such an argument at all.
Same here.
-
Evidence disagrees with your disagreement. Check the data in the links I just posted.
-
pfSense out of the box: Works for 99.99% of traffic
pfSense with uPNP enabled: Works for 99.999999% of trafficIf you find the default block permissions are a "bad idea", you're somewhere between the 0.01% and the 0.000001%. You're a special snowflake. For the rest of us people, it works just fine and it makes us safer.
