Proper rules for proper separation for LANs
-
If that description was not enough you should probably go to something like this hangout:
Otherwise you appear to be asking for a complete firewall design in a forum post. It is unlikely you will receive that here.
-
"Blocking traffic with a pass rule is bad juju."
I don't see why you think its blocking any traffic.. Its just an allow rule.. The default deny is what is blocking..
Why should he create an extra block when the default deny is there to use? Its a specific allow rule with a specific dest, anything BUT whats in the alias..
Thats my take on it - we seem to butt heads on this point ;) hehehe
-
Because it is a pass rule, not a block rule.
Strange things can happen there.
I am not opposed to using pass rules and relying on the default deny. You are actually passing desired traffic there.
I am opposed to using pass to ! Alias when you really want to BLOCK to Alias. If you want to block traffic, block it. Reject is probably more suitable in that case, anyway.
But yeah, this will come around again, and we will disagree again. I guess https://redmine.pfsense.org/issues/6799 isn't enough to prove that the rule order principles I adhere to are sound.
-
If that description was not enough you should probably go to something like this hangout:
Otherwise you appear to be asking for a complete firewall design in a forum post. It is unlikely you will receive that here.
This is very good suggestion. These "hangouts" are so great i don't know how i missed them. Actually I know how - I dissregard them without checking what are they cause my brain related google hangouts and just shut them down, but that besides the point. The are great sorce of information that I needed so thatnks a lot for point8ng them out.
To bad they are not downloadable (at least i dont seee it) so I have to listen them only when I am home.(comcast 1TB data cap vs verizon mobile 5GB).
-
I do like the 2 separate rules idea, even if it's just for the cleaner easy to read reasons. Prone to human mistake is a major security issue, and just by using "!" and making a diference from let everything local in or block it, it's not worth the risk compared to the convenience it bring. Just my 2 cents. :)
-
I have a specific question that should be very narrow one and I hope I could get help here:
Let's say you have a file server (freenas) that you would like to be on you LAN net (of course) but also you would like to be on WIFI net , so you can stream to yoy mobile devices at home.
Now I know some people after put one leg (nic interface) on LAN and another leg in WIFI and will work, but I always worried that if fileserver is compromised on WIFI leg will have then acces to LAN and the whole separation of LAN and WIFI will be useless. After I heard Jim Pingle on the hangouts pointing exactly that , I won't even consider doig it that way.
So how this could be done then ?! (with security as most important priority in mind)
-
I am known to do that… My setup would be running Plex Media server in a FreeNAS jail, and add a rule in PF on the WIFI net,
to allow tcp access to the Plex jail ip on the lan, port 32400 only. -
Yeah just add rules to the source network interface passing the traffic you want.
-
Yeah just add rules to the source network interface passing the traffic you want.
So this is most secure way to do it, not putting the file-server on both networks with 2 nics ?
-
There is no, "this is more secure than that." It all depends. It is not binary.
But yes, in general, I would say it is more secure.
You also eliminate potential asymmetric routing problems.
It makes essentially no sense to separate two segments (like LAN and DMZ) using a firewall then just bypass the same firewall using a host with a nic on each side.
-
Thank you.
From what I understand now pf-sense will move the data on layer3 , instead of layer2 if they were together on the same subnet ? So the traffic will go through pf-sense, from WIFI net to file server on LAN net.
-
If there was a question in there I can't see it.
-
If there was a question in there I can't see it.
I guess you are right.:-))))))))
P.S.
Not at the moment at least. I have to read and try some things before the real question emerge. Thanks again in a meantime. -
Ok but reading from the book and Example configurations I end up with these basic LAN rules. I would like some help to make sure if I did a good job with the rules order. I am pretty sure about the bottom 2 rules , but not about the top ones.
Is this the proper order ?
![lan rules.PNG](/public/imported_attachments/1/lan rules.PNG)
![lan rules.PNG_thumb](/public/imported_attachments/1/lan rules.PNG_thumb) -
It depends on what you are looking to accomplish.
-
I thought it shows on the picture.
If I have to describe it: I am trying to have have very secure network , by conservatively locking it down and only allow things on "need to know" in this case on "need to pass" base. And while still learning I would like to know if what I doing so far is correct , before it becomes a mess. I really don't know if it makes any difference the order for the first 3 rules for example ?!
-
I really don't know if it makes any difference the order for the first 3 rules for example ?!
The rules show what you have done not what you are trying to do.
You continue to think there is one right answer when every network has different requirements, compliance issues, goals, threat models, etc.
"need to know" "need to pass"
Only you know who needs to know what and what needs to pass where.
-
I am thinking that in order to master the pf-sense rules and improve security I need to see examples from experts so I can get an ideas and then tailor it for the specific needs for my network, don't you agree ?
P.S.
I know there is a lot of information floating around the net , but most of it is wrong or at least not correct and I don't want to learn wrong way. From a people who are trying to be helpful but unfortunately not knowledgeable, and that I think is the worst outcome.