Is my network safe?
-
What tutorial would state to put in such a rule? There is no tutorial that should say that..
No, your WAN address is NOT outside your network… Where would you get such an idea??
Here is a screenshot of my WAN IP address:
https://drive.google.com/open?id=0B5MY92jm0NVhWVFSSXR0OE9EdWs
I am sorry if I make a big mistake here, but why would I have to block that IP address? I thought pfSense only lets you access the web configurator on the WAN interface if there is no other interface configured?
-
What tutorial would state to put in such a rule? There is no tutorial that should say that..
No, your WAN address is NOT outside your network… Where would you get such an idea??
I just figured out what you said, and tried to access the web configurator with the WAN IP address and it still worked, so I blocked that too.
Here are two screenshots of my new rules:
https://drive.google.com/open?id=0B5MY92jm0NVhdFFveHFUUG9fckk
https://drive.google.com/open?id=0B5MY92jm0NVhVndSaS1SbDhfemc
admin addresses are the two addresses of the router on the two interfaces and my WAN IP
admin ports is still ports 80, 443 and 22. Is this correct now?
Thanks for helping me.
-
What happens when your WAN IP changes? This is why it's better to use the "this firewall" built-in alias.. What happens when you bring up a new vlan/interface and forget to block opt1 from getting to it.
You should allow the traffic you want to the opt1 IP, say ping and dns. And then block via the "this firewall" dest; this blocks all access to any IP on the firewall along with any new ones or when they change, etc.
-
What happens when your WAN IP changes? This is why it's better to use the "this firewall" built-in alias.. What happens when you bring up a new vlan/interface and forget to block opt1 from getting to it.
You should allow the traffic you want to the opt1 IP, say ping and dns. And then block via the "this firewall" dest; this blocks all access to any IP on the firewall along with any new ones or when they change, etc.
I tried that before. I copied the allow LAN to any rule to the opt1 interface (the way I have it now) and used the built-in "this firewall" rule to block traffic to the web configurator, but my Internet connection doesn't work anymore if I do it that way instead of the rule that I created with the addresses and the ports.
Have I made a mistake? While I tried that I also had the block traffic to LAN rule configured the exact way I have it now (but that shouldn't make a difference).
-
You have to ALLOW the traffic you want to the firewall before you block to firewall - for example DNS.. If you do not allow dns to the opt1 interface then no clients would be able to look up anything and go to the internet.
It's not a mistake per se, but the way you have the rules you're not accounting for changes in your WAN IP.. since you're on PPPoE, pretty sure your IP is going to change, etc. Also if you bring up new interfaces you have to remember to alter your alias, etc..
The whole point of "this firewall" is to allow simple blocking of any IP on the firewall..
-
You have to ALLOW the traffic you want to the firewall before you block to firewall - for example DNS.. If you do not allow dns to the opt1 interface then no clients would be able to look up anything and go to the internet.
It's not a mistake per se, but the way you have the rules you're not accounting for changes in your WAN IP.. since you're on PPPoE, pretty sure your IP is going to change, etc. Also if you bring up new interfaces you have to remember to alter your alias, etc..
The whole point of "this firewall" is to allow simple blocking of any IP on the firewall..
I understand the problem with my current configuration. Can you maybe give me a screenshot of what the ruleset should look like?
-
something like this for example - minus the stuff you do not need or want.
I allow ping to the interface
allow dns
allow ntp to my ntp servers on different network
I then block all access to any firewall IP.
I then allow access from this segment to the dmz segment of mine
I then allow any access that is not rfc1918 space - this allows access to the internet but not any of my other networks, current or future, since they would all be rfc1918 space
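To make the ordering and aliasing points of this thread concrete (allow DNS to the interface address before the "this firewall" block, use the built-in alias rather than a hand-typed list of router IPs, and rely on !RFC1918 to keep other private segments unreachable), here is a small simulation of pf-style first-match evaluation over the six rules above. This is an added example, not pfSense's own code and not from anyone in the thread; the interface addresses, the DMZ network, the NTP server and the second WAN address are all constructed for the simulation (TEST-NET-3 stands in for a public PPPoE address), and the ruleset is a model of the rules as described, not an export of a real config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample addressing for the simulation (assumption, not the
# thread's real networks). 203.0.113.0/24 (TEST-NET-3) plays the public WAN.
INTERFACES = {
    "wan": "203.0.113.7",
    "lan": "192.168.1.1",
    "opt1": "192.168.20.1",
    "dmz": "192.168.30.1",
}
DMZ_NET = ipaddress.ip_network("192.168.30.0/24")
NTP_SERVER = ipaddress.ip_address("192.168.1.10")  # lives on LAN, not OPT1

# Equivalent of the thread's rfc1918 alias: 10/8, 172.16/12, 192.168/16.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def this_firewall(interfaces):
    """Model of the built-in alias: every address the firewall currently holds,
    resolved at evaluation time, so a PPPoE change or a new interface is covered."""
    return {ipaddress.ip_address(a) for a in interfaces.values()}

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    proto: str                        # "any", "icmp", "tcp", "udp" or "tcp/udp"
    dst: Callable[..., bool]          # dst matcher: (ip, interfaces) -> bool
    dport: Optional[set] = None       # None means any port
    label: str = ""

def matches(rule, proto, dst, dport, interfaces):
    proto_ok = rule.proto == "any" or proto in rule.proto.split("/")
    port_ok = rule.dport is None or dport in rule.dport
    return proto_ok and port_ok and rule.dst(dst, interfaces)

def evaluate(rules, proto, dst, dport=None, interfaces=INTERFACES):
    """First matching rule wins; pfSense denies anything no rule passes."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, proto, dst, dport, interfaces):
            return rule.action, rule.label
    return "block", "default deny"

def opt1_address(ip, interfaces):
    return ip == ipaddress.ip_address(interfaces["opt1"])

# The six-rule OPT1 layout from the post above, in the order given.
JOHNPOZ_RULES = [
    Rule("pass", "icmp", opt1_address, None, "1 ping to OPT1 address"),
    Rule("pass", "tcp/udp", opt1_address, {53}, "2 dns to OPT1 address"),
    Rule("pass", "udp", lambda ip, ifs: ip == NTP_SERVER, {123}, "3 ntp to NTP server"),
    Rule("block", "any", lambda ip, ifs: ip in this_firewall(ifs), None, "4 block This Firewall"),
    Rule("pass", "any", lambda ip, ifs: ip in DMZ_NET, None, "5 allow to DMZ"),
    Rule("pass", "any", lambda ip, ifs: not is_rfc1918(ip), None, "6 allow !RFC1918"),
]

# The earlier approach in the thread: a static alias of router addresses typed
# in at one moment, with the admin ports blocked, followed by allow-any.
STATIC_ADMIN = {ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.20.1", "203.0.113.7")}
STATIC_RULES = [
    Rule("block", "tcp", lambda ip, ifs: ip in STATIC_ADMIN, {80, 443, 22}, "block admin ports"),
    Rule("pass", "any", lambda ip, ifs: True, None, "allow OPT1 to any"),
]

def webgui_reachable(rules, interfaces=INTERFACES):
    """Can an OPT1 host reach the web configurator on the current WAN address?"""
    return evaluate(rules, "tcp", interfaces["wan"], 443, interfaces)[0] == "pass"

def webgui_reachable_after_wan_change(rules):
    """Same check after the PPPoE session came back with a different address."""
    return webgui_reachable(rules, dict(INTERFACES, wan="203.0.113.42"))

def dns_result_with_block_first():
    """Put the This Firewall block ahead of the DNS allow: clients lose DNS."""
    reordered = [JOHNPOZ_RULES[3]] + JOHNPOZ_RULES[:3] + JOHNPOZ_RULES[4:]
    return evaluate(reordered, "udp", INTERFACES["opt1"], 53)[0]

if __name__ == "__main__":
    for proto, dst, port in [("udp", "192.168.20.1", 53), ("tcp", "192.168.20.1", 443),
                             ("tcp", "192.168.1.50", 445), ("tcp", "192.168.30.5", 80),
                             ("tcp", "198.51.100.10", 443)]:
        print(proto, dst, port, "->", evaluate(JOHNPOZ_RULES, proto, dst, port))
    print("static alias, WAN changed, GUI reachable:", webgui_reachable_after_wan_change(STATIC_RULES))
    print("This Firewall, WAN changed, GUI reachable:", webgui_reachable_after_wan_change(JOHNPOZ_RULES))
    print("DNS when block is placed first:", dns_result_with_block_first())
```

Running it shows the three behaviours the thread argues over: with the static alias the web GUI on the new WAN address is reachable from OPT1 again after the address changes, while the "This Firewall" rule still blocks it; moving the block above the DNS allow turns every lookup into a deny, which is the "Internet stopped working" symptom; and a LAN host is unreachable from OPT1 not because of an explicit block but because !RFC1918 never matches it and the interface's default deny applies.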
-
Johnpoz,
Does your rule set block access to other interfaces? If you do not want, for example, LAN to access Opt1 (or vice versa), are additional block rules needed?
The reason I ask is I too do not want other interfaces to access my LAN.
I think your "!RFC1918" rule prevents access to other interfaces?
(Johnlile, I have a similar setup; Johnpoz was extremely helpful in getting my 10+ rules down to 3!! Assuming I do not need additional block rules…)
-
something like this for example - minus the stuff you do not need or want.
I allow ping to the interface
allow dns
allow ntp to my ntp servers on different network
I then block all access to any firewall IP.
I then allow access from this segment to the dmz segment of mine
I then allow any access that is not rfc1918 space - this allows access to the internet but not any of my other networks, current or future, since they would all be rfc1918 space
Thank you, I just copied your configuration and customized it a little bit. It works perfectly fine.
-
Johnpoz,
Does your rule set block access to other interfaces? If you do not want, for example, LAN to access Opt1 (or vice versa), are additional block rules needed?
The reason I ask is I too do not want other interfaces to access my LAN.
I think your "!RFC1918" rule prevents access to other interfaces?
(Johnlile, I have a similar setup; Johnpoz was extremely helpful in getting my 10+ rules down to 3!! Assuming I do not need additional block rules…)
No, from my understanding you don't need that if you don't create an additional subnet with a weird IP address (one outside of the rfc1918 space).
EDIT: His rfc1918 is probably an alias (?) so the address range within that alias is already blocked.
-
yes my rfc1918 is an alias that contains all the rfc1918 space 192.168/16, 10/8 and 172.16/12
If you did create a network that was public or non rfc1918 then that alias would allow access to that. But you would only do such a thing if you had public space that was routed to you, etc.
"Does your rule set block access to other interfaces?"
No it does not; that's the whole point of the "this firewall" built-in alias - any IP that pfSense would have on any interface would be blocked. While the rfc1918 ! would allow access to anything that was not rfc1918, so if I had another WAN-type interface with a public IP that would be allowed. The "this firewall" prevents such access, etc..
-
Thanks… my opt1 interface (a separate isolated interface and not a WAN) falls within the RFC1918 range. Sorry to jump into the thread, but appreciate the help.
I used your rule #2, 4 and 6 and I can access the net.