Is my network safe?
-
What happens when your WAN IP changes? This is why it's better to use the built-in "This Firewall" alias. What happens when you bring up a new VLAN/interface and forget to block opt1 from getting to it?
You should allow the traffic you want to the opt1 IP, say ping and DNS, and then block via the "This Firewall" dest. This blocks all access to any IP on the firewall, along with any new ones or when they change, etc.
-
I tried that before. I copied the allow LAN to any rule to the opt1 interface (the way I have it now) and used the built-in "This Firewall" rule to block traffic to the web configurator, but my Internet connection doesn't work anymore if I do it that way instead of the rule that I created with the addresses and the ports.
Have I made a mistake? While I tried that I also had the block traffic to LAN rule configured the exact way I have it now (but that shouldn't make a difference).
-
You have to ALLOW the traffic you want to the firewall before you block to the firewall - for example DNS. If you do not allow DNS to the opt1 interface then no clients would be able to look up anything and go to the internet.
It's not a mistake per se, but the way you have the rules you're not accounting for changes in your WAN IP. Since you're on PPPoE, pretty sure your IP is going to change, etc. Also if you bring up new interfaces you have to remember to alter your alias, etc.
The whole point of this "This Firewall" is to allow simple blocking to the firewall of any IP.
-
I understand the problem with my current configuration. Can you maybe give me a screenshot of what the ruleset should look like?
-
Something like this for example - minus the stuff you do not need or want.
I allow ping to the interface
allow DNS
allow NTP to my NTP servers on a different network
I then block all access to any firewall IP.
I then allow access from this segment to the DMZ segment of mine
I then allow any access that is not RFC1918 space - this allows access to the internet but not to any of my other networks, current or future, since they would all be RFC1918 space
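As an added illustration (not code from the thread or from pfSense), the six-rule OPT1 set above as a first-match evaluator in Python, with invented addresses: it shows why the allows to the firewall must sit above the "This Firewall" block, and how the !RFC1918 rule leaves any current or future private network unreachable without extra rules.

```python
import ipaddress

# Added illustration, not code from the thread: a first-match evaluator for
# the six-rule OPT1 ruleset described above. Every address here is invented.
FIREWALL_IPS = {"192.168.2.1", "203.0.113.7"}   # OPT1 address and (changeable) WAN address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ = ipaddress.ip_network("192.168.3.0/24")    # the "DMZ segment" of rule 5
NTP_SERVERS = {"192.168.1.10"}                   # NTP server on a different network

def this_firewall(dst):
    """The built-in 'This Firewall' alias: any IP the firewall holds, now or later."""
    return dst in FIREWALL_IPS

def is_rfc1918(dst):
    return any(ipaddress.ip_address(dst) in net for net in RFC1918)

# (action, protocol or None for any, dest port or None for any, destination test).
# pfSense evaluates top-down and the first match wins, so the allows to the
# firewall (rules 1-3) must sit above the "block This Firewall" rule (rule 4).
RULES = [
    ("pass",  "icmp", None, this_firewall),                        # 1 ping the interface
    ("pass",  "udp",  53,   this_firewall),                        # 2 DNS to the firewall
    ("pass",  "udp",  123,  lambda d: d in NTP_SERVERS),           # 3 NTP to own servers
    ("block", None,   None, this_firewall),                        # 4 anything else to any firewall IP
    ("pass",  None,   None, lambda d: ipaddress.ip_address(d) in DMZ),  # 5 this segment -> DMZ
    ("pass",  None,   None, lambda d: not is_rfc1918(d)),          # 6 !RFC1918 = internet only
]

def evaluate(dst, proto, port=None):
    """Return the action of the first matching rule; no match means the default deny."""
    for action, rproto, rport, dest in RULES:
        if rproto is not None and rproto != proto:
            continue
        if rport is not None and rport != port:
            continue
        if dest(dst):
            return action
    return "block"

if __name__ == "__main__":
    for pkt in (("192.168.2.1", "udp", 53), ("192.168.2.1", "tcp", 443),
                ("192.168.1.50", "tcp", 445), ("198.51.100.9", "tcp", 443)):
        print(pkt, "->", evaluate(*pkt))
```

Swapping rules 2 and 4 in RULES makes the DNS lookup return "block", which is the symptom the thread describes when the block precedes the allows.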
-
Johnpoz,
Does your rule set block access to other interfaces? If you do not want, for example, LAN to access Opt1 (or vice versa), are additional block rules needed? The reason I ask is I too do not want other interfaces to access my LAN.
I think your "!RFC1918" rule prevents access to other interfaces?
(Johnlile I have a similar setup, Johnpoz was extremely helpful in getting my 10+ rules down to 3!! Assuming I do not need additional block rules….)
-
Thank you, I just copied your configuration and customized it a little bit. It works perfectly fine.
-
No, from my understanding you don't need that if you don't create an additional subnet with a weird IP address (one outside of the RFC1918 space).
EDIT: His rfc1918 is probably an alias (?) so the address range within that alias is already blocked.
-
Yes, my rfc1918 is an alias that contains all the RFC1918 space: 192.168/16, 10/8 and 172.16/12.
If you did create a network that was public or non-RFC1918 then that alias would allow access to that. But you would only do such a thing if you had public space that was routed to you, etc.
"Does your rule set block access to other interfaces?"
No it does not; that's the whole point of the "This Firewall" built-in alias - any IP that pfSense would have on any interface would be blocked. While the !rfc1918 would allow access to anything that was not RFC1918, so if I had another WAN type interface with public space, it would be allowed. The "This Firewall" prevents such access, etc.
-
Thanks… my opt1 interface (a separate isolated interface, not a WAN) falls within the RFC1918 range. Sorry to jump into the thread but I appreciate the help.
I used your rules #2, 4 and 6 and I can access the net.