Restric LAN access for traffic originating from pfsense box
-
I'm was a little bothered by the idea that from the pfsense shell, I could reach any host in my LAN.
I don't see why this traffic should be possible so I wanted to restrict it. I first created a rule under LAN as pass but log all traffic from source pfsense to network LAN, matching ipv4, all ports and all protocols.
Nothing got logged when I did an ssh to my server from the pfsense box. Puzzled, I created the same rule as floating and now I see the ssh going out. I changed it to reject and it seems to work. All my internet and local LAN traffic seems unaffected and I see packets being logged when there is something originating from pfsense towards the LAN.
Now, I'm not entirely sure I did the right thing. I don't really understand why the rule under LAN didn't work and even though I got what I wanted with a floating rule, I'm not sure that was actually the correct way of doing things. Am I missing something that's now broken or did I do it correctly?
For my understanding, could someone explane why the LAN rule didn't work?
Thanks for the replies!
-
Because interface rules evaluate traffic as it enters that interface from that network.. Traffic from pfsense would not be entering lan, it would be leaving lan interface.
If you want to do rules as they leave an interface you would need to do this on floating.
"I'm was a little bothered by the idea that from the pfsense shell, I could reach any host in my LAN."
I don't see why you feel this is an issue.. Who would be on the pfsense shell that should be blocked from talking to the lan.. And if they have access to the pfsense shell, then most likely they would have the ability to undo whatever rules you put in place anyway.
-
Because interface rules evaluate traffic as it enters that interface from that network.. Traffic from pfsense would not be entering lan, it would be leaving lan interface.
If you want to do rules as they leave an interface you would need to do this on floating.
Thanks for explaining that. Makes sense now.
I'm was a little bothered by the idea that from the pfsense shell, I could reach any host in my LAN.
I don't see why you feel this is an issue.. Who would be on the pfsense shell that should be blocked from talking to the lan.. And if they have access to the pfsense shell, then most likely they would have the ability to undo whatever rules you put in place anyway.
When I said shell, it's because that is from where I tested it. I actually meant someone gaining remote access in one way or another.
My take on security is that if access is not needed for functionality that I, my household or pfsense needs, it should not be possible.
Simple illustration, people may leave a window open on the 3rd floor when they leave the house for a few hours, reasoning that no burglar can reach it anyway. I'd say close it anyway because there is no reason to leave it open, except for laziness to go up to the 3rd floor and close the window.
Remote code execution vulnerabilities (as an example) not often get fully elevated permissions. They are typically limited to user or even guest (other) permissions. But even that can be enough to gain access to information on disk or to another system … unless that is blocked :).
So basically, I want to lock the window and if someone does manage to get in, he should face a locked door leading to the hallway ;D.
See, making this rule was easy and took me a few minutes at most, and if that traffic really serves no purpose and it doesn't break anything, then why leave it open?
So, is it oke to leave that rule in there, even if it is useless? It doesn't break anything?
Thanks!
-
It doesn't break anything until your on pfsense wanting to trouble shoot connectivity in your lan, and you can not ping a box on lan from pfsense.
As to the window - other than helping keep the house cool, or airing out the room because you just painted it, etc.
You preventing your "firewall" from talking to stuff on a network it protects is more akin to thinking a screen in your window is going to stop someone who just broke the glass from getting into the house..
its your network, its your firewall.. If what you want is to stop your firewall from talking to stuff on your network - then have at it.. Been in security for 20+ years.. I don't see the point of such a rule to be honest. I can tell you for sure if you have questions about stuff not working in the future.. You might want to mention such a rule up front, and any other "security" changes you make as well. Such things would not come to mind to anyone trying to help you troubleshoot something.. Because its not a standard practice.
-
Appreciate the feedback. You make some valid points. The security benefit (if any) is academic I realize that so I'd only want to keep it if there was no downside.
I'll remove the rule. Your points for problems in the future I think are valid and I don't want to run into weird problems in the future possibly caused by this rule. And you're right too that troubleshooting can actually be very useful from the firewall itself too.
Thanks! I'm glad I asked ;D.
-
No problem - what we are here for to help and discuss and debate different sorts of setups.
Nice to see someone take discussion points the way they are meant to be taken, as discussion points… Not trying to belittle your point of view or your idea.. Just sharing my take on that sort of setup (honestly)..
Some people take such discussion points as direct attacks against them for some reason.. And then go on smite rampages ;) When someone tries to point out a different method or way of attacking a problem or way of looking at setup, etc. They get their little hearts set on doing something way X, and when you try and point out that Y is a better way to do it.. Its like you took out your wang and pissed all over them and into their beer or something.. Or called their mom a fat whore because you try and point out that there might be a better way to do it.. Or ask them to explain why they feel X is the best way, etc. They read into that you called them a F'ing moron or something..
-
No problem - what we are here for to help and discuss and debate different sorts of setups.
Nice to see someone take discussion points the way they are meant to be taken, as discussion points… Not trying to belittle your point of view or your idea.. Just sharing my take on that sort of setup (honestly)..
Some people take such discussion points as direct attacks against them for some reason.. And then go on smite rampages ;) When someone tries to point out a different method or way of attacking a problem or way of looking at setup, etc. They get their little hearts set on doing something way X, and when you try and point out that Y is a better way to do it.. Its like you took out your wang and pissed all over them and into their beer or something.. Or called their mom a fat whore because you try and point out that there might be a better way to do it.. Or ask them to explain why they feel X is the best way, etc. They read into that you called them a F'ing moron or something..
Haha I can see you were all prepared for me to go on a rampage, sorry to disappoint haha ;D
I know what you mean though. Consider this. When someone spends considerable amount of time setting something up, reading up on how all that works and being succesful at it (feeling all good about himself), and then finds something out on his own which looks great from all angles he can look at it (now feeling godlike and invincible), it becomes very difficult to admit it wasn't such a good idea after all. That hurts. What that often needs is simply an acknowledgement and a little respect (to be clear: that is not to say you didn't do that). I admit I had to think about your points a few times. Honestly, I didn't like it, because I was still all focussed and zoomed in on my own idea! But, I kicked myself into submission and yelled at me in the mirror ADMIT ADMIT! And once I pulled myself together and took a few steps back, I saw the bigger picture … and I admitted ... that maybe, I'm not as smart as I would like to be ::).
;)
-
Nobody is as smart as they would like to be ;)
I wouldn't say you disappointed me - what I will say is was a pleasant surprise to not get a diatribe back how I was a RUDE asshat, for asking a question. And see my smite count increase every time you login for days on end ;) Which I currently has some kiddy doing…