Some basic advise
-
Hello hopefully i wont get flamed, but ive tried to look at other posts and i would like to ask a basic question.
When PF sense is installed it sets up a basic rule for the lan. From what ive read the rules control inbound traffic (https://doc.pfsense.org/index.php/Firewall_Rule_Basics)
So the default rule that is setup appears the allow anything. Is this a security issue ie could someone via the wan get to my lan interface.
Or am i missing the point, and the fact that the same default rule isnt setup on the WAN means the firewall will do its work?The reason im asking this is i setup the same default rule on an interface that i have plugged my CCTV NVR into, and i was able to see my cctv cameras on my phone via 4g with the wifi off so i hit via the wan interface. What i was confused about was how did this occur when i hadn't setup any port forwarding yet?
Im sorry for the basic questions, i would like to get some initial understanding before i mess about too much.
Trev
-
Rules on an interface allow traffic INTO that interface. That means connections originating INTO that interface.
Connections INTO your firewall from the outside will come INTO the WAN interface. By default, there are no rules on the WAN interface and nothing is passed.
If a user on your LAN interface opens a web browser and opens a web page, that connection will start on the LAN interface. By default, that traffic is passed by the default rules on the LAN interface. If you want to change that, you certainly can.
-
Keep in mind that rules are evaluated in specific order, on your lan or opt interfaces you create as traffic enters into the interface from that network.
Top down, first rule to trigger wins, no other rules are evaluated.
Floating rules can act a bit different, or could be set as quick and floating is looked at before lan and opt, etc. You need to look at https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
But in general wan, lan and any opt/vlans you create top down, first to trigger wins stop looking at rules. If there are no rules on an interface then traffic will be denied by the default deny rule..
Pfsense does some stuff in the background to keep it simple, like if you enable dhcp server then rules are put in to allow for that to happen. Just not shown on the gui, etc.
Out the box unsolicited from the WAN into pfsense would be blocked - period. Anything on your lan would be able to do whatever it wants outbound.. Because of the default any any rule that is placed on the lan interface.
Now keep in mind from the lan you could hit the wan IP.. So you might think for example that pfsense wan is open.. No its not - you came from the LAN, the rules on lan said you could go any any.. So sure you can hit the pfsense wan IP on any port listening.. But if you were coming from the WAN side you would be blocked..
-
Thanks for your help guys. I'm just looking at your example lan and Wi-Fi set up and its given me a good idea. Its a bit of a step up when you've only used the basic home routers.
Trev