New User to pfSense - some doubts
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
Connections do not "slip" through a firewall, they are either allowed or not allowed.. If traffic was allowed, then your rules allowed it.. While the countries listing are pretty good - if you think the pfblocker list of countries is 100% accurate then your kidding yourself. There is no list that is going to be 100%... IP ranges get transferred all the time for starters. A netblock might be registered to company X in country Y, but being used in country Z etc..
We are in the process of transferring some IPs to another company in the EU, ie moving from arin to ripe.. How long do you think it will take for these "lists" to get updated, if they ever do? And when the listings do get updated - this new company we transferred to might be using the IPs in APAC, and not the EU, etc.
Are you logging all traffic that is allowed via your rules? Had your logged rolled over in pfsense, it only shows in the gui last X number of entries, you can adjust.. But again not going to be complete logs and depending on how much your logging can roll over.. You would have to look in the actual logs vs the gui.. Better yet your logs should be sent to your logging server.
But if pfsense allowed it, and you have set it to log - then it would log.
Thanks. Agreed. As mentioned several times above, I realize it's more likely a short-coming with the lists rather than the firewall.
I think your point about sending the logs to a logging server is a good one. I need to see all the logs sometimes, not just the last 50 entries.
Not wanting to invest in any more WG (or other) firewall appliances and so REALLY hoping I can adapt to pfSense. (My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise., and the price will be up there. (Happens all the time)
Thanks again
-
@HansSolo said in New User to pfSense - some doubts:
(My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise
Dude if your here to troll this FUD... This has be asked an answered many many times all over the freaking internet... Free version of pfsense isn't going anywhere..
-
If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....
I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.
Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.
Steve
-
@stephenw10 said in New User to pfSense - some doubts:
If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....
I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.
Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.
Steve
Steve,
I didn't create those rules.
They were AutoGenerated BY pfSenseBlockerNGThis rule does not give you the option to change the ports.
I do sincerely hope they are not creating rules that compromise security.
Like I said above, isn't there some kind of proxying going on here?If you look at the rules, they do not point to an IP address, alias or any location for that matter.
They simply point to the blocking file configuration itself.Can you let me know if you STILL believe these rules are in error?
Thanks -
@HansSolo said in New User to pfSense - some doubts:
Can you let me know if you STILL believe these rules are in error?
An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..
-
For anyone who comes to this thread later......
At least in pfsense 2.4.4, here is how you can look at your pfSenseBlockerNG files and see ALL the IP addresses in any given file....
In the WebConfiguration console, go to --> DIAGNOSTICS --> EDIT FILES
There you get a graphical Directory listing of the entire PfSense system (it's a Linux system)
The pfb_NAmerica file for example is located here.....(click on it and it will open in a text editor)
/var/db/pfblockerng/original/pfB_NAmerica_v4.orig
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
Can you let me know if you STILL believe these rules are in error?
An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..
I agree....
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
Because once again, what you see in the diagram above is created during the install of pfsenseblockNG and I did not configure those rules.
-
Yes, you should change those rules.
As I said, if I were doing it I would set pfBlocker to create aliases only, not add rules. Then add the rules I need separately using those aliases.
pfBlocker only does what you configure it to do and looks like you configured it so add inbound pass rules. That is almost certainly not what you wanted. At least not without a destination/port.
Steve
-
@HansSolo said in New User to pfSense - some doubts:
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!
-
There seems to be some confusion floating here, so I'm posting a screen shot of the rule that everal keep saying I need to change.
Here is the configuration for the rule in question for pfSenseBlockerNG.
As you can see, it is not like a regular rule configuration screen and does not allow for the changes being suggested.....
There is nowhere to change PORTS....and the destination could be changed to the IP of the server but I get an error when I make that change. -
There is no ports option as you have Protocol set to Any, that needs to be set to TCP/UDP or one of them to see ports. For example ESP, ICMP and AH protocols do not have ports.
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!
Really ????
I didn't create those rules. Honest.
I wonder if it's because our configurations are different? Are you running a server behind your pfSense?
What version pfsense are you running? -
@conor said in New User to pfSense - some doubts:
There is no ports option as you have Protocol set to Any, that needs to be set to TCP/UDP or one of them to see ports. For example ESP, ICMP and AH protocols do not have ports.
Ah!
ok.It's a mystery then why those rules were created like that?
I DID NOT create those rules and thought they were just part of the pfSenseBlockerNG setup.
Good thing my server is still behind my WG Firebox at the moment and not the pfSense firewall.
-
@HansSolo said in New User to pfSense - some doubts:
I wonder if it's because our configurations are different? Are you running a server behind your pfSense?
What version pfsense are you running?Yes I have ports forwarded, I run ntp server to the world via ntp pool.. I have friends and family access to my plex server.
As to what version of pfsense I run - its in my signature.. And yes I would be running current, as any sane person should be.
That you think an any any rule is ok on your wan - even IF some tool created it.. Is just beyond nuts...
-
They are created by pfBlocker but only because of how it's configured.
pfBlocker can create firewall rules but does not have to. It depends what you have set the list action to.
Typically it is set to add block rules to prevent LAN side clients reaching out to, for example, known malware sites.
However I recommend setting the list action to Native Alias only and then using those aliases in rules you add yourself.
Also worth noting the pfBlocker setup wizard is only in the dev version I believe.
Steve
-
While the wizard might be only in dev... The older version doesn't create rules like that without being told to do it..
You don't install any version of pfblocker and next thing without doing anything have any any rules on your wan... That would be insane!!
-
@johnpoz said in New User to pfSense - some doubts:
While the wizard might be only in dev... The older version doesn't create rules like that without being told to do it..
You don't install any version of pfblocker and next thing without doing anything have any any rules on your wan... That would be insane!!
ok ok...I'm probably not insane (or nuts). and no, I do not think ANY rule is "ok". Not sure where you assumed that. Just not familiar with pfsense and pfSenseBlockerNG. Day 3 with pfSense so I can't possibly know everything about how it and the blocker works under the hood. I thought it was some kind of fancy proxying of the lists and DNS manipulation.
I did check with my cell phone and no access was granted to any unauthorized part of the network so no harm done.
-
@HansSolo said in New User to pfSense - some doubts:
I do not think ANY rule is "ok". Not sure where you assumed that
Because you had them on your wan ;) And then asked if they were ok...
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
I do not think ANY rule is "ok". Not sure where you assumed that
Because you had them on your wan ;) And then asked if they were ok...
Well think about it.....
If I was "insane" or "nuts", I probably wouldn't have even asked.Let's not beat up the noobs just because they are not totally familiar with pfsense yet and don't know right off the bat if automated configurations that they didn't put there are legit or not (even if they look odd)
Thanks for all the great advice everyone !
-
Where exactly are you seeing that rule that doesn't allow you dest port in it.. What version of pfblocker are you running the older or dev version?
-
@johnpoz said in New User to pfSense - some doubts:
Where exactly are you seeing that rule that doesn't allow you dest port in it.. What version of pfblocker are you running the older or dev version?
by the time I reply, you will probably have discovered that that was answered above
as for the pfBlocker version.....3 days in, so I downloaded it probably yesterday. latest, I assume ?
Let me check and see if I can find that version.....
-
@HansSolo said in New User to pfSense - some doubts:
pfSenseBlockerNG
what version does it say.. that tells me not the old one... But maybe you have not updated your packages? Can not tell if you mean non dev or dev version.
its listed right in your package manager
example
pfBlockerNG-devel 2.2.5_22there should be really screaming red flags on the pfblocker gui that its going to create an any any rule.. If that is what its doing.
Where exactly did you go in pfblocker to create said rule.
Paging @BBcan177 if pfblocker creates any any rules on the wan without huge warnings to the user.. That really should be changed..
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
pfSenseBlockerNG
what version does it say.. that tells me not the old one... But maybe you have not updated your packages? Can not tell if you mean non dev or dev version.
its listed right in your package manager
example
pfBlockerNG-devel 2.2.5_22there should be really screaming red flags on the pfblocker gui that its going to create an any any rule.. If that is what its doing.
Where exactly did you go in pfblocker to create said rule.
Paging @BBcan177 if pfblocker creates any any rules on the wan without huge warnings to the user.. That really should be changed..
pfBlockerNG net 2.1.4_16
Agreed. Unless......that rule doesn't actually give said access.
Let's hope the developer will reply regardless of the outcome.I KNOW I didn't create those rules intentionally.....but maybe they got created some how that I'm not aware of other than by pfBlockerNG ?
My gut feeling is that they were created intentionally and do not allow the access it appears.
That said...I've changed them all as suggested.....to be safe. (And I have not yet reconnected pfsense, still using WG)And as mentioned, I DID CHECK WITH MY CELL PHONE and was not able to find any compromised connections.
-
@HansSolo said in New User to pfSense - some doubts:
Agreed. Unless......that rule doesn't actually give said access.
It DOES!! since its a rule on your WAN...
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
Agreed. Unless......that rule doesn't actually give said access.
It DOES!! since its a rule on your WAN...
But in the source it lists a pfBlockerNG file, NOT a network location. What do you interpret that to mean?
OTOH...I can't speak for anyone else, but there's so much information to absorb in such a short time, brain farts do occur.
And it's possible I experienced a real winner. -
Doesn't matter if it only allows source IPs.. it is allowing to ANY ANY as dest.. So if user had a port forward to say 443 behind pfsense.. And it created a any any rule above that even if locked down to only NA... It now allows access to pfsense web gui and anything else that listens on pfsense wan, say dns, etc. etc.
Which is BAD!!! I just installed that version, enabled it and did an update.. No rules on the WAN, only the rule on my lan blocking outbound access to stuff.
-
@johnpoz said in New User to pfSense - some doubts:
Doesn't matter if it only allows source IPs.. it is allowing to ANY ANY as dest.. So if user had a port forward to say 443 behind pfsense.. And it created a any any rule above that even if locked down to only NA... It now allows access to pfsense web gui and anything else that listens on pfsense wan, say dns, etc. etc.
Which is BAD!!! I just installed that version, enabled it and did an update.. No rules on the WAN, only the rule on my lan blocking outbound access to stuff.
Ok.
Then I have no clue how that rule got there and where it came from.
I may have to chalk it up to trying to learn too much too fast over the last 3 days. -
pfBlocker just by itself can be pretty confusing IMO. There's a LOT there to take it.
I like to have full control of what rules are where which is why I recommend the Native Aliases approach. It's easier to understand the resulting ruleset when you have added everything yourself.
pfSense is guilty of that in other areas, you have to add firewall rules to allow OpenVPN traffic but IPSec traffic is passed by default by rules added automatically. You can disable that at least. If we changed that now it would break hundreds of thousands of VPNs though!
Steve
-
So I see this warning
Also consider protecting just the specific open WAN ports and it's just as important to protect the outbound LAN traffic.
And if you open the advanced, you can limit to specific ports..
But yeah if just set to inbound us, it creates this rule
===[ Aliastables / Rules ]================================ Firewall rule changes found, applying Filter Reload
Yeah this is a HORRIBLE implementation... Just freaking HORRIBLE!!
That should be limited to wan address on specific PORTS, unless the user changes it... Then that would be on them.. But I can see how new users might just open wide their wan... Arrrgghhh!!
Or anything behind pfsense if they had a routed netblock, etc. etc.
paging @BBcan177 again, I don't see how such a thing would be ok... Ultimately its on the admin of the firewall to understand what they are doing, and what is set... But pfsense does try and keep the users from shooting themselves in the foot.. This is not doing that at all..
-
@johnpoz said in New User to pfSense - some doubts:
So I see this warning
Also consider protecting just the specific open WAN ports and it's just as important to protect the outbound LAN traffic.
And if you open the advanced, you can limit to specific ports..
But yeah if just set to inbound us, it creates this rule
===[ Aliastables / Rules ]================================ Firewall rule changes found, applying Filter Reload
Yeah this is a HORRIBLE implementation... Just freaking HORRIBLE!!
That should be limited to wan address on specific PORTS, unless the user changes it... Then that would be on them.. But I can see how new users might just open wide their wan... Arrrgghhh!!
So I'm not nuts or insane?......
I gave the system the benefit of the doubt that it was performing some kind of "magic" on the back end.Then checked to see if my system was compromised in any way from outside my network and couldn't find any compromises or openings etc. I agree those settings could be dangerous but again, it didn't seem to allow the access it appears it would. maybe because of redundant filters I had setup on the Opt1 and LAN interfaces.
I ALSO changed the port on which the WebConfigurator resides early on. I didn't like it on port 80 at all.
-
In the past when I had played with this, I had always just used the aliases in my own rules.. This really needs to be changed to force the user to easy select their wan address as destination or the any, vs forcing them to use an alias. And it should WARN them about ANY as destination especially above all other rules on the wan,
-
@johnpoz said in New User to pfSense - some doubts:
In the past when I had played with this, I had always just used the aliases in my own rules.. This really needs to be changed to force the user to easy select their wan address as destination or the any, vs forcing them to use an alias. And it should WAN them about ANY as destination especially above all other rules on the wan,
Totally agree.
But would still like to hear from the developer to make sure there is no "back end" magic going on here.Seems to write something like this they would know better, right?
-
also, Jon....this is probably a totally different topic but....
You said you have no WAN rules, only outgoing LAN rules.....correct?If you have no WAN rules, then everything inbound at least (probably outbound as well) "should" be blocked by default, right? WAN is your "gateway" to external ie the Internet.
So how then does anyone get to your server?
Only way a server is available to the public that I know of is specific WAN rules that allow traffic inbound.Such as ALLOW from * * TO 'server address' 'server port'
And most often, it involves Natting from your Public IP address to the server's IP (which is usually Opt1)
Just curious. Always ready and eager to learn something new.
-
Yes, that's true. Without any pass rules on WAN no external clients can open a connection to a server behind the firewall.
However traffic from LAN side client can still open outbound connections as long as there are pass rules on LAN to allow it in.
Sorry, initially I though that was what you were trying to do. It's a common misconception to put pass rules on WAN to allow traffic out.
Technically the pf packet filter that pfSense is built on can filter traffic in both directions on all interfaces. pfSense configures it to allow traffic out on all interfaces by default and filter traffic in according to the user rules.
The only exception to that are rules on the floating tab that can be applied outbound. But don't worry about that until you're familiar with the normal rules.Steve
-
@HansSolo said in New User to pfSense - some doubts:
You said you have no WAN rules, only outgoing LAN rules.....correct?
I guess I can answer that one on behalf of @johnpoz (as he said so above) :
He has some pass firewall rules on his WAN interface, created when building the a NAT rules.
An incoming UDP port 123 directed to his NTP server.
An incoming TCP port 80/443 directed to his Plex server.
Probably a VPN UDP port too. -
How do you have your port forwards configured? Specifically "Filter rule association" ??
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!
pfBlockerNG 2.1.4_16 here.. Yep- no wizard on NG.
It does not do any good to modify those rules because an update will rewrite them back to the way they were.. -
@chpalmer said in New User to pfSense - some doubts:
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!
pfBlockerNG 2.1.4_16 here.. Yep- no wizard on NG.
It does not do any good to modify those rules because an update will rewrite them back to the way they were..Whoa!
I just ran into this on my pfSense machine.
I had changed ALL those rules and then a bit later when I went back it had reset them ALL to ANY ANY.Anyone know what's going on? Is it SUPPOSED to re-write them back to ANY ANY ????
-
That's what pfBlocker does, it creates and maintains those rules. But you can set what port and destination it uses:
Or you can set the list action to alias only and then add the rules manually. Which is what I would do.
Steve
-
@HansSolo said in New User to pfSense - some doubts:
You said you have no WAN rules, only outgoing LAN rules.....correct?
What I meant is pfblocker didn't create any wan rules... Only a lan rule filtering traffic to ad sites, etc.
I do have multiple inbound wan rules that "I" created..