Setting changes for Better Security



  • I am looking for recommendations to improve security on my pfSense FW. After the upgrade to 2.3 and a few updates, now would be a good time to review securiy settings of the Firewall.

    My home firewall is currently running pfSense on a dual core atom with WAN and LAN interfaces, connected to broadband internet . Using the default firewall rules. Squid is the one installed package.

    After installation, the user name of the admin account and it's password were changed. The FW has been kept current with new updates.



  • If you don't have any port forwards or other NATs going on then you're probably good.  The default WAN rules allow nothing unsolicited in.


  • Rebel Alliance Global Moderator

    you don't have web gui open to internet, or ssh open to internet?  Yeah out of the box your pretty freaking secure..  Unless you do something stupid there really shouldn't be any concerns.



  • First of all, for better security, consider allowing things explicitly in and out. The default install allows everything out. If you disable that rule, and add rules as needed, that would be an extra step towards better security; though you will see a lot of things stop working at first, and you will need to learn how they communicate to let them through the firewall. You will gain a lot of knowledge in the process.

    Ideally you should have no rules that restrict packets. Only rules that allow things through on as-needed basis.

    Second, consider installing ether Snort or Suricata package for intrusion detection and protection. The following thread is a wealth of knowledge on the subject:
    https://forum.pfsense.org/index.php?topic=78062.0

    HTH



  • Thanks all for your replies.

    Just using defaults for most settings.
    No open ports or changes to NAT.
    No admin access on WAN side, believe off by default.
    I have seen a few posts on controlling outbound using rules, don't know how helpful others would find it.
    Need to try using a IDS/IPS package, did have a simple IPS on an older HW router.



  • As GD mentions, a default deny stance can help you learn quite a lot about traffic on your network, but you must be willing to put in the effort to understand it.  That's what you have on the WAN interface, but the LAN side is the opposite.  For a consumer/home network the pfSense defaults make sense because you wind up with protection against stuff from the outside by default.  For an office/professional network, default deny is better, but then someone is getting paid to put in the effort.

    As pointed out by johnpoz, out of the box, pfSense is pretty secure;  they've put effort into understanding typical usage and tailoring the defaults to that.  Saves the typical user a lot of effort.  As an aside, "default allow vs default deny" is probably the longest running "discussion" in network security, so a bit of Google-time should give you a lot to read.  ::)

    Snort, Suricata and other similar products:  keep in mind that they are typically not just "install, turn on and forget".  They often need a bit of tuning for your specific network usage to avoid false positives.  Again, like the pfSense defaults, their defaults are reasonable, but may not be optimal for you, so be prepared to put in the effort with them.



  • Controlling outgoing traffic with just firewall rules is really hard because of the multitude of TCP/UDP ports used for different applications and many of them are not officially allocated. The worst are filesharing applications such as BitTorrent that can use almost any port imaginable. You're much better off using a proxy with whitelist/blacklist techniques if you want to control outbound.