Netgate Discussion Forum

Setting changes for Better Security

General pfSense Questions
7 Posts 6 Posters 1.6k Views
  • L
    LANshake
    last edited by May 31, 2016, 7:38 PM

    I am looking for recommendations to improve security on my pfSense FW. After the upgrade to 2.3 and a few updates, now would be a good time to review security settings of the Firewall.

    My home firewall is currently running pfSense on a dual core atom with WAN and LAN interfaces, connected to broadband internet. Using the default firewall rules. Squid is the one installed package.

    After installation, the user name of the admin account and its password were changed. The FW has been kept current with new updates.

    • K
      KOM
      last edited by May 31, 2016, 8:58 PM

      If you don't have any port forwards or other NATs going on then you're probably good.  The default WAN rules allow nothing unsolicited in.

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by May 31, 2016, 9:20 PM

        you don't have web gui open to internet, or ssh open to internet?  Yeah out of the box you're pretty freaking secure..  Unless you do something stupid there really shouldn't be any concerns.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • G
          G.D. Wusser Esq.
          last edited by May 31, 2016, 9:26 PM

          First of all, for better security, consider allowing things explicitly in and out. The default install allows everything out. If you disable that rule, and add rules as needed, that would be an extra step towards better security; though you will see a lot of things stop working at first, and you will need to learn how they communicate to let them through the firewall. You will gain a lot of knowledge in the process.

          Ideally you should have no rules that restrict packets. Only rules that allow things through on as-needed basis.

          Second, consider installing either the Snort or Suricata package for intrusion detection and protection. The following thread is a wealth of knowledge on the subject:
          https://forum.pfsense.org/index.php?topic=78062.0

          HTH

          • L
            LANshake
            last edited by Jun 1, 2016, 10:42 PM

            Thanks all for your replies.

            Just using defaults for most settings.
            No open ports or changes to NAT.
            No admin access on WAN side, believe off by default.
            I have seen a few posts on controlling outbound using rules, don't know how helpful others would find it.
            Need to try using an IDS/IPS package, did have a simple IPS on an older HW router.

            • M
              mer
              last edited by Jun 2, 2016, 6:54 AM

              As GD mentions, a default deny stance can help you learn quite a lot about traffic on your network, but you must be willing to put in the effort to understand it.  That's what you have on the WAN interface, but the LAN side is the opposite.  For a consumer/home network the pfSense defaults make sense because you wind up with protection against stuff from the outside by default.  For an office/professional network, default deny is better, but then someone is getting paid to put in the effort.

              As pointed out by johnpoz, out of the box, pfSense is pretty secure;  they've put effort into understanding typical usage and tailoring the defaults to that.  Saves the typical user a lot of effort.  As an aside, "default allow vs default deny" is probably the longest running "discussion" in network security, so a bit of Google-time should give you a lot to read.  ::)

              Snort, Suricata and other similar products:  keep in mind that they are typically not just "install, turn on and forget".  They often need a bit of tuning for your specific network usage to avoid false positives.  Again, like the pfSense defaults, their defaults are reasonable, but may not be optimal for you, so be prepared to put in the effort with them.

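The two rule stances discussed in G.D. Wusser's and mer's posts (the stock "WAN passes nothing unsolicited, LAN passes everything out" defaults versus an explicit allow list on LAN) can be made concrete with a small rule evaluator. The code below is an added illustration written for this page, not pfSense code or anything posted in the thread. It assumes a LAN subnet of 192.168.1.0/24, a firewall LAN address of 192.168.1.1 acting as the DNS resolver, first-match-wins evaluation (pfSense GUI rules are added with `quick`), and a handful of constructed connection attempts using RFC 5737 documentation addresses for the outside world. Running it shows what keeps working, what silently breaks (a client pointed at an external DNS server), and that unsolicited WAN traffic is dropped under both stances.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as the firewall sees it (constructed sample data)."""
    iface: str    # interface the first packet arrives on: "wan" or "lan"
    proto: str    # "tcp" or "udp"
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One pass/block rule; None in a field means 'match anything'."""
    action: str                          # "pass" or "block"
    iface: str
    proto: Optional[str] = None
    src_net: Optional[str] = None        # CIDR, e.g. "192.168.1.0/24"
    dst_net: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None
    note: str = ""


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.iface == flow.iface
            and (rule.proto is None or rule.proto == flow.proto)
            and _in_net(flow.src, rule.src_net)
            and _in_net(flow.dst, rule.dst_net)
            and (rule.dports is None or flow.dport in rule.dports))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; a flow that matches no rule is blocked (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.note
    return "block", "implicit default deny (no rule matched)"


LAN_NET = "192.168.1.0/24"        # assumed LAN subnet
FIREWALL_LAN_IP = "192.168.1.1"   # assumed LAN address of the firewall (DNS resolver)

# Approximation of the stock install: no pass rules on WAN, "allow LAN net to any" on LAN.
DEFAULT_RULES: List[Rule] = [
    Rule("pass", "lan", src_net=LAN_NET, note="Default allow LAN to any rule"),
]

# Explicit-allow alternative: each needed service named, everything else blocked and logged.
ALLOWLIST_RULES: List[Rule] = [
    Rule("pass", "lan", "udp", LAN_NET, FIREWALL_LAN_IP + "/32", frozenset({53}), "DNS to the firewall resolver"),
    Rule("pass", "lan", "udp", LAN_NET, None, frozenset({123}), "NTP"),
    Rule("pass", "lan", "tcp", LAN_NET, None, frozenset({80, 443}), "HTTP/HTTPS"),
    Rule("block", "lan", src_net=LAN_NET, note="explicit catch-all block (log this to learn what breaks)"),
]

# Constructed flows; 203.0.113.0/24 and 198.51.100.0/24 stand in for internet hosts.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "lan_https":        Flow("lan", "tcp", "192.168.1.50", "203.0.113.10", 443),
    "lan_dns_local":    Flow("lan", "udp", "192.168.1.50", "192.168.1.1", 53),
    "lan_dns_external": Flow("lan", "udp", "192.168.1.50", "203.0.113.53", 53),
    "lan_bittorrent":   Flow("lan", "tcp", "192.168.1.50", "198.51.100.9", 6881),
    "wan_unsolicited":  Flow("wan", "tcp", "198.51.100.7", "203.0.113.1", 22),
}


def compare(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, Dict[str, str]]:
    """Verdict of each rule set per flow: {name: {"default": ..., "allowlist": ...}}."""
    return {name: {"default": evaluate(DEFAULT_RULES, f)[0],
                   "allowlist": evaluate(ALLOWLIST_RULES, f)[0]}
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:18s} default={verdict['default']:5s} allowlist={verdict['allowlist']}")
```

The `lan_dns_external` row is the kind of breakage G.D. Wusser warns about: a host configured to use a public resolver stops resolving names the moment the catch-all block goes in, and only the log from that block rule tells you why. The explicit trailing block rule exists precisely so those hits are logged; the implicit deny at the end of `evaluate` drops silently.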
              • K
                kpa
                last edited by Jun 2, 2016, 8:50 AM

                Controlling outgoing traffic with just firewall rules is really hard because of the multitude of TCP/UDP ports used for different applications and many of them are not officially allocated. The worst are filesharing applications such as BitTorrent that can use almost any port imaginable. You're much better off using a proxy with whitelist/blacklist techniques if you want to control outbound.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.