Netgate Discussion Forum

    Setting changes for Better Security

    General pfSense Questions
• LANshake

I am looking for recommendations to improve security on my pfSense FW. After the upgrade to 2.3 and a few updates, now would be a good time to review security settings of the Firewall.

My home firewall is currently running pfSense on a dual core atom with WAN and LAN interfaces, connected to broadband internet. Using the default firewall rules. Squid is the one installed package.

After installation, the user name of the admin account and its password were changed. The FW has been kept current with new updates.

• KOM

        If you don't have any port forwards or other NATs going on then you're probably good.  The default WAN rules allow nothing unsolicited in.

• johnpoz (LAYER 8 Global Moderator)

you don't have web gui open to internet, or ssh open to internet?  Yeah out of the box you're pretty freaking secure..  Unless you do something stupid there really shouldn't be any concerns.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

• G.D. Wusser Esq.

            First of all, for better security, consider allowing things explicitly in and out. The default install allows everything out. If you disable that rule, and add rules as needed, that would be an extra step towards better security; though you will see a lot of things stop working at first, and you will need to learn how they communicate to let them through the firewall. You will gain a lot of knowledge in the process.

            Ideally you should have no rules that restrict packets. Only rules that allow things through on as-needed basis.

Second, consider installing either the Snort or Suricata package for intrusion detection and protection. The following thread is a wealth of knowledge on the subject:
            https://forum.pfsense.org/index.php?topic=78062.0

            HTH

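The stock "allow everything out" LAN rule and the explicit-allow replacement described above, written in pf ruleset syntax as an added illustration (not G.D. Wusser's code and not the ruleset pfSense generates from its GUI rules). The interface name em1, the 192.168.1.0/24 network, the single host 192.168.1.50 and the Squid port 3128 are constructed assumptions:

```pf
# Added illustration in pf syntax; pfSense builds its own ruleset from GUI
# rules, so this is not its generated file. Interface and addresses are
# constructed: em1 = LAN, 192.168.1.0/24, firewall LAN address 192.168.1.1.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"

### Stock behaviour: the "Default allow LAN to any" rule
# Anything a LAN host sends is passed, so a compromised host can reach any
# port anywhere and nothing is logged.
pass in quick on $lan_if inet from $lan_net to any keep state

### Hardened alternative: default deny on LAN, explicit allows only
# Logged, so that whatever "stops working at first" shows up in the firewall
# log and can be allowed deliberately instead of guessed at.
block in log on $lan_if all

# Services the firewall itself provides to the LAN (DNS resolver, NTP)
pass in quick on $lan_if inet proto udp from $lan_net to $lan_ip port { 53 123 } keep state
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_ip port 53 keep state

# Web GUI reachable from the LAN only; nothing is opened on WAN
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_ip port 443 keep state

# Browsing goes through the Squid proxy on the firewall (assumed port 3128)
# rather than straight out, so egress is controlled by proxy ACLs
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_ip port 3128 keep state

# Direct HTTPS out only for one host that cannot use the proxy (constructed)
pass in quick on $lan_if inet proto tcp from 192.168.1.50 to any port 443 keep state

# Everything else from the LAN falls through to the block rule and is logged
```

The block rule carries no "quick", and the pass rules do, so a packet that matches no explicit allow ends at the logged block, which is the behaviour the post describes for learning what each application needs.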
• LANshake

              Thanks all for your replies.

              Just using defaults for most settings.
              No open ports or changes to NAT.
              No admin access on WAN side, believe off by default.
              I have seen a few posts on controlling outbound using rules, don't know how helpful others would find it.
Need to try using an IDS/IPS package, did have a simple IPS on an older HW router.

• mer

                As GD mentions, a default deny stance can help you learn quite a lot about traffic on your network, but you must be willing to put in the effort to understand it.  That's what you have on the WAN interface, but the LAN side is the opposite.  For a consumer/home network the pfSense defaults make sense because you wind up with protection against stuff from the outside by default.  For an office/professional network, default deny is better, but then someone is getting paid to put in the effort.

                As pointed out by johnpoz, out of the box, pfSense is pretty secure;  they've put effort into understanding typical usage and tailoring the defaults to that.  Saves the typical user a lot of effort.  As an aside, "default allow vs default deny" is probably the longest running "discussion" in network security, so a bit of Google-time should give you a lot to read.  ::)

                Snort, Suricata and other similar products:  keep in mind that they are typically not just "install, turn on and forget".  They often need a bit of tuning for your specific network usage to avoid false positives.  Again, like the pfSense defaults, their defaults are reasonable, but may not be optimal for you, so be prepared to put in the effort with them.

• kpa

                  Controlling outgoing traffic with just firewall rules is really hard because of the multitude of TCP/UDP ports used for different applications and many of them are not officially allocated. The worst are filesharing applications such as BitTorrent that can use almost any port imaginable. You're much better off using a proxy with whitelist/blacklist techniques if you want to control outbound.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.