Security question

  • I don’t have a problem, but I have a question.  I have set up an SG-4860 as a dumb router, turned off packet filtering, DHCP, NAT, DNS and IPv6.  The WAN port is set up with the Comcast Metro-E /30 subnet and the OPT4 port is set up with one of the Comcast “usable block” IP addresses.  This is the default gateway for my firewalls.  Everything works!

    My question is this: I set up the LAN port with a normal non-routable address (10.x.x.x), which I use for management (the WebGUI). The other ports, WAN and OPT4, have “Block private networks and loopback addresses” checked.

    Is this okay from a security standpoint?  I have been leaving the LAN port unplugged, but I would like to just have a management only port to the router.  What do you think?


  • LAYER 8 Global Moderator

    Security standpoint from what view?  Who do you think would be accessing the management GUI?  It's on RFC1918 space, you're not even NATing.  Someone else from your local network?  Why exactly do you unplug it?

  • Rebel Alliance Developer Netgate

    You "turned off packet filtering" so pf isn't loaded, so "block private networks" does nothing. In that state, it cannot block and the GUI and other firewall services which remain enabled are exposed to every connected interface.

    If it's a completely internal box, you may not need filtering, but if that has a connection to the Internet, then it's very insecure.

    What was your specific reasoning for turning off packet filtering?

  • LAYER 8 Global Moderator

    If what you want is a router, you could just turn off NAT.  And leave the firewall rules in place; an any/any rule is pretty much just routing ;)

    Jimp makes a great point: if you turned off the firewall, I'm pretty sure the GUI is open on every interface, your transit network and your routed network in pfSense.  It does not matter what IP address your other interfaces use, i.e. LAN.  Since you have no firewall, I believe the GUI listens on all interfaces.

  • Rebel Alliance Developer Netgate

    pf will cause a significant performance drop vs having it disabled, so if you need high-speed internal routing then you might require pf to be disabled.

    Otherwise, yes, you can either go with a pass all rule (or a more reasonable but permissive ruleset which also blocks access to the firewall itself) or you might even go with rules set for "no state" (with matching outbound quick floating rules) so you don't bother with state tracking when routing.
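
As an added illustration (not from the thread or from pfSense's generated ruleset), here is what a permissive ruleset of that kind looks like in pf.conf terms: stateless pass rules for transit between WAN and OPT4, and access to the router itself allowed only from the management LAN. Interface names, the 10.0.0.0/24 management network and the ports are assumptions; in pfSense these would be entered as GUI rules, with "no state" chosen under the rule's advanced options.

```pf
# Assumed interface names and addresses (not from the thread)
wan_if     = "igb0"          # Comcast Metro-E /30 transit
opt4_if    = "igb4"          # "usable block" address, gateway for the firewalls
lan_if     = "igb1"          # 10.x.x.x management-only port
mgmt_net   = "10.0.0.0/24"
mgmt_ports = "{ 22, 443 }"   # SSH and WebGUI

set skip on lo0
set block-policy drop

# The router's own outbound connections (DNS, NTP, updates) keep state, so
# their replies are matched by the state table before any block rule runs.
pass out quick on { $wan_if $opt4_if } from (self) to any keep state

# Nothing on the routed interfaces may reach the router's own addresses.
# (self) = every address configured on this box, so this covers the
# management address too, regardless of which interface it sits on.
block in quick on { $wan_if $opt4_if } from any to (self)

# Only the management LAN may reach SSH/WebGUI on the router itself.
pass in quick on $lan_if proto tcp from $mgmt_net to (self) port $mgmt_ports \
    flags S/SA keep state
block in quick on $lan_if from any to (self)

# Transit between the two routed interfaces is passed without state
# tracking, so no state entry is created per flow at line rate. Both
# directions and both in/out are needed: stateless rules create no
# return-path entries.
pass in  quick on $wan_if  from any to any no state
pass in  quick on $opt4_if from any to any no state
pass out quick on { $wan_if $opt4_if } from any to any no state

# The management LAN is not a transit path: forward nothing from it.
block in quick on $lan_if from any to any
```

Loading it with `pfctl -nf /path/to/file` checks the syntax without applying it; on pfSense the equivalent rules must be created in the GUI, since the system regenerates its own ruleset.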

  • It sounds like I need to turn packet filtering back on and make some rules.

