Are my firewall rules secure?



  • Hi All,

    Long time lurker but first time poster here. I would like someone's opinion on the firewall config I have on my pfsense. I run a PBX server in my network, so I have ports unblocked for specific sources. Other than that I should not have any inbound access other than my access through VPN from a remote site.

    I have 3 IP ranges: 192.168.29.0 for LAN, 192.168.27.0 for OPT1 Guest and 192.168.25.0 for VPN.
    VPN has tunnel to 192.168.29.0.
    OPT1 should not have any access to LAN, but should have internet access.
    OPT1 should not have any access to management interface (I've not yet figured it out).

    So could someone please see if my firewall settings are secure enough, and how I can block OPT1's access to the pfSense management GUI? If you see the screenshot, the rule I've disabled blocks access to the management GUI, but also blocks their internet.

    Thank you for any advice.


  • Galactic Empire

    You could vastly reduce your rules on the wan interface by creating an alias for the 7 external SIP networks.

    Is OPT1 acting like a DMZ? If it is, you could rename it to DMZ in the interface description.

    Create an alias with all your subnets in and have a couple of rules, an allow -> ! alias rule and a block -> alias rule.

    I also include my WAN address in my alias.

    Also, you break IPv6 by blocking ICMP:

    http://blogs.cisco.com/security/icmp-and-security-in-ipv6




  • Thank you very much!

    1. Sure, I can rename OPT1 to DMZ (but unlike a DMZ in my office which hosts web servers, I do not want any inbound access to DMZ network, just outbound only).

    2. I didn't understand the purpose for having an alias for all my subnets and defining a rule for that. Should those subnets include my LAN, DMZ and VPN ranges?

    3. Why add WAN in alias? What traffic will be self-looping?

    4. If blocking ICMP breaks IPv6, what is another way of blocking ping requests? I see tons of requests from bad bots pinging the network.


  • Galactic Empire

    1. It looked to me like you were using it as a DMZ :)

    2. If you have a rule including all your subnets you can say "allow out anything that isn't local to the device": use the invert match on the destination, basically any subnet or IP you don't want the OPT1 hosts to get to.

    3. You'll be able to hit your WAN interface from the OPT1 lan.

    4. Are you sure you're seeing hits against your IPv6 interfaces? IPv4 I could understand, but the IPv6 address space is huge; I've not seen a single hit, and I allow IPv6 ICMP and log it.
        You could block IPv6 ICMP requests only.


  • Rebel Alliance Global Moderator

    As stated, those rules could be reduced to a handful for your different destination ports, or really just 1. Blocking ICMP isn't required since the default rule would do that out of the box; the same goes for your default rule at the end. So to be honest you could have 2 rules on your WAN: the rule that allows your port forward, and the rule that allows your remote sites OpenVPN access.

    Pretty sure that if you're using IPv6 on your WAN there is a hidden rule that allows ICMP, since, as stated, blocking ICMPv6 will break IPv6.

    What is the point of blocking ICMP on your LAN outbound?? I just don't get the point of that rule at all. Why would you not want a PC to be able to ping, say, www.pfsense.org? Why would you not want to be able to ping the pfSense interface from your own LAN?

    Same goes for your OPT1 interface: why are you blocking ICMP? I can see you blocking access to your LAN, which is fine. Your rules for the DMZ for sure could be locked down more; I too assume that is some sort of DMZ segment. Attached are examples of my DMZ segment rules.

    So I allow anything in the DMZ to ping and ICMPv6; this is a simple check for connectivity, etc.
    I then allow devices in this segment to use the pfSense IP address in the DMZ for DNS.
    I then block any other access to pfSense IPs on any other segments and its WAN, and log such attempts.
    I then, via an alias NOT rule, allow DMZ devices to go anywhere they want on any protocol they want as long as it is not one of my other local segments, either IPv4 or IPv6.
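Added example, not part of the thread: a small first-match evaluator that models the four-rule OPT1/DMZ ruleset described in the last post (and the "allow -> ! alias, block -> alias" pattern from the earlier reply), so you can see which destinations an OPT1 host ends up reaching. The three subnets are the ones from the thread; the WAN address (203.0.113.5), the pfSense address on OPT1 (192.168.27.1), the use of port 53 for the DNS rule, and the rule descriptions are assumptions made for the example. It models only per-interface rule order and pfSense's implicit default deny; it does not model states, floating rules, NAT or IPv6.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses for this example. The three /24s come from the thread;
# the WAN address and the pfSense OPT1 address are assumptions (documentation
# ranges, not real hosts).
LAN = ip_network("192.168.29.0/24")
OPT1 = ip_network("192.168.27.0/24")
VPN = ip_network("192.168.25.0/24")
WAN_ADDR = ip_network("203.0.113.5/32")    # assumed WAN address
OPT1_GW = ip_network("192.168.27.1/32")    # assumed pfSense address on OPT1

# The "alias with all your subnets in", including the WAN address so OPT1 hosts
# cannot reach the firewall's public side either.
LOCAL_NETS = [LAN, OPT1, VPN, WAN_ADDR]


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    proto: Optional[str] = None              # None = any protocol
    dst: Optional[List[IPv4Network]] = None  # None = any destination
    dport: Optional[int] = None              # None = any port
    invert_dst: bool = False                 # pfSense "Invert match" on destination
    log: bool = False
    descr: str = ""


def dst_matches(rule: Rule, dst: IPv4Address) -> bool:
    """Destination test, honouring the invert flag ("NOT alias")."""
    if rule.dst is None:
        return True
    hit = any(dst in net for net in rule.dst)
    return (not hit) if rule.invert_dst else hit


def evaluate(rules: List[Rule], dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule wins. pfSense interface rulesets end in an implicit
    deny, so traffic that matches nothing is blocked."""
    dst_ip = ip_address(dst)
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if not dst_matches(r, dst_ip):
            continue
        return r.action, r.descr
    return "block", "default deny"


# The OPT1/DMZ ruleset in the order described in the last post.
OPT1_RULES = [
    Rule("pass", proto="icmp", descr="allow ping for connectivity checks"),
    Rule("pass", proto="udp", dst=[OPT1_GW], dport=53, descr="DNS to pfSense OPT1 address"),
    Rule("pass", proto="tcp", dst=[OPT1_GW], dport=53, descr="DNS to pfSense OPT1 address"),
    Rule("block", dst=LOCAL_NETS, log=True, descr="block and log other local access"),
    Rule("pass", dst=LOCAL_NETS, invert_dst=True, descr="allow anything NOT local"),
]

# The block rule on its own: with no explicit pass, the implicit deny also
# blocks the Internet, which is the symptom the opening post describes.
BLOCK_ONLY_RULES = OPT1_RULES[3:4]


if __name__ == "__main__":
    cases = [
        ("192.168.27.1", "udp", 53),      # DNS to pfSense on OPT1
        ("192.168.27.1", "tcp", 443),     # management GUI on OPT1 address
        ("192.168.29.10", "tcp", 445),    # LAN host
        ("203.0.113.5", "tcp", 443),      # firewall's WAN address
        ("198.51.100.10", "tcp", 443),    # Internet host
    ]
    for dst, proto, port in cases:
        print(dst, proto, port, "->", evaluate(OPT1_RULES, dst, proto, port))
    print("block rule alone, Internet ->",
          evaluate(BLOCK_ONLY_RULES, "198.51.100.10", "tcp", 443))
```

Note that the block rule in position 4 is what actually stops OPT1 hosts reaching the GUI on 192.168.27.1, the LAN and the WAN address, while the inverted pass rule after it is what keeps their Internet access; removing that pass rule drops Internet traffic to the implicit deny.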