Firewall rules and 1:1 NAT
-
I'm setting up a 1:1 NAT (mapping WAN address 74.92.11.134 to LAN address 192.168.10.46).
Three assumptions about the firewall rules that I'd like someone to confirm as correct:
Assumption 1: Unless I add PASS rules, all access is BLOCKED from the WAN to the LAN address
– I need to add ALLOW rules for each protocol/ports that I would like to pass over the 1:1 NAT. For example if I'm running a web server behind the 1:1 NAT I should add a pass rule for TCP/80 and TCP/443.
Assumption 2: The firewall rules should be added to the WAN interface, but use the internal IP addresses
– So in the above example, I should add a rule for PASS on the WAN interface specifying the IP address, so in this case 192.168.10.46.
Assumption 3: I don't need to add any outbound rules.
Really appreciate someone confirming (or correcting) my assumptions.
Thanks!
-
1. Correct
2. Correct
3. Correct, with a comment:
Since there should already be a default LAN rule to allow all, you would need no further rules. But also, since the traffic is initiated from the WAN side, I don't think you need LAN rules for that LAN address anyways. I've never tried, but it would seem to hold true. But without any LAN rule your server device would never be able to initiate traffic on its own.
-
False, False, and True.
There are numerous rules that pfsense sets up automatically, but, in general, you should set up explicit rules to govern it.
The initial configuration which matches the way most home routers work is to have no rules for your WAN interface, and an explicit rule that passes all incoming traffic to the LAN interface. This makes no real use of the firewall's capabilities, other than the various monitoring capabilities.
The recommended configuration is to
1. explicitly pass the traffic that is trusted, and then
2. block everything else.
Initially, you can try this by having all PASS rules on the LAN interface. The last rule is to PASS IPv4+IPv6 traffic for any protocol with logging disabled and a rule label of "Last rule". Above the last rule, you create rules for the trusted traffic. For example, PASS all IPv4+IPv6 TCP/UDP to destination port 53 with a rule label of "IPv4/IPv6 DNS". Make sure you apply the settings after defining the rules. If you get the rules in the wrong order, you can drag them into the correct order and then click the "Save" at the bottom.
Then, take a look at the dynamic matching of your rules. Go to the Diagnostics menu and select pfTop. Change the view from "default" to "label" and you will see all the rules pfsense is currently using. All the user rules have the text "USER_RULE: " added just before the rule label, and sometimes a rule in the pfsense UI will create multiple rules for the firewall. For instance, the final rule as listed above will have two rules for the firewall: one for IPv4 traffic and one for IPv6. If your ISP supports IPv6 (eventually, all will), you may find that some of the outbound traffic is using IPv6. Your goal is to define enough rules to reduce the increase of packets matched to the "Final Rule" to as close to zero as possible. Besides port 53, you will probably want to pass TCP ports 80 and 443, ICMP, and UDP ports 123 and 5353. pfTop should show packets increasing for each new rule you define; if it doesn't, that rule isn't needed.
Take a few days defining rules to pass traffic you expect and therefore trust. If you have a lot of devices or use computers with many network applications, there may be many rules required. Many networked applications just use the basic TCP or UDP ports, but each new application may add to the list. Also, some vendors may say they use a port, but your use of their product may not require that that port be added to the firewall. If the counters don't increase, the port isn't in use currently. Most pfsense systems can handle hundreds of rules with no significant performance issues.
When you have completed sufficient PASS rules for the protocols you trust, change the "Final Rule" to Reject the traffic and log the results. Check if your devices are still working as expected. If not, change the final rule back to "Pass" and then check the Firewall log. The log file is best seen by selecting "System Logs" from the Status menu, and then selecting the "Firewall" tab.
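As an added example (not code from the thread or from pfSense), a small Python script that applies the counter test from the answer above to two `pfctl -vsr` snapshots, the command-line view of the same per-rule counters pfTop shows: it lists labeled rules whose counters never moved and how many packets still fell through to the last rule. The snapshots, their rule labels and the assumed `pfctl -vsr` output layout (rule line, then an indented counter line) are constructed for the example.

```python
import re
# Two constructed `pfctl -vsr` snapshots of the LAN ruleset, taken a few hours apart.
# Each rule line carries its label; the indented line after it carries the counters.
SNAPSHOT_BEFORE = """\
pass in quick on em1 inet proto udp from any to any port = domain keep state label "USER_RULE: IPv4/IPv6 DNS"
  [ Evaluations: 5200      Packets: 910       Bytes: 98000       States: 4     ]
pass in quick on em1 inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: HTTPS"
  [ Evaluations: 4300      Packets: 12000     Bytes: 9100000     States: 15    ]
pass in quick on em1 inet proto udp from any to any port = 5353 keep state label "USER_RULE: mDNS"
  [ Evaluations: 4300      Packets: 0         Bytes: 0           States: 0     ]
pass in on em1 inet all flags S/SA keep state label "USER_RULE: Last rule"
  [ Evaluations: 4300      Packets: 650       Bytes: 70000       States: 7     ]
"""
# Same ruleset later: DNS and HTTPS kept matching, mDNS never did, 150 more packets hit the catch-all.
SNAPSHOT_AFTER = (SNAPSHOT_BEFORE.replace("Packets: 910 ", "Packets: 1450")
                  .replace("Packets: 12000", "Packets: 30500").replace("Packets: 650 ", "Packets: 800 "))

LABEL_RE = re.compile(r'label "([^"]+)"')
PACKETS_RE = re.compile(r"Packets:\s*(\d+)")

def parse_counters(text: str) -> dict[str, int]:
    """Map each rule label to the packets it matched. One pfsense UI rule can become several
    pf rules (an IPv4 and an IPv6 copy, for instance), so counts sharing a label are summed."""
    counters: dict[str, int] = {}
    label = None
    for line in text.splitlines():
        m = LABEL_RE.search(line)
        if m:
            label = m.group(1)
            continue
        m = PACKETS_RE.search(line)
        if m and label is not None:
            counters[label] = counters.get(label, 0) + int(m.group(1))
            label = None
    return counters

def rule_deltas(before: str, after: str) -> dict[str, int]:
    """Packets matched per label between the snapshots. A filter reload (saving rules in the
    UI, for example) resets pf's counters, so take both snapshots between reloads."""
    old, new = parse_counters(before), parse_counters(after)
    return {lbl: new[lbl] - old.get(lbl, 0) for lbl in new}

def unused_rules(before: str, after: str, final_label: str = "USER_RULE: Last rule") -> list[str]:
    """Labels whose counter did not move: by the poster's test, rules that are not needed."""
    return sorted(lbl for lbl, d in rule_deltas(before, after).items() if d == 0 and lbl != final_label)

def final_rule_growth(before: str, after: str, final_label: str = "USER_RULE: Last rule") -> int:
    """Packets that still hit the catch-all; more pass rules are needed until this is near zero."""
    return rule_deltas(before, after).get(final_label, 0)
```

Run it with real snapshots saved from `pfctl -vsr` a few hours apart (between rule saves, since a reload zeroes the counters) and it tells you which labeled rules to drop and whether the last rule is ready to be flipped to Reject.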