Default DNSBL Firewall Rule Potentially Opening Security Holes, Please Fix!
-
I'd like to point out a large security concern I just noticed regarding the DNSBL default VIP behavior. This is regarding the option to set a default firewall rule to permit traffic on the floating tab. I have no idea why the default rule permits ALL traffic rather than just the two ports needed, 8081/8443 (if unchanged from default), but this default behavior completely bypasses all the hardened egress filtering rules I have in place on most of my VLANs, especially for the guest VLANs in a hotel environment. I only noticed this because the DNSBL wasn't working on one of my deployed boxes and I saw the default rule it had created in front of all my other rules. I suggest anyone else using DNSBL verify this in their own environment with a port scan and update the rule to only permit the TCP/UDP ports needed.
Please modify this default behavior to only permit the ports necessary for your package to work as it's easy to overlook this if you aren't paying close attention.
*This really applies to all package developers. In a perfect world it would be great if pfSense could automatically check whether open ports were accessible from any untrusted/specified VLANs and alert you if you weren't aware of it.
EDIT: I just wanted to give thanks to BBcan177 for both pfBlockerNG and DNSBL as they have been among the best tools I've used alongside my pfSense deployments. I really do appreciate the hard work and continuous effort in providing this for the community!
-
I have already port scanned my machine and it hasn't had unintended consequences, but I agree with you that rules should only be set to allow the minimum possible.
Contact bbcan177; he is a good guy and will, I expect, make a change.
-
If you have other restrictive rules in front of the default DNSBL VIP permit rule (in the floating tab), then you may not have a problem. However, if you add pfBlockerNG to a system that's already configured/hardened and use the option to add a floating rule, it gets put in front of all other rules by default, permitting all traffic to the local firewall via the VIP (10.10.10.1).
Glad to hear you weren't affected though. ;)
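The rule-ordering problem described in the first post and in the reply above, worked through as an added example that is not part of this thread or of pfBlockerNG. It is a small model of first-match rule evaluation in which floating rules are checked before per-interface rules, which is the behavior the posts describe. The DNSBL VIP 10.10.10.1 and the ports 8081/8443 come from the thread; the guest subnet 10.20.0.0/24, the sample host, the rule names and the "block guests from all private space" hardening rule are assumptions made for the illustration, and the DNSBL ports are modeled as TCP only.

```python
"""Model of how a permit-all floating rule for the DNSBL VIP bypasses
hardened per-interface rules, and how a port-restricted rule does not.

This is an illustrative model only, not pfSense's or pfBlockerNG's code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "pass" or "block"
    src: str                              # source network, CIDR ("0.0.0.0/0" = any)
    dst: str                              # destination network, CIDR
    proto: str = "any"                    # "tcp", "udp" or "any"
    ports: FrozenSet[int] = frozenset()   # destination ports; empty = any port
    floating: bool = False                # floating rules are evaluated first

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def evaluate(rules: Sequence[Rule], src: str, dst: str,
             proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation: floating rules in order, then interface rules
    in order, then an implicit default deny. Returns (action, rule name)."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    for rule in ordered:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name
    return "block", "default-deny"


def exposed_ports(rules: Sequence[Rule], src: str, dst: str,
                  proto: str, candidates: Iterable[int]) -> List[int]:
    """What a port scan from `src` against `dst` would find open through
    the rule set (a model of the check suggested in the first post)."""
    return sorted(p for p in candidates
                  if evaluate(rules, src, dst, proto, p)[0] == "pass")


# Values from the thread.
DNSBL_VIP = "10.10.10.1"
DNSBL_PORTS = frozenset({8081, 8443})

# Assumed guest VLAN for the illustration.
GUEST_NET = "10.20.0.0/24"
GUEST_HOST = "10.20.0.50"

# Assumed hardened interface rules: guests may not reach anything in private
# space (which includes the firewall's own addresses), but may reach the Internet.
GUEST_RULES = [
    Rule("guest-block-private", "block", GUEST_NET, "10.0.0.0/8"),
    Rule("guest-allow-internet", "pass", GUEST_NET, "0.0.0.0/0"),
]

# The rule as described in the thread: any source, any protocol, any port to the VIP.
SHIPPED_FLOATING = Rule("dnsbl-vip-permit-all", "pass", "0.0.0.0/0",
                        DNSBL_VIP + "/32", floating=True)

# The rule the first post asks for: only the DNSBL web ports (modeled as TCP).
RESTRICTED_FLOATING = Rule("dnsbl-vip-permit-web", "pass", "0.0.0.0/0",
                           DNSBL_VIP + "/32", proto="tcp", ports=DNSBL_PORTS,
                           floating=True)

SHIPPED = [SHIPPED_FLOATING] + GUEST_RULES
HARDENED = [RESTRICTED_FLOATING] + GUEST_RULES

SCAN_PORTS = [22, 53, 80, 443, 8081, 8443]


if __name__ == "__main__":
    for label, rules in (("shipped", SHIPPED), ("restricted", HARDENED)):
        print(label, "- ports reachable from guest on the VIP:",
              exposed_ports(rules, GUEST_HOST, DNSBL_VIP, "tcp", SCAN_PORTS))
        print(label, "- guest -> VIP:443:",
              evaluate(rules, GUEST_HOST, DNSBL_VIP, "tcp", 443))
```

With the shipped rule every scanned port on the VIP answers to the guest host because the floating rule wins before the guest block rule is ever consulted; with the restricted rule only 8081 and 8443 pass and everything else falls through to the hardened deny, while guest Internet access is unaffected.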
-
Well yes, in my case everyone on my LAN can access the pfSense unit; at this time I have no guest network or similar setup. The IP is not an internet-routable address either.
However, of course, if I decide to make a subnet for guests then this rule could be a problem, as I would not want to allow that subnet access to the pfSense interface.
-
That is an optional rule.
A permit firewall rule can be manually created to suit your network requirements…
I will try to improve this in the next release ...