Understanding pfSense Firewall



  • Hi *

    I am trying to understand the concept of the pfSense firewall. Installation of the software was straightforward and I have created all required networks and finished the base configuration.

    Now I want to set up firewall rules, but even with no rules (except the anti-lockout rule) I can reach the internet. However, I am expecting a firewall with no rules to have no possibility to talk to any network device. Is there no default deny all rule? Do I have to manually secure the system before I can actually define the rules I need?

    /ni



  • pfSense comes by default with an allow-all rule on the LAN interface for outbound connections and no rules on the WAN interface, which blocks anybody from getting inside unsolicited.

    By default any solicited connection from your LAN will allow the response from the destination. So from a security standpoint, if you can trust your LAN users, you're fine.

    Yes, you can tighten the LAN rules down to block certain services, but you might want to hang around and do some serious reading before you start.  :)



  • @nischl:

    Is there no default deny all rule? Do I have to manually secure the system before I can actually define the rules I need?

    You have that backwards. Rules first, then the default deny rule.
    You had better know all your needed connections for firewall access before making that default deny all rule at the bottom.
    Sorry, where are my manners. Welcome to the default deny club; I think with you here we make 4 or 5 of us. :o
    Default deny is contrary to most firewalls.
    As chpalmer pointed out for you, pfSense is allow all out at start and deny any in without your LAN machines starting the handshake.
    Most everyone here makes rules to block; in default deny your rules are to allow traffic out. Not too bad if you know what is on your network and know it well. The smaller the network, the easier it could be. For the average user this is considered a pain in the a&&.
    Good luck. Default deny will force you to know your network.  ;)



  • Well, I did delete the default LAN rule; however, I can still use the internet from the pfSense box. So even with no rule except the anti-lockout, there is no global deny all in place.

    The reason to use pfSense in the first place is to limit outbound traffic, as inbound traffic is filtered by the router I have from the telco company.



  • You pretty much need a proxy such as squid for effective outbound filtering; firewall rules don't really cut it for outbound filtering unless it's a very simple setup that allows only http/https/ftp and doesn't allow any deviation from the standard ports.



  • @kpa:

    You pretty much need a proxy such as squid for effective outbound filtering; firewall rules don't really cut it for outbound filtering unless it's a very simple setup that allows only http/https/ftp and doesn't allow any deviation from the standard ports.

    Agreed. Keep it simple, stupid. My personal favorite. I block ftp also. I run about 15 rules and that includes two default deny rules.
    One for LAN and the other for everything else. Ports are locked down also on the firewall and all Linux boxes with ufw.


  • "Well, I did delete the default LAN rule; however, I can still use the internet from the pfSense box."

    You removed the allow rule on the LAN; pfSense is not on the LAN ;)  No, there is no default "block pfSense from using the internet" rule. It would be freaking hard for your firewall to check for updates, do DNS queries for your clients, etc.  That would make pfSense even more impossible for the new user to set up. They already have problems and it's pretty much click and go, everything works out of the box.



  • @johnpoz:

    "Well, I did delete the default LAN rule; however, I can still use the internet from the pfSense box."

    You removed the allow rule on the LAN; pfSense is not on the LAN ;)  No, there is no default "block pfSense from using the internet" rule. It would be freaking hard for your firewall to check for updates, do DNS queries for your clients, etc.  That would make pfSense even more impossible for the new user to set up. They already have problems and it's pretty much click and go, everything works out of the box.

    Yep! Default deny out of the box, what a mess it would be here. Everyone trying to hack into their own firewall. lol. Too funny. ;D ;D



  • @nischl:

    The reason to use pfSense in the first place is to limit outbound traffic, as inbound traffic is filtered by the router I have from the telco company.

    I personally do not trust telco equipment for a number of reasons. The link below is just one of them.
    https://www.youtube.com/watch?v=rz0SNEFZ8h0
    pfSense is a good security measure behind any telco box, especially for inbound. For outbound, just block what you want and go from there. Default deny is not for everyone. Your choice.



  • Thanks for enlightening me.

    The "allow pfSense box to any" rule: is this hardcoded, or is it a kind of hidden rule I can make visible and change as needed?

    @webtyro: I don't trust them either; however, I plan to use the subnet from the telco box to the pfSense box as a DMZ.

    For outbound filtering I will have a look at proxy possibilities.

    /ni



  • @nischl:

    The "allow pfSense box to any" rule: is this hardcoded, or is it a kind of hidden rule I can make visible and change as needed?

    ??? pfSense is a stateful firewall.
    Your machine sends a request to another machine outside your network. The firewall creates an entry in the state table. Moments later an outside machine sends packets at your firewall. The firewall checks the state table and if that machine is indeed listed in there, it can pass; if not listed, it is blocked. Thus it keeps state.
    There is no "pfSense to any" rule. It's just baked into the cake, as in by design.
    You're going to have to trust the developers know what they are doing... I do. :o
    The firewall is an edge device, neither LAN nor WAN. It is creating a LAN.
    Egress filtering (LAN to WAN): there are two choices.
    The firewall reads rules from top to bottom.
    Default allow (for ease of use): permit LAN to any rule on the bottom with your block rules above.
    Default deny (admin attention to detail): block everything rule on the bottom with allow rules above.
    Capiche! ;)
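A small model, added here and not part of the thread or of pfSense itself, of what the post above (and chpalmer's earlier reply) describes: rules read top to bottom with first match deciding, a state table that lets replies back in with no WAN rule at all, and the default-allow versus default-deny LAN rulesets. The `Packet`, `Rule` and `Firewall` names and all addresses are constructed for the example; real pf state tracking (TCP flags, timeouts) is omitted.

```python
from collections import namedtuple

# A packet as seen by the filter: arriving interface, protocol, 5-tuple fields.
Packet = namedtuple("Packet", "iface proto src sport dst dport")
# A rule: interface it is bound to, pass/block, optional protocol and dest port.
Rule = namedtuple("Rule", "iface action proto dport", defaults=("any", None))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # state table entries: (proto, src, sport, dst, dport)

    def filter(self, pkt):
        # A reply to a connection already in the state table passes before
        # any rule is consulted; this is what "stateful" means here.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass (state)"
        # Rules are read top to bottom; the first match on this interface decides.
        for r in self.rules:
            if r.iface != pkt.iface or r.proto not in ("any", pkt.proto):
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            if r.action == "pass":   # a passed packet creates state for its replies
                self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return r.action
        return "block (default)"  # unmatched traffic is dropped

# Out-of-the-box model: allow-all on LAN, nothing on WAN.
DEFAULT_ALLOW = [Rule("lan", "pass")]
# Default-deny model: needed allows above, block-everything rule at the bottom.
DEFAULT_DENY = [Rule("lan", "pass", "udp", 53), Rule("lan", "pass", "tcp", 443),
                Rule("lan", "block")]

def demo(rules):
    """Run four constructed packets through a ruleset; addresses are made up."""
    fw = Firewall(rules)
    client, dns = "192.168.1.10", "203.0.113.53"
    pkts = [
        Packet("lan", "udp", client, 40000, dns, 53),            # LAN -> DNS query
        Packet("wan", "udp", dns, 53, client, 40000),            # reply to that query
        Packet("wan", "tcp", "198.51.100.7", 5555, client, 22),  # unsolicited inbound
        Packet("lan", "tcp", client, 40001, "203.0.113.25", 25), # LAN -> SMTP
    ]
    return [fw.filter(p) for p in pkts]

if __name__ == "__main__":
    print("default allow:", demo(DEFAULT_ALLOW))
    print("default deny: ", demo(DEFAULT_DENY))
```

In both rulesets the DNS reply passes on state alone and the unsolicited inbound packet is dropped; only the outbound SMTP attempt differs, which is exactly the choice between the two egress models.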



  • Looks like I found it by myself.

    You have to create a floating rule; this is the only type of rule that allows the pfSense box itself.