How to change default rules
I want to change the pfSense default rules but I couldn't find a way to do it properly.
I can see the rules with pfctl -sa
I googled a bit and found that pf should have its rules in /etc/pf.conf, however, this file is not here and that is stated in /etc/pfSense.obsoletedfiles also.
Unfortunately, pfSense.obsoletedfiles did not contain any information on how these files are replaced by pfSense.
So how can I change the information that defines the default firewall rules in pfSense?
What default rule are you wanting to change?
Default rules are in /etc/inc/filter.inc and you'd better not mess with that without understanding what's going on.
If you want to change the default deny log to default deny don't log, just add a rule at the bottom.
Setting the default rules not to log is the only thing I can imagine anyone wanting to do; it can also be done under Status -> System Logs -> Settings.
Don't mess with the default rules :)
If you want to change the default deny log to default deny don't log, just add a rule at the bottom.
Use the GUI settings (Log firewall default blocks).
It is all about control. I have difficulties trusting something that calls itself a firewall but does not disclose the rules that are in effect in the gui. So what I want to achieve is to have all rules displayed in the gui. Plus, I want to harden the system as the default rules do not limit the communication to the internet. It might have been OK to do that in the previous millennium, however, current threats to network security usually come from inside the network. I can understand the pfSense philosophy to allow everything out of the box to make it easier for home users, however, I do not like the fact that this default behaviour is hidden somewhere under the hood.
I have worked out how I can create rules that negate the effect of the default rules, but I find it stupid to create rules that negate the default rules when I could just delete the default ruleset.
@doctornotor: Thanks, found that. And indeed it is very difficult to understand as it is no ruleset but a script that actually builds the ruleset. I could invest some time to tweak it for my needs, however, what will happen after an update? My guess is all my modifications will be overwritten.
You can see all the rules with
What exactly do you not like in there? That pfsense can talk to the internet? Or that there is an any any default for the lan. This click click and it's gone..
I too would like it if all the rules were shown in the gui, for example the one that allows dhcp when you enable dhcpd on an interface. But in the big picture it's not something I lose sleep over ;)
The feature that annoyed me most is that pfSense can talk to the internet out of the box, however, all default rules should be visible - and changeable - if needed (like, say, an advanced button in the gui where you can see all rules)
If I am not cool with the default rules it is very difficult to achieve the ruleset I actually want. That should be easier.
But pfsense needs to talk to the internet to check for updates and package updates. Also needs to be able to check for dns for the clients that ask it for dns, etc.
Rules that prevented pfsense itself from talking to the internet would break all that - and users have a hard enough time with opt interfaces that have zero rules on them, etc.
As to making it easier for advanced users to disable - ok, seems like a reasonable request.. Put in a feature request, or change the code yourself and submit it, etc.
I do understand that pfSense needs some communication to function properly, however, it is poorly implemented. pfSense can access the internet via an any any rule while communication is required only to a very specific subset, like to the update servers and the configured dns servers, maybe time server, etc.
As I haven't worked with community software before can you point me to the places where I can actually put up a feature request or share code I did modify?
The feature request to show default rules on the GUI is already there. As for feature request to mess with them, I wouldn't bother, people have better things to do with their time than debugging PEBKAC issues caused by clueless users.
With dok here, there is pain enough now trying to help the pebkac issues with simple port forwarding.. Or in general them not saying they are running vm, or they modified the default outbound nat or put in some firewall rules and removed the default any any.. Pretty much every post is missing info that would help point out their problem and then you have to pull teeth to get some info to work with.
Some user dicking with the default rules, I can for sure see them removing the dhcp rules that get placed on the interface when you enable dhcp server and then asking why dhcp server isn't working.. I can see the posts not "I think I found a bug" – I think many of them believe there is some prize for finding a bug or something.. So lots of posts yeah this PEBKAC issue I brought upon myself -- turns into a bug post..
I can see posts about bug in unbound because dns is not working... 12 posts into the thread you will finally find out they had deleted the default rule that let pfsense talk on 53..
While I can understand the principle of min access required to perform the function, this is a tenet of security sure.. So why can pfsense not be locked down to only be able to talk on 53 and or 80/443 with limits only to the pfsense IP space.. What about 3rd party packages like pfblocker for example that grabs lists from remote locations, etc. So should the package edit these default rules when it installs - or will that be left to the user of pfsense to manipulate?
So you're running pfsense as your firewall.. I would take it that means you "trust" them.. So since pfsense is your trusted device.. What does it matter that it can talk outbound any any... Why don't you watch your traffic and see where it goes ;) The only possible concern I can see with such a rule is that you don't trust pfsense for some reason, or that you're installing other software on your firewall that you don't trust, etc.
You definitely have to trust someone at some point, that is true. And I do trust pfSense - otherwise it would be unwise to install it in the first place. Trust does not necessarily mean I agree with all communications that might or might not occur. But with an interface that hides certain rules I lose control over the system. pfSense is based on FreeBSD and might (does) contain bugs that can be used to compromise security. Depending on how bad it is we might end up being part of a botnet of all pfSense boxes around the world. I just want to make it more obvious for me to see whether rules have changed so my goal is to bring all rules into the gui.
I have to trust my ISP as well as they control the network I am connecting to. I have a router provided by them and with pfSense in its current default configuration it does not add any value on top of the ISP router.
Saving support effort by allowing everything is not what I consider a good practice. I can understand it as I am working in support myself but from the security perspective it is not what a firewall should be.
People will always mess with the rules anyway, if not changing the default rules they might add rules that negate the effect of the default rules, so the support issues will basically be the same.
The feature that annoyed me most is that pfSense can talk to the internet out of the box
Only the LAN interface; any others don't have any rules apart from the default hidden drop any.
He is talking about pfsense itself.. If he feels that pfsense gets him nothing over his isp device, then just use your isp device.. Can tell you for sure it can do anything it wants and you have no control over it at all.
I don't see it as a problem to be honest - like I said it's a "trusted" device, I know what is running on it. I can see what it's connecting to if I want. Locking down a trusted device's access outbound doesn't buy me much if you ask me. While I will agree in principle min access required is a valid tenet of security..
I think if you want to lock down pfsense itself from talking on the internet you could place floating rules outbound on the wan interface with a source of this firewall that could stop such traffic. Or you could prob edit the outbound nat rules to only nat the localhost address to specific destinations and ports.
I think if you want to lock down pfsense itself from talking on the internet you could place floating rules outbound on the wan interface with a source of this firewall that could stop such traffic.
Yes, I did that and it works, but the reason I started this thread was I did find it a bit strange to create a rule to negate the effect of the default rules if you could just delete the default rules you do not need. I wasn't aware that changing the default rules is that complicated.
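The original poster's goal in this thread is to notice when the effective ruleset changes and to see which hidden rules let the firewall itself reach anywhere. The script below is an added example, not code from the thread or from pfSense: it reads the text that pfctl -sr prints (constructed sample lines are used in the comments and the check), flags "pass out" rules from the firewall itself with an unrestricted destination, and diffs the live ruleset against a saved baseline. The file paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense's filter.inc):
# audit the active pf ruleset for rules that let the firewall host
# itself send to any destination, and detect drift against a baseline.
# Assumes pfctl is on PATH when the on-box helpers are run; the text
# functions work on any saved "pfctl -sr" output.

# Print "pass out" rules whose source is the firewall itself
# ("(self)", "self", or an interface address such as "(em0)") and whose
# destination is unrestricted ("to any" with no port limit).
# Reads ruleset text (one rule per line) from stdin.
flag_permissive_self_rules() {
    awk '
        /^pass out/ && / to any/ && !/ port / &&
        (/from \(self\)/ || /from self / || /from \([a-z0-9_]+\)/) { print }
    '
}

# Number of such rules, for an alert threshold or a cron job exit code.
count_permissive_self_rules() {
    flag_permissive_self_rules | wc -l | tr -d ' '
}

# Unified diff of a saved baseline against a current ruleset file.
# Exit status follows diff: 0 = identical, 1 = rules changed.
ruleset_changed() {
    diff -u "$1" "$2"
}

# On the firewall: take a baseline once (e.g. right after install or a
# deliberate rule change), then re-run check_live to spot drift.
# pfctl -sr prints only filter rules; pfctl -sa prints everything.
save_baseline() {
    pfctl -sr > "$1"
}

check_live() {
    now=/tmp/pf_rules_now.txt        # assumed scratch path
    pfctl -sr > "$now"
    if ruleset_changed "$1" "$now"; then
        echo "ruleset unchanged since baseline"
    fi
    n=$(count_permissive_self_rules < "$now")
    echo "pass-out rules letting the firewall itself reach any host: $n"
}
```

On a pfSense box you would run `save_baseline /root/pf_rules_baseline.txt` once and `check_live /root/pf_rules_baseline.txt` periodically; a non-empty diff means the generated ruleset differs from what you last reviewed.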