Hardening, Securing and Privacy configuration!
-
Thanks pfSense team for the work you do! New to the firewall but learning fast…I was wondering if I could get some feedback on a few security and hardening configurations in addition to some privacy configurations.
I have the SG2440(4 interfaces) and have dedicated the default LAN for the Web GUI, the configuration is: WAN + 1 interface for Unifi access point(w/additional VLAN for guest) + 1 for Apple TV/Netflix/Hulu + 1 dedicated for Web GUI access). I have VPN set up as a client only on my WAN (UDP protocol - 128CBC, 128key,128bit - Sha1/160), modified AppleTV rules to WAN_DHCP...I know Netflix blocks VPN and I use OpenDNS IPs for DNS Server settings for extra malware/phishing protection(in System->General setup).
I have floating rule that blocks TCP 443 to pfSense gateway IPs(except WAN) to prevent firewall GUI access(source "Any"/destination "Gateway Interfaces") with "Quick rule"
I have a "block RFC alias" individual rule(source "Any"/destination "RFC1918 alias")on each of the interfaces except APPLE, I manually had to add 4 rules and put the "block RFC" below rule #4(see below):
1. (blocking IPv4+6 "Any" source and protocol to LAN net
2. (blocking IPv4+6"Any" source and protocol to Guest net
3. (blocking IPv4+6 "Any" source and protocol to Wifi net
4. Allow AppleTV IP "UDP" only to APPLE IPv4 static Address
5. I then added my block rfc ruleI have Snort on Wifi and Guest
pfBlocker GeoIP (deny both) on all interface (including inbound WAN, where I am getting a lot of noise on my log)
My questions are:
A) Is there a way to see if any scripts have been added to my firewall? Can malicious scripts be added I.e. Remote access, traffic redirect, blocking, spoofing traffic, etc...? Would restoring to factory default remove added scripts? Or is a new image required? Assuming the device might have been physically accessed or more likely remotely accessed due to weak configuration(combined with clicking of an email attachment).
B) How best to prevent remote access to firewall? I believe this is blocked by default but can I restrict it? Maybe require CAs?
C) VPN client setup configuration is working, DNS leaks to OpenDNS which I am ok with. Any reason to set up as a separate interface?
D) The links were helpful for hardening the WEB GUI(see below) but I still have the anti-lock out rule that I'd like to remove, recognizing I don't want and specifically want to block remote access what rule or configuration can I write instead on my "anti-lockout" rule(I do not have any other rule on my LAN except "anti-lock out")? I was thinking of changing the default TCP port (in System-Advanced-Admin Access) will that help, if so what would the new rule allowing me access to web GUI look like?
https://www.netgate.com/blog/securely-managing-web-administered-devices.html
https://doc.pfsense.org/index.php/Restrict_access_to_management_interface
F) Should I remove pfBlocker "Inbound Fire Rules" on the WAN? I believe pfSense blocks these by default.
E) Any other suggestions?I think the configuration is relatively simple and hopefully isolated from each other(not hosting email or web pages) but I am trying for the hardest, most secure and private network I can configure.
Thank you again for any thoughts or feedback!
-
I have floating rule that blocks TCP 443 to pfSense gateway IPs(except WAN) to prevent firewall GUI access
And you are thinking out loud about hardened security with 443 open on WAN?
That's like riding in a bullet-proof car with the windows down (hey, the weather is so nice!).
-
I love the giraffe! Thank you… ;D
No the floating rule is a "block" rule....I have no open ports on my WAN!
Thought?
-
You don't need to write firewall rules to block traffic on your WAN, pfSense is a stateful firewall.
So unless you've written rules to explicitly allow traffic on 443 (say you run a server?), then nothing can enter on your WAN unless something on your network (LAN) sends out a request for something first.
–---
As far as your original question, if you are looking to maximize security & privacy:
Sha1/160
Use SHA2, SHA224 is fine.
Alternatively, switch to pfSense 2.4.0 BETA, it works great for home use and has updated OpenVPN. You can use AES-128-GCM as your VPN server, this is not only faster and less CPU intensive but it also implements its own authentication.I use OpenDNS IPs for DNS Server settings for extra malware/phishing protection
-
Any DNS service is a man in the middle, pfSense by default let's you resolve directly to the root servers. Cut out the MITM, if you want privacy for your DNS then set Unbound to only go out on your VPN interface
-
Use pfBlockerNG & DNSBL to perform the services OpenDNS is providing you, you don't need both
I have Snort on Wifi and Guest
Have you tuned this appropriately or did you just turn it on? Either way are you having issues connecting to things? Are you running it as an IDS or IPS?
pfBlocker GeoIP (deny both) on all interface (including inbound WAN, where I am getting a lot of noise on my log)
From your description it sounds like you just selected a bunch of countries and blocked them.
This is not the intended use for this feature. Don't block the world, see above about pfSense being a stateful firewall.
This is what happens when you do that.-
You type in a website on your desktop
-
Your request passes all of your firewall rules as legitimate traffic
-
pfBlockerNG blocks your legitimate traffic from the website because it is hosted in a country you blocked, say Russia
If you don't have an actual reason to block a country then don't, you are just censoring yourself.
If you don't already know your specific reason to use it, then you probably don't need to use anything at all from the GeoIP section.
DNSBL & IPV4 lists are where you will get a ton of utility out of pfBNG.A) Is there a way to see if any scripts have been added to my firewall?
This just sounds paranoid. If you must, reinstall and restore from config.xml. But I doubt anyone's hacking your firewall from an e-mail you clicked.
B) How best to prevent remote access to firewall?
Use the default HTTPS webconfigurator access and use a key + user/auth for SSH access.
D)… ...I do not have any other rule on my LAN except "anti-lock out"
Since you are only using LAN for webGUI, that's all you need, pfSense blocks everything you don't write a rule to allow.
In general, if you want a really secure network, then whitelist it. This means no "allow any any any…" rules.
This way, nothing you don't allow will traverse your network.
This really isn't as complex as it sounds. Just figure out the ports you need access to, write aliases for them and then write rules for the protocols you want to pass on those ports.
You can further control your network traffic with static IP's.
My network is whitelisted with only a few aliases and a few rules and works great. -
-
As far as your original question, if you are looking to maximize security & privacy:
Sha1/160
Use SHA2, SHA224 is fine.
Alternatively, switch to pfSense 2.4.0 BETA, it works great for home use and has updated OpenVPN. You can use AES-128-GCM as your VPN server, this is not only faster and less CPU intensive but it also implements its own authentication.I'll update the VPN encryption, I'll switch to 2.4.0….I assume I just go to System-Update Settings and then choose "Next major version(HIGHLY EXPERIMENTAL) from the drop down? I am running "Community Edition" on my SG2440.
I use OpenDNS IPs for DNS Server settings for extra malware/phishing protection
-
Any DNS service is a man in the middle, pfSense by default let's you resolve directly to the root servers. Cut out the MITM, if you want privacy for your DNS then set Unbound to only go out on your VPN interface
-
Use pfBlockerNG & DNSBL to perform the services OpenDNS is providing you, you don't need both
Will do thanks!
I have Snort on Wifi and Guest
Have you tuned this appropriately or did you just turn it on? Either way are you having issues connecting to things? Are you running it as an IDS or IPS?
I have it running as IPS, I picked, in the "Snort VRT IPS Policy Selection" "Security", I had quite a few alerts, researched them in this forum and selected the "Red Cross"(in alerts) to "Force-disable this rule…" when it was blocking me(I.e iTunes updates).. Took me a while but slowly it allowed me the ability to connect to things on the WIFI interface. The VLAN for guest(wife) I have set for "Connectivity" but to answer your question yes definite ongoing connection issues especially to retail websites(my wife constantly is on me for that!). I'd like to make the WIFI as tight as I can and the guest as liberal as is secure. I am thinking isolation of interfaces was the best approach, but still concerned the interfaces would talk to each other.
pfBlocker GeoIP (deny both) on all interface (including inbound WAN, where I am getting a lot of noise on my log)
From your description it sounds like you just selected a bunch of countries and blocked them.
This is not the intended use for this feature. Don't block the world, see above about pfSense being a stateful firewall.
This is what happens when you do that.-
You type in a website on your desktop
-
Your request passes all of your firewall rules as legitimate traffic
-
pfBlockerNG blocks your legitimate traffic from the website because it is hosted in a country you blocked, say Russia
If you don't have an actual reason to block a country then don't, you are just censoring yourself.
If you don't already know your specific reason to use it, then you probably don't need to use anything at all from the GeoIP section.
DNSBL & IPV4 lists are where you will get a ton of utility out of pfBNG.I tried to be specific on the countries I blocked, I didn't block countries that I needed to get to, I tuned it by blocking everything and then seeing what didn't work, reviewed the logs and removed the country block(Facebook, Netflix, Hulu, etc have servers in Europe). My main goal was to prevent potential malware on my families devices, that wasn't caught, from "calling home". I was able to see an outbound connection to South East Asia from one of my interfaces when I turned it off…I also have reimaged my mac and my iPhone after seeing this. I'll dig into the DNSBL and IP4 lists again, I currently do not have those in use...I was thinking OpenDNS would block. Remove WAN from "Inbound/Rules Configuration" - "Indound Firewall Rules"? I'll definitely add the DNSBL and whitelist functionality and adjust. As a Gold Member your hangout videos were helpful...going to look again at the Tor blocking.
A) Is there a way to see if any scripts have been added to my firewall?
This just sounds paranoid. If you must, reinstall and restore from config.xml. But I doubt anyone's hacking your firewall from an e-mail you clicked.
I know this sounds paranoid…but this ongoing "invasion/hacking" has been going on for a while...I unfortunately have become a target, including $17k theft and other manipulation. It's not just online but also social engineering calls(not just fake tech calls), social media, etc.... Much more sinister...I'll dig into the fresh install just to be safe.
B) How best to prevent remote access to firewall?
Use the default HTTPS webconfigurator access and use a key + user/auth for SSH access.
Awesome…thanks!
D)… ...I do not have any other rule on my LAN except "anti-lock out"
Since you are only using LAN for webGUI, that's all you need, pfSense blocks everything you don't write a rule to allow.
Awesome…thanks!
In general, if you want a really secure network, then whitelist it. This means no "allow any any any..." rules.
This way, nothing you don't allow will traverse your network.
This really isn't as complex as it sounds. Just figure out the ports you need access to, write aliases for them and then write rules for the protocols you want to pass on those ports.
You can further control your network traffic with static IP's.
My network is whitelisted with only a few aliases and a few rules and works great.Awesome…thanks!
Great stuff and I reallly appreciate the help and what you folks are doing!
-
-
A) Dedicate one of the network interfaces for only management purposes and don't allow anyone else to connect their machines to that interface. Block access to the webgui from any other source than this dedicated management interface. Disable HTTP access to the WebGUI, disable the HTTP->HTTPS redirection also. Use a very long complicated password for the admin login, even if it's hard to remember.
If you must allow some kind of external access to the system use a VPN, if that's not possible use SSH with public key login only.
-
I know this sounds paranoid… ...I unfortunately have become a target, including $17k theft and other manipulation. It's not just online but also social engineering calls(not just fake tech calls), social media, etc…. Much more sinister...I'll dig into the fresh install just to be safe.
Yikes! Yeah I’d be paranoid too, definitely a different ballgame if you are trying to defend against an active attack than just generally securing your system. I would put this info out up front when you post on the forum as it will change the types of responses you get if people know the reason for your increased security.
I'll update the VPN encryption, I'll switch to 2.4.0….I assume I just go to System-Update Settings and then choose "Next major version(HIGHLY EXPERIMENTAL) from the drop down? I am running "Community Edition" on my SG2440.
I’m not sure if you can update this way? If not go to https://snapshots.pfsense.org/amd64/pfSense_master/installer/?C=M;O=D
And download the type of install image you need and the SHA256 authentication file for it, compare the hashes then install.
Before you do this, confirm that it’s the appropriate way for you since you have an Official pfSense product. I’m not sure if there are different images available to you?I have Snort on Wifi and Guest
yes definite ongoing connection issues… ...still concerned the interfaces would talk to each other.
Normally the way you implement an IDS/IPS is to turn it on as an IDS first, then filter out rules as you identify false positives. After you get the FP’s down to a minimum, then turn on IPS. It’s up to you if you want to do it this way or keep the IPS up since you are already being attacked.
I would personally recommend that you switch to suricata. From what I understand suricata and snort function very similarly. The advantage of suricata being that it can utilize both of the cores on your SG-2440’s CPU, while snort can use only one.
If you can, I would also recommend running suricata in inline mode, it might not work on an sg-2440, I don’t know? If it behaves strangely then just put it back into legacy mode for now.When the goal is to outright block traffic between interfaces, using an IPS is about the least efficient and effective way to do it, this is best accomplished via firewall rules.
Say you want to block traffic between OPT1 & OPT2 , write these rules:OPT1: ACTION: REJECT, INTERFACE: OPT1, ADDRESS FAMILY: IPv4+IPv6, PROTOCOL: ANY, SOURCE: ANY, DESTINATION: OPT2 net OPT2: ACTION: REJECT, INTERFACE: OPT2, ADDRESS FAMILY: IPv4+IPv6, PROTOCOL: ANY, SOURCE: ANY, DESTINATION: OPT1 netThis will keep the interfaces from talking to one another.
After you set this up go to your IPS and remove all interfaces except your WAN.Also, here are a couple of custom rules that might be useful to you:
drop tcp $EXTERNAL_NET !$MY_VPN -> any !$MY_PORT (msg:"The Golden Rule, TCP"; classtype:network-scan; sid:9000; rev:1;) drop udp $EXTERNAL_NET !$MY_VPN -> any !$MY_PORT (msg:"The Golden Rule, UDP"; classtype:network-scan; sid:9001; rev:1;)Read more about what’s going on here at this post linked in my signature:
https://forum.pfsense.org/index.php?topic=78062.msg693829#msg693829Basically what these rules do is monitor your WAN for anyone that is trying to connect to your network on a port that you are not using. No legitimate traffic will try to connect to your network on a port that you are not utilizing at all, so it won’t generate any false positives.
Once it detects an IP trying to connect to your network on a port you aren’t using it adds it to a block list. pfSense is already blocking any traffic trying to connect to a port you aren’t using so nothing changes there.
How this is potentially useful to you is, because you are already a target it is likely that your network is being scanned for vulnerabilities, if your attacker scans your ports then their IP will be added to your block list. Now, even if your attacker tries to connect on a legitimate port that pfSense would otherwise pass your IPS will block them no matter what because they are now on your block list.I would recommend setting your blocked hosts interval to 28 days, this will be problematic while your IPS is generating a lot of False Positives, but once you get those worked out then it will decrease your CPU usage by not making it re-block IP’s all the time. While you are still sorting out false positives you will continually have to go in and clear your blocked hosts list to un-block legitimate traffic.
Also, if you can’t use inline mode then check out the thread in my signature about persistent snort2c tables. This will keep your blocked list of IP’s through any reboots, otherwise the list gets wiped every time.Note, these rules generate a lot of traffic and not everything it blocks is your attacker. For example, my home network is not under attack and these two rules generate ~14,000 blocks over a 28 day period. It’s mostly noise from people scanning SSH & Telnet. (Those get scanned a LOT on anyone’s network, which is why you ALWAYS use key based authentication for SSH and why it is useful to switch your SSH port from default 22).
If you start seeing lots of scans on ports other than these, those are likely your attacker. You can use these lists to pass on suspicious IP’s to blacklist databases and/or your ISP.Don’t set these up until after you have effectively implemented whitelisting on your network. You have to know the ports you are using. The rule as I posted it will not work out of the box, you have to setup a few aliases in your IPS first (I can help you do this on suricata, but I don’t know snort).
I tried to be specific on the countries I blocked… ...I was able to see an outbound connection to South East Asia from one of my interfaces when I turned it off... ...Remove WAN from "Inbound/Rules Configuration" - "Indound Firewall Rules"? I'll definitely add the DNSBL and whitelist functionality and adjust. As a Gold Member your hangout videos were helpful...going to look again at the Tor blocking.
I would still recommend turning off country blocking completely. There is legitimate traffic that comes from weird countries and it just isn’t efficient to block entire parts of the world unless you have a specific reason to block a specific region. For most people these lists are probably more useful as whitelists (but I wouldn’t recommend that in your case either). If you must region block I would stick to only the Top 20 spammers page as those are lists of IP’s of known spammers in a region, even these will generate a lot of false positives though as IP’s change rapidly.
Check these threads out to get some quality lists working for you of pfBlockerNG:
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975
https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943
https://forum.pfsense.org/index.php?topic=102470.msg573159#msg573159
https://forum.pfsense.org/index.php?topic=111756.msg622519#msg622519
Note that there is a pending update to pfBlockerNG that will include more integrated feeds.Also, I don’t know if you can easily upgrade the RAM in an SG-2440, but TLD is an interesting feature of DNSBL that you might be interested in, but will need a lot of RAM if you have a lot of lists for it.
DNSBL will block “badwebsite.com” but not “www.badwebsite.com”, TLD will also block “www.badwebsite.com”You don't need pfBNG on WAN.
In general, if you want a really secure network, then whitelist it.
I just want to reiterate this for you since you are actively under attack. Firewall rules are the first and most efficient way to control your network. Static IP’s for all of your clients, Aliases and whitelisting will be really effective in controlling your traffic. If you need any help doing this, please ask!
EDIT: It is also important that you keep all clients on your network up to date, which is no small feat. Keep IOT devices on separate VLANs , disable internet access on things you don't use (smartTV's you aren't using smart feature on, etc. If you have things that are known security issues such as insecure IP cam's, don't allow them access to the internet at all, access this kind of thing remotely only through VPN.
Don't allow unknown devices connection to your normal LAN (Guest network only) and isolate your Guest network.You can very likely make your home network so secure that it is no longer an avenue of attack that your attackers will pursue. But as you mentioned social engineering is probably a much higher threat than actively hacking you. Also, using VPN on your devices when not at home is especially important for you!
-
pfBasic…I humbly thank you for your help! It's going to take me a while to implement and learn this but I am on it....a sincere Thank You!
-
No worries! Please ask if there's anything else you have any questions about while you set up.
-
Update and follow up:
- Upgraded to 2.4(Beta)
I just wanted to update all on my progress:
I have found this forum extremely helpful in getting me this far and have tried to document my efforts and questions in a way that might help other “newbies”. I have made some strides but hoping for some additional thoughts and feedback. If my steps are not correct please feel free to provide any thoughts, I have also included my specific questions.
Harden Web Gui
System/Advanced/Admin Access- Max Process to “1”
- Make sure Secure Shell is disabled
- Change Port for SSH port and TCP port (WebGUI)
- Disabled Antilockout rule in System-Advanced-Anti-lockout-Checked (Making sure to add new rule prior with new port).
- Disabled “Secure Shell Server” in “System-Advanced-Admin Access”
(While I realize not all are major security updates, some were easier to do and I didn't need some of the functionality (I.e. Disable "Secure Shell Server")
My questions:
1. How can I add a key or change the default? Do I need to get this externally from a Comodo or Verisign with my domain? Can I self sign a new certificate?
2. Does removing “User - System: Shell account access” from “System-User Manager-Users-Edit” reduce an attack footprint?
3. How does one turn off HTTP->HTTPS redirect off? Is this on the browser?
(Funny but getting me this far has locked me out my webGUI about 6-7 times!! :-[)Rules, static leases and white listing:
I first created Static IPs by doing the following:- In “Services-DHCP Server-“Each of my interfaces””, I made sure “Deny unknown clients” was unchecked.
- I connected all the devices to the interface.
- I then went to “Status-DHCP Leases” and noted all the MAC addresses.
- I then added them as static lease type.
- I then went back to “Services-DHCP Server-“Each individual interface” and made sure “Deny unknown clients” was checked.
- I then created aliases for each interfaces devices(using the static IPs I created in step 1 in “Firewall-Aliases-IPs”, labelled as “hosts”
- This allowed me very specific “Sources”
- I then went to “Firewall-Rules-“Each of my interfaces”“ and created rules as follows:

SEE ATTACHMENT FOR IMAGE OF RULES
(I also have a floating rule (IPv4+6 TCP/UDP * * Gateway Interfaces Firewall ports * none) to prevent access to firewall)
My questions/Looking for feedback:
1. For my “Very secure interface” I tried getting more granular with the destinations, some of my email providers had 1-2 IPs but google has so many that the list seemed endless. For example, I was able to get port 80 down to 5-6 IPs but again googles list was too big. How can I make this more granular?
2. Is there a way to allow allow google voice and hangouts only?
3. Is there a more restrictive way to write these rules?
4. Is this the right approach?OpenVPN used for privacy to access the web:
- I added a VPN client(based on the VPN providers instructions), then added an Interface.
- I also replicated each existing “WAN rule” in NAT-Manual-Outbound/Manual with a new rule for the “OpenVPN client” and a new rule for the “OpenVPN interface”.
- I then proceeded to delete the “OpenVPN client” rules and “WAN rule” specific rules in the “NAT-Outbound/Manual” section for interfaces that I want to use VPN(WIFI Interface) only (kind of a kill switch) and interfaces I want/need to use WAN(AppleTV) only.
- I added rules in the VPN Interface only(not client) similar to the WAN rules blocking everything(bogon networks, private networks, etc.).
- I modified rules in the internal interfaces(WIFI and VLAN) that I only wanted to access the VPN specifying the "VPN Interface" as the "Gateway"(See my rule attachment image)
My questions/Looking for feedback:
1. I tried adding a self signed certificate on my end but it broke the VPN connection. Similar to the web GUI question, do I need to get this externally from a Comodo or Verisign with my domain? In the logs my vpn provider did not appear to accept it.
2. Does setting up an interface just give me more options? I was able to bypass the “AppleTV” by changing each rule Gateway in the AppleTV interface (Extra Options-Display Advanced-Gateway-WAN) to access the WAN
3. I was unable to SHA2, nor AES-128-GCM working with PIA…is this a PIA limitation? Their instructions were pretty specific on setup so I assume it is…any recommendation for another provider?
4. Do I need rules on OpenVPN Interface? Or are these rules covered in WAN?
5. In the dashboard, my VPN Gateway is showing “Offline” yet when I go online to find my IP it is showing my VPN’s? The graph on my Dashboard seems to show activity as well…
6. Do I need to set up a DHCP server for my VPN Interface?
7. Is this the right approach?Surricata:
Set up “WIFI interface” and “Guest VLAN” interfaces to block offenders. Type of rules I enabled in Services-Suricata-Global settings are(after getting a snort code):- Install ETOpen Emerging Threats rules
- Install Snort VRT rules
- Install Snort Community rules
I periodically have “Force-Disabled” these rules:
- 1:2002157 ET CHAT Skype User-Agent detected
- 1:2002878 ET POLICY iTunes User Agent
- 1:2210000 SURICATA STREAM 3way handshake with ack in wrong dir
Some rules I am currently reviewing are:
- 1:2210054 SURICATA STREAM excessive retransmissions
- 1:2230003 SURICATA TLS invalid handshake message
- 1:2210044 SURICATA STREAM Packet with invalid timestamp
- 1:2010066 ET POLICY Data POST to an image file (gif)
- 1:2210042 SURICATA STREAM TIMEWAIT ACK with wrong seq
- 1:2221028 SURICATA HTTP Host header invalid
- 1:2200094 SURICATA zero length padN option
I currently have my WAN and VPN interface being monitored only.
My questions/Looking for feedback:
1. Why are Suricata rules triggered on the Wifi Interface/Network(The interface) and GuestVLAN(a VLAN on the WIFI interface), when the app is only on the VLAN I.e. Skype alert on WIFI when it is only accessed on VLAN? Is it more secure to setup 2-3 VLANs on the WIFI network I.e. Secure WIFI(VLAN #1), IOTDevices(VLAN #2) and WIFES(VLAN #3)?
2. I have been unable to get my DNSLB working? I think it has something to do with my DNS resolver, my “RFC_1918_nets “ rule, or my OpenDNS IPs, or something in my “General settings”. I am still working on this…
3. How do I add the 2 golden rules detailed above? pfBasic any thoughts?Thank you again for any and all feedback!
 -
- Make sure Secure Shell is disabled
- Change Port for SSH port and TCP port (WebGUI)
- Disabled “Secure Shell Server” in “System-Advanced-Admin Access”
(I.e. Disable "Secure Shell Server")
If you disable SSH then changing the port doesn't do anything. That being said, SSH is very useful to have available and also very secure when using key + user/pass authentication. Moving the SSH port (if you do decide to re-enable it) gices some security through obscurity (useful for script kiddies) but mostly just cleans up your logs, if your SSH is on some random unused port then seeing unexepcted activity being attempted on that port is more useful to you (if you use 22 for SSH then you will see tons of traffic being blocked but it's just useless noise).
My questions:
1. How can I add a key or change the default? Do I need to get this externally from a Comodo or Verisign with my domain? Can I self sign a new certificate?Key for what? You can create keys for SSH using any implementation of OpenSSH. A common program to provide this is PuTTYgen since it is often used for SSH access. Import keys in System / User Manager.
You can self sign certificates, manage CAs and Certificates in System / Cert. Manager.3. How does one turn off HTTP->HTTPS redirect off? Is this on the browser?
I'm not sure what this is? If you are talking about accessing the WebGUI via HTTP or HTTPS then absolutely without question do not ever set WebGUI access to HTTP. Only HTTPS.
My questions/Looking for feedback:
1. For my “Very secure interface” I tried getting more granular with the destinations, some of my email providers had 1-2 IPs but google has so many that the list seemed endless. For example, I was able to get port 80 down to 5-6 IPs but again googles list was too big. How can I make this more granular?
…
4. Is this the right approach?This is too specific for firewall rules. IP addresses can and will change frequently and as soon as that happens your firewall rules are broken and you’re out hunting for more IP’s to whitelist.
Realistic whitelisting of your LAN can control:
The protocol
The traffic type
The source static IP(s) (you’ve already done this)
The source port(s)
The destination port(s)
The gateway(s)
+more in advanced options
Firewall rules are not the place to control the destination IP unless it’s a case where you know the destination doesn’t change.
In most cases blacklisting is better for controlling the destination IP range. This can be done very effectively with pfBlockerNG & DNSBL as they can utilize tons of very well managed IP lists.My questions/Looking for feedback:
1. I tried adding a self signed certificate on my end but it broke the VPN connection. Similar to the web GUI question, do I need to get this externally from a Comodo or Verisign with my domain? In the logs my vpn provider did not appear to accept it.I believe that you are talking about the key pair between your PIA provider and your pfSense box (the client)? If so, you need to use their public key. They are maintaining the private key and publishing the public key for you to use, that is the only key that will work.
3. I was unable to SHA2, nor AES-128-GCM working with PIA…is this a PIA limitation? Their instructions were pretty specific on setup so I assume it is…any recommendation for another provider?
In order to utilize SHA2, you need to setup your PIA client a little differently, instructions are here:
https://www.privateinternetaccess.com/forum/discussion/20387/guide-setup-pfsense-with-strong-encryption-aes-256
PIA does not currently support AES-GCM, I don’t know if they have any plans to do so ever. pfSense doesn’t support GCM until 2.4.4. Do I need rules on OpenVPN Interface? Or are these rules covered in WAN?
No rules are necessary on your VPN client interface(s)
5. In the dashboard, my VPN Gateway is showing “Offline” yet when I go online to find my IP it is showing my VPN’s? The graph on my Dashboard seems to show activity as well…
Try changing your monitor IP to something public such as 8.8.8.8 or 8.8.4.4 under System / Routing / Gateways
6. Do I need to set up a DHCP server for my VPN Interface?
No
Suricata:
Set up “WIFI interface” and “Guest VLAN” interfaces to block offenders. Type of rules I enabled in Services-Suricata-Global settings are(after getting a snort code):You should only need to inspect packets on the WAN interface.
- Install ETOpen Emerging Threats rules
- Install Snort VRT rules
- Install Snort Community rules
Disable the Snort Community Rules, they are included in the Snort VRT rules.
I periodically have “Force-Disabled” these rules:
…Some rules I am currently reviewing are:
…You can disable the entire STREAM category, it generates a ton of FPs for everyone that uses internet for normal (home use) reasons. For other research on rules to disable the IDS/IPS subforum has a ton of great info. A lot of the information is valid on both snort and suricata. Generally speaking though, if a rule breaks something you use, disable it.
My questions/Looking for feedback:
1. Why are Suricata rules triggered on the Wifi Interface/Network(The interface) and GuestVLAN(a VLAN on the WIFI interface), when the app is only on the VLAN…Just disable suricata on all interfaces except WAN.
2. I have been unable to get my DNSLB working? I think it has something to do with my DNS resolver, my “RFC_1918_nets “ rule, or my OpenDNS IPs, or something in my “General settings”. I am still working on this…
Check out the following post and the entire thread is full of great info, BBCan177 is the genius behind the pfBlockerNG and an incredibly patient and helpful individual. Read through that thread, and read through the info blocks on pfBlockerNG, any questions you have after that ask in that sub forum and you will get very good help.
https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943
My first thought on what you described is your DNS settings since DNSBL works through that, are you using Unbound in resolver mode? That is default for pfSense and what I would recommend. I can’t remember off the top of my head whether or not it is a requirement to use DNSBL?
Also, by reading through that thread & subforum you will get great info on lists to use with pfBlockerNG & DNSBL.3. How do I add the 2 golden rules detailed above? pfBasic any thoughts?
Before adding those rules you need to make sure that you have any aliases you need properly defined in suricata (these are different than Firewall Aliases). Check out this post for more details on that and feel free to ask any questions you may have.
https://forum.pfsense.org/index.php?topic=78062.msg693829#msg693829
Once you have implemented any aliases necessary….
Services / Suricata / Interfaces
Click to edit the interface
Click the “xxx Rules” Tab
On the “Category” drop down, select custom.rules
Add the rules thereThank you again for any and all feedback!
You are very welcome!
-
If I haven't already I wanted to take a post to strongly recommend that you consider purchasing a year of pfSense Gold. I am in no way affiliated with pfSense, I am just a home user like yourself, but I think that it would be very valuable for you to learn the right way to setup your firewall.
Everything you get from me is just stuff I've gleaned from here and other places and from messing around on pfSense. I am not an IT pro, my profession is not at all computer science related.
Everything you get from a Gold Membership (pfSense Book constantly updated, pfSense hangout videos, etc.) comes from the IT Pros behind pfSense.
https://www.pfsense.org/our-services/gold-membership.htmlTo me this is especially important to you because you are already being targeted while you are trying to learn pfSense. My advice is not good enough.
-
Thanks pfBasic…I'll follow up on your advice and input and follow up. I will also included clarification to my questions and unanswered question in a subsequent post.
If I haven't already I wanted to take a post to strongly recommend that you consider purchasing a year of pfSense Gold….I am not an IT pro, my profession is not at all computer science related....My advice is not good enough.
I am already a Gold member…there is some great stuff in there. pfBasic your help has been very invaluable...
-
To clarify my questions and highlight outstanding questions see below:
Clarifying my questions:
My questions:
1. How can I add a key or change the default? Do I need to get this externally from a Comodo or Verisign with my domain? Can I self sign a new certificate?Key for what? You can create keys for SSH using any implementation of OpenSSH. A common program to provide this is PuTTYgen since it is often used for SSH access. Import keys in System / User Manager.
You can self sign certificates, manage CAs and Certificates in System / Cert. Manager.I’ll add back SSH functionality at some point but my question about a key or a CA was specific to the WebGUI. I am thinking a long password and a CA/Key in the browser would enhance security. How is this done in Firefox? I came close by going to “Firefox->Preferences->Advanced->Certificates->View Certificates->Import” I imported a certificate I created in pfSense. The steps I followed were:
System -> Certificate Manager -> Certificates -> “ADD” -> “Create a certificate signing request”….the certificate states: “external - signature pending” in the issuer column (The default webconfigurator states “self-signed”)
System -> Certificate Manager -> “ADD” -> “Create an internal Certificate Authority”
System -> Advanced -> Admin Access - “SSL Certificate” drop down gives me the option to change from web configurator default to ““Create a certificate signing request” certificate I createdMy assumption is a CA certificate(that only I have on my Mac) + large password is stronger then just a long password? Is this correct? What steps am I missing?
3. How does one turn off HTTP->HTTPS redirect off? Is this on the browser?
I'm not sure what this is? If you are talking about accessing the WebGUI via HTTP or HTTPS then absolutely without question do not ever set WebGUI access to HTTP. Only HTTPS.
In “System->Advanced” I changed the default port # and have HTTPS enabled, however the browser still asks me to confirm a redirect and approve exception. This is still HTTPS? I believe this pertains to my CA certificate?
My questions/Looking for feedback:
1. I tried adding a self signed certificate on my end but it broke the VPN connection. Similar to the web GUI question, do I need to get this externally from a Comodo or Verisign with my domain? In the logs my vpn provider did not appear to accept it.I believe that you are talking about the key pair between your PIA provider and your pfSense box (the client)? If so, you need to use their public key. They are maintaining the private key and publishing the public key for you to use, that is the only key that will work.
I was able to setup PIA, downloaded their public key, entered my user name/password but was looking to see how to setup a CA verification only end. I was referencing this video but was unable to get it to work, take note of the internal key that is setup in pfSense and inputed into the OpenVPM client during the initial setup: https://www.youtube.com/watch?v=8jYibgeAV0Y
I will look at other providers to see if it will work but PIA seemed a popular provider, wasn’t sure if anybody managed to set up a “self signed” certificate using PIA as additional authentication.
…Is it more secure to setup 2-3 VLANs on the WIFI network I.e. Secure WIFI(VLAN #1), IOTDevices(VLAN #2) and WIFES(VLAN #3)?
I originally asked this question in the context of Suricata but Thought it best to clarify as a broader pfSense configuration/security question:
I have 1 wireless controller/access point(Which I think needs a direct wireless connection (to configure. change passwords, etc… )which I want to make sure is secure. I also want to make sure I have I have a Guest/Wife/IOT VLAN and a Super secure wireless network. I am thinking the following:
A) Secure WIFI/Wireless Controller + Guest/Wife/IOT(VLAN #2)
Or
B) Secure WIFI (VLAN #1) + Wireless Controller (Connect direct on Interface only i.e no VLAN) + Guest/Wife/IOT(VLAN #2)
Or
C) Secure WIFI (VLAN #1) + Wireless Controller (Connect direct on Interface only) + Guest/Wife(VLAN #2) + IOT(VLAN #3)
I think C) more secure? Thoughts?
My questions/Looking for feedback:
1. Why are Suricata rules triggered on the Wifi Interface/Network(The interface) and GuestVLAN(a VLAN on the WIFI interface), when the app is only on the VLAN…Just disable suricata on all interfaces except WAN.
I compared my alerts on the WAN and VPN interface and they are different…Suricata on WAN and VPN interface(since it is also a gateway)?
Outstanding questions:
Rules, static leases and white listing:
….2. Is there a way to allow allow google voice and hangouts only?
I managed to find the following from Google:
When deploying Hangouts Meet or classic Hangouts, bandwidth planning is vital.
Concurrent usage estimates are required.
Enable UDP ports 19302 to 19309.
Enable TCP and UDP ports 80 and 443.I am able to make outgoing calls using hangouts/google voice(via port 80 and 443) but incoming calls are not coming in via WIFI? Is there a secure way to configure this so as to receive incoming calls on WIFI with out compromising security and opening ports wide open?
OpenVPN used for privacy to access the web:
…2. Does setting up an interface just give me more options? I was able to bypass the “AppleTV” by changing each rule Gateway in the AppleTV interface (Extra Options-Display Advanced-Gateway-WAN) to access the WAN
I am inclined to think the “KISS” approach is best for me. I think adding a VPN interface and deleting and adding “Mappings” rules/configurations in the “Firewall -> NAT -> Outbound -> Manual Outbound NAT” section for each internal interface gives me a lot more flexibility, is this true? By deleting the WAN “Mappings” rule configuration in effect give me a kill switch(When the internal interface rules reference this gateway only)?
Any and all feedback is greatly appreciated!
-
For the first two questions, pfSense automatically sets up a certificate for the webGUI called webconfigurator.
You will get a Certificate error in your browser when using that certiifcate but that's fine you are still secure. You can identify an https website by a green lock in the url address bar, if there's an error the lock won't be green (as in the case of the webconfigurator certificate) this is usually cause for alarm but since you personally know that you can trust the webconfigurator certificate because it was generated on your personal machine then you know it's safe.
As far as maximizing security on the web GUI, I think someone on here already mentioned using a dedicated machine (or at least a dedicated browser) to access the web GUI and nothing else. If you can do something like this with say an old machine that you do a clean install with something free like linux with a GUI or TrueOS then you are extremely secure.
Additionally you can create a management VLAN (I think you already did this) that is the only access point for the web GUI.Combining all of these things is an extreme level of security that is very likely beyond what even you need under a targeted attack, you don't need anything beyond this.
–---
So for the PIA certificate what it sounds like you are saying is that you want to use certificate based authentication in order to access your account instead of or in addition to the username password login?
As far as I know this is not supported.
It is probably also not needed. You would still have a username/password combo that you would use to login to your PIA account at their website and that's all that it's doing over the VPN connection.
Your PIA account should not have any personally identifiable information in it (you'll have to log into your PIA account to check what's in there).
So basically, set a strong password for PIA and enable any two-factor authentication if it's available, use strong, obscured "reset questions" if you have any at all and store it all in some sort of password manager that has an incredibly secure password and two-factor authentication. Basically treat it just like any other online account you have.
The reason you segregate your internal network is to separate devices that either have different purposes, different levels of security, or different levels of trust. So keeping known insecure IOT devices on their own network with minimal access to the internet and the rest of your internal network is important.
Also keeping a guest network isolated from your internal network is important for guests and untrusted devices.I've never used a VLAN at all much less on a WAP so I can't tell you anything about that.
I just use my main WAP for my network and a cheap WAP for Guest access. VLANs are probably fine, but I believe that you are going to need an access point that supports VLANs for that?
I don't think suricata is going to do much of anything for you on your VPN gateway but I might be wrong. Hopefully someone else can answer this!
I don't know anything about google voice/VOIP setup. For any kind of bandwidth planning though you can use the HFSC Traffic Shaper wizard.
I'm pretty sure that if you run suricata in inline mode that it breaks the traffic shaper right now though so you'll have to use legacy mode if you want both.I've never tried to implement security via NAT. I can't tell you whether or not it is effective or efficient. My guess is that you just use firewall rules for this.
-
I haven’t given up!!
I had a lot of cool components with my original effort (VPN, Surricata/Snort, isolations, etc… but I was missing a fundamental component: Good solid Rules, especially with DNS settings! Instead of continuing down the path I was on I decided to scrap my efforts and start again from a default configuration.
I approached my build a little different this time and managed to get the following working on my LAN interface only with “Any, Any, Any” rules…NOT SECURE!:
Siricata monitoring only
pfBlockerNG DNSBL working and showing alerts
A VPN client with PIA and a VPN interfaceWhat rule do I need to put in place on the new interfaces to allow me to use access the internet on VPN and DNS internally via pfBlockerNG?
Any body have some basic rules allow this to work?
Thanks again for any and help…
-
To use your VPN as the gateway for a rle you select your VPN interface gateway under advanced in the rule.
The DNSBL VIP should be automatically configured for you after you setup DNSBL.
BTW, I wanted to mention pfMonitor to you. I'm checking it out right now and it sounds like something that would be really useful for you. Primarily it will give you more information on who your attackers are, and how they are attacking you by giving you summary statistics with something to compare them to, along with notes and links explaining things.
https://forum.pfsense.org/index.php?topic=120972.0
Back on track though, does that answer your question about rules or are you trying to migrate from a blacklist LAN to a whitelist LAN and looking for how to do that?
-
I compared my alerts on the WAN and VPN interface and they are different…Suricata on WAN and VPN interface(since it is also a gateway)?
If you use vpn as a gateway, and you expose services on it, you can enable suricata on vpn like you do on WAN.
Using suricata on "external" interfaces you can monitor/block attackers but you loose NAT informations. If one of your hosts has a malware, you cannot see its address from WAN side.Suricata on LAN shows the correct source/ destination IP addresses. But if you have multiple subnet then you should enable suricata on every one.
And enabling suricata on all interfaces probably kill your CPU ;)You can decide to use pfblocker to stop most of the attackers on WAN/VPN and use suricata on LAN/WIFI
-
Thanks Fabio72…While I get this going I have snort running on my VPN and wan...I want to get to PfBlocker in the long term but today I am still using OpenDNS. While not private I think I am getting some extra security. I need to work out how to get PfBlocker working on my LAN and multiple VLANs. Thanks again for he help...
