Rule help?

Velcro

I was hoping to get some feedback on my rules, including order, rules needed, redundant rules, any feedback on reducing rules yet maintain isolation? etc…

I have a number of interfaces and VLANs with similar rule set, I want to keep the interfaces and devices isolated.

Any thoughts would be appreciated....

johnpoz

All of your block rules could be put into 1 rule that use an aliases for.  Looks like you already have a rfc1918 alias.  Just use that, I would assume all your other networks you have listed fall into rfc1918.

Also unless you have downstream networks, your source should be locked to the network for this interface.  IOTvlan, would be the only logical possible source address unless there is downstream networks?

Velcro

Thanks Johnpoz…

"All of your block rules could be put into 1 rule that use an aliases for.  Looks like you already have a rfc1918 alias.  Just use that, I would assume all your other networks you have listed fall into rfc1918."

1 - My top 6 rules are intended to block any communication with the other interface, I have similar rules on each interface. Would I need to create an alias for each interface? For example the alias to use in the iotvlan would consist of all nets except the iotvlan net?

"Also unless you have downstream networks, your source should be locked to the network for this interface.  IOTvlan, would be the only logical possible source address unless there is downstream networks?"

2 - just so I am clear(I updated my image with numbers so you know what rules I am referring to), rules 1-6 should have a source of "IOTVLAN NET"?

3 - Do I need rule 10?

johnpoz

1)  Why would could it not just be all of them.. Just put it below where you allow 53.. to your interface

2. unless you have downstream networks, your source should always just be the network of that interface.  Doesn't really matter in the big picture.  But unless you have downstream network it should be impossible for other than iotvlan netework to be the source of traffic coming into your iotvlan interface.

3. Not unless you turned off default rule logging?  And you want traffic into this interface logged.  I default logging off, and create rules to log where I want to see blocked traffic.  For example on my wan I only block tcp syn and log it.  The default rule blocks everything else but have no desire to see that noise, UDP, out of state traffic, etc.

Velcro

1. I just made the change to my rule set…see attached, I made some note on the attachment so I am clear. From what I gather about the logic of this rule set is: a request for dns is made via port 53(rule 1), rule #2 blocks access to firewall, rule 3 blocks all access to other interfaces, rule 4 allows internet access, rule 5 blocks everything else?

Thanks again...I am trying to make sure my rules are secure but also follow the rule logic.

2. Not sure what a downstream network is but I think so...don't think I have one. The interfaces are connected to devices/clients only.

3. I need to look into the logging more...definitely want to reduce the noise.

Thanks again...

johnpoz

A downstream network would be if you had a L3 switch or router downstream of pfsense on a transit network.  Most likely no you do not have one ;)

Your rules look fine.  Your firewall rule and blocking of rfc1918 could also be joined.  But the firewall blocks all IPs on firewall, even the wan.. So this prevents someone from this network from access say your pfsense web gui via the wan IP on the inside.  If your pfsense wan was rfc1918 you could just get by with your rfc1918 alias block.

Again your last rule isn't really need there is a default deny on every interface - but it if helps you understand the flow of the rules, nothing wrong with it.

Velcro

Thanks Johnpoz again for your help…