Plain-language newbie security instructions



  • Hi all,

    I'm just setting up a pfSense machine and would like some plain-language help in configuring my system.

    I have successfully installed pfSense on a dedicated machine, with WAN, LAN, etc. configured.  Now I want to start setting up firewalls, port-blocking, etc.

    Though I am very comfortable with computers, networks are like the dark side of the moon to me.  I have reviewed multiple web-sites, watched hours of Youtube videos, and feel like I'm reading technical service manuals for a new car, when all I want to do is setup the radio.

    I know the very minimal basics - E.g. IP address, MAC address, etc, but have no clue (nor do I have the time to learn) all about PPOE, OWA, SSH, or web proxies, etc.

    I have a home network, with multiple computers running multiple OSes, networked printer, networked blue-ray/Netflix player going through an unmanaged switch, and I need to be able to access a corporate system via a VPN.

    What I'd like to learn to do (with plain-language instructions) is harden my network:
    1. Block all unnecessary ports, while still having access to HTTP, HTTPS, email and the  VPN.

    2. Block a list of IP addresses that I've accumulated from each of the home computers over years.  (I.e. Block inbound connections from these sites, and Reject outbound requests to these sites).

    3. Set any other configuration settings that make my pfSense device as tight as possible for the setting described.

    4. Keep logs of which IP addresses the devices are accessing.  E.g. is my TV/Blue-ray player calling home?

    I don't want to have to manually enter firewall information for each of the thousands of sites in my block list.  For some of the sites, I'd like to be able to block a range of addresses at once (both IPv4 and IPv6).  I am aware of pfBlockerNG, but would rather script my own list of sites into pfSense if this is possible.

    Again I know next to nil about networks or the lingo of networks, though I'm very comfortable with programming.  If just want to know how to set up pfSense to do what I want.

    Can you help out?

    Cheers in advance!



  • @Pelagic:

    Again I know next to nil about networks or the lingo of networks…  If just want to know how to set up pfSense to do what I want...

    Can you help out?

    Yes! Most of the help you need is to take an entirely different approach to what you want to do.

    I don't want to have to manually enter firewall information for each of the thousands of sites in my block list.  For some of the sites, I'd like to be able to block a range of addresses at once (both IPv4 and IPv6)I am aware of pfBlockerNG, but would rather script my own list of sites into pfSense if this is possible.

    Again I know next to nil about networks or the lingo of networks, though I'm very comfortable with programming.  If just want to know how to set up pfSense to do what I want.

    So you have no idea what you're doing, and you are well aware there is an excellent tool that does what you want…. but you want to script it on your own, and you want the community to tell you exactly how to do that in lamens terms?

    Yeah, just use pfBlockerNG. If you want to script it yourself, go ahead, but the key is do it yourself. I don't think anyone on here's going to hold your hand through that one when pfBlockerNG is going to do a better job than you'll be able to. That's the right tool for the job, use it.

    @Pelagic:

    1. Block all unnecessary ports, while still having access to HTTP, HTTPS, email and the  VPN.

    2. Block a list of IP addresses that I've accumulated from each of the home computers over years.  (I.e. Block inbound connections from these sites, and Reject outbound requests to these sites).

    3. Set any other configuration settings that make my pfSense device as tight as possible for the setting described.

    4. Keep logs of which IP addresses the devices are accessing.  E.g. is my TV/Blue-ray player calling home?

    1. that's whitelisting. you can search the forum for that. it isn't very difficult for most home networks. but i think you'll find it fairly useless in terms of security. ports 80 & especially 443 are going to stay open anyways, so the spybots in your home will just get out that way. The security you're looking for is baked into pfSense by design, it's a stateful firewall that blocks all incoming connections until something within your network makes a request for it, or you write a rule specifically allowing it.

    2. this is probably useless. you're describing what sounds like either an unmanaged or poorly managed list (even if it is a good list - pfBlockerNG). you can get professionally managed lists for free (pfblockerng again), or use free professionally written (or write your own custom rules) on suricata / snort to capture specific traffic and even maintain lists based on these rules - but that's something you'll need to learn and it will take you some time. the forum is here to help though!

    3. since you know next to nil about networking you are honestly best off leaving default settings until you find a very good reason to change them. if you think you should change something but don't know A. exactly what you are doing by changing it AND B. the reason why changing it is better, then don't change it.
    This might sound counter-intuitive for something that seems like it's for a tinkerer - but it's how you're going to keep a stable and secure network until you know what is going on.

    4. almost certainly useless and not worth your time, but this is snort with a MiTM attack against all your own http/s traffic. again, a somewhat in depth setup that you'll need to take the time to learn.

    in short,
    you need to learn networking at some level in order to effectively manage - a network - , even if it is just your home.
    Also, don't get overzealous with "hardening pfSense" it isn't necessary, and you can't do it effectively until you know something about networking.
    Finally, don't try to reinvent the wheel. the tools are already made and this forum already contains the information.

    What you need to do is start reading this forum (search the forum when you run into something you don't understand - then search google). AFTER you have put in the effort to at least have an idea of what is going on, then come back to the relevant subforum and ask Specific questions.

    I know this isn't the answer you're looking for - but it's the answer that you need  ;).
    The forum (myself included) are still here to help, but you need to put in some effort too.

    You just stated you don't know what you're doing, AND you don't want to use the right tools for the job, AND want to do several things that can each be pretty involved (and that you almost certainly won't actually need/want once you figure out what's going on).

    That trifecta is not going to garner much help unless you're willing to do some (significant) self learning.



  • Thanks!

    I much appreciate your advice - very helpful.
    You are right of course, that more skill will come with time.  For now though, the goal is to get the firewall up and running.

    So… I have activated pfBlockerNG, and installed several block lists.  Step 1 complete.

    I'd still like to add the custom list of sites that I want to block.

    I've read on-line how to create and then load a custom list from a webserver, but I do not have a webserver.
    Is there a simple way of loading pfBlockerNG with a list from either a computer on the LAN, or from a flash drive connected to my pfSense machine?

    Cheers!


  • Netgate

    pfBlockerNG and your custom lists has nothing at all to do with "getting the firewall up and running."



  • yes, your firewall is up and running from the moment you install it and plug it in. It runs out of the box for almost all network configurations, and is secure in that configuration.

    As far as uploading files to your box, yes you can do it from the webgui, or from SSH. It's as simple as creating a new file and copying the list of IPs into the new file. Then point pfBlockerNG to that file, it might be done with DNSBL? I'm sure you could also import the list as an alias and just use that on firewall.
    I've never imported a list to an alias before and don't have a pfsense box to look at right now but I'm almost certain there is a webgui button for it?

    If you named the list "BAD_IP" then the rule would be something along
    BLOCK any_source_ip on any_source_port > BAD_IP

    Again, I've never done it that way but am pretty sure that will work. I don't know how you're compiling your list but the problem with most self-maintained lists of bad IP's is that IP's are dynamic and will change over time. So after enough time you'll eventually not be blocking bad guys anymore but will be blocking whatever computer or service is now behind that IP.

    Depending on what you are trying to block with this personal list, you can probably either find a maintained list that covers it and is updated by a service, or use an IDS/IPS to block the IP's.