Pfsense troubleshooting firewall/package issues
I’ve just installed pfSense for the first time a few days ago, and mostly have it working the way I want it to. I’ve watched numerous YouTube tutorials etc., but I'm still learning.
One thing I’d like assistance with is troubleshooting blocking issues.
On pfSense I have the following packages installed:
- pfBlockerNG (set to block incoming from Asia, Russia etc.)
- Squid (including HTTPS, and antivirus)
- ntopng
The issues I’m having with this config are:
- If I have antivirus running, it blocks CrashPlan
- Some HTTPS pages / iPhone apps like Google Voice or eBay do not load on the initial attempt; pressing reload once or twice seems to make them work
- Some HTTPS pages like eBay no longer display images of auctions in Safari; they work well in Firefox
To troubleshoot, my current procedure is:
- I’ve looked at the firewall logs, filtered for the IP address of the server
- I assume that the logs would show all firewall logs, including pfBlockerNG's, but in case they didn’t I disabled it too and reran the test
- I couldn’t find logs for Squid or the AV from the interface, so I disabled it and reran the tests; I thought it would disable antivirus but it didn’t
My questions:
1. How do you troubleshoot? I followed the procedure above but I think I’m missing some simple steps.
2. For CrashPlan, how can I add a rule to bypass virus protection for that IP address?
3. For eBay, Google Voice etc., is it a good idea to add the domain to a whitelist, or is there another solution like just enabling certain apps?
4. Are there reports I can add to the dashboard that would show things going out that are being blocked by the firewall, AV, or Squid?
5. Are there any other packages you would recommend installing, either to troubleshoot or to better accomplish what I'm doing?
Thanks in advance for your time
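The first troubleshooting step in the post, filtering the firewall log for one server's address, can be scripted against the raw filterlog lines rather than clicked through the GUI. The following is an added example, not code from the post or from pfSense: it parses the comma-separated layout that pfSense's filterlog writes after the syslog prefix (rule number, sub-rule, anchor, tracker id, interface, reason, action, direction, IP version, then the IPv4 fields and the ports), keeps only the block entries involving a given host, and counts them per interface, tracker id, protocol and destination port. The tracker id is what identifies the rule in pfSense's firewall log view, so the summary tells you which rule did the blocking. All log lines, addresses, tracker ids and the port 4285 below are constructed for the example.

```python
import csv
from collections import Counter

# Constructed sample entries (not real log data), in the layout pfSense's
# filterlog writes after the "host filterlog:" syslog prefix. Field layout
# assumed by this parser:
#   rule-number, sub-rule, anchor, tracker-id, interface, reason, action,
#   direction, ip-version, then for IPv4: tos, ecn, ttl, id, offset, flags,
#   protocol-id, protocol-name, length, source, destination, and for TCP/UDP
#   the source port and destination port (further TCP fields are ignored).
SAMPLE_LOG = """\
Jan 10 09:15:01 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51234,4285,0,S,1,,65535,,mss
Jan 10 09:15:02 fw filterlog: 12,,,1000000110,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51235,443,0,S,1,,65535,,mss
Jan 10 09:15:03 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.1.50,203.0.113.53,55001,4285,58
Jan 10 09:15:04 fw filterlog: 9,,,1000000200,em0,match,block,in,4,0x0,,47,0,0,none,6,tcp,40,198.51.100.7,192.0.2.1,40000,22,0,S,1,,1024,,
Jan 10 09:15:05 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.51,203.0.113.10,51300,4285,0,S,1,,65535,,mss
"""

HEAD = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
        "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto",
        "length", "src", "dst"]


def parse_filterlog(text):
    """Turn filterlog lines into dicts; IPv6 entries are skipped here."""
    entries = []
    for line in text.splitlines():
        if "filterlog:" not in line:
            continue
        payload = line.split("filterlog:", 1)[1].strip()
        fields = next(csv.reader([payload]))
        entry = dict(zip(HEAD, fields[:9]))
        rest = fields[9:]
        if entry["ipver"] != "4":
            continue  # the IPv6 header layout differs and is not handled
        entry.update(zip(IPV4, rest[:11]))
        rest = rest[11:]
        if entry["proto"] in ("tcp", "udp") and len(rest) >= 2:
            entry["srcport"], entry["dstport"] = rest[0], rest[1]
        entries.append(entry)
    return entries


def blocked_for_host(entries, host):
    """Only the block decisions where the host is source or destination."""
    return [e for e in entries
            if e["action"] == "block" and host in (e["src"], e["dst"])]


def summarize(entries):
    """Count blocks per (interface, tracker id, protocol, destination port)."""
    return Counter((e["iface"], e["tracker"], e["proto"], e.get("dstport", "-"))
                   for e in entries)


if __name__ == "__main__":
    blocks = blocked_for_host(parse_filterlog(SAMPLE_LOG), "192.168.1.50")
    for key, count in summarize(blocks).most_common():
        iface, tracker, proto, dport = key
        print(f"{count}x blocked on {iface} by tracker {tracker}: {proto}/{dport}")
```

Run it against a copy of /var/log/filter.log (or the clog output on older releases) with the backup client's address; a tracker id that keeps showing up for the same destination port is the rule to look at, whether it came from your own rule set or from a package like pfBlockerNG.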
You have a lot going on…maybe too much for just starting!
Feel free to look through my other posts that document my ongoing "journey".... :-[. It's a learning curve to say the least!
Some thoughts:
1. Careful with "...mostly working the way I want..."... it's what I don't know that scares me the most!
2. Regarding logging: not all pfBlocker rules showed up in my firewall rules; I look in my pfBlocker "Alert" tab AND in my firewall log. I tried Squid but never had much luck... kept breaking things. I use the Snort package and pfBlocker instead. Maybe one day I'll be able to incorporate Squid, but it shut me down as well.
3. Learn how to create fixed IPs for your clients, and learn how to create aliases, specifically port aliases and device aliases (with fixed IPs)... knowing this, you can make some tight rules. It's pretty easy... I was advised early to get my rules right as they are the critical element in a firewall.
4. Get your rules down first... the default "Any" rules that come preset, IMHO, are pretty liberal... I wanted a tighter setup and restricted the ports and devices. I set up aliases for ports I want to allow access to and devices I want to allow.
5. When you want to deinstall a package, make sure you do so correctly; some have "Save settings" which makes some of the features and rules "linger" even after you uninstall the package. Install Squid again and look for this "check box", click save, reload or update (Cron event for pfBlocker... not sure if Squid has this) and then uninstall again.
6. As mentioned, I replaced my default "Allow Any" rules with the specific ports I wanted to allow access to, the most common being 53 (DNS), 80 (HTTP) and 443 (HTTPS); however, I later discovered by looking at my firewall and missing Google Voice calls that other ports were needed for my Google Voice. I suspect CrashPlan has some specific ports needed as well (I don't trust any cloud services by the way, but that's a separate post!).
7. I too am looking for a good "dashboard"; someone recommended "Security Onion" as a good solution but it is not a pfSense package, I believe it requires exporting your data to another program. Never done it... apparently this is a gap with open-source software. If you find a good package let me know... how is ntopng working for you?
8. Learn how to do an "Easy Rule" from your firewall log; it adds a rule that will allow you to pass or block an alert. Keep in mind, in my experience you need to go back to the interface that the rule is added to and move it up the priority list (remember pfSense looks at rules in the order they are placed on the interface, i.e. top first, then moves down). The easy rule also allows you to go back and modify.
I suspect if you do #5 above and uninstall Squid correctly you will be functional again.
Consider Snort in monitoring/"IDS" mode to start; after you monitor the alerts you are getting (similar alert tab as you find with pfBlockerNG), switch to "IPS", i.e. kill nasty connections.
pfBlocker has some cool filtering functionality but is a little tricky to get fully going (sounds like you enabled geo-blocking only)... learn how to set up DNSBL and IPv4 lists in pfBlocker.
Hope this helps... Just my 2 cents, open to feedback, alternatives and rude remarks from the community if my suggestion is wrong!
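The points about aliases, replacing the "Allow Any" rule with a port list, and an Easy Rule landing at the bottom of the interface where it never fires until you move it up are easiest to see in a small simulation. The following is an added example, not from the reply above and not pfSense's own code: it models one interface's rule list evaluated top-down, first match wins, with host and port aliases resolved the way the reply describes, and shows the same backup connection being blocked by the catch-all rule until the Easy Rule is moved above it. The alias names, addresses, port 4285 and rule descriptions are constructed for the example; a packet matching no rule falls through to pfSense's implicit default deny.

```python
import ipaddress

# Constructed aliases: device aliases built from fixed IPs and a port alias,
# as the reply recommends. Not real network data.
ALIASES = {
    "Trusted_Hosts": ["192.168.1.50", "192.168.1.51"],
    "Backup_Server": ["203.0.113.0/24"],
    "Allowed_Ports": [53, 80, 443],
}

# The interface's rule list, top to bottom. Rule 3 is the Easy Rule that was
# added from the firewall log and therefore sits at the bottom.
RULES = [
    {"action": "pass", "proto": "any", "src": "Trusted_Hosts", "dst": "any",
     "dport": "Allowed_Ports", "descr": "trusted devices to allowed ports"},
    {"action": "block", "proto": "any", "src": "any", "dst": "any",
     "dport": "any", "descr": "block and log everything else"},
    {"action": "pass", "proto": "tcp", "src": "Trusted_Hosts",
     "dst": "Backup_Server", "dport": [4285],
     "descr": "Easy Rule: backup client to backup server"},
]

BACKUP_PKT = {"proto": "tcp", "src": "192.168.1.50", "dst": "203.0.113.10", "dport": 4285}
WEB_PKT = {"proto": "tcp", "src": "192.168.1.50", "dst": "198.51.100.20", "dport": 443}
GUEST_PKT = {"proto": "tcp", "src": "192.168.1.99", "dst": "198.51.100.20", "dport": 443}


def expand_hosts(spec):
    """Resolve 'any', an alias name, or a literal address/network to networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(v, strict=False) for v in ALIASES.get(spec, [spec])]


def expand_ports(spec):
    """Resolve 'any' (no restriction), an alias name, or a literal port list."""
    if spec == "any":
        return None
    values = ALIASES[spec] if isinstance(spec, str) else spec
    return {int(v) for v in values}


def rule_matches(rule, pkt):
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if not any(src in net for net in expand_hosts(rule["src"])):
        return False
    if not any(dst in net for net in expand_hosts(rule["dst"])):
        return False
    ports = expand_ports(rule["dport"])
    return ports is None or pkt.get("dport") in ports


def evaluate(rules, pkt):
    """First matching rule decides; returns (action, rule index, description)."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], idx, rule["descr"]
    return "block", None, "implicit default deny"


def move_rule(rules, from_idx, to_idx):
    """Reorder like dragging a rule in the GUI; returns a new list."""
    reordered = list(rules)
    reordered.insert(to_idx, reordered.pop(from_idx))
    return reordered


if __name__ == "__main__":
    print("backup, Easy Rule at bottom:", evaluate(RULES, BACKUP_PKT))
    print("backup, Easy Rule moved up: ", evaluate(move_rule(RULES, 2, 1), BACKUP_PKT))
    print("web from trusted host:     ", evaluate(RULES, WEB_PKT))
    print("web from unknown host:     ", evaluate(RULES, GUEST_PKT))
```

The point of the simulation is the position of rule 3: the catch-all block at index 1 already matches the backup traffic, so the Easy Rule below it is dead until it is moved above the block, which is exactly the "move it up the priority list" step in the reply.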