Best practice rules/setup for icmp and NTP?

Velcro

I have attached my rules for reference. I have been functioning well with out them but best practice states I should have them. Why do I even need these rules anyway?

My question is what is the best way to setup ICMP rules and NTP(port 123) rules/Configuration? I would prefer as little traffic out my firewall as possible.

Any thoughts or recommended settings would be appreciated….

V

johnpoz

not seeing any rules.

Out of the box lan rules are any any.. What did you change them too?  Are you talking intervlan traffic, are you talking to the internet?

Example here are rules on my psk segment - this is like nest thermostat, echo dot, smart plugs and lightbulbs, etc.  I do mean to segment these devices more - but have not broken out the devices to different vlans as of yet via mac address based vlans now that unifi has that working on psk networks.

But can see I allow to ping pfsense IP on that interface - this is for connectivity testing
I allow dns to anywhere, I allow dns to my pihole on my dmz network segment
I allow ntp to my ntp servers (I run my own stratum 1 and a backup on, etc)
I then reject and don't long traffic from my domotz device that is monitoring - it has no reason to talk snmp to pfsense on this interface - I allow it on a different vlan and don't want it spamming my logs on this interface so it does not log that traffic

I then reject all traffic to any other IP on pfsense, wan, other segments and log this traffic
I then reject and log all traffic to any other of my segments via a rfc1918 alias
I then allow them to go where they want on the internet via not rfc1918 address alias.

When you post up your rules happy to discuss them on what they are allowing or not allowing, etc.

I often log the last rule so I know exactly where the iot devices are going, etc.  But I have it turned off currently to lower the log spam while I was looking at something else.. Will for sure turn that back on once I break out the devices to their own vlans based on type, etc.

Velcro

Thanks Johnpoz…sorry I thought I had attached them.

Some notes about my rules:

1. "IOTDev" is an alias for all my fixed IP devices
2. "MacandIPh" is for my Mac and iPhone and "AMMAppTV" is for my Amazon and Apple TV
3. "AppleWhatsAppBasic_Ports" is whats app ports, 5223 for my Mac and port 80 and 443
4. "Basic_Internet_Ports" is an alias for 80 and 443
5. I have some other restricted VLANs with select devices...similar rule order with different aliases for devices
6. I have a Unifi AP

Everything is working as I want but I get a lot of noise with ICMP and port 123 and I am not sure if I should allow access or what access to allow.

I don't have a  NTP server (I think?) however I have also attached a screenshot of my Services->NTP->Settings screenshot. My Time servers are Canada, US and Switzerland.

Not a big fan of my devices talking to the internet even with a ping or NTP if at all possible but I still want to configure my firewall right. I am concerned some of my devices are more chatty then needed :-X

Any thoughts or advice would be surely appreciated...

V


Grimson

@V3lcr0:

I don't have a  NTP server (I think?) however I have also attached a screenshot of my Services->NTP->Settings screenshot. My Time servers are Canada, US and Switzerland.

Guess what the NTP service is, it's an NTP server. If you want to force all NTP traffic to go to your local one you can use: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense just adjust the port and protocol.

johnpoz

Why would you setup your ntp pointing to different pools like that.. US and CA is somewhat understandable - but why not just use the na pool?  But why are you also pointing to ch pool?  Which is Switzerland..  It would be more common to just point to different address in your pool for the region of the world your in.

Say
0.us.pool.ntp.org
1.us.pool.ntp.org
2.us.pool.ntp.org
3.us.pool.ntp.org

But since you have both us and ca, maybe just the NA pool.
0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org

Also your allowing dns to looks like googledns but not to pfsense - but your description says unbound on it?  Doesn't make sense.

Your running ntp on pfsense, but not letting any of your clients talk to it for ntp?  Again no sense.  So yeah if your logging default block your going to see lots of noise to whatever the clients are trying to use for ntp, be it pfsense or some other internet ntp.

Velcro

Grimson/Johnpoz,
Thanks for the follow up….

I adjusted the NTP servers to:

0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org

The logic was some geographic diversity with switzerland...

Grimson you suggest a port forward for port 123...
Johnpoz I have followed your rule logic from prior posts and looking at your current setup you also have a rule on the interface.

In the spirit of understanding port forward, rules and best practices....are these just 2 ways to accomplish the same thing? Port forward or interface rules? Not trying to stir a pot but simply trying to understand why one way might be better then the other.

Using interface rules(and not a port forward) I would be inclined to add the following rule to allow NTP traffic(See attached with an updated rule).

@johnpoz:

Also your allowing dns to looks like googledns but not to pfsense - but your description says unbound on it?  Doesn't make sense.

Regarding this rule, I have AppleTV and AmazonTV which barf at VPN (All my DNS traffic goes out the VPN on my network)…I set up an alias with OpenDNS and google and use that instead of port 53 for this interface.

Thank you again for any thoughts...

V


Grimson

@V3lcr0:

In the spirit of understanding port forward, rules and best practices….are these just 2 ways to accomplish the same thing? Port forward or interface rules? Not trying to stir a pot but simply trying to understand why one way might be better then the other.

Your current rule setup simply blocks attempts to use an outside NTP server. Which is fine if you can configure an NTP address on all devices, or if you don't care if some devices can't sync the time via NTP because they try to reach a fixed server on the Internet.

By using a port forward all NTP traffic will be redirected at pfSense. So every device will be able to sync the time, no matter what outside server it actually tries to reach.

johnpoz

Why would you port forward between network that are not natting?  Lan segment do not nat between them.. So why would you port forward?

A port forward would be required when you had multiple clients sharing the same IP via a NAPT (network address port translation).. Like what you have between typical wan and lan setup in pfsense.

Still don't get your first rule?  Your allowing dns to only what is in that alias - google_opendns?  But call it access to unbound?  And state no wan leak??

Then your other rule where you block access to firewall is going to block way more than just dns.. It would block all access to any port on on any IP on the firewall… So webgui, sure dns.. but would also block say proxy access or pinging

You do understand that letting a client talk to google or open would be a dns wan leak ;)  Google or open would see the query coming for your wan IP.. So your note on that real makes no sense to me at all.

Velcro

Thank you both…

From what I get from this is:

• A port forward would work in the absence of VLAN on this interface (This rule would apply to all devices on a non-VLAN Interface)
• With VLANs a rule in the interface is a better approach for VLANs

I also updated my "allow" rules with a "!RFC1918" as the destination...I assume this would segregate/harden my VLANs further from each other each other?

Regarding my first rule, fair challenge regarding my note "Allow DNS access to Unbound(NO_WAN_LEAK)", I replaced the note with "By pass Unbound and allow access to OpenDNS/Google(NO_WAN_LEAK)".

Regarding the "NO_WAN_LEAK" I am doing what I understand to be "Policy Filtering", specifically I have "NO_WAN_LEAK" text in the interface "Tag" field of this rules, and a corresponding floating rule(Interface=WAN, Direction=OUT, Tagged="NO_WAN_LEAK"). This is my effort to push everything thru the VPN...

I have "Don't pull routes" checked on my VPN clients and my "Outgoing Network Interfaces" in Unbound only has my VPN selected(No WAN).

Thoughts?

Velcro

Update…

I tried both port forward and an interface rule and I still get blocks on port 123! Using an interface rule my Firewall log showed Source= Apple TV to Destination = 17.253.24.253:123 (Blocked)

When I tried the port forward I recieved a block: Source= Apple TV to Destination = 127.0.0.1 (Blocked)

KOM

The logic was some geographic diversity with switzerland…

You don't want geographic diversity with NTP.  You want lowest possible response time with the lowest jitter.  That almost always means using a source that is geographically closest to you from a network standpoint.

johnpoz

"I tried both port forward"

What?  There is NO scenario when you would use a port forward out your wan from your lan side.. .You mean you tried to redirect it to a local instance of ntp running on pfsense?

If you have floating rules - lets see them, they are applied before interface rules.

Velcro

I ended up rebuidling my firewall…no floating rules.

I do however still get the following blocks to the following destination:

17.253.24.253:123 (From Apple TV)
239.255.255.250:1900 (From Amazon TV)

Both are blocked by my "Block all other rules" on the IOT interface(last block "ALL" rule)...

What the F...is this Apple and Amazon sending my info back? As an FYI both devices are working...I am really struggling with changing my last 2 rules to "ANY" ports if I don't have to.

(Thanks KOM...went local now with my NTP)

johnpoz

Without you posting your rules for us to see its pointless for you to post up this info.

That 2nd thing is multicast… So yeah depending on how your rules are it would be blocked.

NogBadTheBad

@V3lcr0:

I ended up rebuidling my firewall…no floating rules.

I do however still get the following blocks to the following destination:

17.253.24.253:123 (From Apple TV)
239.255.255.250:1900 (From Amazon TV)

Both are blocked by my "Block all other rules" on the IOT interface(last block "ALL" rule)...

What the F...is this Apple and Amazon sending my info back? As an FYI both devices are working...I am really struggling with changing my last 2 rules to "ANY" ports if I don't have to.

(Thanks KOM...went local now with my NTP)

17.253.24.253:123 (From Apple TV).    << NTP
239.255.255.250:1900 (From Amazon TV).    << SSDP

If you do a host time.apple.com does it come back with 17.253.24.253 ?

I'm in Europe so it's resolving to EU based IP addresses.

mac-pro:~ andy$ host time.apple.com
time.apple.com is an alias for time-osx.g.aaplimg.com.
time-osx.g.aaplimg.com has address 17.253.54.125
time-osx.g.aaplimg.com has address 17.253.52.253
time-osx.g.aaplimg.com has address 17.253.52.125
time-osx.g.aaplimg.com has address 17.253.34.125
time-osx.g.aaplimg.com has address 17.253.34.253
mac-pro:~ andy$

If you do a packet capture you'll see the ATV doesn't request NTP via a DHCP option, iPhones & iPads are the same too and you can't set the NTP server, the server can be changed in Mac OS.

https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

If you're really paranoid  ;) this may be of some help :-

https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

Velcro

Thanks NogBadTheBad (Love the name!)…

To your point the logs I see are from my Apple devices...Johnpoz had mentioned in previous posts that his light bulbs talk to other NTP servers(despite his efforts to curb this). I figured Apples were likely doing the same...

2 questions:

1. How would I do a "...host time.apple.com does it come back with 17.253.24.253 ?" where do I go for this?

2. I am definitely paranoid! I just had a Phishing page presented to me the other day...I think the issue is still with my DNS configuration, unless there is another way for an attacker to do this. While I am likely to give up "privacy" I am thinking additional "security" might be better route...the thought is to use OpenDNS or another provider.

My current configuration follows this pfSense doc guideline: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

Would a port forward as you provided: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense enhance my DNS security?

Thanks again for any thoughts...

V

johnpoz

Lets be clear to the term guideline.. That is a doc how to do something - it by no means is an sort endorsement or encouragement of how to setup your network.

You can redirect something that resolves to a name to something else like ntp.. So for example time.apple.com could redirect to internal ntp server via a simple host override where time.apple.com resolves to the internal or pfsense local IP its listening for ntp on.

Letting iot device out for ntp shouldn't be a concern.. My whole issue with those which I did redirect the uk.pool.ntp.org fqdn they were using because its just moronic to use a UK pool for ntp when the device is in the US..  Proper use for iot that want to use the pool, is to register their own pool name for ntp with ntp.org

NogBadTheBad

@V3lcr0:

1. How would I do a "…host time.apple.com does it come back with 17.253.24.253 ?" where do I go for this?

2. Would a port forward as you provided: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense enhance my DNS security?

1. On the pfSense router, connect via ssh or via Diagnostics -> Command Prompt

2. Some devices could be hard coded for google, my Panasonic TV is, if I wanted to force my TV to use my pfSense box this would be the only method.