firewall for Windows network



  • Hi, I am new to pfSense and thus have little technical knowledge about pfSense.
    We have a Windows network and I am trying to implement a pfSense firewall on it.
    Can I allow specific programs like Google Chrome, Skype etc. to access the internet and block all other applications?



  • Yes and no. You can't easily block or pass based on the name of some application running on a client behind the firewall. You can block based on TCP/UDP port number and/or source and destination IP addresses. pfSense and other professional-level firewalls don't work exactly the same as the Windows firewall does on Microsoft clients.

    Your question leads me to believe perhaps you have very limited experience with IT security when it comes to networking and firewalls. You are setting yourself up for a potential security disaster if you try to configure a perimeter firewall without fully understanding the OSI model and IP networking theory including subnet masks and TCP/UDP ports.

    If you are doing this for a business network, you might want to consider contracting out the set up of the firewall to an IT security professional; or at the very least do a lot of Google research and find tutorials on firewall operation and theory.


  • LAYER 8 Global Moderator

    Well said bmeeks..

    An edge firewall is much different than a host firewall.. But with the right know-how it is possible to do some application based filtering with OpenAppID and Snort.

    https://www.netgate.com/blog/application-detection-on-pfsense-software.html

    But yeah, that is going to be a steep learning curve for sure, for someone who had to ask the question in the first place.

    If your goal is to prevent applications from doing xyz - that is the place of a host firewall. But normally if you're at a point where you want to filter Chrome or Skype from being used in a Windows environment you would just prevent those applications from even being installed by users..

    If you can give us more info on your overall network - running AD? Are your Windows machines user-managed - ie sort of a BYOD setup? Or are they managed by you/IT dept? What exact sort of scenarios are you wanting to prevent?

    Are you wanting to allow, for example, Skype to be used to video call other users in your org/location/family - but not allow free access to anyone? etc..

    This is where the suggestion of hiring the correct staff or company to manage your expectation of security is key.. Actually useful, valid security always comes at a price.. Be it in the learning curve if you're going to do the work yourself - or in the cost of the appropriate hardware and/or licensing of specific software to do what you want to do with your current skillset. While you can for sure do some amazing things with pfSense, be it with something like OpenAppID or IPS in general or a proxy for filtering categories, etc. etc.. if you do not have the skillset or the staff that can leverage open source or free/lower cost tools, then you have to pay for the higher end stuff like a commercial proxy or NGFW with application management like a Palo Alto or etc.. All have license costs that can be prohibitive for the smaller shops - and while they do make doing X much simpler since they do all the background work for you (reason for the license costs), you still need the appropriately skilled staff to manage them, etc.

    Implementation of valid security controls is also going to cost a price with your user community... Be it they could do X before and now it doesn't work, but to do their job (at least in their minds) they need to do X, etc. etc. So there will be a learning curve and training required for the user community, along with normally higher support hours/cost to manage the expectations and issues that the heightened security will create - at least in the beginning.
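As an added example (not code posted in this thread), here is the host-firewall approach the reply points to, done on the Windows client with Windows Defender Firewall from an elevated PowerShell session; the chrome.exe and Skype.exe paths are assumptions to confirm on the machine being configured:

```powershell
# Added example (not from this thread): per-program outbound allow-list on a
# Windows client with Windows Defender Firewall. Run from an elevated PowerShell
# session. Program paths are assumptions; confirm them on the machine first.
$Allowed = @{
    'Allow-Out-Chrome' = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    'Allow-Out-Skype'  = 'C:\Program Files\Microsoft\Skype for Desktop\Skype.exe'
}

function Add-RuleOnce {
    # Create the outbound allow rule only if one with that display name does not exist yet.
    param([string]$Name, [hashtable]$RuleParams)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow `
            -Profile Domain,Private,Public @RuleParams | Out-Null
    }
}

# 1. Allow rules first, so flipping the default later does not cut the machine off.
foreach ($name in $Allowed.Keys) {
    $path = $Allowed[$name]
    if (-not (Test-Path $path)) { Write-Warning "Skipping ${name}: $path not found"; continue }
    Add-RuleOnce -Name $name -RuleParams @{ Program = $path }
}

# 2. DNS and DHCP are sent by the Windows service host, not by chrome.exe or Skype.exe,
#    so without these rules the allowed programs cannot resolve names or get an address.
$svchost = "$env:SystemRoot\System32\svchost.exe"
Add-RuleOnce -Name 'Allow-Out-DNS-UDP' -RuleParams @{
    Program = $svchost; Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = 53 }
Add-RuleOnce -Name 'Allow-Out-DNS-TCP' -RuleParams @{
    Program = $svchost; Service = 'Dnscache'; Protocol = 'TCP'; RemotePort = 53 }
Add-RuleOnce -Name 'Allow-Out-DHCP' -RuleParams @{
    Program = $svchost; Service = 'Dhcp'; Protocol = 'UDP'; LocalPort = 68; RemotePort = 67 }

# 3. Outbound traffic that matches no allow rule is now dropped, on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 4. Verify the defaults and list what is still permitted out.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Sort-Object DisplayName | Select-Object DisplayName, Profile
```

Built-in outbound allow rules (core networking, Windows Update and the like) stay in force, so the listing in step 4 is the real allow-list to review. On an AD network these settings belong in Group Policy, since a local administrator can otherwise change them.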

