Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall Feedback

    Scheduled Pinned Locked Moved Firewalling
    21 Posts 6 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NollipfSenseN
      NollipfSense
      last edited by NollipfSense

      Here is my LAN firewall that was inspired by the thread "Taming the Beast." However, I notice privilege ports, just the TCP is seeing traffic...could the default rule below maybe overriding...did I get it wrong or I just don't have any UDP traffic now? I disabled IPv6 addresses.

      Screen Shot 2019-08-05 at 12.01.35 AM.png

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan
        last edited by

        Use an application that actually uses UDP ;)

        715abcaf-81d5-4207-867e-4cb8710d0ad8-image.png

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        NollipfSenseN 1 Reply Last reply Reply Quote 0
        • NollipfSenseN
          NollipfSense @Gertjan
          last edited by NollipfSense

          @Gertjan Thank you Gertjan for responding...got traffic now!

          Screen Shot 2019-08-05 at 7.15.21 AM.png

          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad
            last edited by

            Do you have a device on the LAN subnet providing DNS or is it done by pfSense, I'm guessing its pfSense as there are hits from * to Lan net ?

            1565007427355-screen-shot-2019-08-05-at-7.15.21-am.png

            I'd change it to This Firewall or LAN Address if you're using pfSense to provide DNS.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            NollipfSenseN 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              I really don't see the point to some of those rules.. Your allowing privout and then all the above ports, but then under that you have any rule.. Your not logging those - so what exactly do you think the point of those are?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              NollipfSenseN 2 Replies Last reply Reply Quote 1
              • NollipfSenseN
                NollipfSense @NogBadTheBad
                last edited by NollipfSense

                @NogBadTheBad Thanks NogBadTheBad...that's the kind of feedback I am seeking...yes, it'd done by pfSense; so, I'll make the change.

                Screen Shot 2019-08-05 at 7.52.09 AM.png

                pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                1 Reply Last reply Reply Quote 0
                • NollipfSenseN
                  NollipfSense @johnpoz
                  last edited by

                  @johnpoz Thanks Johnpoz for responding...actually, I had been thinking about that and glad you point it out. So, would it be best to disable the any rule? How you could tell that those (privout and UDP) aren't logged? Is it by the traffic of the default any rule?

                  pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                  pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                  1 Reply Last reply Reply Quote 0
                  • NollipfSenseN
                    NollipfSense @johnpoz
                    last edited by

                    @johnpoz Okay Johnpoz, I disabled the any rule and move up the block all.

                    Screen Shot 2019-08-05 at 10.35.23 AM.png

                    pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                    pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      @NollipfSense said in Firewall Feedback:

                      How you could tell that those (privout and UDP) aren't logged?

                      Because they don't have the log icon next to them..

                      I would of just gone the other way and removed those rules.. And left the any... With your current rules you can not even ping anything not even pfsense own lan IP.

                      I can think of a few UDP ports that your blocking, NTP and QUIC or HTTP/3 that could be causing you issue going forward with such rules. ESP and AH come to mind as well that could be causing your clients issue.

                      If your wanting to lock down to only used ports/protocols - its prob better to log your any rule for a while and then figure out what is being used on your network, and then create the rules to allow what you want.

                      Also since your not logging the block rule you have there - you will not know what clients are banging on the door to let them out ;) Which just becomes unwanted noise on your network, which might be better to reject or turn off such protocols/applications your not going to allow out off on the client side, etc.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      NollipfSenseN 1 Reply Last reply Reply Quote 0
                      • NollipfSenseN
                        NollipfSense @johnpoz
                        last edited by

                        @johnpoz said in Firewall Feedback:

                        @NollipfSense said in Firewall Feedback:

                        How you could tell that those (privout and UDP) aren't logged?

                        Because they don't have the log icon next to them..

                        I would of just gone the other way and removed those rules.. And left the any... With your current rules you can not even ping anything not even pfsense own lan IP.

                        I can think of a few UDP ports that your blocking, NTP and QUIC or HTTP/3 that could be causing you issue going forward with such rules. ESP and AH come to mind as well that could be causing your clients issue.

                        If your wanting to lock down to only used ports/protocols - its prob better to log your any rule for a while and then figure out what is being used on your network, and then create the rules to allow what you want.

                        Also since your not logging the block rule you have there - you will not know what clients are banging on the door to let them out ;) Which just becomes unwanted noise on your network, which might be better to reject or turn off such protocols/applications your not going to allow out off on the client side, etc.

                        Okay Johnpoz, I really appreciate your input...I turned on logging; however, I was able to ping pfSense lan IP!

                        Screen Shot 2019-08-05 at 11.17.45 AM.png
                        Screen Shot 2019-08-05 at 11.11.23 AM.png

                        I am curious about the NTP (TCP/UDP) as well as the other UDP ports such ESP and AH (1701, 4500)...wouldn't they get covered by the privout and the UDP outgoing? In the pic below, is that an example of noise that you mentioned? Should I allow a rule with NTP protocol?

                        Screen Shot 2019-08-05 at 11.42.52 AM.png

                        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz

                          Your pinging pfsense from itself - no shit you can do that ;) heheheheeh Ping it from a client on your lan.. Your rules do not allow it.

                          No they wouldn't ntp is port 123 UDP, which you have set to 1204 and above. QUIC, or now called http/3 is UDP 80, etc.

                          You need to understand you can not stop the firewall from talking outbound.. looking at pfsense talking to ntp out of the internet has zero to do with your client on your lan network talking to pfsense for ntp or some other ntp server, etc.

                          esp and ah are not udp ports, they are other protocols that would be blocked by only allowing tcp and udp.. So if your clients wanted to use those for a vpn outbound, they would be blocked.

                          I personally do not get why users want to put in rules that are more than likely only cause them grief and extra work when something doesn't work..

                          I take it your allowing all ports out 1-1023 that your calling privileged ports... What do you think would be talking outside of that? A game for sure.. So you play no games? Plex is 32400 by default, so you don't talk to any plex servers? You limiting the ports to under 1024 for tcp is going to break quite a few things I would image.. Unless all you do is browse the internet... If that is the case why do you not just lock it down to 80/443 for we traffic?

                          Are you trying to herd a bunch of cats behind your firewall? Or are the devices behind the firewall all under your control?

                          Lets say you fire up some new app/game and it uses port XYZ.. But you have it blocked - what does that cost you other than pain and extra work? If you do not trust the game/app - why did you run it in the first place.. If its bad software that somehow ran on your box, its going to talk out the standard ports 80/443 - why would it choose some random high port - that could be blocked if in work network for example.. Why not just hide in among all the other web traffic, etc.

                          What is the reasoning behind you wanting to be restrictive? What does it actually get you other than extra work? The default rules on pfsense are any any for a reason ;) If you have a need to lock that down, sure - but before go doing this and that.. You might want to make sure you understand the plus and minuses to doing such stuff.. Its not all up side for sure. And to be honest way more down side than any sort of extra "security"

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          NollipfSenseN 1 Reply Last reply Reply Quote 1
                          • NollipfSenseN
                            NollipfSense @johnpoz
                            last edited by NollipfSense

                            @johnpoz said in Firewall Feedback:

                            heheheheeh Ping it from a client on your lan.. Your rules do not allow it.

                            Okay Johnpoz, I am getting your points, and no...you're correct!

                            rnollisuzs$ ping 192.168.1.1
                            PING 192.168.1.1 (192.168.1.1): 56 data bytes
                            Request timeout for icmp_seq 0
                            Request timeout for icmp_seq 1
                            Request timeout for icmp_seq 2
                            Request timeout for icmp_seq 3
                            Request timeout for icmp_seq 4
                            Request timeout for icmp_seq 5
                            Request timeout for icmp_seq 6
                            Request timeout for icmp_seq 7
                            Request timeout for icmp_seq 8
                            Request timeout for icmp_seq 9
                            Request timeout for icmp_seq 10
                            Request timeout for icmp_seq 11
                            Request timeout for icmp_seq 12
                            Request timeout for icmp_seq 13
                            ^C
                            --- 192.168.1.1 ping statistics ---
                            15 packets transmitted, 0 packets received, 100.0% packet loss

                            @johnpoz said in Firewall Feedback:

                            I personally do not get why users want to put in rules that are more than likely only cause them grief and extra work when something doesn't work

                            Well, as I had said, I was following the thread "Taming the Beasts...aka Suricata Blueprint." The goal was to make things easy for Suricata. I had planned VPN and figured I would add that later. I also run Plex but not often or since my pfSense box. Also, I am not really a gamer but could have guests who do, and it would be cool to accommodate in the safest way.

                            @johnpoz said in Firewall Feedback:

                            Or are the devices behind the firewall all under your control?

                            Yes, I have a Mikrotik behind the pfSense. LAN boss for clients/devices...I was even thinking how I could have a double gate when I am ready to set up VPN later. So, could I setup aliases for those you said I would be locking out? pfSense is WAN boss and I understand things have surely changed since the author crafted "Taming the Beasts"...that's what I thought when I saw the any any default rule but incorporate it though.

                            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              @NollipfSense said in Firewall Feedback:

                              I could have a double gate when I am ready to set up VPN later

                              huh? You just policy route out of pfsense for stuff you want or don't want to use your vpn.. Not sure what this taming the beast guide is - my initial thought if they told you to do what you have setup is just a giant facepalm ;)

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              NollipfSenseN 1 Reply Last reply Reply Quote 0
                              • bmeeksB
                                bmeeks
                                last edited by bmeeks

                                @NollipfSense :
                                The "Taming the Beast" thread for Suricata is an old thread that was all about how to structure Suricata rules and suppression lists for maximizing detection of bad things with as few false positives as possible. Not really sure how that relates to what you are doing here with all those firewall rules. I'm with @johnpoz here, you are way over complicating your setup - especially if this is for a home network.

                                NollipfSenseN 1 Reply Last reply Reply Quote 0
                                • J
                                  jasonraymundo31
                                  last edited by jasonraymundo31

                                  try this

                                  36e64482-0f54-40f4-bf58-43153d287166-image.png

                                  NollipfSenseN 1 Reply Last reply Reply Quote 0
                                  • NollipfSenseN
                                    NollipfSense @jasonraymundo31
                                    last edited by

                                    @jasonraymundo31 Thank you Jasonraymundo31 for responding...I had to laugh aloud...so clean...

                                    pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                                    pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                                    1 Reply Last reply Reply Quote 0
                                    • NollipfSenseN
                                      NollipfSense @johnpoz
                                      last edited by

                                      @johnpoz Hey Johnpoz, this is how it is now...I understand what you were saying about the default any-any rule...I could not do without it as Internet radio breaks...I suspect it uses the lower UDP ports.
                                      Screen Shot 2019-08-06 at 12.48.30 AM.png

                                      My double-gate idea I mentioned was about the obvious VPN gate at pfSense, then another gate at the Mikrotik...the fun part will be at the Mikrotik...seems doable though.

                                      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                                      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by johnpoz

                                        So a double nat? Yeah pointless ;) Or 2 firewalls inline with only your edge doing nat? Again pretty pointless and just added complexity and work and hassle for like zero benefit.

                                        If your moving a shitton of traffic and you need a downstream/core router and possible firewall between your local networks.. Sure ok, then have a edge router/firewall... But in a home setup - its over complication and cost for no added value.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        NollipfSenseN 1 Reply Last reply Reply Quote 0
                                        • NollipfSenseN
                                          NollipfSense @bmeeks
                                          last edited by

                                          @bmeeks In the first part of that thread (Taming the Beasts), the author specified to create the firewall rules to make things easy...the second part was to structure Suricata rules and suppression lists for maximizing detection of bad things with as few false positives as possible. I'll be opening a thread with your section on the fourteen rules I had implemented. Lots of stuff had moved to pfBlockerNG too.

                                          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                                          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                                          1 Reply Last reply Reply Quote 0
                                          • NollipfSenseN
                                            NollipfSense @johnpoz
                                            last edited by

                                            @johnpoz said in Firewall Feedback:

                                            So a double nat? Yeah pointless ;) Or 2 firewalls inline with only your edge doing nat? Again pretty pointless and just added complexity and work and hassle for like zero benefit.

                                            If your moving a shitton of traffic and you need a downstream/core router and possible firewall between your local networks.. Sure ok, then have a edge router/firewall... But in a home setup - its over complication and cost for no added value.

                                            Well, right now it is double-natted...I'll turn off the Mikrotik nat rule though, and let the edge pfSense handle it. I have the pfBlockerNG and that by default added the nat. The thing is I was introduced to Mikrotik first and had for seven years before being introduced to pfSense late 2017. So, I just incorporated the two in my network...why throw away a good working kick-ass Mikrotik RB450G.

                                            Yes, its way overkill...it is really recycling not too old equipment I had; so, cost already depreciated...the value to my home-office-lab network is tremendous and rival most small business, some medium-sized business network.

                                            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                                            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.