HA more secure firewall rules



  • pfSense's documentation [1] states to setup a firewall rule for the HA sync interfaces to allow traffic to any.
    Why is that? I don't want someone who just connects himself to the HA port illegitimately to have access to locally connected networks or even to the internet.
    The documentation states that these rules can be made more secure but every attempt to do so results in sync errors popping up.
    Can someone please give me a hint how such more secure rules might look like?

    Thank you

    [1]
    https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html


  • LAYER 8 Moderator

    @pmisch said in HA more secure firewall rules:

    The documentation states that these rules can be made more secure but every attempt to do so results in sync errors popping up.

    So what are you doing to "secure" them? How about just simply using "sync_net" as source and destination? Also are you running the Sync Interface over a switch instead of directly attached between the two devices? Or how can "someone just connect to the HA port"? If physical security to your firewall is compromised (someone can unplug it), a firewall rule won't do much to change that, too.



  • @JeGr
    The HA ports are directly connected to each other, no switch in between.
    I created two rules allowing

    1. pfsync with destination firewall_itself and
    2. https with destination firewall_itself
      Giving me sync errors.

  • LAYER 8 Netgate

    If you don't have physical security of your firewalls it is pretty much game over.

    That said, you can limit the rules to only that which is required on the sync interface.

    That is, in general, the pfsync protocol from the other node and what would amount to the webgui from the primary to the secondary.

    Giving me sync errors.

    Then your rules are wrong. Or maybe provide the exact errors you are getting.



  • Of course I have physical security even quite a good one but I don't stop there.
    Obviously no one is actually concerned with nonrestrictive rules for local interfaces.
    I will fiddle around some more and give a screenshot if I figure things out just in case someone else shares my concerns.


  • LAYER 8 Moderator

    @pmisch said in HA more secure firewall rules:

    Obviously no one is actually concerned with nonrestrictive rules for local interfaces.

    Of course we are. But that depends of the scope of the setup. Also it has something to do with filtering. As we do inbound filtering, the packet - for a direct connection to be exploited with a "pass any rule" - has to come from the other firewall's sync interface. Actually we set the IF up with "from: sync_net" to "sync_addr" but you'd also have to setup HA with unicast so no multicast address is used. Of course you also need the right port for https if you modified the WebUI port and need pfsync protocol like @Derelict explains.


Log in to reply