Locking down pfSense



  • I have just started using the pfSense firewall.  I am moving from both Watchguard and Sonicwall.  With the WG and SW, I like to configure them to only allow specific ports outbound.  I currently am running the default configuration with a WAN interface and a LAN interface.  I have tried to configure it to lock down everything except my specific ports, and end up with no access outbound at all every time.  I end up going back to the default configuration to get internet access again.  Can I have some screen shots of the necessary changes to allow the lockdown?  I can figure out how to do the rules after I can get basic http access while blocking everything else.  I have read through the forums and tried the things I have read.  The things I find seem to be for more complicated setups.  I feel really dumb for asking for this, but I just can't seem to figure it out.  Help would be much appreciated.



  • I suspect you used ports in the source-port field in your rules, or set the source as address instead of subnet. (The most common errors I see.)

    Easiest way:
    *Delete the default rule on the LAN.
     –> No rules at all on the LAN.

    • Create an alias containing all the ports you want to allow (firewall --> alias) (21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 993, etc.)
    • Create a rule on LAN:
      Protocol: TCP/UDP
      Source: LAN-subnet    (not address)
      Source-port: any
      Destination: any
      Destination-port: YourAliasName
      Gateway: default
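    The same lockdown written out as a pf ruleset, as an added illustration that is not from the thread and not the ruleset pfSense generates from the GUI (the interface names em0/em1 and the port list are assumptions). It shows what the GUI fields map to, and why the two mistakes named above (ports in the source-port field, address instead of subnet) never match client traffic:

```pf
# Assumed interface names; on pfSense the GUI picks these for you.
ext_if = "em0"
lan_if = "em1"

# The port alias from the post, expressed as a pf macro.
allowed_ports = "{ 21 22 23 25 53 80 110 143 443 465 993 }"

# Default deny. This is what "delete the default LAN rule" leaves you with:
# nothing passes unless a rule below says so.
block log all

# WRONG (the "source-port" mistake): clients connect FROM a random high port,
# so a rule keyed on the source port never matches outbound traffic.
# pass in quick on $lan_if proto { tcp udp } from $lan_if:network port $allowed_ports to any

# WRONG (the "address instead of subnet" mistake): ($lan_if) is the firewall's
# own LAN address, not the hosts behind it, so no client traffic matches.
# pass in quick on $lan_if proto { tcp udp } from ($lan_if) to any port $allowed_ports

# RIGHT: Source = LAN subnet, Source port = any, Destination = any,
# Destination port = the alias, Protocol = TCP/UDP.
# "to any" includes the firewall itself, so DNS to pfSense on 53 is covered too.
pass in quick on $lan_if proto { tcp udp } from $lan_if:network to any port $allowed_ports keep state

# Let the firewall's own replies and outbound traffic leave on the WAN.
pass out quick on $ext_if keep state
```

    On a pfSense box the loaded ruleset can be inspected with `pfctl -sr` (and rule counters with `pfctl -vsr`) from Diagnostics --> Command, which is the quickest way to see whether a GUI rule became the `from <subnet> to any port <alias>` rule you intended.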


  • I will try that when I get home.  I do believe I was using the interface.  Thank you.  I'll reply back when I have had a chance to test it.



  • Thank you very much!  That was exactly what I was missing.  What is the difference between LAN and LAN subnet?  I am trying to learn this firewall.  I appreciate your insight.  Again, thank you.



  • LAN-address means exactly that.
    The address of the pfSense on the LAN interface.

    LAN-subnet means exactly that.
    The subnet which is connected to the LAN interface.



  • Gruens, I followed your instructions but I keep losing connectivity. Then I switch back to the default.

    In 'Alias' I chose:

    Type: ports(s)
    Port(s): 80, 443, 68, and 53

    In 'Firewall: Rules: LAN' I chose:

    Action: pass
    Interface: LAN
    Protocol: any
    Source: type: LAN subnet
    Destination: type: Single Host or Alias
                    Address: nameofmyalias

    What am I doing wrong?



  • You have a port-alias in an address-field.
    Reread my generic example above.



  • @GruensFroeschli:

    Easiest way:
    *Delete the default rule on the LAN.
     –> No rules at all on the LAN.

    • Create an alias containing all the ports you want to allow (firewall --> alias) (21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 993, etc.)
    • Create a rule on LAN:
      Protocol: any
      Source: LAN-subnet    (not address)
      Source-port: any
      Destination: any
      Destination-port: YourAliasName
      Gateway: default

    Gruens, I reread your original instructions (above).
    I keep losing the connection every time I enable the configuration method you suggested. I tried several times, making small changes one by one. Nothing worked. I was so happy earlier today when I was teaching myself regular expressions and succeeding. Then I attempted to configure this router again….

    There is nothing on the Firewall Rules > LAN page that says "Destination-port".
    When I set the Source to any I cannot put anything into the "Address" field.

    What should I put in each of these fields?

    Action:

    Interface:

    Protocol:

    Source:
    Type:   
    Address:

    Source port range:

    Destination:
    Type:   
    Address:

    Anything else I need to do?
    Should I reboot the router after saving the changes?

    Thank you so much for your help!




  • d'oh.
    Set the protocol to TCP/UDP ^^"
    Otherwise you don't have the option to specify ports (since not all protocols feature ports).



  • I tried what you said.

    Still did not work…

    Every time I added the alias the Internet connection failed.

    I have tried a couple of other things and now the router is completely hosed…



  • Screenshot of your rules configured according to GruensFroeschli please?



  • Eugene, I had to start all over from scratch.
    Can you tell me how to do it in an easy to understand way? Thanks.



  • P.S. what is the next step in hardening pfsense after configuring certain ports with an alias?



  • To harden your setup more:
    Set the WebGUI to https.
    Set the WebGUI to a different port than 443 (I usually use 444 :D ).
    Disable the anti-lockout rule (under system–>advanced) and allow access only from a source you control.
    Or even better: don't allow access to the webGUI at all besides via a VPN (OpenVPN comes to mind).

    Run as few packages/services as possible.

    But these are just generic "security measures".
    pfSense is with the default settings already pretty safe.
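    The WebGUI restriction from the post, written out as pf rules as an added illustration that is not from the thread and not pfSense's generated ruleset (the interface name em1, the management host 192.0.2.10, the OpenVPN tunnel interface and subnet, and port 444 are all assumptions). It only takes effect once the anti-lockout rule is disabled, because that rule is an implicit pass to the GUI port from the LAN that would otherwise override these:

```pf
# Assumed names; adjust to the real interface and management addresses.
lan_if    = "em1"
vpn_if    = "ovpns1"          # assumed OpenVPN server tunnel interface
vpn_net   = "10.8.0.0/24"     # assumed OpenVPN client subnet
mgmt_host = "192.0.2.10"      # the one workstation allowed to reach the GUI
gui_port  = "444"             # WebGUI moved off 443 and served over HTTPS

# Default position: nobody on the LAN reaches the GUI port on the firewall.
# ($lan_if) is the firewall's own LAN address (the "LAN address" choice in the GUI).
block in log on $lan_if proto tcp from any to ($lan_if) port $gui_port

# Exception for the single management host, matched first thanks to "quick".
pass in quick on $lan_if proto tcp from $mgmt_host to ($lan_if) port $gui_port keep state

# Stricter variant from the post: reach the GUI only through the VPN tunnel.
# Keep this and drop the $mgmt_host rule to require the VPN for all admin access.
pass in quick on $vpn_if proto tcp from $vpn_net to ($lan_if) port $gui_port keep state
```

    The order matters: the `block` has no `quick`, so it is only the fallback when neither `pass ... quick` rule matched. Test from a second, non-management host before closing the session that created the rules, so a mistake does not lock you out.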

