Pfsense Newbie / Safe starting point



  • By way of background, I have used several Linux firewalls out of the box for many years.  Each proported to come ready to "plug in and use" without twiddling rules, protecting the LAN.  They appeared to work fine, they kept the bad guys out.

    I am switching to PFSense because I need a little more flexability and features than they provide.

    I know I will need to learn, but I am not qualified to come up with a complete, appropriate rule set balancing security and user functionality.

    I need that initial rule set for PFSense equivalent to what comes pre-configured with the typical Linux firewalls, e.g. Smoothwall, Clark Connect (now ClearOS), Coyote, Endian, etc.

    After a few hours of poking around the website and forums, and a couple skimming through the new book, it is not clear to me what the straight install provides:  Is it too open and I need rules to restrict it, or is is too locked-down and I need to open things up, or is is roughly what a typical network with Windows / Linux / MacOS would nominally need to provide a secure environment that works for typical user Internet use, analogous to the "load-and-go" Linux firewalls?

    In light of this, would someone please tell me how I should think about the default install configuration, and where to move on from there?

    Thank you.

    –Ray



  • Default install blocks everything entering the WAN and permits everything entering the LAN interface, i.e., outbound traffic. If you have more than 2 interfaces, the others won't pass a thing until you permit it. This default configuration is reasonably secure to the extent that you trust the machines and users on your LAN; it's enough to start surfing the web without too much risk of the outside getting in. You may or may not want to consider adding some rules to control what is permitted to pass through the firewall from the LAN segment, and if you have a third or more interfaces you must create at least one rule before they will do you any good.



  • Thanks.  Although a little out of scope, can you tell me / do you know how this "default install" behavior relates in general to the likes of "Smoothwall", "Endian", etc. etc. Linux Plug-and-go firewalls?  Am I on equal footing or starting a little lower [protection]?

    Second, I infer that for other segments (I will have two other), the equivalent thing to do would be to add a "Pass everything" entering those other "OPT" interfaces to allow them to access the Internet, preceeded by a rule or rules specifying how I want them to relate to my LAN.

    After that I will start reading the book more carefully.  Any other resource you would recommend?

    Thanks for your help.

    –Ray



  • I don't know any of the firewalls you mentioned, but default block on WAN, default allow on LAN is pretty standard for consumer router/firewalls.

    For other segments, you're right, you need to create a pass rule before they will move any traffic. If you want to take a whitelist approach, just add rules to pass the traffic that you specifically want to allow; everything else will be blocked. If you want to take a blacklisting approach, add a pass all rule, then add your specific block rules above it. Whilelisting is more secure, while blacklisting is more convenient in most environments (the exception being where you have a small number of machines serving a small number of ports. You can open just those ports to those hosts and be done).

    I've heard the book is great, but I haven't laid eyes on it yet. I find the forum and mailing list both to be very good resources. There's IRC too, but I haven't touched it for this project.



  • Thanks alot, I think I understand my situation.  I can install it as-is and start using it while I fiddle without taking any undue or at least a-typical risks (except for the ones I introduce myself!).

    If anyone else has any comments, especially with regard to where to learn what to do (other than the book, which I will be studying), please tack your comments on.

    –Ray


Log in to reply