Help with Firewall Rules
-
Hey guys,
Noob here
I need help with firewall rules, here’s my setup.
PFsense 2.0 RC3,
No packages, tried Snort caused issues, tried HV antivirus and it hung the system over and over. So at this time I have no packages installed. System is running fine, so far no issues. I just want to make sure it’s secure.
Wan = DHCP enabled > Cable modem
LAN = IP 192.168.1.1, DHCP Disabled > Netgear GS108T switch Static IPNetgear GS108T switch >Media Server static IP
>Desktop Static IP
>Laptop Static IP
>WRT54G running Tomato, Wi-Fi access point, Static IPOn the WRT54G >Media Center Static IP
>Laptop static IPOPT1 = IP 192.168.2.1, DHCP enabled > WNR2000v3 Wireless Router dedicated to my 12 years old son.
On the WNR2000v3 Wireless Router >Laptop
>Gaming Desktop
>XboxMy son is where my worries are. He doesn’t do porn or anything like that, but he is a dedicated online gamer and social network type, along with uploads and downloads from YouTube. I’ve snoop him many times and I have never really had an issue with his online activities. The issues are the hackers and viruses he might unknowingly bring into the system. I think, I have him segregated from the LAN network but would like some suggestions for what firewall rules and how to put them in-place to cover my butt. The rules would be for his connection and the overall network. I’m a noob with the firewall rules and PFsense.
Thanks for the help
-
Hey guys,
Noob here
I need help with firewall rules, here’s my setup.
PFsense 2.0 RC3,
No packages, tried Snort caused issues, tried HV antivirus and it hung the system over and over. So at this time I have no packages installed. System is running fine, so far no issues. I just want to make sure it’s secure.
Wan = DHCP enabled > Cable modem
LAN = IP 192.168.1.1, DHCP Disabled > Netgear GS108T switch Static IPNetgear GS108T switch >Media Server static IP
>Desktop Static IP
>Laptop Static IP
>WRT54G running Tomato, Wi-Fi access point, Static IPOn the WRT54G >Media Center Static IP
>Laptop static IPOPT1 = IP 192.168.2.1, DHCP enabled > WNR2000v3 Wireless Router dedicated to my 12 years old son.
On the WNR2000v3 Wireless Router >Laptop
>Gaming Desktop
>XboxMy son is where my worries are. He doesn’t do porn or anything like that, but he is a dedicated online gamer and social network type, along with uploads and downloads from YouTube. I’ve snoop him many times and I have never really had an issue with his online activities. The issues are the hackers and viruses he might unknowingly bring into the system. I think, I have him segregated from the LAN network but would like some suggestions for what firewall rules and how to put them in-place to cover my butt. The rules would be for his connection and the overall network. I’m a noob with the firewall rules and PFsense.
Thanks for the help
Did I ask the worng question? I just need to make sure I have the proper firewall rules in-place to protect my network.
Any help ith the best rules to set would be greatly appreciated!
-
Install antivirus software to your sons machine and maintain it.
On LAN interface: apply this before defaul allow
block * lan subnet * opt1 subnet *on opt1 interface: apply this before allow to anu
block * opt1 subnet * lan subnet *this should work
-
You hardly can block viruses and trojans on your sons's PC with are firewall. If you son should be able to browse the web he needs port 80 and 443 (http and https) open in the firewall. So every trojan or viorus which connects to the internet will use these ports to.
So the best way is to use an AntiVirus application and maintain it, like Metu69salemi said.The other thing Metu69salemi mentioned is neccessary, too.
You are using to interface (LAN and OPT1). So if you want to block that you son's PC or viruses on this PC can not connect to you other subnet, you need to add a firewall rule on OPt1 (son's network) which blocks all traffic to your LAN subnet. So it will not be able for your son or viruses on his PC to establish a connection to YOUT LAN subnet.The rule on your LAN subnet like Metu69salemi said is not neccessary if you are sure, that the risk comes from you son's subnet ;-)
When you add firewaall rules you should remember, that they will be applied from top to down. The first matching rule will be used.
PS: HAVP could be an option to scan files before they reach your son's PC
Perhaps this will help you setting this up.
http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_ScanningPPS:
Another solution a friend told me is OpenDNS.org. They are using a filter on DNS basis. Domains which are using violence etc. will be blocked by the OpenDNS DNS-Servers. So you can provide you son this DNS server. But not sure if you need to sign-in at OpenDNS to use this service. -
Guys thanks for your help!
I purchased the book and have done alot of reading with this and your guys help I starting to understand how everything works!
I still have an issue I don't understand. The Default Lan rule is basically set to allow everything. I'm working on trimming this down, to only pass what I need. But, I've run into a problem. Of course if I disable this it shuts down the Lan from accessing anything, OK, but I have added rules for HTTP, HTTPS, and it still won't allow an internet connecting, I applied the changes and reset the states, still nothing, I continued adding Protocals and ports until I had a long list and still no connection. After disabling all the new rules and enabling the default rule everything works again. What am I missing!
-
Please post a screenshot of your firewall rule(s).
By the way. If there isn't any visible rule on the firewall then there is still a default BLOCK rule. There is always a default BLOCK rule at the end of every firewall list but not visible.
Please provide a screenshot and tell us what you want to realize.
-
Guys thanks for your help!
I purchased the book and have done alot of reading with this and your guys help I starting to understand how everything works!
I still have an issue I don't understand. The Default Lan rule is basically set to allow everything. I'm working on trimming this down, to only pass what I need. But, I've run into a problem. Of course if I disable this it shuts down the Lan from accessing anything, OK, but I have added rules for HTTP, HTTPS, and it still won't allow an internet connecting, I applied the changes and reset the states, still nothing, I continued adding Protocals and ports until I had a long list and still no connection. After disabling all the new rules and enabling the default rule everything works again. What am I missing!
Rules used
TCP
LAN net
80 (HTTP)
*
*
*
none
TCP 80 (HTTP) from LAN subnet to anywhere
–------------------------------------------------------
TCP
LAN net
443 (HTTPS)
*
*
*
none
TCP 443 (HTTPS) from LAN subnet to anywhere
TCP
LAN net
21 (FTP)
*
*
*
none
TCP 21 (FTP) from LAN subnet to anywhereNone of these worked, I had to go back to the default rule to gain internet access.
Default Lan rule
LAN net
*
*
*
*
none
Default allow LAN to any rule -
Please post a screenshot of your firewall rule(s).
By the way. If there isn't any visible rule on the firewall then there is still a default BLOCK rule. There is always a default BLOCK rule at the end of every firewall list but not visible.
Please provide a screenshot and tell us what you want to realize.
In work!
-
Firewall Rules Images attached.
-
Just took a shot look on the screens.
All your rules are "wrong". You have to use the ports in DESTINATION PORT.
If you establish a connection to a webserver you start the connection with destination IP and destination port (80). Then the webserver answers you on your source port. But this source port is randomly generated.
So correct your rules - I will have a look on them again and post back if I found more "errors" ;)
Please post back if it works. -
Just took a shot look on the screens.
All your rules are "wrong". You have to use the ports in DESTINATION PORT.
If you establish a connection to a webserver you start the connection with destination IP and destination port (80). Then the webserver answers you on your source port. But this source port is randomly generated.
So correct your rules - I will have a look on them again and post back if I found more "errors" ;)
Please post back if it works.If I understand you, you mean for instance the Source HTTP port 80, should also read Destination HTTP port 80?
-
All your rules with destination "WAN net" are unneccessary. You do not need to block ports if they are not allowed by default.
Your intention is to only allow special ports like FTP (21), http(80), https(443), you need DNS (53). So if you only allow these few ports, than there is no need to block these ports. If they aren't allowed they are blocked.
The block rule OPT1 subnet to LAN subnet, this is useful.
-
SOURCE Port ist in nearly 99.999% of all scenarios "any" " * "
Just move your ports from "source" to destination. -
SOURCE Port ist in nearly 99.999% of all scenarios "any" " * "
Just move your ports from "source" to destination.If I have it correct, I still have no access.
 -
(…)
Your intention is to only allow special ports like FTP (21), http(80), https(443), you need DNS (53). So if you only allow these few ports, than there is no need to block these ports.
(…) -
(…)
Your intention is to only allow special ports like FTP (21), http(80), https(443), you need DNS (53). So if you only allow these few ports, than there is no need to block these ports.
(…)Yes, I miised DNS 53 on the screen shot, but it has been added and still no connection.
-
Still no connection.
 -
change destination IP "WAN net" to any.
DNS works with TCP,too, but in general it uses UDP.
If you like to ping servers on the internet, you need to allow ICMP.
-
change destination IP "WAN net" to any.
DNS works with TCP,too, but in general it uses UDP.
If you like to ping servers on the internet, you need to allow ICMP.
"BINGO" it worked, I can't thank you enough for taking the time to help me, Thanks! I changed DNS to TCP/UDP or should it just be UDP? And concerning the ICMP should that be setup the same as the other rules? Also whats is the best order to have these in or soes it matter for these specific rules?
Thanks again!
-
Hi,
ICMP is setup as the other rules. ICMP is something "special". ICMP is not using ports. just chose protocol: ICMP and source/destination IP "any".
an additional port for FTP is port 20 TCP.
for getting e-mails via an e-mail client like outlook you need additional ports for POP3 and SMTP (check google or wikipedia for the ports).
To make it easier for you to maintain your rules you could create an alias.
create a Port-Alias e.g. called "InternetPorts" and then put all your ports in this alias.
after this create a rule with protocol "TCP/UDP", source/destination IP: any, source port: any and destination port your Alias "InternetPorts". So you only have to maintain one or two firewall rules instead of many. And if you need more ports like for gaming you can put them into the alias and thats all.But this is up to you. The order of the rules in your case is unneccessary.
–--edit----
Again to your son. If he is playing many online games than there will be many ports you need to allow. This will be some work to do. Finding the ports the game uses and so on. If he is using a VoIP software like skype or TeamSpeak there are surely additional ports to open. But so you can check what he is playing and which software he is using ;-)
And as I told you in some posts before - a virus or trojan is using common ports like port 80 or port 443 which aren't blocked in most environments - and aren't in yours, too.Separating the networks is a really good solution. Only allowing some ports is the best you can do but takes the moste time to configure and maintain.