Help with Firewall Rules



  • Hey guys,

    Noob here

    I need help with firewall rules, here’s my setup.

    PFsense 2.0 RC3,

    No packages. I tried Snort, which caused issues, and tried HV antivirus and it hung the system over and over. So at this time I have no packages installed. System is running fine, so far no issues. I just want to make sure it’s secure.

    WAN = DHCP enabled > Cable modem
    LAN = IP 192.168.1.1, DHCP disabled > Netgear GS108T switch, static IP

    Netgear GS108T switch > Media Server, static IP
                          > Desktop, static IP
                          > Laptop, static IP
                          > WRT54G running Tomato, Wi-Fi access point, static IP

    On the WRT54G > Media Center, static IP
                  > Laptop, static IP

    OPT1 = IP 192.168.2.1, DHCP enabled > WNR2000v3 wireless router dedicated to my 12-year-old son.

    On the WNR2000v3 wireless router > Laptop
                                     > Gaming Desktop
                                     > Xbox

    My son is where my worries are. He doesn’t do porn or anything like that, but he is a dedicated online gamer and social network type, along with uploads and downloads from YouTube. I’ve snooped on him many times and I have never really had an issue with his online activities. The issues are the hackers and viruses he might unknowingly bring into the system. I think I have him segregated from the LAN network, but I would like some suggestions for what firewall rules to use and how to put them in place to cover my butt. The rules would be for his connection and the overall network. I’m a noob with firewall rules and pfSense.

    Thanks for the help



  • @Highroller:

    Hey guys,

    Noob here

    I need help with firewall rules, here’s my setup.

    PFsense 2.0 RC3,

    No packages. I tried Snort, which caused issues, and tried HV antivirus and it hung the system over and over. So at this time I have no packages installed. System is running fine, so far no issues. I just want to make sure it’s secure.

    WAN = DHCP enabled > Cable modem
    LAN = IP 192.168.1.1, DHCP disabled > Netgear GS108T switch, static IP

    Netgear GS108T switch > Media Server, static IP
                          > Desktop, static IP
                          > Laptop, static IP
                          > WRT54G running Tomato, Wi-Fi access point, static IP

    On the WRT54G > Media Center, static IP
                  > Laptop, static IP

    OPT1 = IP 192.168.2.1, DHCP enabled > WNR2000v3 wireless router dedicated to my 12-year-old son.

    On the WNR2000v3 wireless router > Laptop
                                     > Gaming Desktop
                                     > Xbox

    My son is where my worries are. He doesn’t do porn or anything like that, but he is a dedicated online gamer and social network type, along with uploads and downloads from YouTube. I’ve snooped on him many times and I have never really had an issue with his online activities. The issues are the hackers and viruses he might unknowingly bring into the system. I think I have him segregated from the LAN network, but I would like some suggestions for what firewall rules to use and how to put them in place to cover my butt. The rules would be for his connection and the overall network. I’m a noob with firewall rules and pfSense.

    Thanks for the help

    Did I ask the wrong question? I just need to make sure I have the proper firewall rules in place to protect my network.

    Any help with the best rules to set would be greatly appreciated!



  • Install antivirus software on your son's machine and maintain it.

    On the LAN interface, apply this before the default allow:
    block * lan subnet * opt1 subnet *

    On the OPT1 interface, apply this before the allow to any:
    block * opt1 subnet * lan subnet *

    This should work.



  • You can hardly block viruses and trojans on your son's PC with a firewall. If your son should be able to browse the web, he needs port 80 and 443 (HTTP and HTTPS) open in the firewall. So every trojan or virus which connects to the internet will use these ports too.
    So the best way is to use an antivirus application and maintain it, like Metu69salemi said.

    The other thing Metu69salemi mentioned is necessary, too.
    You are using two interfaces (LAN and OPT1). So if you want to make sure that your son's PC, or viruses on this PC, cannot connect to your other subnet, you need to add a firewall rule on OPT1 (son's network) which blocks all traffic to your LAN subnet. So it will not be possible for your son, or viruses on his PC, to establish a connection to YOUR LAN subnet.

    The rule on your LAN subnet that Metu69salemi mentioned is not necessary if you are sure that the risk comes from your son's subnet ;-)

    When you add firewall rules you should remember that they are applied from top to bottom. The first matching rule will be used.

    PS: HAVP could be an option to scan files before they reach your son's PC.
    Perhaps this will help you set it up.
    http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning

    PPS:
    Another solution a friend told me about is OpenDNS.org. They use a filter on a DNS basis. Domains containing violence etc. will be blocked by the OpenDNS DNS servers. So you can give your son this DNS server. But I'm not sure if you need to sign in at OpenDNS to use this service.



  • Guys thanks for your help!

    I purchased the book and have done a lot of reading; with this and your help I'm starting to understand how everything works!

    I still have an issue I don't understand. The default LAN rule is basically set to allow everything. I'm working on trimming this down to only pass what I need. But I've run into a problem. Of course if I disable this it shuts down the LAN from accessing anything, OK, but I have added rules for HTTP and HTTPS, and it still won't allow an internet connection. I applied the changes and reset the states, still nothing. I continued adding protocols and ports until I had a long list and still no connection. After disabling all the new rules and enabling the default rule everything works again. What am I missing!



  • Please post a screenshot of your firewall rule(s).

    By the way, if there isn't any visible rule on the firewall then there is still a default BLOCK rule. There is always a default BLOCK rule at the end of every firewall list, but it is not visible.

    Please provide a screenshot and tell us what you want to achieve.



  • @Highroller:

    Guys thanks for your help!

    I purchased the book and have done a lot of reading; with this and your help I'm starting to understand how everything works!

    I still have an issue I don't understand. The default LAN rule is basically set to allow everything. I'm working on trimming this down to only pass what I need. But I've run into a problem. Of course if I disable this it shuts down the LAN from accessing anything, OK, but I have added rules for HTTP and HTTPS, and it still won't allow an internet connection. I applied the changes and reset the states, still nothing. I continued adding protocols and ports until I had a long list and still no connection. After disabling all the new rules and enabling the default rule everything works again. What am I missing!

    Rules used

    TCP / LAN net / 80 (HTTP) / none / TCP 80 (HTTP) from LAN subnet to anywhere
    TCP / LAN net / 443 (HTTPS) / none / TCP 443 (HTTPS) from LAN subnet to anywhere
    TCP / LAN net / 21 (FTP) / none / TCP 21 (FTP) from LAN subnet to anywhere

    None of these worked, I had to go back to the default rule to gain internet access.

    Default LAN rule

    LAN net / none / Default allow LAN to any rule



  • @Nachtfalke:

    Please post a screenshot of your firewall rule(s).

    By the way, if there isn't any visible rule on the firewall then there is still a default BLOCK rule. There is always a default BLOCK rule at the end of every firewall list, but it is not visible.

    Please provide a screenshot and tell us what you want to achieve.

    In work!



  • Firewall Rules Images attached.



  • Just took a short look at the screens.

    All your rules are "wrong". You have to put the ports in DESTINATION PORT.

    If you establish a connection to a webserver you start the connection with the destination IP and destination port (80). Then the webserver answers you on your source port. But this source port is randomly generated.

    So correct your rules. I will have a look at them again and post back if I find more "errors" ;)
    Please post back if it works.



  • @Nachtfalke:

    Just took a short look at the screens.

    All your rules are "wrong". You have to put the ports in DESTINATION PORT.

    If you establish a connection to a webserver you start the connection with the destination IP and destination port (80). Then the webserver answers you on your source port. But this source port is randomly generated.

    So correct your rules. I will have a look at them again and post back if I find more "errors" ;)
    Please post back if it works.

    If I understand you, you mean that for instance the source HTTP port 80 should instead read destination HTTP port 80?



  • All your rules with destination "WAN net" are unnecessary. You do not need to block ports if they are not allowed by default.

    Your intention is to only allow special ports like FTP (21), HTTP (80), HTTPS (443), and you need DNS (53). So if you only allow these few ports, then there is no need to block the other ports. If they aren't allowed, they are blocked.

    The block rule OPT1 subnet to LAN subnet is useful.



  • SOURCE port is "any" (" * ") in nearly 99.999% of all scenarios.
    Just move your ports from "source" to "destination".



  • @Nachtfalke:

    SOURCE port is "any" (" * ") in nearly 99.999% of all scenarios.
    Just move your ports from "source" to "destination".

    If I have it correct, I still have no access.

    ![Lan 2.jpg](/public/imported_attachments/1/Lan 2.jpg)



  • @Nachtfalke:

    (…)

    Your intention is to only allow special ports like FTP (21), HTTP (80), HTTPS (443), and you need DNS (53). So if you only allow these few ports, then there is no need to block the other ports.
    (…)



  • @Nachtfalke:

    @Nachtfalke:

    (…)

    Your intention is to only allow special ports like FTP (21), HTTP (80), HTTPS (443), and you need DNS (53). So if you only allow these few ports, then there is no need to block the other ports.
    (…)

    Yes, I missed DNS 53 on the screenshot, but it has been added and still no connection.



  • Still no connection.

    ![Lan 3.jpg](/public/imported_attachments/1/Lan 3.jpg)



  • Change destination IP "WAN net" to "any".

    DNS works with TCP, too, but in general it uses UDP.

    If you like to ping servers on the internet, you need to allow ICMP.



  • @Nachtfalke:

    Change destination IP "WAN net" to "any".

    DNS works with TCP, too, but in general it uses UDP.

    If you like to ping servers on the internet, you need to allow ICMP.

    "BINGO" it worked, I can't thank you enough for taking the time to help me, Thanks! I changed DNS to TCP/UDP, or should it just be UDP? And concerning ICMP, should that be set up the same as the other rules? Also, what is the best order to have these in, or does it matter for these specific rules?

    Thanks again!



  • Hi,

    ICMP is set up like the other rules. ICMP is something "special": ICMP does not use ports. Just choose protocol: ICMP and source/destination IP "any".

    An additional port for FTP is port 20 TCP.

    For getting e-mails via an e-mail client like Outlook you need additional ports for POP3 and SMTP (check Google or Wikipedia for the ports).

    To make it easier for you to maintain your rules you could create an alias.
    Create a port alias, e.g. called "InternetPorts", and then put all your ports in this alias.
    After this, create a rule with protocol "TCP/UDP", source/destination IP: any, source port: any and destination port: your alias "InternetPorts". So you only have to maintain one or two firewall rules instead of many. And if you need more ports, like for gaming, you can put them into the alias and that's all.

    But this is up to you. The order of the rules in your case is unnecessary.

    --- edit ---
    Again to your son. If he is playing many online games then there will be many ports you need to allow. This will be some work to do: finding the ports the game uses and so on. If he is using VoIP software like Skype or TeamSpeak there are surely additional ports to open. But this way you can check what he is playing and which software he is using ;-)
    And as I told you in some posts before, a virus or trojan uses common ports like port 80 or port 443, which aren't blocked in most environments, and aren't in yours, too.

    Separating the networks is a really good solution. Only allowing some ports is the best you can do, but it takes the most time to configure and maintain.
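The points this thread keeps coming back to are top-down, first-match evaluation with an invisible default block, ports belonging in the destination field (the source port of a client connection is random), and the OPT1-to-LAN block having to sit above the allow rules. The following is an added example, not code from the thread or from pfSense: a minimal first-match evaluator over rule lists modelled on the ones discussed here, using the poster's 192.168.1.0/24 (LAN) and 192.168.2.0/24 (OPT1) subnets; the individual host addresses and the 203.0.113.10 internet host are constructed for the demo.

```python
import ipaddress
import random

LAN = ipaddress.ip_network("192.168.1.0/24")    # LAN from the original post
OPT1 = ipaddress.ip_network("192.168.2.0/24")   # OPT1, the son's network
INTERNET_PORTS = {21, 53, 80, 443}              # the "InternetPorts" alias idea

def rule(action, proto="any", src=None, dst=None, sport=None, dport=None):
    """One pfSense-style rule; None means 'any', a port field may be a set (alias)."""
    return dict(action=action, proto=proto, src=src, dst=dst, sport=sport, dport=dport)

def matches(r, pkt):
    return ((r["proto"] == "any" or r["proto"] == pkt["proto"])
            and (r["src"] is None or pkt["src"] in r["src"])
            and (r["dst"] is None or pkt["dst"] in r["dst"])
            and (r["sport"] is None or pkt["sport"] in r["sport"])
            and (r["dport"] is None or pkt["dport"] in r["dport"]))

def evaluate(rules, pkt):
    """Rules are applied top to bottom and the first match wins; a packet that
    matches nothing hits the invisible default block at the end of the list."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "block"

def client_packet(src, dst, proto="tcp", dport=80):
    """A client-initiated packet (constructed): the source port is ephemeral and
    random, which is why a rule keyed on SOURCE port 80 never matches a web request."""
    return dict(src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                proto=proto, sport=random.randint(49152, 65535), dport=dport)

# The poster's first attempt: port 80 placed in the source-port field.
WRONG_LAN_RULES = [rule("pass", "tcp", src=LAN, sport={80})]

# What the thread arrived at: ports in the destination field, destination IP any.
LAN_RULES = [rule("pass", "tcp", src=LAN, dport=INTERNET_PORTS),
             rule("pass", "udp", src=LAN, dport={53}),
             rule("pass", "icmp", src=LAN)]

# OPT1: the block to LAN must sit above the allow rules, otherwise the allow
# for port 80 matches first and the son's subnet can reach a LAN web server.
OPT1_RULES = [rule("block", src=OPT1, dst=LAN)] + [dict(r, src=OPT1) for r in LAN_RULES]
OPT1_MISORDERED = [dict(r, src=OPT1) for r in LAN_RULES] + [rule("block", src=OPT1, dst=LAN)]
```

Evaluating a LAN web request against WRONG_LAN_RULES returns "block" while LAN_RULES returns "pass", and an OPT1 request to a LAN host on port 80 is blocked by OPT1_RULES but passed by OPT1_MISORDERED.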



  • Thanks for your help; it not only solved my problem but also educated me on the proper use of firewall rules. If you ever need a port list, look at the link below; they have a "HUGE" list of games and application ports.

    http://portforward.com/cports.htm



  • Great!

    As you can see there, there are many games (Battlefield and so on) which use ports 80 and 443 to establish their connection, because the developers know that most of the other ports are blocked.
    This is the same way "virus developers" think ;-)



  • @Nachtfalke:

    Great!

    As you can see there, there are many games (Battlefield and so on) which use ports 80 and 443 to establish their connection, because the developers know that most of the other ports are blocked.
    This is the same way "virus developers" think ;-)

    I know this isn't the proper thread, but you are very knowledgeable. Have you got SNORT and HAVP antivirus to work correctly in version 2.0 RC3? Every time I have tried either of them, they both cause issues with the system or don't properly work at all.



  • Hi,

    I do not use SNORT or HAVP. I know that Snort isn't easy to configure and not so many people are using it because of its complexity.

    HAVP shouldn't be so hard to configure, but I do not have any pfSense box here to test.
    So the best way would be to create a new thread and ask for help configuring HAVP; then someone who knows HAVP can help you, or you provide screenshots of the configuration pages so that we can help you with this.

