HowTo Hardening PfSense firewall?

Snailer

Go to the bottom of this message to jump to the main questions.

Intro
I am using PfSense about now for a week. And I must admit that it has more promises compared to Smoothwall. Well done.
However I have noticed that with the default setup, the firewall rules are -more or less- solely depending on the NAT to keep the LAN/DMZ out of harms way.

This is also a small criticism towards the developers. I have the impression that the developers, are somewhat overlooking to cover the '(advanced) basic firewall harding'.  While being distracted to adding more and better features. :-\ No offense intended.  :)
A tiny example: Netbios is is'nt blocked. (no default rule). 2nd example, which is partly my question, even Smoothwall offers to activate these functions by GUI:

Also there are some interesting SmoothMod's, like adding the blacklists/blocklists of Spamhaus and DShield. But from what I have understood, these are upcoming features in the next release of PfSense. Isn't? (the so called aliases). Although I wonder if PfSense can handle all kinds of blocklists formats that (may) exists.

I am at home, with a typical M$ lan/pc's. (I am planning to add a couple of small linux/*bsd servers).

My main questions are:

• How do I harding PfSense?

(You know what they say: security by obscurity).

• Wich firewall rules are recommend to add?

• Concerning netbios: is it safe to block netbios, while family members are connecting by PPTP?

• • same question for IPSEC?
• • do i need or have to block it at LAN side and/or WAN side (only)?

• Because there a no default rules present at the WAN, does this mean that the GUI and SSH ports etc are open?

Secondary question:

• Is there a pfsense anit-rootkit check package etc available? Just in case…

• If PfSense is installed on a hard drive, does it still use a ramdisk, and no logging etc is being written to the hard disk?

Thanks ahead:)

sullrich

@Snailer:

This is also a small criticism towards the developers. I have the impression that the developers, are somewhat overlooking to cover the '(advanced) basic firewall harding'.  While being distracted to adding more and better features. :-\ No offense intended.  :)

Why should "blocking ping" which is nothing more than an ICMP rule have its own checkbox?

Same goes for IGMP.  Why reinvent a new checkbox when the firewall rules handles it?

Enable plug in play in services -> upnp.

Syn cookies… Why change this setting?  What is your concrete reasoning behind this?  And no "Because smoothwall does it" is not a valid response.

Your criticisms are no-ops in my opinion.

Snailer

@ sullrich
Well, u are the expert here.  ;D
It was just a example in a figural way.
What I was trying to say: there a properly a lot of tweaks available at the kernel which could improve security and only needs to turn on, or off. Like, another stupid example:```
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

(syn_cookies, I am told, helps to prevent or reduce ddos attacks).

But I shall not wine longer about this subject. I am trying just to think along for improvements…  :)

sullrich

Syn cookies are already enabled by default.

Thanks for trying to come up with improvements but contrary to what you think we do think a LOT about every aspect of this project and we have done our homework prior.

Snailer

Still open-standing questions are:

* How do I harding PfSense?
  * Wich firewall rules are recommend to add, to improve overall security?
  * Concerning netbios: is it safe to block netbios, while family members are connecting by PPTP?
      - same question for IPSEC?
      - do i need or have to block it at LAN side and/or WAN side (only)?
  * Because there a no default rules present at the WAN, does this mean that the GUI and SSH ports etc are open?

sullrich

@Snailer:

Still open-standing questions are:

* How do I harding PfSense?
  * Wich firewall rules are recommend to add, to improve overall security?
  * Concerning netbios: is it safe to block netbios, while family members are connecting by PPTP?
      - same question for IPSEC?
      - do i need or have to block it at LAN side and/or WAN side (only)?
  * Because there a no default rules present at the WAN, does this mean that the GUI and SSH ports etc are open?

1.  pfSense defaults to block all that is not allowed.  Only allow needed ports.
2. Yes.
3. Yes
4. See #1.  pfSense rules are applied to the incoming interface.
5. No.  See #1.

cmb

@Snailer:

Like, another stupid example:```
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

(syn_cookies, I am told, helps to prevent or reduce ddos attacks).

pfsense is FreeBSD, not Linux. We've been through all the appropriate security settings and done what we can, but FreeBSD doesn't leave big gaping holes open by default like many Linux distros do, hence we're "secure by default", and don't need check boxes to "lock things down".

Agree w/Scott, adding checkboxes for things that should be permitted or not permitted via firewall rules is silly. Want to allow ping? Add a WAN rule. Don't want to? You're fine by default. Ditto for anything/everything else. What if you only want to allow ping from certain IP's on the Internet? That checkbox isn't going to help you. Lots of similar situations.

chkrootkit works on pfsense, though it's not a package in the GUI. If you enable SSH, SSH in, open a shell, and run the following you can run it.

pkg_add -r chkrootkit

rehash

chkrootkit

Note that if you don't religiously keep chkrootkit up to date, it'll report false positives after OS updates.

Juve

I think here is a good example of two different worlds trying to understand each other.
The first one is where you know what you want to do, what you do and how you have to do it.
The second one is where you rely on checkboxes, hopping the developper knew what you will want to do ;-)

tacfit

If you'd like checkboxes, there's a great little product called Microsft ISA 2004. I'm migrating off it. I'll sell you my licenses :)

hoba

Checkboxes always remind me of

Yes

No

Don't care

;D

Snailer

:+ :D Just a small comment on the comments relating the checkboxes: I am very delighted that two checkboxes are pressent in order to activate preset default firewall rules about denying non-standard wan-traffic. Three if u count the Snort 'autoblock' checkbox.
A fourth, lets call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox,  ;D would be for me like a wet boy's dream has come true.  :P :+

hoba

I think all the devs agree with me that we don't want "checkbox" behaviour. It's really all about firewallrules.

sullrich

@hoba:

I think all the devs agree with me that we don't want "checkbox" behaviour. It's really all about firewallrules.

Yes, fully agree.  There is no reason that this person cannot learn how to craft firewall rules properly.

jeroen234

@Snailer:

A fourth, lets call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox,  ;D would be for me like a wet boy's dream has come true.  :P :+

so that checkbox will remove all rules on the wan port

same as youre virgin pfsense  ;D