    HowTo Hardening PfSense firewall?

    Snailer

      Go to the bottom of this message to jump to the main questions.

      Intro
      I have been using pfSense for about a week now. And I must admit that it shows more promise compared to Smoothwall. Well done.
      However, I have noticed that with the default setup, the firewall rules depend more or less solely on the NAT to keep the LAN/DMZ out of harm's way.

      This is also a small criticism towards the developers. I have the impression that the developers are somewhat overlooking the '(advanced) basic firewall hardening' while being distracted by adding more and better features. :-\ No offense intended.  :)
      A tiny example: NetBIOS isn't blocked (no default rule). 2nd example, which is partly my question: even Smoothwall offers to activate these functions by GUI:

      Also there are some interesting SmoothMods, like adding the blacklists/blocklists of Spamhaus and DShield. But from what I have understood, these are upcoming features in the next release of pfSense. Isn't it? (the so-called aliases). Although I wonder if pfSense can handle all kinds of blocklist formats that (may) exist.

      I am at home, with a typical M$ LAN/PCs. (I am planning to add a couple of small Linux/*BSD servers.)

      My main questions are:

      • How do I harden pfSense?

      (You know what they say: security by obscurity.)

      • Which firewall rules are recommended to add?

      • Concerning NetBIOS: is it safe to block NetBIOS while family members are connecting by PPTP?

        • same question for IPsec?
        • do I need or have to block it at the LAN side and/or WAN side (only)?
      • Because there are no default rules present at the WAN, does this mean that the GUI and SSH ports etc. are open?

      Secondary questions:

      • Is there a pfSense anti-rootkit check package etc. available? Just in case…

      • If pfSense is installed on a hard drive, does it still use a ramdisk, so that no logging etc. is being written to the hard disk?

      Thanks ahead :)

      sullrich

        @Snailer:

        This is also a small criticism towards the developers. I have the impression that the developers are somewhat overlooking the '(advanced) basic firewall hardening' while being distracted by adding more and better features. :-\ No offense intended.  :)

        Why should "blocking ping" which is nothing more than an ICMP rule have its own checkbox?

        Same goes for IGMP.  Why reinvent a new checkbox when the firewall rules handles it?

        Enable plug in play in services -> upnp.

        Syn cookies… Why change this setting?  What is your concrete reasoning behind this?  And no "Because smoothwall does it" is not a valid response.

        Your criticisms are no-ops in my opinion.

        Snailer

          @sullrich
          Well, you are the expert here.  ;D
          It was just an example in a figurative way.
          What I was trying to say: there are probably a lot of tweaks available in the kernel which could improve security and only need to be turned on or off. Like, another stupid example:

          ```sh
          # Linux: enable TCP SYN cookies through the procfs sysctl interface
          echo "1" > /proc/sys/net/ipv4/tcp_syncookies
          ```

          (SYN cookies, I am told, help to prevent or reduce DDoS attacks.)

          But I shall not whine longer about this subject. I am just trying to think along for improvements…  :)
          sullrich

            Syn cookies are already enabled by default.

            Thanks for trying to come up with improvements, but contrary to what you think, we do think a LOT about every aspect of this project, and we have done our homework beforehand.

            Snailer

              Still outstanding questions are:

              * How do I harden pfSense?
                * Which firewall rules are recommended to add, to improve overall security?
                * Concerning NetBIOS: is it safe to block NetBIOS while family members are connecting by PPTP?
                    - same question for IPsec?
                    - do I need or have to block it at the LAN side and/or WAN side (only)?
                * Because there are no default rules present at the WAN, does this mean that the GUI and SSH ports etc. are open?

              sullrich

                @Snailer:

                Still outstanding questions are:

                * How do I harden pfSense?
                  * Which firewall rules are recommended to add, to improve overall security?
                  * Concerning NetBIOS: is it safe to block NetBIOS while family members are connecting by PPTP?
                      - same question for IPsec?
                      - do I need or have to block it at the LAN side and/or WAN side (only)?
                  * Because there are no default rules present at the WAN, does this mean that the GUI and SSH ports etc. are open?

                1. pfSense defaults to block all that is not allowed. Only allow needed ports.
                2. Yes.
                3. Yes.
                4. See #1. pfSense rules are applied to the incoming interface.
                5. No. See #1.

                cmb

                  @Snailer:

                  Like, another stupid example:

                  ```sh
                  # Linux: enable TCP SYN cookies through the procfs sysctl interface
                  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
                  ```

                  (SYN cookies, I am told, help to prevent or reduce DDoS attacks.)

                  pfSense is FreeBSD, not Linux. We've been through all the appropriate security settings and done what we can, but FreeBSD doesn't leave big gaping holes open by default like many Linux distros do, hence we're "secure by default", and don't need check boxes to "lock things down".

                  Agree w/Scott, adding checkboxes for things that should be permitted or not permitted via firewall rules is silly. Want to allow ping? Add a WAN rule. Don't want to? You're fine by default. Ditto for anything/everything else. What if you only want to allow ping from certain IPs on the Internet? That checkbox isn't going to help you. Lots of similar situations.

                  chkrootkit works on pfSense, though it's not a package in the GUI. If you enable SSH, SSH in, open a shell, and run the following, you can run it.

                  ```sh
                  # Fetch and install the chkrootkit package, refresh the shell's command cache, then run the scanner
                  pkg_add -r chkrootkit
                  rehash
                  chkrootkit
                  ```

                  Note that if you don't religiously keep chkrootkit up to date, it'll report false positives after OS updates.
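The rule-based approach sullrich's numbered answers describe (default deny, pass only the ports you need, rules evaluated on the interface the traffic arrives on) and cmb's point that "allow ping from certain IPs" is a rule rather than a checkbox, written out as a pf ruleset. This is an added example for illustration, not configuration generated by pfSense and not code from anyone in the thread: the interface names, the address table contents and the choice of VPN ports are assumptions, and pfSense's GUI evaluates rules first-match (`quick` in pf terms) whereas this fragment uses plain pf last-match order, so the default block comes first.

```pf
# Added example: hand-written pf.conf fragment illustrating the thread's advice.
# Interface names and table contents are assumptions (constructed sample values).
wan_if = "em0"
lan_if = "em1"

# Internet hosts allowed to ping the firewall (constructed sample addresses)
table <ping_allowed> { 198.51.100.10, 203.0.113.0/24 }

# Default deny on WAN: everything arriving from the Internet is dropped and logged
# unless a later rule passes it. Rules match on the interface the packet enters,
# so WAN rules decide what the Internet may reach; LAN rules decide what the LAN may start.
block in log on $wan_if all

# Ping: allow ICMP echo requests only from the listed hosts. A global checkbox
# cannot express the "only from these addresses" condition; a rule can.
pass in on $wan_if inet proto icmp from <ping_allowed> to ($wan_if) icmp-type echoreq

# Remote access for family members: PPTP is TCP 1723 plus GRE; IPsec is IKE on
# UDP 500/4500 plus ESP. pf pass rules keep state, so the replies are handled.
pass in on $wan_if inet proto tcp from any to ($wan_if) port 1723
pass in on $wan_if inet proto gre from any to ($wan_if)
pass in on $wan_if inet proto udp from any to ($wan_if) port { 500, 4500 }
pass in on $wan_if inet proto esp from any to ($wan_if)

# Nothing above passes TCP 22 (SSH) or the web GUI port on WAN, so they stay
# closed from the Internet even if those daemons are enabled and listening.

# NetBIOS: stop it leaking out to the Internet. Tunneled VPN traffic leaves WAN
# as GRE or ESP, not as ports 137-139, so the family's VPN sessions are unaffected,
# and LAN-to-LAN NetBIOS never crosses the firewall at all.
block out log quick on $wan_if inet proto { tcp, udp } from any to any port { 137, 138, 139 }

# LAN may start anything else (pfSense's stock LAN-to-any rule)
pass in on $lan_if inet from $lan_if:network to any
```

To express the same thing in the pfSense GUI you would add the pass rules on the WAN tab and the NetBIOS block as a floating rule on WAN in the out direction; the default-deny line needs no rule because it is pfSense's built-in behaviour (answer #1 above).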

                  Juve

                    I think here is a good example of two different worlds trying to understand each other.
                    The first one is where you know what you want to do, what you do, and how you have to do it.
                    The second one is where you rely on checkboxes, hoping the developer knew what you will want to do ;-)

                    tacfit

                      If you'd like checkboxes, there's a great little product called Microsoft ISA 2004. I'm migrating off it. I'll sell you my licenses :)

                      hoba

                        Checkboxes always remind me of

                        Yes

                        No

                        Don't care

                        ;D

                        Snailer

                          :+ :D Just a small comment on the comments relating to the checkboxes: I am very delighted that two checkboxes are present in order to activate preset default firewall rules about denying non-standard WAN traffic. Three if you count the Snort 'autoblock' checkbox.
                          A fourth, let's call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox,  ;D would for me be like a wet boy's dream come true.  :P :+

                          hoba

                            I think all the devs agree with me that we don't want "checkbox" behaviour. It's really all about firewall rules.

                            sullrich

                              @hoba:

                              I think all the devs agree with me that we don't want "checkbox" behaviour. It's really all about firewall rules.

                              Yes, fully agree.  There is no reason that this person cannot learn how to craft firewall rules properly.

                              jeroen234

                                @Snailer:

                                A fourth, let's call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox,  ;D would for me be like a wet boy's dream come true.  :P :+

                                so that checkbox will remove all rules on the WAN port

                                same as your virgin pfSense  ;D

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.