Simple firewalling rules



  • Hello People,
    I have made my change from openBSD to pfSense, and have some basic understanding and experience of making firewall rules with the packet filter.
    My firewall has 1 onboard network card which is connected to my DSL Modem, and a quad nic, where 1 goes to my basement to my server cabinet where I have my servers running and the others go to my ground- first- and second floor where they supply my accesspoints and network sockets with internet.
    Now, as I'am concerned firewalling rules, I have only 2 main types of rules:

    • Someone on my network wants to access one of my servers e.g. samba share

    • Someone wants to access the internet with a mail client and browser

    In the menu of creating a rule at pfsense, there are so many different ways doing this apparently.
    Back in openBSD & vi, I made a macro of my interfaces that are distributed in my house and I say: Pass any traffic initiated on these NICs destined to this IP on this port.
    Also another aspect that needs to be mentioned is that my pfsense also runs a DHCP server where every nic has different subnets.

    Thank you for your help in advance.
    Now, what is the effective way of creating the rules that cover my needs of the 2 types of network connections that I listed above.


  • Rebel Alliance Global Moderator

    " Pass any traffic initiated on these NICs destined to this IP on this port."

    Exactly the same..  To be honest at a loss here, your saying the firewall rule gui is confusing to you.  When you clearly understand port and dest aspects of a firewall rule?

    What part do you not understand about say the below example of rules?




  • Well, you have the from part. There you can say from the subnet or netmask of an interface, or even a subnet for instance. Here I tought "Ok, I could say that everything initiated from 10.0.x.x to my server 10.0.3.100 on port "whatever" should be passed and the state kept. Therefore I thought that I could put the whole subnet should do the job." But it didn't so I went the other way around and replaced the source with the subnet of each interface which didn't work either.

    So I don't know if I'm on the wrong side of things. That is why.



  • The rules apply to incoming traffic on the interface concerned, passing or blocking it. Maybe you are just putting the rules on the wrong interface tab?
    e.g. to allow all traffic initiated from LAN1 to access LAN2, put a pass rule on the LAN1 tab with source LAN1net, destination LAN2net.



  • Let me put it down with interface names etc. so that I can pinpoint down the problem.
    Interfaces form em0 to em2 supply the house with internet and em3 is the port goes to a switch where the servers are connected.
    And the subnets for these interfaces are the following  accordingly:
    em0 is 10.0.0.0/24
    em1 is 10.0.1.0/24
    and so on.
    And the interface that is connected to the DSL modem is xl0.
    What I did is that I went to my em0 tab and said that I would like to pass any traffic that has been initiated from the network of em0 (need a little explaining of where the difference between the network and subnet of a network interface. In this case em0) destined to a specific IP on a specific port.
    Another way is to go to the interface that goes to the servers and put the rule the other way around.

    Since I have the lack of experience in firewalling, I cannot see the advantages and disadvantages of the two options.
    Here I also need some need some explaining.

    Thanks in advance.


  • Rebel Alliance Global Moderator

    "Another way is to go to the interface that goes to the servers and put the rule the other way around."

    So one of your interfaces would be your LAN, the first one you created should have a any any rule it it - this is the default lan rule.

    But yes - as mentioned all rules are seen as inbound to the interface.

    So if you have em0 network wants to initiate traffic to em1 network, then em0 rules need to allow that.  This will create a state and devices on em1 will be allowed to answer.  If you want em1 to imitate traffic to em0, then rules would be needed on em1 to allow that traffic.

    network and subnet?  I think this is a common issue with people new to networking..  These terms are quite often interchanged network, segment, vlan, subnet..

    So your 10.0.0.0/24 is a network segment, you could also just say network.. It is also a subnet of say 10.0.0.0/8 or 10.0.0.0/16 or even 10.0.0.0/23..  A vlan to me means tagging, but people use it to call out their network segments or subnets ;)

    Different terms should be used depending on the context of the conversation - but when it comes down too it they are exchanged quite often - not always appropriately, but if you say network, or segment or subnet or vlan even – its ok ;)  Also best if you give details of what your talking about -- like your above examples.



  • Ever since I got johnpoz's answers on my questions I felt quite confident in making rules.
    And I recently was discussing with a friend about that subject and he asked me an interesting question:

    If you had:

    • em0 is 10.0.0.0/24, and the ip of em0 is 10.0.0.1

    • em1 is 10.0.1.0/24, and the ip of em1 is 10.0.1.1

    And you made a rule: block port 80 going from the subnet 10.0.0.0/24 going to the subnet 10.0.1.0/24, is that less secure and effective as  the solution on referring to the interfaces?

    Good question right?? ??? ??? ??? ??? ???
    From my gut feeling it is less secure but I cannot explain why. :o 
    So if there is someone to tell me the difference between these 2 aspects of making firewall rules would be really great.


  • Rebel Alliance Global Moderator

    Less secure than what rule?  If your goal is to block 0.0/24 from talking to 1.0/24 on port 80 then that rule is fine.



  • the solution on referring to the interfaces

    You will need to explain what you mean by this - I think no-one has any idea what is "the solution on referring to the interfaces".



  • When referring to the interfaces, I mean creating a rule that starts with: "block out on em0…" and with making a rule with the subnet, I meant something like that: "block out on 10.0.0.0/24...".
    The rule will block the same port the difference is that I used in the last one a subnet in the rule and in the first one I used an interface.



  • pfSense generates the pf rule statements for you and I guess you have been looking at them in /tmp/rules.debug.
    The normal interface rules are all "in" rules - the traffic is filtering coming in to the interface. So you will get "block in" rules all the time. Normally this does everything you need. To get "block out" rules you have to use the Floating tab, and select the "out" direction. Usually that is not needed.
    The "on" keyword only takes an interface name - for example pfSense will make a name "WAN" for the WAN and the rule will look like "block in quick on $WAN"…
    Then there will be "from" and "to" clauses to match particular IP addresses/subents/alias.
    So, a rule for your example would block the traffic coming in on em0 like:
    block in quick on $LAN from 10.0.0.0/24 to 10.0.1.0/24

    Yes, you could also put a Floating rule to "block out on $OPT1 from 10.0.0.0/24 to 10.0.1.0/24" but it is not necessary. Those source/destination pairs are already blocked on the way in.



  • Lets not focus on the "in" and "out" on making firewall rules now, although it is important to know of how to properly make those rules.
    But the core question is, which one is the safer filtering rules:

    • block in from em0 to em1 port http

    • block in from 10.0.0.0/24 to 10.0.1.0/24 port http

    Is it safer to use interfaces or subnets in making those filtering rules?


  • Rebel Alliance Global Moderator

    how are they different, I would assume that only 10.0.1.0/24 is available as a dest network, and 10.0.0.0/24 would be the only source on that interface anyway?

    But normally in a block you wouldn't put a source unless that is only what you wanted to block.  A normal block would be source any to the dest IP or network.  You could only address security if you look at it to what it doesn't block.  But if that something it doesn't exist what does it matter?



  • If you manage the rules entirely by the GUI, you only have the chance to select a single interface (that is, the tab you are adding the rule to). As explained before, this rule is an IN rule. Within the rule, you cannot specify the source as an entire interface, you have to select a specific subnet.

    So the question ends up being "is it more secure to specify the destination subnet as the interface's subnet or leave it just as any?" (source has to be the source subnet as explained before)

    The answer is that "any" is more general and will deal with special cases (like devices with a manually configured address on a different subnet, or multicast traffic).

    In any case, remember the firewall will silently block any traffic not explicitely allowed.

    Regards!



  • Ok that cleared up a lot of things.  :)
    Thank you for your patience guys.  ;D

    Keep up the good work.  :D


  • Rebel Alliance Global Moderator

    ^^ exactly a block would have to be paired with an allow.. since by default everything is blocked.. Unless you have an allow statement paired with that block to limit the allow.  So what allow statement do you have after that rule?