Firewall understanding



  • Hi guys,
    I am trying to firewall the LAN as well, so the machines behind the pfSense will have a restricted LAN, only allowed rules will be allowed.
    So I created a LAN to WAN firewall rule to block all,
    and allowed the ports that make sense (80, 443, 25, ...) from the LAN to WAN.
    Is this the correct way of configuring this?

    Thank you



  • Keep source port as *

    Rules at the top of the list are applied first.

    Couple of hints I can think of off the top…



  • I am trying to understand the firewall rules.
    What is the most practical:
    block all incoming and open just the allowed,
    or block the outgoing and allow just the allowed,
    or both LAN and WAN restricted?



  • There is an unseen "block all" rule for everything on every interface in pfSense. But it is kind of nice to see your own block rule anyway, IMHO.
    Block everything on WAN, and just pass the specific things that you want to allow from the big bad internet.
    LAN is a bit more difficult, because actually you usually want (or have to) let your users have access to a lot of stuff - that is kind of the point of the internet. The theory is to block everything and then allow just what is needed. But in practice that becomes a whole list of bits and pieces to allow, so lots of people go the easier path of blocking just the definitely not wanted stuff and allowing everything else. It's up to you!



  • @phil.davis:

    There is an unseen "block all" rule for everything on every interface in pfSense. But it is kind of nice to see your own block rule anyway, IMHO.
    Block everything on WAN, and just pass the specific things that you want to allow from the big bad internet.
    LAN is a bit more difficult, because actually you usually want (or have to) let your users have access to a lot of stuff - that is kind of the point of the internet. The theory is to block everything and then allow just what is needed. But in practice that becomes a whole list of bits and pieces to allow, so lots of people go the easier path of blocking just the definitely not wanted stuff and allowing everything else. It's up to you!

    Thank you Phil for your answer and explanation.
    If one of my users gets some kind of trojan, the idea is that the trojan won't send requests back to the hacker; this is the idea of blocking the outgoing traffic.



  • In an ideal world you would have a white-list of all the known-good web sites/services on the internet and their IP addresses (and the ports they offered their service on - 99% HTTP/HTTPS on 80/443). You would make a rule(s) on LAN to pass traffic to all of those IP address/port combinations. Then block everything else.
    Then some user with a "phone home" trojan/virus would have the "phone home" traffic blocked - because the "phone-home" IP address would not be on the white-list.
    In practice such a thing is usually unworkable - new good sites appear all the time, so the white-list has to be constantly updated, some sites have good content mixed with bad content so do you white-list the IP address or not?
    So for many installs it ends up being done the reverse way - get lists of "bad" sites/IP addresses and block them, then let everything else through. Of course that means new bad sites are accessible until someone realises and updates the black-list.
    Or use content-filtering solutions (Squid+SquidGuard, DansGuardian…) to try and make on-the-fly decisions about what content to allow past.

    Anyway, yes, blocking on LAN is intended to help protect against trojans getting out of your LAN, as well as people accessing sites full of viruses and...
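As an added example (not from any post in this thread), this is how the LAN policy discussed above looks as a raw pf ruleset, the form pfSense generates behind its GUI; the interface name, the LAN subnet and the choice to let DNS go to the firewall itself are assumptions.

```pf
# Assumed names: adjust to your own LAN interface and subnet.
lan_if      = "em1"
lan_net     = "192.168.1.0/24"
allowed_tcp = "{ 80, 443, 25 }"

# pfSense evaluates rules top-down, first match wins, because it adds
# 'quick' to every rule it generates. Plain pf is last-match-wins, so
# 'quick' is needed here to reproduce the GUI's ordering semantics.

# LAN hosts may resolve names against the firewall's own resolver
# (assumes unbound/dnsmasq runs on pfSense; drop this if DNS is external).
pass in quick on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port 53 keep state

# The allowed services out to the internet. Source port is left as 'any':
# clients pick a random high source port, so pinning it would break them.
# (Many sites restrict outbound 25 to the mail server only, not every host.)
pass in quick on $lan_if proto tcp from $lan_net to any port $allowed_tcp keep state

# Explicit catch-all at the bottom. pfSense already has a hidden default
# block, but logging your own makes "phone home" attempts from an infected
# host visible in the firewall log instead of silently disappearing.
block in log quick on $lan_if from $lan_net to any
```

Because the passes sit above the block, a LAN host reaching a web server on 443 matches the second pass and stops there; the same host trying an arbitrary port to an unknown address falls through to the logged block. Swapping the block to the top would block everything, which is the ordering point raised earlier in the thread.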