Taming the beasts… aka suricata blueprint
-
Still recovering and becoming a regular at the doctors'. Went through everything so far, x-rays, CTs, EMGs, MRIs…(notice the "s" at the end of each one). Still have 2 MRIs to go through, but that's going to take a while, not scheduled for another 4 months or so. Not saying that the guide is going to be delayed until then, but for now, I'm more focused on easing back to my regular life and workflow.
I only ask for your patience for now :). Bone marrow and nerves are slow in recovery...
The upside is that my head is still attached to my neck, that's good!
-
@jflsakfja:
Can I see a screenshot of the floating rule in question?
If you are talking about the "block all" floating rule, it should only apply to traffic destined for pfsense's ports (that's why there is a giant red warning under it).
Thanks for your reply. I guess the post above concerns the same confusion. Don't get me wrong, but you write the following:
Next up Floating tab:
Set up a rule but make these changes:
Action Block
Quick TICKED!!!
Interface Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
Direction any
Source any
Destination any
If you read this directly (as I did, since I'm an absolute beginner), your rule will block everything in/out on all interfaces, except "LAN".
I did this, and got confused. I could not wrap my head around how on earth a floating block ANY ANY ANY on all interfaces would possibly allow any traffic to pass through.
My suggestion is to clarify (maybe more big red letters) that this floating block rule is ONLY for the ports you specify as being web interface and SSH (which makes good sense).
Thanks for your guide, I'm looking forward to following the next steps.
BR Jim
Ahhhhh….thanks for the clarification! I read it that way too.
-
@jflsakfja:
Next up Floating tab:
Set up a rule but make these changes:

| Setting | Value |
|---|---|
| Action | Block |
| Quick | TICKED!!! |
| Interface | Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC |
| Direction | any |
| Source | any |
| Destination | any |

DON'T CHANGE DESTINATION PORT RANGE!!! Had to add this since I confused a few people already :p
Those are pretty much the only changes you need to make. Save and apply the rule. When adding other floating rules, make sure this rule stays at the absolute top of the list.
I am either missing something or this is truly going over my head and I apologize for resurrecting an old(er) thread.
When I add the Floating rule, all traffic on my network grinds to a halt.
Can someone explain to me how to set it up correctly? I apologize for this, I've looked over the thread several times and can't come to an answer. I tried varying setups and, still, nothing.
Here's a link to my current rules:
Floating: http://i.imgur.com/oqVGRyD.png
WAN: http://i.imgur.com/kezi74q.png
LAN: http://i.imgur.com/n7g15kf.png
Thanks.
P.S., hope you're alright, jflsakfja. :D
-
you missed the destination admin ports for your pfsense box.
-
you missed the destination admin ports for your pfsense box.
So, they need to be in the LAN and Floating section? Also, I noticed I might've mislabeled the LAN and WAN Imgur links. Sorry.
-
Be careful with the chosen ports: they must not be used by normal applications, because you will cut access to these ports.
You only need a restriction rule on LAN if you want specific designated computers to be able to access the admin ports.
Attached floating rule for WAN and rule for LAN.
p.s.
you can use as destination: "This firewall (self)" instead of any
![2015-10-20 10.01.07.jpg](/public/imported_attachments/1/2015-10-20 10.01.07.jpg)
![2015-10-20 10.14.02.jpg](/public/imported_attachments/1/2015-10-20 10.14.02.jpg)
-
Be careful with the chosen ports: they must not be used by normal applications, because you will cut access to these ports.
You only need a restriction rule on LAN if you want specific designated computers to be able to access the admin ports.
Attached floating rule for WAN and rule for LAN.
p.s.
you can use as destination: "This firewall (self)" instead of any
Appreciate it! Thanks a lot. Kudos.
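To make concrete why the floating block rule has to target the firewall's own admin ports (the "This firewall (self)" destination suggested above), here is an added example that is not from the thread or from pfSense itself: a simplified first-match model of floating rules with "quick" ticked. The interface names, the admin ports 443/22 and the sample packets are assumptions, and state tracking and NAT are deliberately ignored.

```python
from dataclasses import dataclass, field

ANY = "any"

@dataclass
class Rule:
    action: str                          # "block" or "pass"
    interfaces: object = ANY             # set of interface names, or ANY
    dst: str = ANY                       # ANY or "self" (the firewall itself)
    dports: set = field(default_factory=lambda: {ANY})
    quick: bool = True                   # "Quick TICKED" in the guide

@dataclass
class Packet:
    iface: str      # interface the packet is seen on
    dst: str        # "self" or a host address
    dport: int

def matches(rule, pkt):
    on_iface = rule.interfaces == ANY or pkt.iface in rule.interfaces
    return (on_iface and rule.dst in (ANY, pkt.dst)
            and (ANY in rule.dports or pkt.dport in rule.dports))

def evaluate(rules, pkt, default="block"):
    """First matching quick rule wins; otherwise the last match wins."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

NON_LAN = {"WAN", "OPT1"}      # every interface except LAN (admin) and SYNC
ADMIN_PORTS = {443, 22}        # assumed webGUI and SSH ports

# Floating rule as several readers first set it up: destination any / any port.
AS_MISREAD = [Rule("block", NON_LAN), Rule("pass", quick=False)]
# Floating rule as the guide intends: only the firewall's own admin ports.
AS_INTENDED = [Rule("block", NON_LAN, dst="self", dports=ADMIN_PORTS),
               Rule("pass", quick=False)]

SAMPLE = {  # constructed packets, not real captures
    "wan_to_gui": Packet("WAN", "self", 443),
    "lan_to_gui": Packet("LAN", "self", 443),
    "wan_to_forwarded_web": Packet("WAN", "10.0.0.5", 80),
}

def verdicts(rules):
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}

if __name__ == "__main__":
    print("as misread:", verdicts(AS_MISREAD))
    print("as intended:", verdicts(AS_INTENDED))
```

With the misread rule every non-LAN packet is blocked, including the forwarded web server; with the intended rule only admin access to the firewall from non-LAN interfaces is blocked.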
-
So long and thanks for all the fish.
-
@jflsakfja:
So long and thanks for all the fish.
Oh, NO. Are you leaving us? What's happening?
-
@jflsakfja:
So long and thanks for all the fish.
Farewell. Thank you for everything.
Hoping you will return.
-
Hi I am trying to create the golden custom rules and need help…
# the bracketed placeholder stands for the real list of ports open on the firewall
alert tcp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900001; rev:1;)
alert tcp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900002; rev:1;)
alert udp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900003; rev:1;)
The first two are to block incoming to closed ports.
The last two to block incoming from low ports to low ports.
How should I adjust them in the msg bit, or any other comments on them?
Thanks.
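As an added example (not from the thread or from Suricata), here is a small linter for custom rules of the kind asked about above. It parses the rule header and options and reports the two defects that matter before worrying about the msg text: a sid shared by several rules, which Suricata rejects at load time, and a port list containing words instead of numbers, ranges or $variables. The sample rules are embedded as constructed input.

```python
import re

HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
PORT_ITEM = re.compile(r'^!?(\d+|\d*:\d*|\$\w+|any)$')  # 80, 0:1023, $VAR, any

def port_ok(spec):
    """True if a port spec uses only syntax Suricata understands."""
    spec = spec[1:] if spec.startswith('!') else spec
    if spec.startswith('[') and spec.endswith(']'):
        spec = spec[1:-1]
    return all(PORT_ITEM.match(item.strip()) for item in spec.split(','))

def parse_rule(line):
    m = HEADER.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in filter(str.strip, m.group('opts').split(';')):
        key, _, val = opt.strip().partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return {**m.groupdict(), 'opts': opts}

def lint(rules):
    """Return (rule number, problem) pairs for a list of rule lines."""
    problems, seen = [], {}
    for n, line in enumerate(rules, 1):
        r = parse_rule(line)
        if r is None:
            problems.append((n, 'unparseable rule header'))
            continue
        for which in ('sport', 'dport'):
            if not port_ok(r[which]):
                problems.append((n, f'invalid port spec {r[which]}'))
        sid = r['opts'].get('sid')
        if sid is None:
            problems.append((n, 'missing sid'))
        elif sid in seen:
            problems.append((n, f'sid {sid} duplicates rule {seen[sid]}'))
        else:
            seen[sid] = n
    return problems

# Constructed sample: four rules that share one sid and use a placeholder port list.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET ![ports,open,on:firewall] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900000; rev:1;)',
    'alert tcp $EXTERNAL_NET [0:1023] -> any [0:1023](msg:"Blocked close TCP"; classtype:attempted-recon; sid:9900000; rev:1;)',
    'alert udp $EXTERNAL_NET [0:1023] -> any [0:1023] (msg:"Blocked close UDP"; classtype:attempted-recon; sid:9900000; rev:1;)',
]
```

Running `lint(SAMPLE_RULES)` reports the placeholder port list on the first two rules and the repeated sid on rules two to four.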
-
Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?
LoboTiger
-
My advice is to install Suricata if possible.
Yesterday I just had to uninstall Snort and install Suricata on one remote site after I saw high CPU load and high CPU temp without traffic. Reason: Snort was at >10-15% CPU; in the same conditions Suricata is now at 1-2% CPU, which is OK.
The other site had Suricata installed and no problems; both sites are running pfSense 2.2.5 with a site-to-site VPN.
-
Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?
LoboTiger
I am an absolute beginner and I found this thread very interesting to get some understanding of the principles of good security.
So I will re-read it and start to implement it.
-
Hi everyone. I'm thinking of following the guide here but jumping to the last page I noticed that jflsakfja indicated that he will no longer be on this forum. Is it worth reading 30 pages to get this setup? Is the snort page any better?
LoboTiger
It's probably the best read you'll find on the net about IDS/IPS security. Most of what you need to know is in the first few pages anyway….
-
SO… all quiet on the western front?
Did I miss a memo somewhere about what happened to this project, or the guide v2?
-
Not an expert, but I guess… yes
https://forum.pfsense.org/index.php?topic=88244.0
-
That's not it… They eventually gave him permission to use a disclaimer, and from that point on the project was under way. But then jflsakfja got into a serious car accident and he's just had to put all of this on pause until he gets better.
-
If that is indeed that case then he has my deepest and genuine sympathies and I wish him a hearty, fast and total recovery.
-
First off, great topic! I am completely new to all of this and I've spent hours reading through this topic and looking out over the internet to try to understand it.
The reason I made an account and posted is because I attempted to type up a How-To for the super-layman.
I attached it here and would love to get your feedback on it. There are certainly fundamental errors in it simply because I do not understand this stuff and my interpretations of what's going on are bound to be incorrect (hopefully not all the time).
If those of you who know what's going on would be so kind as to give me feedback and correct me, I'll revise and re-post the corrected copy. The intent is to have a document that I or someone like myself could pick up and use to set up pfSense in a secure way without any prior knowledge.
So I got on eBay and for $130 purchased an SFF HP with an i5-2400, 8GB RAM and 640GB HDD and an Intel PRO/1000 PT dual NIC. I know it's overkill, but it was cheap.
Going through MANY hours of YouTube tutorials on pfSense and networking in general, I learned that most of what I want to do on pfSense can be achieved by simply following instructions without very much understanding. However, it seemed to me that firewall rules (what pfSense was actually made for) actually needed to be understood at least on a basic level, since they are so specific to what you're using it for. Then I found this thread, I read through it, and didn't understand much. So I read through more, researched things online and started typing up a step-by-step document that I could use to accomplish each task and have some understanding of what I was doing. I didn't accomplish that completely; there are things that I know I don't fully understand, and I'm sure other things that I misunderstand.
It's worth noting that I haven't actually been able to attempt any of this on pfSense yet.
Anyways, thank you for what you've done and I'd appreciate any of your expertise and guidance!
@jflsakfja:
Here we go!
Firewalling
Always whitelist, NEVER blacklist… <<<<< everything I tried to understand and included in my writeup thus far is contained between these two quotes from the OP. >>>>>
…Back to where we left. Nobody likes his internet being down (I grew tired of having to explain that the Internet was designed to survive a nuclear holocaust without it being down, if you can't beat them, join them). So hurry up with the other interfaces as well.