Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Taming the beasts… aka suricata blueprint

    Scheduled Pinned Locked Moved
    IDS/IPS
    64
    504
    264.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      shred
      last edited by

      @sheen73:

      Hi All,
      Very new to Pfsense, just started to research snort and suricata. Came to this post  and have read through it but still stuck. I am using Pfsense 2.3.4 and open VPN client with PIA, I have NAT setup to direct lan / wan to the PIA interface. I have a firewall rule for lan on LANnet to use the PIA DHCP gateway.

      As soon as I apply the below instructions, my internet access shuts down. Note only interfaces I have are LAN, WAN, PIA, OpenVPN (not used and does not exist, not sure why its on the list)

      "Next up Floating tab:
      Set up a rule but make these changes:
      Action Block
      Quick TICKED!!!
      Interface Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
      Direction any
      Source any
      Destination any"

      I think I am misunderstanding this portion

      "Head over to an interface's tab and set up a an allow rule. Source should be the interface's subnet. The destination should be any, and for the ports use the outgoing_ports alias created above. Destination should be any. Otherwise identical to the webgui rule. Warning! This allows any host to access any other host on other interfaces using those ports. If this is not needed (and generally it shouldn't), finish the rule, and head over to the floating rules tab."

      What am I supposed to do here? The floating rule takes precedent over all other rules 1st, any rule after this would still be blocked no? I added another LAN firewall rule and set source to LANNet and destination ports to the outbound port alias and no luck.

      Any tips?
      Thanks!

      I’m also confused by this part of the first post in the thread. I realize it’s pretty old but I’m sure a lot of new folks start searching around to learn about setting up their firewall and end up reading this thread. That being said, is there any reason to setup a floating rule that blocks all traffic? It seems like a better way is to simply delete the rule that’s automatically created on the LAN interface that allows outbound traffic to ‘any’. By doing that, aren’t you blocking all traffic both in (by default based on how pfSense is designed) and out of your network? From there, simply create rules on the interface for your specific needs (i.e. HTTP, HTTPS, DNS, IMAP, etc.). If I’m understanding this correctly, this would only allow traffic that I specify outbound.

      So again, what is the purpose of setting up a floating rule to block all traffic versus the method I mentioned above? The only thing I can possibly think of is that it would block outgoing traffic if it wasn’t originating from your LAN, but for a basic home setup with only one router (subnet), I don’t think it would matter since that’s the only interface outbound traffic would be coming from.

      Edit:
      I think I figured it out after watching more YouTube videos and doing more reading. I posted an explanation of my understanding of basic firewall rules on the pfsense reddit forum (https://www.reddit.com/r/PFSENSE/comments/79xzqi/basics_on_firewall_rules/?utm_content=title&utm_medium=hot&utm_source=reddit&utm_name=PFSENSE).

      One thing that still doesn't make sense on the very first post is this section:

      Next up Floating tab:
      Set up a rule but make these changes:
      Action Block
      Quick TICKED!!!
      Interface Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
      Direction any
      Source any
      Destination any

      My understanding is that you would want 'Quick' to be NOT SELECTED (i.e. un-ticked). Otherwise, no matter what rules you create, it's always going to see that floating rule first and the frame/packets stop there (unless they are automation rules or NAT rules which will occur before any user defined rule). In other words, none of your user defined rules will be executed. If 'Quick' is NOT SELECTED, this would still assess that rule first, but it wouldn't apply it until all of your user defined rules have been assessed and none of them were applicable.

      J 1 Reply Last reply Reply Quote 0
      • T
        TDJ211
        last edited by

        In your firewall rules you need to set the destination port range to the webgui ports you just changed

        1 Reply Last reply Reply Quote 0
        • RangoR
          Rango
          last edited by

          Thank you for this great guide. Question though. If one is on Openvpn how does that change this configuration and would interface of vpn provider be treated as wan or just set same rules on vpn interface.

          How is the security effected by using openvpn as related to this topic.

          1 Reply Last reply Reply Quote 0
          • J
            jasonraymundo31 @shred
            last edited by jasonraymundo31

            @shred yup, I've been there, I also got confuse about that. but that rule is to block other interface to access management port. some of the link or pictures of this guide did not retrieve when netgate upgrade their forum.

            02268e4d-4c47-4b6c-b5ed-0cdbe7ee2a20-image.png

            1 Reply Last reply Reply Quote 0
            • NollipfSenseN NollipfSense referenced this topic on
            • First post
              Last post