Locking down pfsense with specific rules - need help



  • Shouldn't there always be a rule to block (ALL from WAN to LAN), since all connections originate from a computer on the LAN behind the firewall and there is no use for remote connections from WAN to LAN?

    And how would you create a rule to only allow specific ports (services) from LAN to WAN, such as only what I need:

    TCP Port 80 - HTTP
    TCP Port 443 - HTTPS
    TCP Port 21 - FTP
    TCP/UDP Port 53 - DNS

    So I could then create a rule to Block (ALL from LAN to WAN); then all ports and services would be blocked except what are defined in the rule(s).



  • @propel:

    so I could then create a rule to Block ( ALL from LAN to WAN) then all ports and services would be blocked except what are defined in the rule(s).

    This ^^

    Create a rule on your LAN interface that defaults to blocking, then put your exceptions to allow before the deny.



  • https://doc.pfsense.org/index.php/Example_basic_configuration

    This is how you do it. I wouldn't worry about the outbound dmz though.

    By the way don't disable the anti lockout rule until you have finished making your allow rules for TCP 443 or whatever port you have chosen for access to the web gui.

    All of them start like this. For the source IP just put LAN NET, then protocol such as TCP or UDP, and then the destination port and destination address, which is any in most cases. I recommend making an alias with your TCP connection ports just to make your rules list as neat as possible. You may even want to screenshot it for further reference, and on top of that always back up your config.



  • I created an Alias for ports: TCP 80,443,53,21

    Created two rules:

    IPv4 TCP --> LAN net --> Alias(ports) --> Destination * --> Port * --> Gateway *

    IPv4 UDP --> LAN net --> 53 (DNS) --> Destination * --> Port * --> Gateway *

    and I now have no internet access.

    Does pfSense need to use some extra port, or are the rules configured wrong?



  • I changed the rules to this and now have internet access:

    IPv4 TCP --> LAN net --> * --> Destination * --> Alias(ports) --> Gateway *

    IPv4 UDP --> LAN net --> * --> Destination * --> 53 (DNS) --> Gateway *

    Not exactly sure if this is the correct way to have the rules though.



  • For DNS try this:

    Go to System menu

    Then General Setup

    Go to where it says DNS servers

    Add the DNS servers that you prefer. You should only need two of them.

    Next

    Create a stand-alone DNS rule with destination port 53 TCP/UDP.
    Then for Source address select LAN net.
    For Destination select LAN address.

    Doing this will exclusively allow pfSense to use its own DNS, which is 127.0.0.1.
    You don't have to enter that address. So basically what I believe this allows pfSense to do is to check for things like cross-site scripting and quite a few other checks like DNS cache poisoning attempts etc. Other people please feel free to chime in on what this does.

    You could do it either way though. That's just how I do it.

    So basically your alias for internet connectivity should look something like this:

    TCP 80,443,21, and I would also include email ports, which will be TCP as well. That's only if you use an email program.

    Have your DNS rule as stand-alone.

    Also, depending on your graphics card (I don't know what you have), Nvidia needs a few ports open for Shadowplay, but you will have to find these on your own because they do change; eventually you will get them all.

    To do that open Task Manager / Performance tab / Resource Monitor. Then the fun part begins. Look at the PIDs for Nvidia and write them in Notepad.

    Then open PowerShell or cmd.exe. Type netstat -ano and look for the PIDs associated with Nvidia and look at the ports that they require. That's only if you want to use Shadowplay though. I also find that I have fewer system crashes by adding those ports.

    I'll give mine just to make it less troublesome. If you have AMD then you will have to look them up, if there is an equivalent to Shadowplay, which is used for recording games and can also be used for instructional videos. The other feature of it is that it can stream live to certain websites.

    TCP  9990, 23401, 65000, 65001, 47984, 49159, 23403

    UDP 54434, 54435, 5353, 48401, 56946

    Maybe that was a bit much but you can search all day and never find that information from Nvidia.



  • I removed the anti-lockout rule. Thus everything is blocked by default.

    • The below starts off assuming a new device connects, has no IP address and needs to request an IP (hence the source is ANY and not WirelessNET).

    • The second rule assumes you now have an IP and need a DNS request (source is now WirelessNET).

    • The third rule allows all traffic to Webports (80/443/22); however, the destination is NOT wireless address. This means internet access but no access to the firewall.

    I copy/pasted only the rules you need given your scenario. However, keep in mind this is my wireless network; I did not want them to be able to log into the firewall, so if you need webgui access you will need to add a rule for yourself to access it.
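A first-match rule evaluator, added here as an example (not pfSense code and not any poster's rules), that replays three rule sets from this thread: the first attempt with the port alias in the source-port slot (which blocks HTTPS because clients use ephemeral source ports), the corrected destination-port version, and the wireless ruleset described above. LAN_NET, LAN_ADDR and the sample flows are constructed stand-in values.

```python
from ipaddress import IPv4Network, ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # constructed stand-in for "LAN net"
LAN_ADDR = ip_address("192.168.1.1")     # constructed stand-in for "LAN address"
WEB = {80, 443, 21}                      # the thread's TCP port alias

def addr_ok(spec, addr):
    """spec: None (any), a network, a single address, or ("not", spec)."""
    if spec is None:
        return True
    if isinstance(spec, tuple):          # the "not" (invert match) checkbox
        return not addr_ok(spec[1], addr)
    return addr in spec if isinstance(spec, IPv4Network) else addr == spec

def port_ok(spec, port):
    return spec is None or port in spec

def rule(action, proto, src=None, sport=None, dst=None, dport=None):
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def pkt(proto, src, sport, dst, dport):
    return dict(proto=proto, src=ip_address(src), sport=sport,
                dst=ip_address(dst), dport=dport)

def evaluate(rules, p):
    """First matching rule wins; nothing matching hits the implicit default deny."""
    for r in rules:
        if (r["proto"] == p["proto"] and addr_ok(r["src"], p["src"])
                and port_ok(r["sport"], p["sport"])
                and addr_ok(r["dst"], p["dst"]) and port_ok(r["dport"], p["dport"])):
            return r["action"]
    return "block"

# The first attempt put the alias in the *source* port slot ...
FIRST_TRY = [rule("pass", "tcp", LAN_NET, WEB), rule("pass", "udp", LAN_NET, {53})]
# ... the fix moves it to the *destination* port slot.
FIXED = [rule("pass", "tcp", LAN_NET, dport=WEB), rule("pass", "udp", LAN_NET, dport={53})]
# Wireless ruleset: DHCP from any source (the client has no address yet),
# DNS only to the firewall, web ports anywhere except the firewall itself.
WIRELESS = [rule("pass", "udp", None, {68}, None, {67}),
            rule("pass", "udp", LAN_NET, None, LAN_ADDR, {53}),
            rule("pass", "tcp", LAN_NET, None, ("not", LAN_ADDR), {80, 443, 22})]

# Constructed sample flows; a client picks a high ephemeral source port.
HTTPS = pkt("tcp", "192.168.1.50", 51234, "203.0.113.10", 443)
DNS = pkt("udp", "192.168.1.50", 40000, "192.168.1.1", 53)
DHCP = pkt("udp", "0.0.0.0", 68, "255.255.255.255", 67)
GUI = pkt("tcp", "192.168.1.50", 51235, "192.168.1.1", 443)
```

Run `evaluate(FIRST_TRY, HTTPS)` against `evaluate(FIXED, HTTPS)` to see why the first ruleset left the poster without internet access.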



  • Go see what the gods gave to the world  ;D :P ;)

    https://forum.pfsense.org/index.php?topic=78062.0



  • @Cmellons:

    I've read it and for the most part it was useless for me. Also I could feel rage coming through his words while trying to teach something. Yep, once you let your ego in there things start to lose their meaning. The WAN floating rule for instance is not even necessary nor does it work the way that he described it. I could rip on the entire article but it would be a waste of everyone's time including mine.

    What according to you is wrong if I may ask?



  • I thought about it some more and it could've been that I was using VMware. After doing the rule like he said, pf had no internet access. Maybe it was the "any direction" part that was wrong, or it was something about a CARP sync interface etc. Maybe that's what it was, because I don't feel a need to use CARP. So perhaps it was a misunderstanding on my part. I was already steaming up about the red pill and the blue pill. Then again maybe I just needed some sleep. There's more to focus on today. Thanks for the input.

    I think the main reason that this rule baffled me was because of my inexperience in using SYNC. So when he said SYNC I was thinking click on all of the interfaces except for LAN and SYNC. I then selected the WAN interface because it was not included in LAN and SYNC as far as I know. Then again maybe it's because I don't know what SYNC is. But I did select the WAN interface in the floating rule, so it quite logically blocked the interface from getting to the internet.

    "Next up Floating tab:
    Set up a rule but make these changes:
    Action Block
    Quick TICKED!!!
    Interface Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
    Direction any
    Source any
    Destination any"


  • Netgate

    Do TCP and UDP 53 for DNS.



  • @Cmellons:

    I thought about it some more and it could've been that I was using VMware. After doing the rule like he said, pf had no internet access. Maybe it was the "any direction" part that was wrong, or it was something about a CARP sync interface etc. Maybe that's what it was, because I don't feel a need to use CARP. So perhaps it was a misunderstanding on my part. I was already steaming up about the red pill and the blue pill. Then again maybe I just needed some sleep. There's more to focus on today. Thanks for the input.

    I think the main reason that this rule baffled me was because of my inexperience in using SYNC. So when he said SYNC I was thinking click on all of the interfaces except for LAN and SYNC. I then selected the WAN interface because it was not included in LAN and SYNC as far as I know. Then again maybe it's because I don't know what SYNC is. But I did select the WAN interface in the floating rule, so it quite logically blocked the interface from getting to the internet.

    "Next up Floating tab:
    Set up a rule but make these changes:
    Action Block
    Quick TICKED!!!
    Interface Hold CTRL and click on all interfaces EXCEPT LAN(admin) and SYNC
    Direction any
    Source any
    Destination any"

    There is a giant red warning just under what you have quoted, which you missed. That rule was meant to lock down access to the pfSense ports (webgui + ssh), applied to all interfaces that have nothing to do with those ports. If you blocked pfSense's internet access, then you made a mistake somewhere.

    The SYNC interface applies to CARP clusters (the interface they use to keep their states in sync).