pfSense with pfiprep, some firewall rules, and Snort



  • Here is a fairly complete and simplified guide to setting up pfSense with pfiprep, some firewall rules, and Snort geared more towards people just getting started with pfSense.

    Pfiprep is a script made by BBcan17 for downloading blocklists which consolidates and de-duplicates the lists.

    You can get it here: https://gist.github.com/BBcan17/67e8c456cb399fbe02ee

    Using webgui, go to:
    System>Advanced>Firewall/NAT.

    Change: Firewall Maximum States 1000000 (1,000,000)
      Firewall Maximum Tables 10000000 (10,000,000)
      Firewall Maximum Table Entries 10000000 (10,000,000)

    Some of the dependencies of the script don't seem to be available using the “pkg_add -r” command, so you need to fetch them from the archive.

    Using SSH (or command prompt with webgui)

    cd /tmp/
    fetch ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/8.3-RELEASE/packages/Latest/grepcidr.tbz
    fetch ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/8.3-RELEASE/packages/Latest/perl.tbz
    fetch ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/8.3-RELEASE/packages/Latest/GeoIP.tbz
    fetch ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/8.3-RELEASE/packages/Latest/unzip.tbz
    fetch ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/8.3-RELEASE/packages/Latest/ipcalc.tbz
    fetch ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/8.3-RELEASE/packages/Latest/rsync.tbz
    

    then:

    pkg_add grepcidr.tbz
    pkg_add perl.tbz
    pkg_add GeoIP.tbz
    pkg_add unzip.tbz
    pkg_add ipcalc.tbz
    pkg_add rsync.tbz
    

    After that:

    Head over to Diagnostics>Command Prompt (using webgui).
    **1)** Use the upload part to upload both parts of the pfiprep (pfiprep & pfiprepman). After hitting upload, look
    to the top to see where the file ended up. It should show something like "Uploaded file to
    /tmp/pfiprep".
    **2)** Using SSH or Command Prompt
    ```
    mkdir /home/badips
    ```
    then
    ```
    ls -la /home/badips
    mv /tmp/pfiprep* /home/badips/
    ```
    **3)** Then
    ```
    chmod +x /home/badips/pfiprep*
    ```
    **4)** Also
    ```
    ls -la /home/badips/
    ```
    and make sure the owner is root and group wheel.
    **5)** Then using SSH or Command Prompt
    ```
    mkdir /usr/local/www/badips
    ```
    and
    ```
    ls -la /usr/local/www/badips
    ```
    to make sure it's drwxr-xr-x, owner root, group wheel.
    **6)** Last, using SSH or Command Prompt
    ```
    mkdir /usr/local/www/aliastables
    ```
    for the script's tier functionality.
    
    Then:
    Head over to Diagnostics>Edit File> /home/badips/pfiprep and change userfolder= and pfdir= to
    "userfolder=/home/badips" and "pfdir=/usr/local/www/badips/".
    While editing the script, read through the comments and make any necessary
    changes (other than userfolder and pfdir). The first time you run the script, change "bypass=no" to "bypass=yes"
    (otherwise the script will fail to run).
    
    SSH into your pfSense,
    ```
    cd /home/badips
    ```
    then try to run the script with
    ```
    ./pfiprep
    ```

    
    After the script is finished head over to Diagnostics>Edit File> /home/badips/pfiprep and change "bypass=yes" back to "bypass=no".
    
    If you don't have the Cron package installed, install it now by going to System>Packages>Available Packages and click the plus button next to Cron.
    
    Now head to Services>Cron and add a new Cron entry as shown below:
    minute: 40
    hour: *
    mday: *
    month: *
    wday: *
    who: root
    command: /usr/bin/nice -n20 /home/badips/pfiprep >> /home/badips/download.log 2>&1
    ![](http://i.imgur.com/kUYydaH.png)
    
    For the pfiprep widget go to [https://gist.github.com/BBcan17/67e8c456cb399fbe02ee#file-pfip_reputation-widget-php](https://gist.github.com/BBcan17/67e8c456cb399fbe02ee#file-pfip_reputation-widget-php) and download the raw file.
    Upload it using webgui (Diagnostics>Command) in /usr/local/www/widgets/widgets.
    Then on the webgui Dashboard add it by clicking the + sign in the upper left-hand corner and click on PfIP Reputation 2.
    ![](http://i.imgur.com/UdHXuL2.png)
    
    Firewall
    Now create the firewall rules:
    
    Using SSH or Diagnostics>Command (webgui):
    ```
    ls /usr/local/www/aliastables
    ```
    The output should be:
    ```
    $ ls /usr/local/www/aliastables
    IR_IB
    IR_Match
    IR_PRI1
    IR_PRI2
    IR_PRI3
    IR_SEC1
    IR_SEC2
    IR_SEC3
    IR_TOR
    ```
    
    Now head over to Firewall>Aliases>URL and create a URL Table for everything listed under /usr/local/www/aliastables (in the previous command) with:
    
    Name: IR_IB (or IR_Match, IR_PRI1 etc)
    Description:
    Type: URL Table
    URL: https://127.0.0.1:443/aliastables/IR_IB
    
    click Save.
    ![](http://i.imgur.com/K3GbVMG.png)
    
    Do the same for the remaining aliases, putting each alias table's name after /aliastables/ in "https://127.0.0.1:443/aliastables/".
    
    Now head over to Firewall>Rules>Floating and create rules for all of the aliases that were just created.
    
    Action: Block
    Disabled: NOT TICKED!
    Quick: Ticked
    Interface: WAN
    Direction: any
    TCP/IP Version: IPv4
    Protocol: any
    Source: "not" is not ticked.
            For type, select "Single host or alias" and type IR_IB
    Destination: "not" is not ticked.
            For type, select "Any".
    Log: Ticked
    Description: IR_IB inbound
    
    Save and apply.
    ![](http://i.imgur.com/zLenghW.png)
    
    Action: Block
    Disabled: NOT TICKED!
    Quick: Ticked
    Interface: WAN
    Direction: any
    TCP/IP Version: IPv4
    Protocol: any
    Source: "not" is not ticked.
            For type, select "Any".
    Destination: "not" is not ticked.
            For type, select "Single host or alias" and type IR_IB
    Log: Ticked
    Description: IR_IB outbound
    
    Save and apply.
    ![](http://i.imgur.com/f2YOmG3.png)
    
    Do this for all of the aliases that were created.
    
    For the paranoid who want to make sure the firewall is completely locked down, only allowing ntp, ftp, http & https through, you can create some more firewall rules.
    
    Create a rule blocking ports 1-19, 22-52, 54-79, 81-122, 124-442, and 444-65535. _(I would suggest doing this on your computer.)_
    ![](http://i.imgur.com/Pm7fj0J.png)
    
    **1.** Now install Snort by heading to System>Packages>Available Packages and click the plus button next to Snort.
    
    **2.** When the installation completes, click on Snort under the Services menu. This will open the Snort main setup page.
    **3.** Click the Global Settings tab and perform the following:
    
        Change the "Update Rules Automatically" drop-down to 12-hours.
        Near the bottom of the page, click the box for "Keep Snort settings after deinstall"
    
    At the top of the page you have three choices for Rule Sets to activate.  I recommend strongly that you obtain your own Oinkcode from Snort.org by clicking the URLs under the radio button for "Install Basic Rules or Premium Rules".  You can sign up for a free "Registered User" account, or pay $29 annually for a "Subscriber Account".  The paid account gets rule updates at least twice per week, and sometimes more.  Registered User free accounts only get rules as they age past 30 days.  That means your rules are 30 days old.  That's why the paid account is preferred.
    
    Another option is the free Emerging Threats Rule Set.  This one contains quite current rules and is quick to adapt to new threats, but it does not offer the easy pre-defined policies the Snort VRT rules do.  For beginners, the choices in the Emerging Threats rules can be a bit overwhelming.  I recommend the Snort VRT rules, and this means you need either a free or paid Oinkcode.
    
    Now back to the setup –
    
    **4.**  Click the radio button to "Install Basic Rules or Premium Rules".
    
    **5.**  Assuming you followed my advice above, paste your new Oinkcode in the text box provided.  Paste just your Oinkcode itself.  Do not include URL or filename!  Snort handles those using built-in values.
    ![](http://i.imgur.com/HnqTWA0.png)
    
    **6.**  Click Save.
    
    **7.**  Next, go to the Updates tab and click the Update button to download your rules.  Don't worry when it warns you about no configured interfaces.  We will set that next.
    
    **8.**  Click the Snort Interfaces tab and then click the plus "+" icon to add a Snort interface.
    
    **9.**  On the If Settings tab, click the Enable checkbox.
    
    **10.**  In the drop-down, choose the interface.  The WAN interface is the default and is a good first choice.
    
    **11.** In the Description textbox, enter a name (WAN again is fine here).
    
    **12.**  Click the checkbox to "Send alerts to the main System logs".
    
    **13.** You can leave the other settings at their defaults, but one setting you can usually safely enable is the "Checksum Check Disable" box.
    ![](http://i.imgur.com/uxQ1AR8.png)
    **14.** Click Save and you will be returned to the main Snort Interfaces tab.
    
    **15.**  Click the small "e" next to your interface to edit more settings.
    
    **16.**  Click the Preprocessors tab.
    **17.** Scroll down into the General Preprocessor Settings area and then check (or enable) all of the preprocessors listed in that section EXCEPT the Sensitive Data preprocessor. It can cause a lot of alerts and is best used after you gain some experience with Snort.
    ![](http://i.imgur.com/vGptrQN.png)
    
    **18.**  Click Save at the bottom of the page.
    
    **19.**  Now click on the Categories tab.  This is where we will choose a threat detection policy and associated rules.
    
    **20.**  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.
    ![](http://i.imgur.com/poFhIjQ.png)
    
    **21.**  Go back to the main Snort Interfaces tab.
    **22.** Click the red icon under the Snort column for your interface. After several seconds it will turn into a green icon if Snort starts up.
    ![](http://i.imgur.com/g5x23IP.png)
    **23.** Congratulations! You have an operable Snort IDS (Intrusion Detection System). Alerts can be viewed on the Alerts tab. After you gain experience, you can put Snort in blocking mode (IPS) by checking the "Block Offenders" box on the If Settings tab for the interface.
    
    **24.** If Snort failed to start for you, click Status and System Logs from the pfSense menu to examine the system log. You should find a clue for Snort not starting in there. Probably one of the most common reasons for failing to start is a preprocessor dependency in an enabled rule. Stated another way, an enabled rule contains a rule option or content option that relies on a preprocessor that is currently disabled. This is why I recommend turning on pretty much all of the preprocessors back up in Step 17. That avoids these kinds of FATAL ERROR problems on Snort startup. As you gain experience and knowledge with Snort, you can selectively disable preprocessors you truly do not need. For an explanation of preprocessors and their associated rule options, have a look at the Snort Manual at http://manual.snort.org/node17.html
    
    For getting started with rules I would suggest reading https://forum.pfsense.org/index.php?topic=64674.msg414255#msg414255
    
    Original tutorials:
    https://forum.pfsense.org/index.php?topic=78062.msg426009#msg426009
    https://forum.pfsense.org/index.php/topic,61018.0.html
    https://forum.pfsense.org/index.php?topic=64674.msg414255#msg414255
    
    Credit due to **BBcan17**, **jflsakfja** and **bmeeks**.
    ![pfiprep-cron.png](/public/_imported_attachments_/1/pfiprep-cron.png)
    ![pfiprep-alias.png](/public/_imported_attachments_/1/pfiprep-alias.png)
    ![pfiprep-widget.png](/public/_imported_attachments_/1/pfiprep-widget.png)
    ![pfiprep-inbound_firewall_rule.png](/public/_imported_attachments_/1/pfiprep-inbound_firewall_rule.png)
    ![pfiprep-outbound_firewall_rule.png](/public/_imported_attachments_/1/pfiprep-outbound_firewall_rule.png)
    ![pfiprep-additional-firewall-rules.png](/public/_imported_attachments_/1/pfiprep-additional-firewall-rules.png)
    ![pfiprep-snort_global.png](/public/_imported_attachments_/1/pfiprep-snort_global.png)
    ![pfiprep-snort_general_preprocessors.png](/public/_imported_attachments_/1/pfiprep-snort_general_preprocessors.png)
    ![pfiprep-snort_interface.png](/public/_imported_attachments_/1/pfiprep-snort_interface.png)
    ![pfiprep-snort-categories.png](/public/_imported_attachments_/1/pfiprep-snort-categories.png)
    ![pfiprep-snort-status.png](/public/_imported_attachments_/1/pfiprep-snort-status.png)
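The "look at ls -la and make sure it's drwxr-xr-x root wheel" steps, the contents of the alias tables that the URL Table aliases are pointed at, and the port list for the "paranoid" block rule in the guide above, turned into a scripted check. This is an added example, not part of the original post and not code from pfiprep, pfBlockerNG or pfSense. It assumes the paths and table names used in the post (/home/badips, /usr/local/www/badips, /usr/local/www/aliastables, IR_IB through IR_TOR) and that the tables hold IPv4 addresses or CIDRs only; the allowed-port set 20, 21, 53, 80, 123 and 443 is simply read off the ranges the post gives for that rule (53 is among the ports those ranges leave open). The script name pfiprep-check.sh is made up, and the sample table lines used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post or of the pfiprep script.
# Assumed paths/table names are the ones from the post; adjust if yours differ.

# check_dir DIR MODE [OWNER GROUP]
# Prints mode/owner/group the way `ls -la` shows them and fails when they
# differ from what is expected (e.g. drwxr-xr-x root wheel).
check_dir() {
    dir=$1; want_mode=$2; want_owner=${3:-}; want_group=${4:-}
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 1; }
    set -- $(ls -ld "$dir")              # $1 mode, $3 owner, $4 group
    mode=$1; owner=$3; group=$4
    echo "$dir $mode $owner $group"
    case $mode in
        "$want_mode"*) ;;                # prefix match tolerates a trailing + or . (ACL/label marker)
        *) echo "  wrong mode, want $want_mode"; return 1 ;;
    esac
    [ -z "$want_owner" ] || [ "$owner" = "$want_owner" ] || { echo "  wrong owner, want $want_owner"; return 1; }
    [ -z "$want_group" ] || [ "$group" = "$want_group" ] || { echo "  wrong group, want $want_group"; return 1; }
}

# validate_table FILE
# A URL Table alias file is expected to hold one IPv4 address or CIDR per
# line (blank lines and '#' comments are tolerated). Prints every offending
# line as FILE:LINENO: text and returns 1 if there were any, 0 if clean.
validate_table() {
    awk '
    function ok_octet(x) { return x ~ /^[0-9]+$/ && x + 0 <= 255 }
    /^[ \t]*(#|$)/ { next }                   # skip blanks and comments
    {
        n = split($1, parts, "/")             # entry is the first field
        ip = parts[1]; pfx = (n == 2) ? parts[2] : "32"
        good = (n <= 2) && (split(ip, oct, ".") == 4) && pfx ~ /^[0-9]+$/ && pfx + 0 <= 32
        for (i = 1; i <= 4 && good; i++) good = ok_octet(oct[i])
        if (!good) { print FILENAME ":" NR ": " $0; bad++ }
    }
    END { exit (bad > 0) }' "$1"
}

# block_ranges PORT...
# Complement of the given ports within 1-65535, printed as the comma-separated
# ranges you would type into a pfSense port alias or rule. Feeding it
# 20 21 53 80 123 443 reproduces the list in the post.
block_ranges() {
    start=1; out=""
    for p in $(printf '%s\n' "$@" | sort -n -u); do
        if [ "$p" -gt "$start" ]; then
            if [ $((p - 1)) -eq "$start" ]; then r=$start; else r="$start-$((p - 1))"; fi
            out="${out:+$out,}$r"
        fi
        start=$((p + 1))
    done
    [ "$start" -le 65535 ] && out="${out:+$out,}$start-65535"
    printf '%s\n' "$out"
}

# Usage on the firewall (assumed file name):  sh pfiprep-check.sh check
if [ "${1:-}" = "check" ]; then
    rc=0
    for d in /home/badips /usr/local/www/badips /usr/local/www/aliastables; do
        check_dir "$d" drwxr-xr-x root wheel || rc=1
    done
    for t in IR_IB IR_Match IR_PRI1 IR_PRI2 IR_PRI3 IR_SEC1 IR_SEC2 IR_SEC3 IR_TOR; do
        validate_table /usr/local/www/aliastables/$t || rc=1
    done
    echo "port ranges to block when only 20,21,53,80,123,443 stay open:"
    block_ranges 20 21 53 80 123 443
    exit $rc
fi
```

Run it from SSH or Diagnostics>Command after the first ./pfiprep run and again whenever the cron job has rewritten the tables: a non-zero exit means a directory has the wrong mode or owner, or a table contains a line that is not a plain IPv4 address or CIDR, which is worth catching before a URL Table alias tries to load it. block_ranges is the general form of the complement calculation behind the post's hand-written port list, so it can be reused if you decide to leave a different set of ports open.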


  • I'm a new user trying to set up Firewall Rules for the first time for my home network. I'm attempting to use this guide, but find the link to the script is dead. Would someone please repost or revise the link? TIA

    Or, if you could provide a recommendation of a post that lists basic FW rules for a home network for a non-IT person that would help get started. I've searched the forum and abroad for a clear, concise set of basic rules and a how-to set them up and find there's a lot of different scenarios that depend on you having a basic set and working FW already in place.


  • Moderator

    The script pfIPRep is now replaced by the package pfBlockerNG.

    https://forum.pfsense.org/index.php?topic=86212.0
    https://forum.pfsense.org/index.php?topic=102470.0