Basic config
-
I have installed my first pfSense box and so far it looks pretty cool. What I was wondering is what I need to do to get it ready and safe to connect to teh internetz. I have gone through the wizard and configured both interfaces too. I have Googled and found several tutorials, but none that go over any needed steps to make the server ready for use as a basic firewall and router besides going through the wizard and configuring the interfaces. Is it true that I am already done and can use pfSense in a safe way as router and firewall? The next step would be to add an OpenVPN server, for which I can find enough tutorials, but for now I need to get it up and running and functioning just like any router with a firewall.
-
By default there are no pass rules on WAN - all incoming connect attempts are blocked. So you are safe from outside-originated things.
If you want to control what things your internal users connect to in the outside world, then you need to put some appropriate mix of block and pass rules on LAN (rather than the default pass all).
-
Ok, thanks, I read about all incoming traffic being blocked by default. I do not want to control any outgoing connections; my aim is to create our own cloud. I will use a Synology NAS for the cloud service and as an LDAP server. So if my install is now ready for basic routing and firewalling, then the next step would be to set up VPN services including all associated certificate stuff like a CA and certificates per user. I read that the certificates need to have the same CN as the LDAP user, so I think I'm ok. I only need to find out how I can block users from accessing any other devices than the NAS.
-
You would set up the rules you want to limit your VPN users to on the VPN tab.
-
Ok, thanks. I'll see how far I can manage on my own, it looks quite easy!
-
It comes ready for the web. Very secure.
But with a LITTLE knowledge, and a lot of work, you can make it insecure… (-:
Be careful making pass rules and NAT rules.
-
Yeah. I understand what you mean. I think I have at least a basic understanding of NAT and firewalling. It's just that I had to do so little that I started to question myself whether I did enough :P
-
I have found log entries that I can't really understand.
Act   Time            If   Source                              Destination            Proto
block Dec 22 17:38:15 LAN  [fe80::c553:f712:d08e:c24a]:52859  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:15 LAN  [fe80::c553:f712:d08e:c24a]:52859  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:15 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:15 LAN  [fe80::c553:f712:d08e:c24a]:50661  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:16 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:17 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:17 LAN  [fe80::c553:f712:d08e:c24a]:50661  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:17 LAN  [fe80::c553:f712:d08e:c24a]:50661  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:17 LAN  [fe80::c553:f712:d08e:c24a]:50661  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:60143  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:60143  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:60143  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:52859  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:52859  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:52859  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:19 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:21 LAN  [fe80::c553:f712:d08e:c24a]:50661  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:21 LAN  [fe80::c553:f712:d08e:c24a]:50661  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:21 LAN  [fe80::c553:f712:d08e:c24a]:50661  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:23 LAN  [fe80::c553:f712:d08e:c24a]:53189  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:23 LAN  [fe80::c553:f712:d08e:c24a]:49836  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:23 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:23 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:23 LAN  [fe80::c553:f712:d08e:c24a]:55029  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:24 LAN  [fe80::c553:f712:d08e:c24a]:53189  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:24 LAN  [fe80::c553:f712:d08e:c24a]:49836  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:25 LAN  [fe80::c553:f712:d08e:c24a]:53189  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:25 LAN  [fe80::c553:f712:d08e:c24a]:49836  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:53189  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:53189  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:53189  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:49836  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:49836  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:49836  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:59761  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:27 LAN  [fe80::c553:f712:d08e:c24a]:55885  [fec0:0:0:ffff::2]:53  UDP
block Dec 22 17:38:28 LAN  [fe80::c553:f712:d08e:c24a]:59761  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:28 LAN  [fe80::c553:f712:d08e:c24a]:55885  [fec0:0:0:ffff::1]:53  UDP
block Dec 22 17:38:29 LAN  [fe80::c553:f712:d08e:c24a]:59761  [fec0:0:0:ffff::3]:53  UDP
block Dec 22 17:38:29 LAN  [fe80::c553:f712:d08e:c24a]:55885  [fec0:0:0:ffff::3]:53  UDP
These all seem to be IPv6 addresses. My guess would be that this is a portscan of some sort. But then I don't understand why it says "LAN" instead of "WAN"?
-
I'm clueless about IPv6 addresses so I'm no help on them but port 53 and UDP sounds like an attempted DNS lookup to me.
-
That is a client using IPv6 looking hard for a DNS server:
A set of three well-known site-local IPv6 addresses are reserved
for autodiscovery of DNS servers. These addresses may be used as
unicast addresses, assigned to different servers, or as anycast
addresses with one of them being assigned to all DNS servers in
the site, or any combination of anycast and unicast addresses. In
any case, host routes are propagated in the site's routing tables.
This document proposes that these three addresses be
fec0:0:0:ffff::1, fec0:0:0:ffff::2, and fec0:0:0:ffff::3. This
list of three addresses may be hardcoded into a host.
from: http://www.ietf.org/proceedings/52/I-D/draft-ietf-ipngwg-dns-discovery-03.txt
(and I suspect there are later versions of that draft standard)
-
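Added example (not from this thread or from pfSense): a small parser for firewall-log rows in the table format shown above that separates blocked probes to the three well-known DNS autodiscovery addresses from any other blocked traffic, so the benign noise does not hide something that actually deserves attention. The sample rows are constructed in the thread's format; the source address fe80::1a2b:3c4d:5e6f:7a8b and destination 2001:db8::10 are made up.

```python
import ipaddress
import re
from collections import Counter

# The three well-known site-local DNS autodiscovery addresses from the draft
# quoted above; their fec0::/10 site-local prefix was later deprecated (RFC 3879).
DNS_DISCOVERY = {ipaddress.IPv6Address(f"fec0:0:0:ffff::{i}") for i in (1, 2, 3)}

# One row of the pfSense firewall-log table: Act Time If Source Destination Proto
ROW_RE = re.compile(
    r"^(?P<act>block|pass)\s+(?P<time>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+\[(?P<src>[0-9a-fA-F:]+)\]:(?P<sport>\d+)\s+"
    r"\[(?P<dst>[0-9a-fA-F:]+)\]:(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

def parse_row(line):
    """Return a dict for one log row, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["src"] = ipaddress.IPv6Address(row["src"])
    row["dst"] = ipaddress.IPv6Address(row["dst"])
    row["dport"] = int(row["dport"])
    return row

def is_dns_discovery(row):
    """True when the row is a UDP/53 probe to one of the autodiscovery addresses."""
    return row["proto"] == "UDP" and row["dport"] == 53 and row["dst"] in DNS_DISCOVERY

def summarize(lines):
    """Count blocked rows per (interface, source): autodiscovery noise vs. everything else."""
    discovery, other = Counter(), Counter()
    for line in lines:
        row = parse_row(line)
        if row is None or row["act"] != "block":
            continue
        key = (row["iface"], str(row["src"]))
        (discovery if is_dns_discovery(row) else other)[key] += 1
    return discovery, other

# Constructed sample rows in the thread's table format (not the real log).
SAMPLE = """\
block Dec 22 17:38:15 LAN [fe80::c553:f712:d08e:c24a]:52859 [fec0:0:0:ffff::2]:53 UDP
block Dec 22 17:38:15 LAN [fe80::c553:f712:d08e:c24a]:52859 [fec0:0:0:ffff::3]:53 UDP
block Dec 22 17:38:17 LAN [fe80::c553:f712:d08e:c24a]:50661 [fec0:0:0:ffff::1]:53 UDP
block Dec 22 17:38:20 LAN [fe80::1a2b:3c4d:5e6f:7a8b]:44000 [2001:db8::10]:22 TCP
""".splitlines()
```

Calling summarize(SAMPLE) returns two counters; the first holds the harmless autodiscovery probes, the second anything else that was blocked on the same interface.
-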
Learned something new today guys, awesome. Thanks. Kind of weird that it is being blocked; I have no rules prohibiting any traffic inside the LAN. I do not want to put up any restrictions inside the network. Should I create a firewall rule that says allow LAN <-> LAN?
-
You might need to go to System->Advanced, Networking tab, and check "Allow IPv6". Otherwise there is a block-all-IPv6 rule put in by the firewall that is probably the reason for that blocking.
-
Gonna take a look at that when I'm at the location again, thanks. I think I might just disable IPv6 inside the network completely; I'm guessing it has no added value whatsoever, but the addresses are harder to remember :D