Wanting to move back to PFSense



  • A number of years ago, I moved from PFSense to Sophos UTM. I did this because Sophos had more security features. After fighting with bugs, and general arrogant stupidity from the Sophos developers, I'm ready to move on. One of the features that got me to move to Sophos is the Anti-Portscan feature. While it detects a portscan fine, it just doesn't do anything intelligent with that information. Can PFSense now do something about portscans?

    I know, I've seen arguments about how it's irrelevant, and that a distributed attack will bypass detection. I've never had a DDOS attack, and simply want to make it as hard as possible for hackers. I have a lot of devices with opened ports (IP Cameras, remote power devices, etc) that I don't have much control over as far as security goes. If it's hidden on a random port, and portscans fail (Because anti-portscan drops attempts), 99% of hackers won't even know they exist. I don't expect anti-portscanning to be the best, or only security solution. I just don't believe in being low hanging fruit.

    Thanks!


  • Netgate

    If you're concerned about security drop the port forwards and use OpenVPN or IPsec instead.



  • I actually do use OpenVPN. It just isn't practical, or needed in every situation.

    So, can PFSense block port scans?



  • @RChadwick:

    I actually do use OpenVPN. It just isn't practical, or needed in every situation.

    So, can PFSense block port scans?

    WAN port, default deny all rule, drop silently.


  • Banned

    If you have Snort running it has portscan detection and can block the scanner's IP.

    Very useful.
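    The detection the previous post describes (many distinct ports probed from one source in a short time, then block that source) is easy to reproduce outside Snort from the firewall's own block log. The following is an added example, not code from the thread or from pfSense/Snort: it parses pfSense filterlog lines and flags a source once it has been blocked on a threshold of distinct destination ports inside a sliding window. The CSV field positions are assumed from the documented filterlog layout (common fields, IPv4 fields, length/src/dst, then ports), and the log lines are constructed for the demo.

```python
"""Port-scan detection over pfSense filterlog lines (added example, not from pfSense or Snort)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


def parse_filterlog(line: str):
    """Parse one filterlog syslog line into a dict, or None if it is not an
    IPv4 TCP/UDP entry. Field layout is an assumption based on the pfSense
    filterlog format: 0 rule, 4 iface, 6 action, 7 direction, 8 ip-version,
    16 proto-text, 18 src, 19 dst, 20 sport, 21 dport."""
    head, sep, rest = line.partition("filterlog")
    if not sep:
        return None
    payload = rest.split(": ", 1)
    if len(payload) != 2:
        return None
    f = payload[1].split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    ts = datetime.strptime(head.strip()[:15], "%b %d %H:%M:%S").replace(year=YEAR)
    return {"ts": ts, "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag a source once it has been *blocked* inbound on `threshold` distinct
    destination ports within `window`. A client hammering one closed port never
    trips it; a scanner walking ports does. Returns {src: (trigger_ts, ports)}."""
    recent = defaultdict(deque)   # src -> deque of (ts, dport), oldest first
    flagged = {}
    for ev in filter(None, map(parse_filterlog, lines)):
        if ev["action"] != "block" or ev["dir"] != "in" or ev["src"] in flagged:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:   # slide the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            flagged[ev["src"]] = (ev["ts"], len(distinct))
    return flagged


def _line(ts, action, src, dport, proto="tcp", dst="198.51.100.7"):
    """Build one constructed filterlog line in the assumed layout."""
    return (f"{ts:%b %d %H:%M:%S} pfSense filterlog[1234]: "
            f"5,,,1000000103,em0,match,{action},in,4,0x0,,64,0,0,DF,"
            f"{6 if proto == 'tcp' else 17},{proto},60,{src},{dst},51234,{dport},0,S,1,,65535,,")


T0 = datetime(YEAR, 3, 10, 12, 0, 0)
SAMPLE_LINES = (
    # constructed: fast scanner, 15 distinct ports in 30 seconds
    [_line(T0 + timedelta(seconds=2 * i), "block", "203.0.113.5", 21 + i) for i in range(15)]
    # constructed: legitimate client retrying one closed port 20 times
    + [_line(T0 + timedelta(seconds=i), "block", "198.51.100.20", 443) for i in range(20)]
    # constructed: slow scanner, one new port every 2 minutes (outside the window)
    + [_line(T0 + timedelta(minutes=2 * i), "block", "192.0.2.9", 1000 + i) for i in range(12)]
    # constructed: allowed VoIP traffic and an unrelated syslog line
    + [_line(T0, "pass", "198.51.100.21", 5060, proto="udp"),
       "Mar 10 12:00:00 pfSense sshd[99]: noise"]
)

if __name__ == "__main__":
    for src, (ts, ports) in detect_scans(SAMPLE_LINES).items():
        print(f"{src} flagged at {ts:%H:%M:%S} after {ports} distinct ports")
```

Only the fast scanner is flagged: the retrying client hits a single port, and the slow scanner never has ten ports inside one window, which is exactly the evasion the first post's "distributed/slow attack" objection refers to. The same loop keyed on `dst` instead of `dport` catches a horizontal sweep of one port across many hosts.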



  • Closing all ports and connecting to pfSense over VPN should blow away all these needs!
    Today every smartphone and tablet is capable of VPN, so you can easily connect from everywhere
    to your pfSense, and site-to-site VPN tunnels should not be a problem these days either; they are becoming even
    more common.



  • I use VPN all the time, but it's cumbersome and slow to connect, and in bad signal areas, won't connect at all. Sometimes I just need to turn on my office air conditioner quick, not fiddle with my phone for 20 minutes. This is why I'm asking about anti-portscan, not a substitute.

    Also, I use VOIP, and need to open a number of ports for my provider. I'm not sure I can convince them to connect to my router with VPN. Not sure I would want them to.

    Is snort now built into PFSense? From my recollection, I was EXTREMELY happy with the stability of PFSense, but not the plugins.



  • I use VPN all the time, but it's cumbersome and slow to connect, and in bad signal areas, won't connect at all.

    Yep, now I know why. But only opening some ports would not really be wise; others could also come and play
    with your internal equipment at home or in the office.

    Sometimes I just need to turn on my office air conditioner quick, not fiddle with my phone for 20 minutes. This is why I'm asking about anti-portscan, not a substitute.

    Ah, ok, but a VPN app would really be better, so you can configure a task called "office"
    and then you only need to open the app and choose the task "office" to connect. After the VPN connection
    is alive you can also work with perhaps another app offered by the air conditioner vendor.

    Also, I use VOIP, and need to open a number of ports for my provider.

    Create a DMZ and then place there a small appliance loaded with Asterisk PBX; then
    you could also use this over VPN when you are connected.

    Is snort now built into PFSense? From my recollection, I was EXTREMELY happy with the stability of PFSense, but not the plugins.

    Snort & Suricata are available as plugins, so-called packages, to install on pfSense.



  • Snort is useful, but I'd also make sure as you dont/cant use vpn's of sorts, is put the devices that need open ports on their own isolated vlan or network interface (optX).

    This way, firmware for some webcams can't be updated and then be used to start probing and attacking your network from within, as brute-force approaches become easier if the next hop from the compromised device is just your firewall and another of your network segments.

    Also make sure those devices have explicit rules to prevent them from logging into pfSense, at the very least if they are on your LAN interface.

    If you know that access to these devices is only going to take place from IP addresses of a certain provider, like, say, the IP address blocks assigned to your smartphone provider when you access your webcam, you can also put blocks in place to stop any IP address not assigned to your smartphone provider from accessing your webcam.

    At the very least, pfBlockerNG, which blocks IP addresses at the country level, could be useful if no one overseas is expected to have access.

    However, I will say, as it invariably occurs, if access from abroad is going to take place, like for a business trip or holiday (more common in Europe than, say, the US by virtue of land mass), you can still use pfBlockerNG to allow access from those countries.

    I've done this for customers going on business trips abroad, but always make sure you know if they are taking any connecting flights in a foreign country, as they will invariably check email and office cams while waiting for the connecting flight, so making sure you know the IP address of the airport(s) is useful. This can also be automated with your own apps that control pfSense, or a simple cron job in some cases, depending on how you approach it.

    Food for thought….