• Hello!

    So I'll be installing pfSense tomorrow and I was wondering, what do you guys like to do on a fresh install?
    What's recommended to do for security and overall just good habits to get myself in?


  • LAYER 8 Global Moderator

    Setup your firewall rules how you want them..

    To be honest out of the box pfsense is ready to go.. What sort of specific question do you have?  Firewall rules would be unique to every network..

    Without some knowledge of your network and your wants for security its almost impossible to suggest something.

  • I don't have anything specific in plan, I heard I should probably change a lot of default ports for things. Which I believe makes sense, by the way what packages do you recommend? I know of Squid and Snort being big ones.

  • LAYER 8 Netgate

    Depends on what you're doing with the tool. As for changing default ports, a better solution is to identify source IPs and just pass those. An even better solution is to close everything and use OpenVPN to manage.

    It depends.

  • LAYER 8 Global Moderator

    Why should you change default ports?  Where did you hear or read that - that is freaking NONSENSE…  Please post link to this source..

    I don't recommend any packages without some insight to what your wanting to do... Do you really want/need to run a proxy??  Why?  Do you have young kids your wanting to block from porn sites?  As to snort -- yeah would not recommend that at all to someone that has to ask what they should setup..  Snort can be a complicated monster with shit load of false positives (noise).. I really would not suggest anyone without good grasp of firewalls and networking in general.

    Are you going to have more than 1 network segment, like a isolated wireless segment?  What is going to provide wireless some card in pfsense or true AP?  Router as AP?  Does your switch support vlans?

    edit: Are you going to use pfsense openvpn to allow access into your network?  If so then I would suggest you install the openvpn client export util package.  But again if your not going to do that - then there is no need to install that package.

  • I unfortunately can't find that post that said to change default ports, I was looking for it before even posting this. Also I have very little knowledge so Snort will be bad for me. (I'll just stay away)

    I'll be using an old router as an AP, also for Squid I was going to play with it just for caching, unless if there's a better way or to just not bother with it.

    Really should I just leave it stock and use some basic network monitoring until I gain more knowledge or just play with the basics early on?

  • LAYER 8 Global Moderator

    Caching for why??  The net is mostly all dynamic these days.. Your browser would be caching all the images you use already, etc.  Do you have multiple machines that all go to the same sites and you have a really limited internet connection with really restrictive cap that saving a couple of KB for an image is going to help you??

    So are you going to setup this old router as AP on same network as your other stuff or do you want to isolate it and have say a guest wifi network and normal network for your devices?  Does your old router support vlans for wifi, does it support 3rd party firmware that you could do that with?

  • Good point on the caching, I was thinking for using it let's say I join a source game server and they use fastDL and it takes forever, my friends come over and they have to download the same junk. I thought it'd be useful for that, but that seems incredibly inefficient now that I think of it.

    The AP doesn't have Vlan to my knowledge but it'll just be for my private network, just a basic AP.
    I think I'll just remain stock with pfSense until I can find a reason to grab anything else.