PfSense - basic firewall rules for a simple home setup?

Can anyone recommend a guide that will allow me to setup some basic firewall rules for a simple home setup?

I am running openvpn on it and just set up snort in connectivity mode, which I think is enough for my simple needs.

However, it has just dawned on me I don't understand one bit of the firewall rules.

Can someone help a noob out?
 
pfsense already blocks all incoming connections, and allows outgoing connections by default.

NAT outbound mode is set up by default to automatic rule generation.

Just remember though, when port forwarding you need a pass firewall rule too, although this should be generated by default if you haven't altered the settings in General > Advanced.
 
What do you mean by NAT or no NAT?

You have a lot more reading to do. ;)

Network address translation and IP masquerading are used in most routers to 'hide' several IPs in one IP space (e.g. your personal devices in private 192.168.x.x space) from others (the internet) while still allowing communication. It does this by translating each packet's source (address/port) etc. on the fly as needed.
 
The WAN tab is for rules which allow connections from outside to inside; this is set to deny by default. Unless you're hosting services from your network, you're not likely to use this.

The LAN tab is for connections originating from your network to outside and this is set to 'any any' by default.

Try to add a rule to the LAN tab (less dangerous) to deny DNS (UDP 53) from any source to any destination. If you drag the new rule so that it's above the default any any rule and apply then you'll have just lost the ability to browse the web :p

Now drag the rule so that it's below the any any rule and apply. Now the rule does nothing because the priority is lower than the any any.

In my network I've created a rule to deny DNS from any address to any address, but above that I have a rule to allow the pfSense firewall itself to perform lookups. All my devices now have to talk to pfSense to operate, which is a nice last line of defense against anything going rogue. I've done the same for NTP, SMTP and a few others.

Ideally you'd want to deny everything by default and only allow the stuff you want to go through (egress filtering). In practice though this is a pain in the **** because of the number of custom application ports.
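An added example, not from this thread or from pfSense itself, that models the rule-order behaviour described above: a LAN tab is walked top-down and the first matching rule wins, so the DNS deny only bites when it sits above the default allow rule. The addresses, rule descriptions and packets are constructed; the model ignores floating rules, the anti-lockout rule and the fact that firewall-originated traffic is not filtered by LAN interface rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of one pfSense interface tab: rules are evaluated
# top-down and the first match decides, so order is everything.
@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "any", "udp" or "tcp"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port
    desc: str

def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("any", pkt["proto"])
            and _addr_match(rule.src, pkt["src"])
            and _addr_match(rule.dst, pkt["dst"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """Return (action, desc) of the first matching rule; an interface with
    no matching pass rule blocks the packet (pfSense's implicit default)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.desc
    return "block", "default deny"

# Hypothetical LAN: firewall at .1, a client at .50, an external resolver.
ALLOW_FW_DNS = Rule("pass", "udp", "192.168.1.1/32", "any", 53, "let pfSense itself resolve")
DENY_DNS = Rule("block", "udp", "any", "any", 53, "no direct DNS from clients")
ANY_ANY = Rule("pass", "any", "192.168.1.0/24", "any", None, "default allow LAN to any")

GOOD_ORDER = [ALLOW_FW_DNS, DENY_DNS, ANY_ANY]  # deny sits above any-any
BAD_ORDER = [ANY_ANY, ALLOW_FW_DNS, DENY_DNS]   # deny below any-any is never reached

CLIENT_DNS = {"proto": "udp", "src": "192.168.1.50", "dst": "8.8.8.8", "dport": 53}
FW_DNS = {"proto": "udp", "src": "192.168.1.1", "dst": "8.8.8.8", "dport": 53}
CLIENT_WEB = {"proto": "tcp", "src": "192.168.1.50", "dst": "93.184.216.34", "dport": 443}

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, "client DNS ->", evaluate(rules, CLIENT_DNS))
```

With the deny above any-any, a client's direct DNS query is blocked while web traffic still passes; with the deny moved below any-any the same query is passed by the default rule and the deny never matches.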
 
This would be a good starting point:

[image: pf3E_cover01.png]
 