Anticipating the pfSense Presentations in June
-
I was encouraged to see IT Pro TV planning for coverage of pfSense firewall systems right at the point I am finally building and configuring a unit myself. For some background, I am designing with security concepts from the ground up. My system will place the "guest" WAP in the DMZ where it should be (and throttling the bandwidth it doles out), and also has an "admin" interface that will exclude all other connections on my network from accessing that infrastructure.
I look forward to corresponding with the IT Pro TV staff and subscribers to look at these topics prior to and during the presentations...
-
I've got much of my initial pfSense configuration started, but still adding my DMZ and "ADMIN" LANs. Remote management (from locations outside my LAN) took longer to put in place than I would have thought, and I did purchase the Kindle edition of the 2009 book by the pfSense designers. If anyone else wants to talk shop on pfSense (I'm also lurking in their forum), post what you've got running, or want to do, pfSense-wise.
-
I love using aliases to group items, one of the first things I did with my pfSense firewall was to create a "BadNets" alias. If I see an IP address (even though it is blocked, creating a log entry) trying to access my network via such things like SSH, and resolving the address (i.e. ARIN, RIPE, APNIC) shows it to be part of a known "bad" subnet (i.e. China Telecom), I add it to my "BadNets" alias. This is a top-level rule that blocks (without logging, as to not overwhelm that data I want to see) traffic from those subnets entirely. Don't create a new firewall rule each time, just add the subnet entry to your alias.
-
I also alias ports and hosts on my networks. Here is an outgoing example (from my LAN at home to our Juniper core router) for defined ports (i.e. SSH on TCP port 22) from specific systems I have ("ManagementHosts"). It is followed by a firewall rule (of lower priority in the hierarchy, rules are applied top to bottom on each interface) that denies all other hosts (any system that someone else may have on my LAN). Notice that both events are logged. The purple circle denotes I have a special condition to even limit the number of simultaneous sessions from my systems (it trapped on me last night when a session dropped and was still defined as active; I had to modify the rule to two sessions).
I plan to tighten my networks later (you can see the default "anti-lockout" rule to the pfSense firewall that will be deactivated), to have a separate "ADMIN" network (you can see the tab for that interface) to administer my equipment separate from the "LAN". This is probably more steps than how my colleagues limit access, but I am building up my networks correctly now that I have a pfSense firewall with those abilities. Another nice side-effect to aliases is that the screen captures often need nothing masked out to show to anyone.
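The two posts above describe three things that are easy to get wrong in a pfSense rule set: rules are applied top to bottom per interface and the first match wins, a "BadNets" alias at the top drops known-bad subnets without logging so the interesting denies stay visible, and a per-source cap on simultaneous sessions refuses a new connection while a stale state is still counted. The following is an added toy model of that behaviour, not the poster's configuration or pfSense's own code; the aliases, addresses (RFC 1918 and RFC 5737 ranges) and rule list are constructed sample data, and the state-limit handling is a simplification of how pf treats a reached `max states per host` limit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Aliases: a name mapped to a list of networks (hosts as /32) or TCP ports.
# All addresses are constructed sample values (RFC 1918 / RFC 5737 ranges).
ALIASES = {
    "BadNets": ["203.0.113.0/24"],
    "ManagementHosts": ["192.168.1.10/32", "192.168.1.11/32"],
    "CoreRouter": ["192.168.1.1/32"],
    "MgmtPorts": [22, 443],
}


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: str                          # alias name or "any"
    dst: str                          # alias name or "any"
    dports: str                       # port-alias name or "any"
    log: bool = True                  # write a match to the firewall log?
    max_states: Optional[int] = None  # per-source cap on simultaneous sessions


# Rules are evaluated top to bottom; the first match decides the verdict.
RULES = [
    Rule("block", "BadNets", "any", "any", log=False),   # quiet drop keeps the log readable
    Rule("pass", "ManagementHosts", "CoreRouter", "MgmtPorts", log=True, max_states=2),
    Rule("block", "any", "CoreRouter", "MgmtPorts", log=True),  # everyone else, logged
]


class Firewall:
    def __init__(self, rules, aliases):
        self.rules = list(rules)
        self.aliases = {name: list(members) for name, members in aliases.items()}
        self.log = []        # log lines produced by rules with log=True
        self.states = {}     # (rule index, source ip) -> open sessions

    def add_to_alias(self, alias, entry):
        """Extend an alias in place; no rule has to change for the new entry to take effect."""
        self.aliases[alias].append(entry)

    def _in_alias(self, value, alias):
        if alias == "any":
            return True
        members = self.aliases[alias]
        if isinstance(value, int):                 # port alias
            return value in members
        addr = ipaddress.ip_address(value)         # host/network alias
        return any(addr in ipaddress.ip_network(net) for net in members)

    def evaluate(self, src, dst, dport):
        """Return (verdict, index of the matching rule); unmatched traffic is denied."""
        for idx, rule in enumerate(self.rules):
            if not (self._in_alias(src, rule.src)
                    and self._in_alias(dst, rule.dst)
                    and self._in_alias(dport, rule.dports)):
                continue
            verdict = rule.action
            if rule.action == "pass" and rule.max_states is not None:
                key = (idx, src)
                if self.states.get(key, 0) >= rule.max_states:
                    verdict = "block"   # cap reached: no new state is created, connection refused
                else:
                    self.states[key] = self.states.get(key, 0) + 1
            if rule.log:
                self.log.append(f"rule {idx} {verdict} {src} -> {dst}:{dport}")
            return verdict, idx
        return "block", None             # implicit default deny

    def close_session(self, rule_idx, src):
        """Release one state; a session that dropped without this still counts against the cap."""
        key = (rule_idx, src)
        if self.states.get(key, 0) > 0:
            self.states[key] -= 1


if __name__ == "__main__":
    fw = Firewall(RULES, ALIASES)
    print(fw.evaluate("192.168.1.10", "192.168.1.1", 22))   # management host: pass
    print(fw.evaluate("192.168.1.50", "192.168.1.1", 22))   # other LAN host: block, logged
    print(fw.evaluate("203.0.113.7", "192.168.1.1", 22))    # BadNets: block, not logged
    print(fw.log)
```

Running the scenario shows why the poster raised the cap to two: after two open sessions from a management host, a third attempt is refused until `close_session` releases a state, and a dropped session that never released its state keeps eating into the cap. It also shows that adding a subnet to `BadNets` silences further log entries from it without touching the rule list.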
-
David - Have you installed the IP block plugin (can't remember the exact name I think it's called PfBlocker??). It allows you to remove whole countries/continents from accessing your network. I tend to install this as one of my first plugins when doing a fresh install.
-
@Mike_P - Although I will prod during the presentations about the more common and useful pfSense plug-ins, I haven't added any generic blacklist as of yet. I suppose I want more granular control for now (but Thank You for the suggestion), and would still run my "BadNets" alias anyway (there are some "bad" spots within some "good" countries, and the inverse is probably true). It is easy for me - Normally there is no need for someone else to see what is on my home network.
-
I now have my DMZ network and "guest" WAP operational, and will be in the process of locking it down. The pfSense firewall is actually acting as a PPPoE server to the WAP, which is a re-purposed DSL modem. On any client, the connection appears to be through a DSL modem to the Internet, with the web interface having an ACL that is easily put in place.
Guests will believe I allow an open SSID with only a 256Kb uplink...
-
...and my traffic shaper throttling DMZ bandwidth is working to make things s..l..o..w..e..r.. . I do see peaks above the limits I set, but page load time is noticeably crimped and YouTube videos are pixelated and buffer. There do seem to be some effects over on my LAN; I hope I won't have to disable it again.
-
I've increased my traffic shaping rule for the DMZ to 1.5Mbps download (I tried browsing, and thought 256Kbps would have been harsh on my guests). Management of the "Guest" WAP is restricted to what it sees as its "WAN-side" (my pfSense firewall), with another rule for my "ADMIN" network to allow defined hosts to access it on the DMZ network. Here is an image showing the new rule at the bottom (below the rule combination of allowing only my defined "ManagementHosts" to access the pfSense firewall interface):
-
Now I have a second, more-realistic pfSense firewall configured to put in place. Since it is an Athlon 144, I've installed the AMD64 build of 2.2.2, with Gb of PC3200 RAM, and a modest 160Gb HDD. The case is much smaller at 1U, and I plan to power it with a 12VDC source for the DSATX PSU I bought. I'm staying with four interfaces (WAN, LAN, 'ADMIN', and DMZ); I could actually transfer the configuration.
It may be in-place before the presentations, I haven't quite decided the change-out date...