Differences

This shows you the differences between two versions of the page.

--- pfsense:install_pfsense:create_firewall_rules [2021/01/05 17:12] – [CLEAR Firewall Rules] peter
+++ pfsense:install_pfsense:create_firewall_rules [2022/10/20 09:12] (current) – [IOT Firewall Rules] peter
@@ Line 12: / Line 12: @@
 ====== LAN Firewall Rules ======
+Navigate to **Firewall -> Rules -> LAN**.
 LAN Firewall rules will cover:
@@ Line 17: / Line 19: @@
   * Anti-Lockout to ensure you can always gain access to pfSense.
   * Allow ICMP pings to facilitate debugging.
-  * Allow traffic to the local networks on approved ports.
+  * Allow all other traffic, internal and external.
-  * Allow internet traffic on approved ports.
-  * Redirect any non-local DNS lookups back to the pfSense DNS server.
-  * Redirect any non-local NTP time lookups back to the pfSense time server.
-  * Reject any other traffic.  <WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
-</WRAP>
 ----
 ===== Anti-Lockout =====
 There should be a default **Anti-Lockout** rule already created on this page.
@@ Line 35: / Line 29: @@
 {{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan_-_anti-lockout_rule.png?800|}}
-There should also be Permit Traffic Rules.
-{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan_-_permit_traffic_rules.png?800|}}
-<WRAP info>
-**NOTE:**  These allow all traffic through from the LAN.
-This may be too Open, as they allow all traffic.
-To secure this better, these default rules we will blocked and replaced with only allowing specific traffic.
-</WRAP>
 ----
@@ Line 52: / Line 34: @@
 ===== Allow ICMP Pings =====
-  * Click **Add (up arrow)**.
+  * Click **Add (up arrow)**.  Add this above the default **Permit Traffic Rules**.
   * Action:  **Pass**.
   * Disabled:  **Not Checked**.
@@ Line 66: / Line 48: @@
 {{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan_-_allow_pings.png?800|}}
-----
+<WRAP info>
+**NOTE:**  This is not actually needed here, as the **Permit Traffic Rules** defined next will also allow pings.
-===== Allow local traffic from LAN interface to all other subnets =====
+The reason this is included here separately is that we log any pings, and to cater for future changes.
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
 </WRAP>
-Navigate to **Firewall -> Rules**.
-Select **LAN**.
-  * Click **Add (up arrow)**.
-  * Action:  **Pass**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **LAN**
-  * Address Family:  **IPv4**.
-  * Protocol: **TCP/UDP**.
-  * Source:  **LAN net**.
-  * Destination:
-    * Invert Match:  **Not Checked**.
-    * Single Host or alias:  **LOCAL_SUBNETS**.
-  * Destination Port Range:
-    * From:  **Other**
-    * Custom:  **Allowed_OUT_Ports_LAN**.
-    * To:  **Other**.
-    * Custom:  **Allowed_OUT_Ports_LAN**.
-  * Log:  **Not Checked**.
-  * Description:  **LAN - Allow traffic to local subnets**.
 ----
-===== Allow traffic from LAN interface to Internet =====
+===== Permit Traffic Rules =====
-<WRAP center round todo 60%>
+There should already be default Permit Traffic Rules.
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-We identify traffic destined for the internet as to an interface which is NOT a LOCAL_SUBNETS.
+{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan_-_permit_traffic_rules.png?800|}}
-Navigate to **Firewall -> Rules**.
-Select **LAN**.
-  * Click **Add (up arrow)**.
-  * Action:  **Pass**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **LAN**
-  * Address Family:  **IPv4**.
-  * Protocol: **TCP/UDP**.
-  * Source:  **LAN net**.
-  * Destination:
-    * Invert Match:  **Checked**.
-    * Single Host or alias:  **LOCAL_SUBNETS**.
-  * Destination Port Range:
-    * From:  **Other**
-    * Custom:  **Allowed_OUT_Ports_WAN**.
-    * To:  **Other**.
-    * Custom:  **Allowed_OUT_Ports_WAN**.
-  * Log:  **Not Checked**.
-  * Description:  **LAN - Allow traffic to WAN**.
-----
-===== Block unknown IPv4 =====
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-  * Click **↴+Add**
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **LAN**.
-  * Address Family:  **IPv4**.
-  * Protocol:  **Any**.
-  * Source =  **Any**.
-  * Destination:  **Any**.
-  * Log:  **Checked**.
-  * Description:  **LAN - Block IPv4**.
-  * Click **Save**.
 <WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
+**NOTE:**  These rules allow all traffic through from the LAN.
-</WRAP>
-----
+This may be too Open, as they allow all traffic.
-===== Block unknown IPv6 =====
+To secure this better, these default rules could be blocked and replaced with only allowing specific traffic.
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-  * Click **↴+Add**.
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **LAN**.
-  * Address Family:  **IPv6**.
-  * Protocol:  **Any**.
-  * Source:  **Any**.
-  * Destination:  **Any**.
-  * Log:  **Not Checked**.
-  * Description:  **LAN - Block IPv6**.
-  * Click **Save**.
-<WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
 </WRAP>
 ----
-===== Disable the Permit Traffic Rules =====
+The final ruleset for the LAN will be:
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-The default Permit Traffic Rules rules should be right at the bottom.
-They will never be reached, as the **Block unknown IPv4** and **Block unknown IPv6** rules would have blocked anything else.
-However, to be safe it is suggested these be disabled.
-Click the Tick Mark against these rules to disable them for now.
-<WRAP info>
-**NOTE:**  These firewall rules can also be deleted.
-But safer to keep them in for now, to quickly re-enable if needed.
-For now, ensure that both these rules are right at the bottom of all other firewall rules against the LAN,
-</WRAP>
+{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_lan.png?800|}}
 ----
@@ Line 208: / Line 82: @@
 ====== CLEAR Firewall Rules ======
+Navigate to **Firewall -> Rules -> CLEAR**.
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
 The requirements for this interface are:
-  * Allow ICMP pings to facilitate debugging.
+  * Allow access to the Printers.
-  * Allow traffic to local networks on approved ports.
+  * Allow internet traffic.
-  * Allow internet traffic on approved ports via default gateway.
-  * Allow non-local DNS lookups.   (DHCP allocates public DNS Servers).
-  * Allow non-local NTP time lookups.
-  * Reject any other traffic.
 ----
-===== Allow ICMP Pings =====
+===== Allow traffic from CLEAR interface to Printers =====
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
 Navigate to **Firewall -> Rules**.
@@ Line 239: / Line 97: @@
 Select **CLEAR**.
-  * Click **↴+Add**.
+  * Click **Add (up arrow)**.
-  * Action:  **Pass**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **LAN**.
-  * Address Family:  **IPv4**.
-  * Protocol:  **ICMP**.
-  * ICMP subtype:  **echo request**.
-  * Source:  **LAN net**.
-  * Destination:  **Any**.
-  * Log:  **Not Checked**.
-  * Description:  **LAN - Allow ICMP Ping**.
-----
-===== Allow local traffic from CLEAR interface to all other subnets =====
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-Navigate to **Firewall -> Rules**.
-Select **CLEAR**.
-  * Click **↴+Add**.
   * Action:  **Pass**.
   * Disabled:  **Not Checked**.
@@ Line 272: / Line 106: @@
   * Destination:
     * Invert Match:  **Not Checked**.
-    * Single Host or alias:  **LOCAL_SUBNETS**.
+    * Single Host or alias:  **PRINTERS**.
-  * Destination Port Range:
+  * Log:  **Checked**.
-    * From:  **Other**
+  * Description:  **Allow CLEAR to Printer**.
-    * Custom:  **Allowed_OUT_Ports_LAN**.
-    * To:  **Other**.
-    * Custom:  **Allowed_OUT_Ports_LAN**.
-  * Log:  **Not Checked**.
-  * Description:  **CLEAR - Allow traffic to local subnets**.
+<WRAP info>
+**NOTE:**  This allows users of the CLEAR network to access the Printers.
+</WRAP>
 ----
-===== Allow traffic from CLEAR interface to Internet =====
+===== Allow traffic from CLEAR interface to the Internet =====
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-We identify traffic destined for the internet as to an interface which is NOT a LOCAL_SUBNETS.
 Navigate to **Firewall -> Rules**.
@@ Line 297: / Line 122: @@
 Select **CLEAR**.
-  * Click **↴+Add**.
+  * Click **Add (up arrow)**.
   * Action:  **Pass**.
   * Disabled:  **Not Checked**.
   * Interface:  **CLEAR**
   * Address Family:  **IPv4**.
-  * Protocol: **TCP/UDP**.
+  * Protocol: **ANY**.
   * Source:  **CLEAR net**.
-  * Destination:
+  * Destination:  **any**.
-    * Invert Match:  **Checked**.
-    * Single Host or alias:  **LOCAL_SUBNETS**.
-  * Destination Port Range:
-    * From:  **Other**
-    * Custom:  **Allowed_OUT_Ports_WAN**.
-    * To:  **Other**.
-    * Custom:  **Allowed_OUT_Ports_WAN**.
-  * Log:  **Not Checked**.
-  * Description:  **CLEAR - Allow traffic to WAN**.
-<WRAP info>
-**NOTE:**  On the **CLEAR** network no redirection is made for DNS (port 53) or NTP (port 123) traffic, so this rule will also allow this traffic out.
-</WRAP>
-----
-===== Block unknown IPv4 =====
-<WRAP center round todo 60%>
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-  * Click **↴+Add**
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **CLEAR**.
-  * Address Family:  **IPv4**.
-  * Protocol:  **Any**.
-  * Source:  **Any**.
-  * Destination:  **Any**.
   * Log:  **Checked**.
-  * Description:  **CLEAR - Block IPv4**.
+  * Description:  **Allow CLEAR to any**.
-  * Click **Save**.
 <WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
+**NOTE:**  This allows users of the CLEAR network to access the internet.
 </WRAP>
 ----
-===== Block unknown IPv6 =====
+The final ruleset for the CLEAR will be:
-<WRAP center round todo 60%>
+{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_clear.png?800|}}
-TODO:  Not currently used.  Check this out and update etc.
-</WRAP>
-  * Click **↴+Add**.
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **CLEAR**.
-  * Address Family:  **IPv6**.
-  * Protocol:  **Any**.
-  * Source:  **Any**.
-  * Destination:  **Any**.
-  * Log:  **Not Checked**.
-  * Description:  **CLEAR - Block IPv6**.
-  * Click **Save**.
-<WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
-</WRAP>
 ----
 ====== IOT Firewall Rules ======
+Navigate to **Firewall -> Rules -> IOT**.
 IOT devices should be prevented from accessing anything that is not-essential to them.
@@ Line 377: / Line 154: @@
   * Allow ICMP pings to facilitate debugging.
+  * Redirect any non-local DNS lookups.
+  * Redirect any non-local NTP time lookups.
   * Deny traffic to other internal interfaces.
   * Deny traffic to any local networks.
   * Allow internet traffic via default gateway.
-  * Redirect any non-local DNS lookups.
-  * Redirect any non-local NTP time lookups.
   * Reject any other traffic.
@@ Line 399: / Line 176: @@
   * Log:  **Not Checked**.
   * Description:  **IOT - Allow ICMP Ping**.
-----
-===== Deny traffic to other internal interfaces =====
-Navigate to **Firewall -> Rules**.
-Click **IOT**.
-  * Click **↴+Add**.
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **IOT**
-  * Address Family:  **IPv4**
-  * Protocol:  **TCP/UDP**.
-  * Source:  **IOT net**.
-  * Destination:
-    * Invert match:  **Checked**.
-    * **Single host or alias**.
-    * Address:  **LOCAL_SUBNETS**.
-  * Destination Port Range:
-    * From: **Any**.
-    * To:  **Any**.
-  * Log:  **Not Checked**.
-  * Description:  **IOT - Reject internal interfaces**.
-  * Click **Save**.
 ----
@@ Line 501: / Line 252: @@
 There should be two rules created for the NTP and DNS redirects at the bottom.
+----
+===== Reject traffic to other internal interfaces =====
+Navigate to **Firewall -> Rules**.
+Click **IOT**.
+  * Click **↴+Add**.
+  * Action:  **Reject**.
+  * Disabled:  **Not Checked**.
+  * Interface:  **IOT**
+  * Address Family:  **IPv4**
+  * Protocol:  **TCP/UDP**.
+  * Source:  **IOT net**.
+  * Destination:
+    * Invert match:  **Not Checked**.
+    * **Single host or alias**.
+    * Address:  **LOCAL_SUBNETS**.
+  * Destination Port Range:
+    * From: **Any**.
+    * To:  **Any**.
+  * Log:  **Not Checked**.
+  * Description:  **IOT - Reject internal interfaces**.
+  * Click **Save**.
+<WRAP info>
+**NOTE:**  Reject is used, instead of Block, as it returns quicker.
+</WRAP>
 ----
@@ Line 521: / Line 302: @@
     * To:  **Any**.
   * Log:  **Not Checked**.
-  * Description:  **IOT - Pass WAN**.
+  * Description:  **IOT - Allow traffic to WAN**.
   * Click **Save**.
@@ Line 563: / Line 344: @@
 **NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
 </WRAP>
+----
+The final ruleset for the IOT will be:
+{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_iot.png?800|}}
 ----
@@ Line 613: / Line 401: @@
   * Source:  **GUEST net**.
   * Destination:
-    * Invert match:  **Checked**.
+    * Invert match:  **Not Checked**.
     * **Single host or alias**.
     * Address:  **LOCAL_SUBNETS**.
@@ Line 619: / Line 407: @@
     * From: **Any**.
     * To:  **Any**.
-  * Log:  **Not Checked**.
+  * Log:  **Checked**.
   * Description:  **GUEST - Reject internal interfaces**.
   * Click **Save**.
@@ Line 634: / Line 422: @@
   * Interface:  **GUEST**
   * Address Family:  **IPv4**.
-  * Protocol:  **TCP/UDP**
+  * Protocol:  **any**
   * Source:  **GUEST net**.
-  * Destination
+  * Destination:  **any**.
-    * Invert match:  **Checked**.
-    * **Single host or alias**.
-    * Address:  **LOCAL_SUBNETS**.
-  * Destination Port Range:
-    * From:  **Any**.
-    * To:  **Any**.
   * Log:  **Not Checked**.
-  * Description:  **GUEST - Pass WAN**.
+  * Description:  **Allow GUEST to any**.
   * Click **Save**.
@@ Line 654: / Line 436: @@
 ----
-===== Block unknown IPv4 =====
+The final ruleset for the GUEST will be:
-  * Click **↴+Add**
+{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_guest.png?800|}}
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **GUEST**.
-  * Address Family:  **IPv4**.
-  * Protocol:  **Any**.
-  * Source =  **Any**.
-  * Destination:  **Any**.
-  * Log:  **Checked**.
-  * Description:  **GUEST - Block IPv4**.
-  * Click **Save**.
-<WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
-</WRAP>
-----
-===== Block unknown IPv6 =====
-  * Click **↴+Add**.
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **GUEST**.
-  * Address Family:  **IPv6**.
-  * Protocol:  **Any**.
-  * Source:  **Any**.
-  * Destination:  **Any**.
-  * Log:  **Not Checked**.
-  * Description:  **GUEST - Block IPv6**.
-  * Click **Save**.
-<WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
-</WRAP>
 ----