Differences

This shows you the differences between two versions of the page.

--- pfsense:install_pfsense:create_firewall_rules [2021/01/05 17:48] – [Deny traffic to other internal interfaces] peter
+++ pfsense:install_pfsense:create_firewall_rules [2022/10/20 09:12] (current) – [IOT Firewall Rules] peter
@@ Line 12: / Line 12: @@
 ====== LAN Firewall Rules ======
+Navigate to **Firewall -> Rules -> LAN**.
 LAN Firewall rules will cover:
@@ Line 79: / Line 81: @@
 ====== CLEAR Firewall Rules ======
+Navigate to **Firewall -> Rules -> CLEAR**.
 The requirements for this interface are:
@@ Line 142: / Line 146: @@
 ====== IOT Firewall Rules ======
+Navigate to **Firewall -> Rules -> IOT**.
 IOT devices should be prevented from accessing anything that is not-essential to them.
@@ Line 148: / Line 154: @@
   * Allow ICMP pings to facilitate debugging.
+  * Redirect any non-local DNS lookups.
+  * Redirect any non-local NTP time lookups.
   * Deny traffic to other internal interfaces.
   * Deny traffic to any local networks.
   * Allow internet traffic via default gateway.
-  * Redirect any non-local DNS lookups.
-  * Redirect any non-local NTP time lookups.
   * Reject any other traffic.
@@ Line 170: / Line 176: @@
   * Log:  **Not Checked**.
   * Description:  **IOT - Allow ICMP Ping**.
-----
-===== Reject traffic to other internal interfaces =====
-Navigate to **Firewall -> Rules**.
-Click **IOT**.
-  * Click **↴+Add**.
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **IOT**
-  * Address Family:  **IPv4**
-  * Protocol:  **TCP/UDP**.
-  * Source:  **IOT net**.
-  * Destination:
-    * Invert match:  **Checked**.
-    * **Single host or alias**.
-    * Address:  **LOCAL_SUBNETS**.
-  * Destination Port Range:
-    * From: **Any**.
-    * To:  **Any**.
-  * Log:  **Not Checked**.
-  * Description:  **IOT - Reject internal interfaces**.
-  * Click **Save**.
-<WRAP info>
-**NOTE:**  Reject is used, instead of Block, as it returns quicker.
-</WRAP>
 ----
@@ Line 276: / Line 252: @@
 There should be two rules created for the NTP and DNS redirects at the bottom.
+----
+===== Reject traffic to other internal interfaces =====
+Navigate to **Firewall -> Rules**.
+Click **IOT**.
+  * Click **↴+Add**.
+  * Action:  **Reject**.
+  * Disabled:  **Not Checked**.
+  * Interface:  **IOT**
+  * Address Family:  **IPv4**
+  * Protocol:  **TCP/UDP**.
+  * Source:  **IOT net**.
+  * Destination:
+    * Invert match:  **Not Checked**.
+    * **Single host or alias**.
+    * Address:  **LOCAL_SUBNETS**.
+  * Destination Port Range:
+    * From: **Any**.
+    * To:  **Any**.
+  * Log:  **Not Checked**.
+  * Description:  **IOT - Reject internal interfaces**.
+  * Click **Save**.
+<WRAP info>
+**NOTE:**  Reject is used, instead of Block, as it returns quicker.
+</WRAP>
 ----
@@ Line 296: / Line 302: @@
     * To:  **Any**.
   * Log:  **Not Checked**.
-  * Description:  **IOT - Pass WAN**.
+  * Description:  **IOT - Allow traffic to WAN**.
   * Click **Save**.
@@ Line 338: / Line 344: @@
 **NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
 </WRAP>
+----
+The final ruleset for the IOT will be:
+{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_iot.png?800|}}
 ----
@@ Line 388: / Line 401: @@
   * Source:  **GUEST net**.
   * Destination:
-    * Invert match:  **Checked**.
+    * Invert match:  **Not Checked**.
     * **Single host or alias**.
     * Address:  **LOCAL_SUBNETS**.
@@ Line 394: / Line 407: @@
     * From: **Any**.
     * To:  **Any**.
-  * Log:  **Not Checked**.
+  * Log:  **Checked**.
   * Description:  **GUEST - Reject internal interfaces**.
   * Click **Save**.
@@ Line 409: / Line 422: @@
   * Interface:  **GUEST**
   * Address Family:  **IPv4**.
-  * Protocol:  **TCP/UDP**
+  * Protocol:  **any**
   * Source:  **GUEST net**.
-  * Destination
+  * Destination:  **any**.
-    * Invert match:  **Checked**.
-    * **Single host or alias**.
-    * Address:  **LOCAL_SUBNETS**.
-  * Destination Port Range:
-    * From:  **Any**.
-    * To:  **Any**.
   * Log:  **Not Checked**.
-  * Description:  **GUEST - Pass WAN**.
+  * Description:  **Allow GUEST to any**.
   * Click **Save**.
@@ Line 429: / Line 436: @@
 ----
-===== Block unknown IPv4 =====
+The final ruleset for the GUEST will be:
-  * Click **↴+Add**
+{{:pfsense:install_pfsense:pfsense_-_firewall_-_rules_-_guest.png?800|}}
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **GUEST**.
-  * Address Family:  **IPv4**.
-  * Protocol:  **Any**.
-  * Source =  **Any**.
-  * Destination:  **Any**.
-  * Log:  **Checked**.
-  * Description:  **GUEST - Block IPv4**.
-  * Click **Save**.
-<WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
-</WRAP>
-----
-===== Block unknown IPv6 =====
-  * Click **↴+Add**.
-  * Action:  **Reject**.
-  * Disabled:  **Not Checked**.
-  * Interface:  **GUEST**.
-  * Address Family:  **IPv6**.
-  * Protocol:  **Any**.
-  * Source:  **Any**.
-  * Destination:  **Any**.
-  * Log:  **Not Checked**.
-  * Description:  **GUEST - Block IPv6**.
-  * Click **Save**.
-<WRAP info>
-**NOTE:**  Reject is used rather than block on internal interfaces to provide a response to any programs trying to send traffic preventing delays associated with waiting for time outs to occur.
-</WRAP>
 ----