Firewall rules to further restrict traffic?

Question

So these are the rules I've implemented for my IoT VLAN network in pfSense. I wonder if I should restrict the outbound protocols, or just leave it on "Any", since there are other blocks in place?

[image: screenshot of the IoT VLAN firewall rules]


7 answers to this question


Those rules don't make a lot of sense without more context.

For starters, I take it your clients on this network are not using pfSense for DNS or time? Oh wait, your rules are only TCP? What exactly are you blocking in Management blocks, since I take it they are not on the firewall, since you're blocking everything to the firewall below that rule? But only TCP?

! rules or NOT rules can be problematic if you're using VIPs? Like pfBlocker? What exactly is in your Non_IOT alias?

Here are example rules that I like to use that are restrictive..

[image: screenshot of the example restrictive rules]

The rules are labeled with exactly what they do.. But quickly described:

1) Allow ping to the pfSense IP in this network, to test for connectivity

2) Allow DNS to the pfSense IP in this network

3) Allow NTP to the pfSense IP in this network

4) Block all other access to ANY IP on the firewall - this would be any other LAN side IP, or even the public WAN IP. And if that changes - still block per the built-in alias

5) Block all access to any RFC1918 addresses, i.e. my other local networks (10/8, 192.168/16, 172.16/12). This works no matter how many other VLANs/networks I might add in the future in any RFC1918 space.

6) Allow access to anything else - i.e. the internet on any port.

I use reject vs just block, since this will send an ICMP response to the client saying hey, you can not do that.. So the client doesn't have to send retransmissions trying to get an answer. This is something you would do locally, but never on a WAN rule, etc.. It should keep clients from having to wait for a timeout trying to do something and let them know right away - hey, you can not go there..

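To see how the six rules above interact under pfSense's first-match evaluation, here is an added example (not from the thread and not pfSense's own code) that models them as a small rule evaluator and contrasts them with a TCP-only block like the one in the question. The interface address, the other "This Firewall" addresses, the VLAN ranges and the ports are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing: pfSense's IoT-VLAN address plus the other
# addresses that pfSense's built-in "This Firewall" alias would cover.
IOT_IF_IP = "10.0.50.1"
THIS_FIREWALL = {IOT_IF_IP, "192.168.1.1", "203.0.113.10"}   # LAN IP, public WAN IP
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_firewall(dst):
    return dst in THIS_FIREWALL

def is_rfc1918(dst):
    return any(ip_address(dst) in net for net in RFC1918)

# Each rule: (action, protocol or "any", destination matcher, dest port or None, label).
# Rules are evaluated top to bottom and the first match wins, as on a pfSense interface tab.
RESTRICTIVE = [
    ("pass",   "icmp", lambda d: d == IOT_IF_IP, None, "1) ping pfSense IoT IP"),
    ("pass",   "udp",  lambda d: d == IOT_IF_IP, 53,   "2) DNS to pfSense"),
    ("pass",   "tcp",  lambda d: d == IOT_IF_IP, 53,   "2) DNS to pfSense"),
    ("pass",   "udp",  lambda d: d == IOT_IF_IP, 123,  "3) NTP to pfSense"),
    ("reject", "any",  is_firewall,              None, "4) reject other access to This Firewall"),
    ("reject", "any",  is_rfc1918,               None, "5) reject all RFC1918"),
    ("pass",   "any",  lambda d: True,           None, "6) allow anything else"),
]

# The question's approach reduced to its key trait: the block only matches TCP.
TCP_ONLY_BLOCK = [
    ("block", "tcp", is_firewall,    None, "block TCP to This Firewall"),
    ("pass",  "any", lambda d: True, None, "allow any"),
]

def evaluate(proto, dst, dport=None, rules=RESTRICTIVE):
    """Return (action, label) of the first matching rule; default deny if none match."""
    for action, rproto, match, rport, label in rules:
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if match(dst):
            return action, label
    return "block", "default deny"

if __name__ == "__main__":
    for pkt in (("udp", IOT_IF_IP, 53), ("tcp", "203.0.113.10", 22),
                ("tcp", "192.168.60.5", 80), ("tcp", "1.1.1.1", 443)):
        print(pkt, "->", evaluate(*pkt))
    # A UDP service on the firewall's LAN address slips past a TCP-only block.
    print(("udp", "192.168.1.1", 161), "->", evaluate("udp", "192.168.1.1", 161, TCP_ONLY_BLOCK))
```

Note that 192.168.60.5 belongs to no alias in the list, yet rule 5 still rejects it, which is the point made above about future VLANs; the last line shows why a TCP-only block does not cover UDP services on the firewall.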


Sorry for the long delay in replying, my whole network was down at home due to renovation. Anyway I'm back up again!

 

Clients on the IoT network reach out to Cloudflare for DNS. Didn't think of NTP actually! Maybe they are syncing with the UniFi controller for it? The reason I blocked only TCP is because I thought those are web access only, 80 and 443. Though now that you mention this specifically, I realise it is actually wrong. Forgive my ignorance! 😔

The Management Blocks alias has the access IPs of my virtualisation host XEN server, UniFi Controller, Pi-Hole and OpenMediaVault. Sorry, I don't understand what you mean by them not being on the firewall though. TCP only again because of my reasoning above.

 

I am using pfBlockerNG, but only for GeoIP blocking. The DNS filtering is disabled as I have Pi-Hole handling that. The Non_IoT alias has all my other networks - Trusted, Guest, WiFi, Servers and Pi-Hole. Pi-Hole is on its own VLAN based on your advice to achieve a proper DNS redirect for devices that have hardcoded DNS servers. Curious, what problems can it cause? Everything seems to be working here. Or maybe there is something already wrong, and I just don't know about it!


I also have this rule setup for redirecting DNS to my Pi-Hole. How do I specify a DNS rule for my restricted networks keeping this in mind?

[image: screenshot of the DNS redirect NAT rule]


So you're blocking IoT devices from talking to 80/443 anywhere - not just the firewall? So what are they doing on the internet if they can not use 80/443 - your management ports? Guess they could use QUIC, which is over UDP..

What is on your firewall on 10443 that you don't want them to talk to? What about SSH to the public IP?

I gave you an example of how it is normally done, not with those ! rules... Which, if you're using VIPs with pfBlocker, could not work how you think they are going to work.

Wouldn't an alias of your local networks be better called just local_nets, or how about you just use all RFC1918 space?

No, your rules are not how I would do them at all, and are not very intuitive to look at.. That redirect rule is only on your LAN, so it has zero to do with your IoT VLAN..


Oh ok, so by blocking TCP connections to pfSense, I am actually blocking these devices completely from using 80 and 443? Didn't realise that! But all the devices connect and work just fine, remotely as well. So they have found a way out! :blink:

 

With my limited knowledge or ignorance, I just wanted to prevent access to the login page of pfSense, that is why I put in that rule. :blush:

So that means the Management Block rules are all wrong? Or just specifying a rule like yours called "Block all other access pfSense IPS" takes care of it? But your rule specifies "This Firewall" only. Sorry, this is a bit confusing to me.

 

I don't allow access to SSH by itself remotely. I VPN in if I need to.

 

The only problem (that I know of) that I faced with pfBlocker was that enabling another instance of Pi-Hole exclusively for the IoT network caused connection issues. Disabling pfBlocker seemed to solve them, so I just removed Pi-Hole and continued with pfBlocker. Probably caused other issues too (and still does), but I have no idea! :blush:

 

The reason I set up individual aliases like Non_IoT was because I specified all other local networks in them, excluding the one I wanted to prevent blocking. So Non_IoT for example has LAN, Servers, Restricted and Guests in it. Non_Servers has all networks except Servers. And so on. So you're saying I can just have one alias for local networks for each individual network? How do I do this?

Oh ok, I thought as much, the DNS redirect rule shouldn't affect other networks, just wanted to confirm! :)


This topic was automatically locked because it did not receive any replies for a year. If you want to have this topic reopened

  • please contact any staff moderator or
  • report the first post of the topic with the reason why it should be reopened.

Thank you.
