pfSense config tips

pfSense 2.2 dropped last week and, to pay homage, I’ve put together some configuration tips that I apply immediately post install. Yes, I am a biased pfSense user, going on five years, and I haven’t looked back. When I look at some of the crappy home gear that comes with a hefty price tag and lacks advanced features in comparison to my pfSense UTM, I find myself saying, “It don’t make sense, if it ain’t pfSense!”

OpenDNS

  • Force DNS requests from local clients to use the DNS Forwarder or Resolver on pfSense for resolution. I chose to use OpenDNS servers based on their reliability and reputation for filtering out malicious domains. I recommend checking out Blocking DNS queries to external resolvers.
  • The OpenDNS server IPs are 208.67.222.222 and 208.67.220.220

Firewalling Strategy

  • Employ egress filtering – Strive to allow only the minimum required outbound traffic. Allow what you know (e.g. web traffic on TCP 80 and 443, DNS queries on TCP/UDP 53), block the rest, and work through it by analyzing the firewall logs and fine-tuning the rules, making them as granular as possible.
  • Rulesets are evaluated from the top down on a first-match basis. Check out the ‘Firewall Rule Basics’ article for a quick overview.
  • Default deny – Most commercial routers come with default allow rules on the LAN, and pfSense is no exception. The best approach is to disable or remove the “Default LAN > any” rule. Check out the ‘Example basic configuration’ article, which gives a great understanding of how rules are set up.
  • Reduce log noise – Make sure your logs are not getting over-spammed with things such as NetBIOS broadcasts. Too much noise will overshadow the important messages that you want to see. Carefully analyze your logs and review the frequency of each kind of entry. Get a thorough understanding of what is generating the log entries, and only then decide whether it is something you deem safe to filter out.
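As an added example (not code from the original post or from the pfSense project), the following Python script does the frequency review the bullets above call for: it parses pfSense filterlog lines, tags NetBIOS broadcasts that are only noise, flags clients that try to bypass the pfSense resolver on port 53 (the OpenDNS forwarding setup described earlier), and tallies the blocked destination ports you would work through when tightening egress rules. The CSV field order follows the pfSense 2.2 filterlog format as I understand it; the LAN subnet, firewall address and log lines are constructed assumptions.

```python
"""Frequency analysis of pfSense filterlog lines: separate log noise from
rule gaps. Added example, not code from the original post or from pfSense.
Assumes the CSV layout pfSense 2.2 filterlog writes after the syslog prefix:
rule,sub-rule,anchor,tracker,interface,reason,action,direction,ip-version,
then the IPv4 header fields, then source,destination and TCP/UDP ports.
Sample lines, subnet and addresses below are constructed."""
from collections import Counter
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumption: LAN subnet
FIREWALL_DNS = {"192.168.1.1"}                      # assumption: pfSense LAN IP
NETBIOS_PORTS = {137, 138}

# Constructed sample filterlog lines; the first keeps its syslog prefix.
SAMPLE_LOG = """\
Jan 20 10:00:01 pfsense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,1,0,none,17,udp,78,192.168.1.50,192.168.1.255,137,137,58
5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,2,0,none,17,udp,78,192.168.1.50,192.168.1.255,137,137,58
5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,3,0,none,17,udp,229,192.168.1.50,192.168.1.255,138,138,209
7,16777216,,1000000104,em1,match,block,in,4,0x0,,64,4,0,DF,17,udp,60,192.168.1.60,8.8.8.8,51234,53,40
7,16777216,,1000000104,em1,match,block,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.70,203.0.113.9,40000,6667,0,S,1,,65535,,mss
9,16777216,,1000000105,em1,match,pass,in,4,0x0,,64,6,0,DF,6,tcp,60,192.168.1.70,198.51.100.5,40001,443,0,S,1,,65535,,mss
"""


def parse_filterlog(line):
    """Parse one filterlog line into a dict; returns None for non-IPv4 records."""
    if "filterlog:" in line:                      # drop the syslog prefix if present
        line = line.split("filterlog:", 1)[1]
    f = line.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "direction": f[7],
           "proto": f[16].lower(), "src": f[18], "dst": f[19],
           "sport": None, "dport": None}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def classify(rec):
    """Label a record so the reader can decide: filter it out, or tighten a rule."""
    dst = ipaddress.ip_address(rec["dst"])
    if (rec["proto"] == "udp" and rec["dport"] in NETBIOS_PORTS
            and dst == LAN_NET.broadcast_address):
        return "netbios_broadcast_noise"      # candidate for a no-log block rule
    if rec["dport"] == 53 and rec["dst"] not in FIREWALL_DNS:
        return "dns_bypass_attempt"           # client skipping the pfSense resolver
    if rec["action"] == "block":
        return "blocked_egress"               # review: legitimate need or not?
    return "allowed"


def summarise(text):
    """Return (label counts, blocked (proto, dport) counts) for a block of log text."""
    labels, blocked_ports = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        labels[classify(rec)] += 1
        if rec["action"] == "block" and rec["dport"] is not None:
            blocked_ports[(rec["proto"], rec["dport"])] += 1
    return labels, blocked_ports


if __name__ == "__main__":
    labels, blocked_ports = summarise(SAMPLE_LOG)
    for label, n in labels.most_common():
        print(f"{label:25s} {n}")
    print("most frequent blocked destinations (proto, port):")
    for (proto, port), n in blocked_ports.most_common(5):
        print(f"  {proto}/{port:<6d} {n}")
```

Run it against `clog /var/log/filter.log` output (or a syslog export) instead of the constructed sample; the point of the three labels is the decision each one drives: broadcast noise gets a block rule with logging turned off, DNS bypass attempts point at a client that needs the port 53 redirect, and the blocked-port tally is the worklist for deciding which egress rules are genuinely required.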

pfBlockerNG (coming soon?) – Update: pfBlockerNG v1.0 has been released for 2.2, thanks to developer BBcan177. I’ve had a chance to play with it a bit. I’ve added some block lists from Emerging Threats and so far so good. I’m already seeing some activity being logged because of the rules.

  • pfBlocker was a must-have package for pfSense that could be used to block IP ranges of spammers, botnets and/or entire countries. It would have made this list, but the package is outdated and has some noted issues with pfSense 2.2. Development is under way for its replacement, called pfBlockerNG. Keep a close eye on the forums for the latest news.

A special thanks to all the wonderful folks that contribute to the pfSense project. Your time and efforts are greatly admired and appreciated.


pfSense – Unified Threat Management Home Lab Project

…on why pfSense makes a lot of Sense: pfsense.org

  • Go far beyond the consumer grade WiFi gateway that sits on the shelf, collects dust and runs outdated firmware. No worries, you can make use of it as an AP.
  • Have an old PC lying around? Turn it into a pfSense box; It’s the green way of thinking.
  • Amazing Features: Stateful Firewall, Hardware Failover, Multi-WAN, Load Balancing, VPN, Dynamic DNS, Captive Portal, DHCP Server etc.
  • Additional 3rd Party Packages: Squid Proxy, Snort IDS/IPS, pfBlocker and more…
  • I highly recommend purchasing a copy of “pfSense – The Definitive Guide”. A great read, props to Chris Buechler and Jim Pingle.
  • Great user community and support to help you when you find yourself banging your fist or head against your desk.

For InfoSec folks it is an awesome project to not only protect the home network but reap the benefits of learning about firewalls, networking, intrusion detection and traffic analysis. I’ve used multi-port NICs and a couple of switches for LAN segmentation so I can test malware and various security tools without disrupting my home network and facing the wrath of my wife for bringing down her Facebook session. “Sorry Honey!”

My current LAB design:

Hardware:

  • pfSense box: Lenovo M58P (SFF), 1TB HDD, 8GB RAM. 3 x LAN ports
  • D-Link DIR-628 WiFi
  • MikroTik RB250GS switch
  • Netgear GS108T switch
  • Custom PC: Asus Maximus V Gene, Core i5, 16GB RAM, 4 x HDD, 3 x LAN port, Host OS = Windows 7 + mixed Windows/Linux VMs

Additional software:

  • Syslog Watcher – snmpsoft.com – Syslog parsing and reporting – Running on Windows 7 Host PC. Replaced with Splunk; see my post.
  • Snorby – snorby.org – Snort NIPS monitoring and traffic analysis – Running on CentOS VM

Stay tuned for more…
