
pfSense Notes

pfSense is a great firewall with many “enterprise” features. However, if you are not used to the lingo, it can be confusing.

Terms

  • Direction - Describes how the traffic flows. Web traffic from the WAN interface is said to flow into the firewall. Web browser traffic from internal workstations flows out of the LAN to the WAN.
  • WAN - The interface exposed to the internet.
  • DMZ (demilitarized zone) - “A DMZ Network is a perimeter network that protects and adds an extra layer of security to an organization’s internal local-area network from untrusted traffic. A common DMZ is a subnetwork that sits between the public internet and private networks.”
  • LAN - The interface exposed to the internal network.
  • Destination - This is the interface on which the connection comes into the firewall. Sometimes, but not always, the WAN connection.
  • NAT - Network Address Translation
  • Rules - Logic rules specifying the exact type of traffic and what to do with it. A rule generally will NAT or translate the IP address from outside to inside using the same port number.
    Example: ###.###.###.###:80 -> 10.1.1.5:80
    • Pass - Allow the traffic to pass or go through
    • Block - The traffic is dropped silently. Since the sender will usually wait, it “wastes” their time.
    • Deny - A packet is returned immediately to the sender with a failure.
  • Port forward or NAT - Similar to a Rule except the port can also be NATed.
    Example: ###.###.###.###:8080 -> 10.1.1.5:80
  • Inbound traffic - Traffic coming from the internet into the DMZ or into the LAN.
  • Outbound traffic - Traffic coming from the LAN to the DMZ or the WAN connection.
  • Aliases - A shorthand term to describe one or more IP addresses/ranges, ports or URLs. Why? Instead of “hardcoding” a port, port range or a list of ports in multiple places, you can group them under one alias and then use the alias in multiple places.

Webserver example

Typical web server DMZ configuration:

  • Inbound traffic (HTTP/HTTPS) can enter from the internet and is redirected to the web server within the DMZ.
  • The database used by the web site is hosted internally but not in the DMZ.
  • Developers on the internal network can contact the webserver(s) in the DMZ but only using SSH/SFTP.
  • The webserver traffic cannot enter the internal LAN because it should not need to. This prevents a “hacked” webserver from entering the internal network.

This allows the firewall to strictly control what type of traffic crosses from the LAN, DMZ and WAN interfaces.

  • Database traffic (port 3306 for MySQL) only needs to go from the DMZ to the LAN. DB traffic never should come in through the WAN connection.
  • SSH/SFTP traffic should never enter from the WAN and never from the DMZ to the LAN.
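
The policy above can be checked before it is clicked into the GUI. The following is an added example, not part of the original post and not pfSense's own code: a small Python model of per-interface, first-match rules with aliases, where anything unmatched is blocked. The subnets, host addresses and alias names are constructed assumptions.

```python
import ipaddress

# Aliases: one name per port set or network (all values are constructed samples).
ALIASES = {
    "web_ports": {80, 443},
    "db_ports": {3306},
    "admin_ports": {22},            # SSH/SFTP
    "web_server": "10.10.10.100/32",  # host in the DMZ
    "db_server": "10.1.1.5/32",       # host on the LAN
    "lan_net": "10.1.1.0/24",
    "any": "0.0.0.0/0",
}

# Rules are attached to the interface where the connection ENTERS the firewall
# and are read top-down; the first match wins. Tuple: (action, src, dst, ports).
# The WAN rule uses the internal web server address because filtering happens
# after the port forward has translated the destination.
RULES = {
    "WAN": [("pass", "any", "web_server", "web_ports")],
    "DMZ": [("pass", "web_server", "db_server", "db_ports")],
    "LAN": [("pass", "lan_net", "web_server", "admin_ports")],
}

def _member(addr, alias):
    """True if addr falls inside the network named by alias."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(ALIASES[alias])

def evaluate(iface, src, dst, port):
    """Decide the fate of a new TCP connection arriving on iface."""
    for action, src_alias, dst_alias, port_alias in RULES.get(iface, []):
        if (_member(src, src_alias) and _member(dst, dst_alias)
                and port in ALIASES[port_alias]):
            return action
    return "block"  # nothing matched: default deny

if __name__ == "__main__":
    # Constructed test flows: (entering interface, source, destination, port)
    flows = [
        ("WAN", "203.0.113.7", "10.10.10.100", 443),   # public web traffic
        ("WAN", "203.0.113.7", "10.1.1.5", 3306),      # DB from the internet
        ("DMZ", "10.10.10.100", "10.1.1.5", 3306),     # web server to DB
        ("DMZ", "10.10.10.100", "10.1.1.20", 22),      # web server into LAN
        ("LAN", "10.1.1.20", "10.10.10.100", 22),      # developer SSH/SFTP
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```

The model applies default deny on every interface, including the LAN, so a LAN workstation reaching the web server on anything other than SSH/SFTP is blocked as well.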

Example Port Forward Rule


  • Any IP address inbound using TCP,
  • On port 8080,
  • Redirected to IP address 10.10.10.100,
  • Redirected to port 80,
  • Allow traffic

Wise words on Rules

Default Deny

There are two basic philosophies in computer security related to access control: default allow and default deny. A default deny strategy for firewall rules is the best practice. Firewall administrators should configure rules to permit only the bare minimum required traffic for the needs of a network, and let the remaining traffic drop with the default deny rule built into pfSense® software. In following this methodology, the number of deny rules in a ruleset will be minimal. They still have a place for some uses, but will be minimized in most environments by following a default deny strategy.

In a default two-interface LAN and WAN configuration, pfSense software utilizes default deny on the WAN and default allow on the LAN. Everything inbound from the Internet is denied, and everything out to the Internet from the LAN is permitted. All home grade routers use this methodology, as do all similar open source projects and most similar commercial offerings. It’s what most people expect out of the box, therefore it is the default configuration. That said, while it is a convenient way to start, it is not the recommended means of long-term operation.

pfSense software users often ask “What bad things should I block?” but that is the wrong question as it applies to a default allow methodology. Noted security professional Marcus Ranum includes default permit in his “Six Dumbest Ideas in Computer Security” paper, which is recommended reading for any security professional. Permit only what a network requires and avoid leaving the default allow all rule on the LAN and adding block rules for “bad things” above the permit rule.

Source: https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html

This post is licensed under CC BY 4.0 by the author.