pfSense
The pfSense project is a free open source customized distribution of FreeBSD tailored for use as a firewall and router entirely managed by an easy-to-use web interface. No FreeBSD knowledge is required to deploy and use pfSense software.
In this article, we'll configure Firewall Floating Rules, Aliases, and Firewall Rules (Firewall policies) as well as apply them to the LAN interface under pfSense Firewall configuration.
We've previously written an article that covers adding a LAN interface; it is useful background for this one.
1. Floating Rules
Floating Rules are a type of advanced rule that can perform complicated actions not possible with rules on interface or group tabs. They can act on multiple interfaces in the inbound, outbound, or both directions. The combination of inbound and outbound filtering makes floating rules more complex to design and more prone to user error, so they need care; even so, they are preferable to duplicating the same rule on every interface.
Because TCP port 1337 was flagged as a threat, we'll close it to stop any backdoor from listening on it.
Here, we use a single floating rule to stop the LAN and WAN interfaces from accepting connections on port 1337 instead of configuring a separate rule for each interface.
By default this port is open, so you can connect to it; run this command:
$ telnet pfsense_IP 1337
Navigate to Firewall > Rules > Floating > Add
Action > Reject
Interface > LAN and WAN (hold the Ctrl key to select both)
Destination port > 1337
Log > Log Packets that are handled by this rule
Description > enter a description for the rule
Save > Apply Changes
Try to connect to port 1337 again; the connection will now be refused. Run this command:
$ telnet pfsense_IP 1337
To see the logs, navigate to Status > System Logs > Firewall
Apply a filter with Destination Port 1337
2. Firewall Aliases
Aliases define a group of ports, hosts, or networks. They can greatly simplify a ruleset and make it easier to understand and manage.
In this section, we'll allow only ports 80, 443, 22 and 53 for TCP connections and block all other ports.
Navigate to Firewall > Aliases > Ports > Add
Complete these fields:
Name
Description
Type > ports
Ports > 80, 443, 22, 53 > Save
Then add a second alias for ports 53 and 123 for UDP connections.
Complete these fields:
Name
Description
Type > ports
Ports > 53, 123 > Save > Apply Changes
To apply these aliases on the LAN interface, navigate to Firewall > Rules > LAN > Add
Note: pfSense evaluates the rules in order from top to bottom, and the first matching rule wins, so make sure you place each rule in the position where you want it to take effect. You can drag and drop rules to reorder them.
For TCP connections:
Action > Pass
Protocol > TCP
Destination port range > the TCP alias name you defined > Save
For UDP connections:
Action > Pass
Protocol > UDP
Destination port range > the UDP alias name you defined > Save > Apply Changes
You must disable the rule [Default allow LAN to any rule] to prevent it from overriding our newly configured rules. (pfSense's separate anti-lockout rule, which keeps the web GUI and SSH ports reachable from LAN, is not affected by this; it is controlled under System > Advanced > Admin Access.)
Click the checkbox next to the rule
Action > Disable
Test any port from the alias of allowed ports (80, 443, 22, 53), for example SSH on port 22; run this command:
$ ssh user@LAN_IP
Now, try to connect to any port other than the allowed ones; your connection should be refused. To test LDAP on port 389, run this command:
$ telnet LAN_IP 389
3. Firewall Rules
Firewall rules control traffic passing through the firewall.
Because the aliases configured above only allow the defined TCP and UDP ports, all other traffic is blocked by default, including ping requests. Run this command:
$ ping LAN_IP
Now, in this section, we'll allow ICMP (ping) with three subtypes: Echo Request, Time Exceeded and Destination Unreachable.
Navigate to Firewall > Rules > LAN > Add
Protocol > ICMP
ICMP Subtypes > Echo Request, Time Exceeded, Destination Unreachable (hold the Ctrl key to select all three) > Save > Apply Changes
Test ping from the terminal; run this command:
$ ping LAN_IP
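To make the ordering note, the disabled default LAN rule and the floating reject concrete, here is an added model (not pfSense's own code) of how pf evaluates the ruleset built in this article: first matching quick rule wins, otherwise the last non-quick match, otherwise the implicit deny. The alias names are assumed, and the floating rule is assumed to have pfSense's Quick option set; interface-tab rules are always quick.

```python
"""Added model of pfSense/pf rule evaluation for this article's ruleset."""
from dataclasses import dataclass

# Port aliases from the article; the alias names are assumed.
ALIASES = {"allowed_tcp": {80, 443, 22, 53}, "allowed_udp": {53, 123}}
ICMP_OK = {"echoreq", "timex", "unreach"}  # Echo Request, Time Exceeded, Dest. Unreachable


@dataclass
class Rule:
    action: str              # "pass", "block" or "reject"
    proto: str               # "tcp", "udp", "icmp" or "any"
    ifaces: frozenset        # interfaces the rule is bound to
    dports: frozenset = None     # destination ports (None = any)
    icmp_types: frozenset = None  # ICMP subtypes (None = any)
    quick: bool = True       # interface-tab rules are always quick in pfSense
    enabled: bool = True
    desc: str = ""

    def matches(self, iface, proto, dport, icmp_type):
        if iface not in self.ifaces or self.proto not in ("any", proto):
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return self.icmp_types is None or icmp_type in self.icmp_types


def evaluate(rules, iface, proto, dport=None, icmp_type=None):
    """pf semantics: first matching quick rule wins; otherwise the last
    matching non-quick rule wins; no match at all means the implicit block."""
    last = None
    for r in rules:
        if r.enabled and r.matches(iface, proto, dport, icmp_type):
            if r.quick:
                return r.action, r.desc
            last = r
    return (last.action, last.desc) if last else ("block", "implicit default deny")


def build_ruleset(default_allow_enabled):
    """Floating rules are processed before interface rules; the default
    'allow LAN to any' rule sits above the rules added later on the LAN tab."""
    lan, both = frozenset({"lan"}), frozenset({"lan", "wan"})
    return [
        # Floating reject on TCP/1337, assumed to have the Quick option set.
        Rule("reject", "tcp", both, frozenset({1337}), desc="floating reject 1337"),
        Rule("pass", "any", lan, enabled=default_allow_enabled, desc="Default allow LAN to any"),
        Rule("pass", "tcp", lan, frozenset(ALIASES["allowed_tcp"]), desc="allow TCP alias"),
        Rule("pass", "udp", lan, frozenset(ALIASES["allowed_udp"]), desc="allow UDP alias"),
        Rule("pass", "icmp", lan, icmp_types=frozenset(ICMP_OK), desc="allow ICMP subtypes"),
    ]
```

With the default rule left enabled, TCP/389 from LAN is passed by "Default allow LAN to any" before the alias rules are reached, which is exactly why the article disables it.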