Friday, July 29, 2016

Limiting Outbound Ports in pfSense by Interface

In this article, I will cover limiting outbound port traffic, typically done for an interface such as a DMZ (Demilitarized Zone, borrowing the term for the buffer zone between hostile countries) network: a place for systems, or devices such as the isolated "Internet of Things" network from a previous article, that you do not want on your LAN because of security concerns. Limiting ports restricts the network to only the traffic you want to allow, for example TCP ports 80 (HTTP) and 443 (HTTPS) for web content. Basic services like DNS (TCP and UDP port 53) and NTP (Network Time Protocol, UDP port 123) should also be allowed so that the systems on that network keep working.

This is the main grouping of my DMZ rules limiting outbound traffic by port (along with the defined names and aliases they reference):

Any outside equipment that should not be reachable from systems on the DMZ interface is collected in an alias and blocked (with logging enabled) by the first rule. Access to the pfSense interfaces themselves is blocked by the next rule. The next two rules explicitly block traffic from the DMZ to my administrative network and to the LAN, although you may have an inverse rule on those interfaces to reach something like a web server hosted within your DMZ. Order matters here: pfSense evaluates interface rules from the top down and the first match wins, so these block rules must sit above any pass rules.

My next rule is an "any-any" pass rule that is disabled. It is placed there for troubleshooting when you might be locking down ports too tightly, and can be quickly toggled on to allow all ports and determine whether the firewall is the issue. Disable it again after adding the correct port(s). I also turn off outbound ping (ICMP) from the DMZ, but keep a disabled rule (the last one) to enable that functionality if necessary.

Four rules are in place to allow basic web browsing (both HTTP and HTTPS) from the DMZ interface; the clients there are assigned a DHCP address and DNS by a wireless access point (WAP). Specific web addresses are also blocked on that WAP. More details are in an earlier blog post on setting up a "guest" wireless network.
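To make the ordering concrete, here is an added example (not from the original post, and not pfSense's own code) that models the DMZ rule set described above as an ordered list and evaluates constructed flows against it with the same first-match semantics pfSense uses. The address plan, alias names and rule descriptions are assumptions for illustration; the allowed services (DNS, NTP, HTTP, HTTPS) follow the introduction, and the two disabled rules (the any-any troubleshooting rule and the outbound ping rule) are kept in the list so you can see what toggling them changes.

```python
"""Model of a pfSense DMZ outbound rule set with first-match evaluation.

Constructed illustration; address ranges and alias names are assumptions,
not the addresses used in the original post.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Hypothetical aliases, as you would define them under Firewall > Aliases.
ALIASES = {
    "LAN_net": ["192.168.1.0/24"],
    "ADMIN_net": ["192.168.10.0/24"],
    "This_Firewall": ["192.168.50.1/32", "192.168.1.1/32", "192.168.10.1/32"],
    "Protected_Equipment": ["203.0.113.10/32", "203.0.113.20/32"],
}


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp", "icmp" or "any"
    dst: str               # alias name or "any"
    dports: tuple = ()     # destination ports; empty means any port
    enabled: bool = True   # disabled rules stay in the list but are skipped
    log: bool = False
    descr: str = ""


# Same order as the post: blocks first, the disabled any-any troubleshooting
# rule, the allowed services, and a disabled rule for outbound ping.
DMZ_RULES = [
    Rule("block", "any", "Protected_Equipment", log=True, descr="block protected equipment"),
    Rule("block", "any", "This_Firewall", descr="block access to pfSense itself"),
    Rule("block", "any", "ADMIN_net", descr="block DMZ to admin network"),
    Rule("block", "any", "LAN_net", descr="block DMZ to LAN"),
    Rule("pass", "any", "any", enabled=False, descr="TROUBLESHOOTING any-any"),
    Rule("pass", "tcp/udp", "any", (53,), descr="DNS"),
    Rule("pass", "udp", "any", (123,), descr="NTP"),
    Rule("pass", "tcp", "any", (80,), descr="HTTP"),
    Rule("pass", "tcp", "any", (443,), descr="HTTPS"),
    Rule("pass", "icmp", "any", enabled=False, descr="outbound ping (enable if needed)"),
]


def _addr_matches(alias, ip):
    """True when ip falls inside any network of the named alias ("any" matches all)."""
    if alias == "any":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in ALIASES[alias])


def _proto_matches(rule_proto, proto):
    return rule_proto == "any" or proto in rule_proto.split("/")


def evaluate(rules, proto, dst, dport=None):
    """Return (action, description) of the first enabled rule matching the flow.

    Interface rules in pfSense are evaluated top-down and the first match
    wins, so a block placed above a pass always takes precedence. A flow that
    matches nothing falls through to the implicit default deny.
    """
    for r in rules:
        if not r.enabled:
            continue
        if not _proto_matches(r.proto, proto) or not _addr_matches(r.dst, dst):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action, r.descr
    return "block", "default deny"


def with_rule_enabled(rules, descr_prefix):
    """Copy of the list with the rule whose description starts with
    descr_prefix switched on; models toggling a rule in the GUI."""
    return [replace(r, enabled=True) if r.descr.startswith(descr_prefix) else r
            for r in rules]


if __name__ == "__main__":
    # Constructed sample flows from a DMZ host (proto, destination, port).
    flows = [
        ("tcp", "93.184.216.34", 443),   # HTTPS to the Internet
        ("udp", "9.9.9.9", 53),          # DNS
        ("tcp", "192.168.1.50", 443),    # HTTPS into the LAN
        ("tcp", "203.0.113.10", 80),     # protected equipment
        ("tcp", "192.168.50.1", 443),    # pfSense web GUI
        ("tcp", "93.184.216.34", 22),    # SSH, not on the allow list
        ("icmp", "93.184.216.34", None), # ping
    ]
    for proto, dst, dport in flows:
        print(f"{proto:4} {dst:15} {str(dport):5} -> {evaluate(DMZ_RULES, proto, dst, dport)}")
    print("with any-any enabled, LAN is still blocked:",
          evaluate(with_rule_enabled(DMZ_RULES, "TROUBLESHOOTING"), "tcp", "192.168.1.50", 443))
```

The point of the last line is the one the rule order enforces: even with the troubleshooting any-any rule switched on, the DMZ still cannot reach the LAN, the admin network, the firewall itself or the protected equipment, because those blocks sit above it. Only traffic that fell through to the default deny (SSH in the sample) is affected by the toggle.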

That's all there is to structuring outbound rules per interface in pfSense. Of course, your LAN environment can be more complex, with things like gaming consoles needing other odd ports opened as needed, but UPnP (which opens those ports automatically on pfSense and other gateway devices and firewalls) can be controlled per interface in pfSense. Since UPnP lets any host on a segment open ports through the firewall without asking you, it should stay off on segments you do not trust; the WAP I use on my DMZ interface has UPnP disabled.

Stay tuned for other pfSense content, and ask questions in the comments section below...
