Post on 26-May-2022
Jesse Vallejos
Firewall Report
Introduction
pfSense is open-source software that can be used to protect a network by
acting as a router and firewall. While this application has many viable uses, this report
will focus primarily on those related to firewall rules and configuration: more specifically, rules
that are used to allow and deny traffic, and rules that can block users from accessing specific sites
that are not needed to complete workplace tasks.
Allowing and Denying Traffic
The first set of rules to be discussed in this report are those that are used to allow and
deny traffic. These rules can be useful when the network needs to block certain features from
user access or restrict the users to only accessing the network over a specific port. For example,
consider a scenario where you want to use a pfSense firewall to ensure that clients that are not on
your private network can only access the server on port 80 (HTTP) and port 443 (HTTPS). In
this scenario, you would want to create three firewall rules on the WAN: two rules that allow
access to the server over port 80 and port 443, and one rule that blocks traffic to all ports.
To set up the rules that allow access over ports 80 and 443, you will need to use a web
browser to visit the IP address of your pfSense firewall’s LAN interface, then click on the firewall rules
tab. Since we are dealing with traffic that is not in our private network, we will then need to click
on the WAN rules. Once on this page, we will create a pass rule to allow all traffic with a
destination address of our server to access the server through port 80. Screenshot #1 below
represents the pass rule, while screenshot #2 sets the destination to the IP address of the server,
and the destination port range to port 80. As for creating a pass rule for port 443, the same steps
will be followed except the destination port range will say port 443 to port 443.
Screenshot #1
Screenshot #2
After creating the rules for allowing traffic over ports 80 and 443, you will want to make
sure to click the green “apply changes” tab seen on your firewall rules page. Failure to click this
tab will cause the rules to be ignored even though they appear in your rules list. Once you have
applied these rules, it is time to create a block rule to ensure that traffic is denied to all other
ports. Screenshot #3 below shows the creation of this block rule. Like the pass rules before, the
destination is set to the IP address of the server. However, this rule does not name any specific
ports, as we want to block traffic to the server on every port.
Screenshot #3
While it may seem problematic to include such a rule in our list, we can get around the
block rule by listing our pass rules higher in the rules list. pfSense evaluates the rules on an
interface from the top of the list down, and the first rule that matches a packet decides what
happens to it. So, if we put the block rule below our pass rules like in screenshot #4 below,
then we can restrict outside server access to only ports 80 and 443. This feature is useful when
the firewall needs to allow access to only a small number of ports because instead of blocking
every known port that isn’t 80 or 443, we can use one block rule, and add pass rules whenever a
new port needs to be granted access.
Screenshot #4
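The effect of rule order described above can be modelled in a few lines. This is an added example, not part of the original report or of pfSense itself: it evaluates a rule list top-down with first match winning and reports pass rules that an earlier rule makes unreachable. The `Rule` class, the helper names and the server address 192.0.2.10 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    dst: str               # destination IP address the rule applies to
    port: Optional[int]    # None means "any port"

    def matches(self, dst: str, port: int) -> bool:
        return self.dst == dst and self.port in (None, port)

SERVER = "192.0.2.10"  # constructed placeholder for the server's IP address

def evaluate(rules, dst, port):
    """Return the action of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(dst, port):
            return rule.action
    return "block"  # traffic that no rule on the interface passes is denied

def shadowed(rules):
    """Return rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.dst == rule.dst and earlier.port in (None, rule.port):
                dead.append(rule)
                break
    return dead

# Order from the report: pass rules above the catch-all block rule.
GOOD = [Rule("pass", SERVER, 80), Rule("pass", SERVER, 443), Rule("block", SERVER, None)]
# Same rules with the block rule moved to the top of the list.
BAD = [GOOD[2], GOOD[0], GOOD[1]]

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("bad", BAD)):
        verdicts = {p: evaluate(rules, SERVER, p) for p in (80, 443, 22, 445)}
        print(name, verdicts, "shadowed:", shadowed(rules))
```

With the block rule at the top, both pass rules are reported as shadowed and ports 80 and 443 are denied along with everything else.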
In addition to being able to allow and deny access to the server, a pfSense firewall can
also be used to control the access that outside clients possess. One example of this feature would
be blocking the ability to ping the server from outside of the private network. While pinging may
not seem like a huge deal, blocking it can actually increase the security of the server as there are
known attacks such as the Ping of Death, which aims to crash servers by sending oversized or
unusually formatted pings. For more information on these types of attacks, see the Ping of Death
link at the end of this report.
Now that we understand why one may wish to block pings, it is time to
discuss the rule that will be needed. To disable pinging, we need to create a WAN
rule that is set to block the ICMP protocol, as this is the protocol that ping relies on. Screenshot #5
demonstrates the creation of this rule. It should also be noted that pinging
can be enabled the same way, by setting the action to pass as opposed to block.
Screenshot #5
When pinging is enabled, an outside user should see results similar to those provided in
screenshot #6 below. Notice how the outside user was able to make contact with both the IP
address of the server and the firewall itself while maintaining 0% for its packet loss. In
comparison to this image, screenshot #7 was provided to demonstrate ping results after the ICMP
block rule was added. In this image, neither the firewall nor the server itself could be reached and
100% packet loss was recorded.
Screenshot #6
Screenshot #7
Along with blocking the ICMP protocol, a pfSense firewall can be used to block
file-sharing abilities with an outside user. To demonstrate this ability, the firewall needed to have
block rules implemented to stop the SMB protocol. While there is no direct protocol rule for
blocking SMB traffic, file sharing can still be prevented by adding block rules for ports 445 and
139. Screenshot #8 demonstrates the two rules that were created to prevent file sharing. Notice
how these rules are similar to the pass rules added before, but with different actions, protocols,
and ports.
Screenshot #8
Now that these file-sharing rules have been implemented, it is time to see if an outside user
can still access the server's shared folders. Screenshot #9 below demonstrates the screen that a
client outside of the private network would see when accessing the shares. In comparison to this
screen capture, Screenshot #10 was provided to give an idea of what that client would see after
the rule was applied. As you can see, the user is unable to access any of the shared folders with
ports 445 and 139 blocked. It should also be noted that blocking these ports is beneficial
to the security of the server, as these ports were once exploited by the WannaCry attack. For
more information on this attack and the flaws of these ports, please see the “Windows SMB
Users at Risk” link at the end of this report.
Screenshot #9
Screenshot #10
Preventing Network Misuse
While the majority of this report has focused on protecting the network from users that
are not in the private network, there are still many things that pfSense can do to protect the LAN.
For example, some of the more important rules to consider are those that prevent local users from
accessing sites that are either harmful or simply not suitable for workplace activities. This
section of the report will demonstrate how to block both a simple site such as stopfakenews.net,
as well as a more popular site like YouTube.com.
For both of these sites, a host override and a domain override were implemented in the
DNS resolver to block access by sending the user to a bogus IP address. Screenshot #11 below
has been provided to demonstrate the overrides that were created for this process. For the host
overrides, any user that entered the domain name for YouTube or stopfakenews was redirected to
the loopback IP address of 127.0.0.1. As for the domain overrides, users who entered these
domains were redirected to 192.168.100.100, which is a private IP address that is not affiliated
with any user or organization. While using just the host override would normally be necessary
for this process, I found that my machine did not want to properly block the site unless both a
host and domain override were implemented, so both were included for this exercise.
Screenshot #11
To get a better look at the configuration of the host override, Screenshot #12 was
provided below. As you can see, the configuration of this feature is rather simple as you will
only need to know the domain name of the site and the IP address that you want the user to be
sent to. It should also be noted that this method of blocking a site is required for a site like
YouTube due to the wide range of potential IP addresses that are associated with the site. Sites
like stopfakenews.net on the other hand only have one IP address, meaning that they could be
blocked by their IP in addition to the override method.
Screenshot #12
Along with the host override image, Screenshot #13 has been provided below to show
how the domain override was configured. Similar to the host override, the only data that is
needed is a valid domain name and an IP address of your choice. After these overrides were
saved, they were applied with the “apply changes” tab and tested to ensure that they properly
blocked their sites. Screenshot #14 and Screenshot #15 below represent the site access prior to
the override configurations. As for Screenshot #16 and Screenshot #17, these represent the end
result of entering these two domains after they were blocked. As you can see, both YouTube.com
and stopfakenews.net were successfully blocked by the host and domain override methods.
Screenshot #13
Screenshot #14
Screenshot #15
Screenshot #16
Screenshot #17
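A repeatable version of the before-and-after test above, as an added example that is not part of the original report: run from a LAN client, it resolves each blocked name and checks that every answer is one of the two override addresses. The resolver hook, the extra hostnames and the 203.0.113.7 answers are constructed for illustration.

```python
import ipaddress
import socket

# Addresses the report's host and domain overrides point to.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"),
             ipaddress.ip_address("192.168.100.100")}

def system_resolver(name):
    """Resolve a name with the client's configured DNS server; [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_block(name, resolve=system_resolver):
    """Classify a name as 'blocked', 'partial' or 'reachable'."""
    addrs = [ipaddress.ip_address(a) for a in resolve(name)]
    if not addrs:
        return "blocked"       # no answer at all, so the browser cannot connect
    hits = [a in SINKHOLES for a in addrs]
    if all(hits):
        return "blocked"
    # Any real address in the answer still lets the client reach the site.
    return "partial" if any(hits) else "reachable"

def audit(names, resolve=system_resolver):
    """Map every name to its classification."""
    return {name: check_block(name, resolve) for name in names}

# Constructed DNS answers, one per outcome, so the check runs offline.
SAMPLE = {
    "youtube.com": ["127.0.0.1"],
    "stopfakenews.net": ["192.168.100.100"],
    "www.stopfakenews.net": [],
    "m.youtube.com": ["127.0.0.1", "203.0.113.7"],
    "www.youtube.com": ["203.0.113.7"],
}

def sample_resolver(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, sample_resolver).items():
        print(f"{name:22} {verdict}")
```

Calling `audit(names)` without a resolver argument uses the client's real DNS settings, which is the check to run after clicking "apply changes".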
Conclusion
As you can see, the pfSense firewall has many useful features when it comes to protecting
a network. By adding simple rules to allow and deny both server access and network features,
pfSense can provide added layers of security and convenience. Whether you need to prepare for
the dangers of the users that are not on the private network or provide restrictions to those that
are local to it, pfSense has a variety of features to help meet your needs.
Additional Information
Ping of Death
https://www.imperva.com/learn/application-security/ping-of-death/
Windows SMB Users at Risk
https://www.makeuseof.com/tag/windows-smb-users-risk-block-ports-protect/