Getting Started With pfsense Firewall Rules and Troubleshooting States With pfTop.

Captions
Tom here from Lawrence Systems. We're gonna dive into pfSense firewall rules, some basics and some troubleshooting tips, because, well, they aren't that hard once you know them, but of course there's always the learning curve. What seems to be easy, or when people say "oh, that seems so obvious now", is because there's a few knowledge gaps, so my goal right now is to bridge some of those knowledge gaps. Now the good news is what I talk about here are general firewall rules and may apply to more than just pfSense, so some of this is just some general network engineering: the concepts of firewalls, how the rules work and how traffic gets passed or stopped, is, you know, fairly the same, and I'm going to talk a little bit during this about those differences. pfSense is my favorite firewall, as anyone who's watched this channel knows, and so that's why I'm covering it specifically, pfSense, but as I said these general rules are going to apply to more than just pfSense. This hopefully gives you a good idea of how it works, how you can do some troubleshooting and how to dig through some of the logs and a couple of utilities; all of this is built into pfSense to be able to troubleshoot this so you can figure out why something is or is not working.

Before we dive into that, let's first: if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for projects there's a "Hire Us" button right at the top. If you'd like to help keep this channel sponsor free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell and new designs come out, well, randomly, so check back frequently. And finally our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel.

Now back to our content. I am running this in my virtual lab for simplicity, because the number of connections on our primary pfSense, well, they're extensive, and sorting through a lot of connections is where you want to scale up to, but when you're sorting it out with a few connections it makes it a lot easier to get started. So my lab here: my main server is 192.168.3.15- and my laptop that I'm using to access it is on the WAN side, so we've opened up a port. Normally you're going to be doing this, more than likely, at least from the inside of the network, and my default pfSense does not have any ports open; the defaults are very secure with pfSense, nothing's open, so we did change the default to open up the LAN in order for me to access them from my laptop. Now my laptop: this is at 3.15- and my laptop is at 3.18, so you'll see that referenced quite a bit, just want to get that out of the way first. And then we have in the back end of the layout here this, and this is my Debian box that is behind the pfSense. This is all attached via virtual network adapters; I have whole videos on using XCP-ng and getting started for building a virtual lab for this. So it has an IP address of 192.168.40.129, so this is a box that's going to be the server host that's going to be behind the pfSense that we'll be doing all the testing on.

They do have documentation of course at the Netgate docs and I'll leave a link to this; it's just the firewall rule basics. They dive into a few other pieces; I want to get you started with the basics, but there's actually quite a bit in here. I mean one thing of note, and this is where it applies to perhaps other firewalls, is floating rules. Now pfSense, for each network interface you have, creates a firewall tab, so when you go over to the Rules tab you have for each created interface a tab that's generated, including, I don't have one in here, but OpenVPN. So that is where the rules start. Now by default, when you create new interfaces, no rules, and it will pass no traffic. This is actually the first troubleshooting tip: every time you create an interface you have to at least create a pass rule to pass traffic, because the default is not to. So this is the actual out-of-the-box default for LAN, the "Default allow LAN to any" rule, because the LAN by default gets access to everything.

Now the reason I brought up floating rules is some firewalls don't use the term floating rule. Now floating rule means rules that can apply in a broader sense to all interfaces, with both directions; it's kind of an interesting advanced side of pfSense. But some firewalls have all rules treated in one giant page, and there can be arguments made back and forth to this. I prefer the method that pfSense and other firewall companies have chosen, where they create a list and you apply rules on a per-interface basis; you still have an option to universally apply rules, but for doing large networks, and we've dealt with some of the firewalls that just dump it all on one page, some people like it, "well, you get this one single pane view", and I'm like, but you also have to have this large view every time you're trying to sort something out, so it becomes a little more complicated. I like that the rules are there, so debate that all you want; this is how it is in pfSense. But that is what the floating rules are, and yes, you could create these rules as floating, but floating is more advanced. When I did my video, and you can search this on my channel, for a CoDel queue, you create that as a floating rule so it will apply to all interfaces; that's an example of one to use it. There's other times, like when I do the whole VPN rule, you want to take everything and wrap it in a VPN, that's a floating rule so you can apply it to multiple interfaces, including my VPN kill switch video; once again, floating rules, so it doesn't matter what interface, it applies to all.

All right, back to the firewall basics here. The friend of the firewall basics is the logs; not enough people stop by. That's the first question you're going to get asked; every time you are new to pfSense and you post "hey, I can't get this to work", you almost immediately see someone go "where's your logs?", and a lot of times you find the answer in the logs. Now one thing I've done from default, and we're gonna open this up in a new tab: I like this log shown in reverse entry, and it defaults to 15; I usually change it to a hundred, that's just so it lists out the logs a bit longer. So here's "show log entries in reverse order", newest entries at the top; I wish that was the default. That is at least something I should say that I do change all the time; that just makes it easier when I look at something and get a view. And well, actually let's click it first without filtering, and there's your normal view and all the log information is at the top. Now by default it's also only going to be showing the firewall rules: it logs the denies but it doesn't log the passes. You can change that, and well, there's a little checkbox when creating a rule, so we'll talk about that when we get to the rule creation. But at the top here's a little filter, and we want to filter it to only things coming from my laptop, which is at 3.18. We could also do the other side, like destination IP address, what is the internal address, so we mentioned, and right here is the SSH into it, so here's that 192.168.40.129, that's the Debian box they have, and we could also, you know, look at rules related to that. And I believe if we do this, I don't know if there's anything in there right now, yeah, probably not; it's not been denied anything. But this is where you're gonna be able to go through, look for pass, block. Now by default all the rules are only logging a block; if you do choose to log pass ones it does take up more resources to be able to dump these in here, so that's why it doesn't do it by default, because, well, you don't need all that logged, but you could also do that for troubleshooting purposes.

All right, so let's go ahead and look at the rules themselves; close that one. So we'll take a look here at the WAN. Now these are all rules I created. I have it on port 555 as you can see at the top, so I created a WAN rule to allow 555. I was playing with darkstat, so that's why 666 is open, and 222 is going directly to the firewall, and this is an auto-generated one from NAT; there's our IP address of the server. So, you know, I'm setting the destination to be "This Firewall"; "This Firewall" means land on the firewall's LAN IP address, and if it has multiple you can choose that. And for here we have a rule for landing on port 22, and then NAT. Now I'll cover NAT briefly, and I have a separate video on how to do NAT, but when you do NAT, that's under a separate tab. NAT is actually really easy in pfSense because it auto-creates the rule; a lot of firewalls keep NAT separate and make you create the rules separately, and this is kind of an annoyance. Now the home and consumer stuff doesn't do this, but a lot of the commercial stuff does: first you'd create a NAT translation rule, which means hit this public side of the IP address and bring it to this private side of the IP address, and then you have to create a rule as well as a NAT translation. So the NAT translation is the redirect, then the filter rule is the rule that says all right, it comes here, and allow it to go there.

So we'll edit this rule real quick and just walk through it. So interface WAN, if we had more interfaces you'd just pull down; protocol was TCP; destination WAN address, if there was more than one address you could choose that, like if there were multiple public IPs you can say destination range; this is port 22 for SSH; then we have the IP address 192.168.40.129, that's our Debian server back there; redirect port, now this is a nice feature: what port it comes in on and what port it lands on can be different, generally the same. If you have a web server on port 80 on the internal side and you have it on a different port out there, it can be different, but generally it is the same, but it does allow for that as a use case. It also does ranges, and just so you know, when you're doing the range right here, if I start at 22 and put 30 here, it starts at whatever number I start here and automatically, that's why there's not a second part, automatically adds those other ranges; so if you're forwarding a range of ports it does allow that. I put a description in and it automatically creates the filter rule; this is what I was talking about for the filter rule, and here you can hover over it and it's pivoted over to it, and that's that rule that's auto-generated when you create a new NAT rule for that. So that's how those rules get in there; like I said, I have a separate video where I cover NAT a little bit more in depth.

Now let's look at the LAN. This is the default anti-lockout rule, and what these are is to keep you from locking yourself out of the pfSense. It's expected that you're going to admin pfSense from the LAN, so by default pfSense opens up the LAN addresses and allows you to get into the firewall. So that's why we have 80 as a redirect; that way when you hit port 80 it redirects to whatever port you've moved it to or left it at default, which is 443. I do prefer to move it to a different port; we use 555 in this case for the web interface that we're looking at right now; 222 happens to be the SSH interface, so from the LAN side we can SSH into 222. Now it does have the option to turn on, you know, blocking and things like that, and I have it opened externally, but it's going to apply the blocking, such as to any user attempts and things like that, specifically for admin of the firewall via SSH. That is not open by default on the WAN, but when you open it you can turn on the blocking on there, and I won't get too in-depth on that. But this is why it's called the anti-lockout rule, and you'll notice there's not anything you can do but go to the settings page, and if you'd like to disable the anti-lockout, that's right here. So those rules generally are left at default and perfectly fine, because we assume LAN's admin.

Now when I created LAN2, and I have a whole thing about creating interfaces, there were no rules on here, so we created a couple rules. Well, this one's technically wrong, I have it blocking 443, so let's fix that real quick. And what this does is, by default when you create an allow rule it is allowed to talk to the firewall; that may be a problem because if you want this to be, let's say, a guest network. All right, "block access to firewall interface", and because I changed the port, all right, save, apply. What that means is anything on LAN2 has now been denied access to port 555. What that does for you is say all right, here's LAN2, it's our guest network, and we don't want it to access the web interface on that particular machine. Matter of fact, I should, if I were going to be more security conscious, we can create another rule that says block, so we'll actually do that real quick. We want to block TCP, 666 to 666, "block access to darkstat"; I know I have darkstat set up on here on port 666 and it's listening on the firewall port, so this now will block access to that.

Now the rules are top-down, so if I were to do this and then hit save, apply, what I have now done is it's going to say hey, you can do whatever as long as you're not matching LAN net. So this particular rule says allow traffic but don't allow it to LAN; so that's what the invert match is. Now just to show: so action pass, interface LAN2, address family IPv4, protocol any. Make sure, because when we create a rule by default it defaults the protocol to TCP, so change it to any, because this is another problem a lot of people run into: they create a rule to allow traffic, they don't change the protocol and it'll only have TCP. Well, that actually means it will partially work: some things will work but not all things, and the reason why is any TCP protocols will work but all the other ones will start failing. But now what we've done is the destination, as long as it's not LAN net. Now another option in here: if you have a series of addresses you can put aliases in; in terms of a guest network you can put like a list of RFC 1918 addresses, like you can just block all private addresses; so a couple different options there. I have a separate video as well on how to set up and build like a secure network and it's one of the ways I say to do it; I'll leave a link to that down below as well. I have a lot of different topics on this so I won't dive too deep into those. So the top-down, and this is a lot of traffic, and this is that "log packets that are handled by this rule"; that is the default, it's not checked, but that's what will fill things up in the log, which is great for troubleshooting, bad if you don't have enough storage, so use that wisely in terms of, you know, how much you want to have dedicated to that. But the important thing is that this one needs to be on the bottom; we need all of the block rules to be starting at the top, so deny, deny, you can't go there, you can't go there; once it gets past those things to confirm that that host is not trying to access the things that it's not allowed to access, then it hits the allow rule. So that's why the rules are in that order.

Now a couple little side notes here: block rules, you can easily create this, and then we'll say add another separator, allow rules. Now you don't have to do this, these are just separators that just look pretty, but when you're dealing with large networks it does help. We've got some companies with a lot of, a lot of port forwards and a lot of special rules in place, and because of that you have this, well, too many rules to look at to make it easy, so we group them all together because each one is related to a different property they manage and certain ports that need to be forwarded for different things. So it's kind of nice to be able to do that; these little dividers are certainly something that gives you a visual appeal when you're setting up firewalls. It's a nice feature; I'll note it doesn't make any functional difference, it's just a separator, literally to make it a little bit easier.

Now let's look at the firewall rules on LAN, where we'll do a little bit of testing and troubleshooting. So we have this that says the "default allow to any" rule; now that means it can go wherever it wants. We can see all the states in there, so the state details. Now what a state is, is any time the host connects through the firewall it has to create a state; in that state it'll tell you how many creations it has, how many things it's doing on there, and you can click it and look at specifically the state tables related to that and filter them. Much better than filtering there, if you want to watch things a little better, would be watching it under pfTop. So this is under Diagnostics > pfTop, and I've covered this in my troubleshooting video for pfSense. So if we just say, we're gonna say just this host, I want to see what states this particular host has and what's going on; and because I'm SSH'd into it, you can see, you know, even if I exit out you have these states. So you have 192.168.40.1 trying to reach port 123, reaching out to a time server; 3.18, my laptop, and it's connecting in and landing on port 22, and you can see that this has now changed to a wait state because it's getting ready to close. Now the state tables, if we're going to go ahead and SSH back into them, now we have active ones, so we have ESTABLISHED, ESTABLISHED. This is your excellent tool for troubleshooting what might be happening with any particular rules, so whether or not those rules are working, whether or not things are coming across. I could filter right now, we're filtering for this host here, but we could also change it and say 192.168.3.18 and we can see what the host on the outside is doing. So you can use this with public IP addresses, private IP addresses, but this is one of the ways you can try to look at and try to figure out what the rules are doing. If you see nothing in here, that means there's no traffic passing through the firewall; that's another indicator of why something isn't working. You may have been too aggressive with your blocking rules, you've now blocked it from even getting out. People like, well, it's not seeing the connection, is it the server or is it pfSense causing a problem? That's where you would probably want to start here, pfTop: is it creating an established state and losing it, is a state dropping, what's happening?

Now another note I'll make about rules, and this is another point of confusion that sometimes happens. So if we go over here, we're gonna go Firewall > Rules > LAN, so we have the default allow rule, and we can even go here, like in NAT, so this NAT rule says WAN address, "allow SSH", allow me to SSH into that virtual machine behind there, and there's of course the associated rule under Firewall > Rules > WAN, so here we go, "allow remote access". Now I can edit these rules, and we'll start editing them at the NAT level; well, we can edit them either way, we're just gonna turn it off essentially. So we're gonna go here, and "NAT allow VM", so if you click it, now it's grayed out; we just took that rule down. But go back over here, we still see ESTABLISHED; you go over here to the terminal, hey look, I can still get in here, I didn't stop my access. This is an important aspect of the way state tables are created: when you have now blocked, I've told pfSense that's it, that rule is dead, you can't SSH back into the machine, but it does not automatically clear existing established state tables. So when we look over here we see these established state tables, and let's go ahead and exit, try to SSH back in, it won't let me, and now we'll see these go to, they're getting ready to close, they're at FIN_WAIT, so now this one's getting ready, closing, will go away. This is one of those really important troubleshooting things: when you change a rule to stop something from happening but you still see it happening, you have to look if there's any established states. This is an important concept in there, so they will not automatically be cleared. Now they can be cleared, because you can go over to Diagnostics > States and you can even filter for that particular one, filter, and we can actually forcibly, it's gonna clear these states right here, "are you sure you want to clear this state?", yep; make sure you're on "clear state". Now you can actually go in and reset all states, and that can just be a headache; that'll stop everything, that's like an emergency move, you don't necessarily want to do that, but it is an option there. So you can actually just drop all the state tables, kill all the states, kill the filtered states with this right here; matter of fact, just if you hit "kill them" here, it'll also, if you're connected to the web interface, pause while your system re-establishes all the states for that. So that's kind of a good way to understand the state tables: once they're existing they don't automatically die, but you can just nuke 'em, so to speak, without rebooting a firewall. But that's very disruptive to your users, that's the part to remember; they will re-establish, but if there were any phone calls going, anything going on behind that firewall, if you drop all state tables they may not re-establish without hanging up first, because everything has to be renegotiated.

And if we go over here to the firewall log, 192.168.3.18, my laptop, and because we told it to block the SSH and we filtered it, so we said show me the blocks, show me a destination port of 22, because we had turned that rule off, and now there's denies. But because we have it allowed again, and we'll go back over here, cannot connect, and we go, make sure, actually let me double check, make sure I got the rule enabled; so, Firewall > Rules, didn't hit apply, all right, so now this is enabled again; go back over here and we're logged right back in. Pretty straightforward in terms of that: once you, you know, had it grayed out, hit it again, it's re-enabled. Now this is a linked rule back over to the NAT like I had said, so I could have disabled it in NAT, but either way you kind of get the concept on the firewall rule of how to do that.

Now the last thing I want to talk about is when you're trying to troubleshoot things in that broader sense; that's where you can also use pfTop to help, like pivot through any of this. And actually I have too many tabs open; all right, and we're back over here at pfTop. We're focusing on host 192.168.40.129, so we focused on that, we focus on the protocol TCP, so we've narrowed down what we want to look at on this, where we could even pass on UDP. It's as simple as that, so we can see where things are going on this; so you can focus on even ICMP, so what about pinging things? So you can actually, there's no pings going on, but let's go in here and ping google.com, and away we go, we've got some ICMP traffic on there. Now this is also where you want to look at the rules, and let's go back over here, Firewall > Rules, we'll open a new tab so we can keep that open over there. We're gonna look at the LAN because that's where this is located, and we're gonna add a block rule, and we don't want ICMP traffic; let's say, you know what, no one should be able to ping on this network, so we're gonna block it; block it on LAN, doesn't matter where it's going, it's just straight-up blocked. So we go over here, hit apply; so IPv4, IGMP, nope, we're not gonna do it, I mean ICMP, I chose the wrong one, glad I caught that. And it does even have the options here for subtypes, if you'd like to only block the echo reply or whatever you want to. So we're going to hit save, apply, so now we have this block; so we go over here, and it does resolve, it doesn't allow ping to come through, so now that's being blocked. And we look over here, we see no ping, but if we drop all this and we look at what the host does, so right now we have, it's got port 53, and we'll actually see, now you'd shrink this down a little bit, each time you go to ping a new place it's gonna make a new established connection, so it's actually pinging; like you can see each of these port 53 DNS queries going through. So each one of those starts, and like I said, this gives you that diagnostic you're looking for: you go, all right, I see it doing this, it goes out to port 53 but there's no pings coming back, there's no ICMP traffic going back, so then you can go, what do the rules look like? And we can see that. Now one more example is gonna be able to go here, and if we move this down to the bottom, like I said, so rules are out of order essentially; I said hey, block it, but because there's an allow above it, it takes a second to reload here, there we go, the rules are reloaded. There's a moment's pause, that's why it says when you do this, it says "monitor the filter reload process", and it just lets you know when it's done; if you have a lot of rules, and depending on the speed of your firewall, it'll take a second and go through here. But now we've done that, but that means we can now go back to pinging; ICMP traffic goes across, we go over here to the Diagnostics and hey look, here's all that traffic, ICMP traffic, and proto ICMP, now we can watch what's going across there.

So all this gets you an idea of how to get the firewall rules started, how to get them going and start drilling down in there. So for each one you create you need to create at least some allow rule to allow it to go somewhere. A couple other tips when you're creating these allow rules when you create a new interface, because let's say you want a guest, you don't want it to have access to the other ones: set the deny where it was an inverted deny, saying hey, you can go anywhere but LAN. I have another video I'll link to where I dive a little more into that. One important rule: you cannot block access to the firewall itself. You can block access to ports on a firewall such as the web interface, but I've seen people try to say "I don't want it to be able to access the firewall"; well, the firewall is the gateway, it has to get out, so devices on that network do have to get out. So that's another mistake I see a lot of people make when they're doing it: they go, well, I denied access to the firewall for security, and I'm like, no, you need to allow it to the firewall. You also need to, unless you have another solution, allow DNS, and you can do that where you can block DNS on there if you want, block port 53, but if you block port 53 overall now we can't do any DNS, and now you've also broken the hosts on there that rely on DNS, unless you have another method by which to resolve names. So you have to be careful on what you block on there; it is important to block the web interface on those extra interfaces, but not all of it. And using pfTop and the firewall log rules, and just checking a little log box on there to turn on logging, to help troubleshoot those rules, to see if there's even a log file of them or if there's anything being established, that helps you a lot with whether or not you have just a basic networking problem on the host side, a greater problem where it is going through the firewall but not establishing on the other end, and whether or not that traffic's returning. And those are all the tools you use to diagnose. Your logs: always go through there, go ahead and turn it on for reverse order, which I guess, that I wish was the default, that's very helpful so they're always at the top, and use the little filter icon at the top to help narrow down, because once you have this in an established network with a lot of connections, pfSense does a great job of allowing you to filter it, but if you were to just look at, like, our connections at any given moment there's thousands of these little state tables created, so it can be a little bit daunting at first, but that's what the little filters are for.

Thanks, and thank you for making it to the end of the video. If you liked this video please give it a thumbs up; if you'd like to see more content from the channel hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general; even suggestions for new videos, they're accepted right there on our forums, which are free. Also if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
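The transcript makes four points about how pfSense evaluates rules: rules are per interface and top-down with first match winning and a default deny; a pass rule left at protocol TCP silently breaks UDP and ICMP; block rules must sit above the broad allow; and disabling a rule does not tear down states that already exist until you clear them under Diagnostics > States. The simulator below is an added example that is not code from the video, from Lawrence Systems or from pfSense itself; it models those behaviours with a deliberately simplified one-directional state key (real pf states are bidirectional and finer-grained), and every interface address, host and rule name in it is constructed for illustration.

```python
"""Constructed simulator of pfSense-style rule evaluation (example code, not pfSense's)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    proto: str = "any"                # "any", "tcp", "udp" or "icmp"
    dst: str = "any"                  # "any", "this_firewall" or a CIDR string
    dst_port: Optional[int] = None    # None matches every port
    invert_dst: bool = False          # the "invert match" checkbox on destination
    enabled: bool = True
    description: str = ""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


@dataclass
class Firewall:
    interface_ip: str                            # firewall address on this interface
    rules: list = field(default_factory=list)    # one interface tab, evaluated top-down
    states: set = field(default_factory=set)     # simplified key: (src, dst, proto, dport)
    log: list = field(default_factory=list)      # block entries, as the default log does

    def _dst_matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.dst == "any":
            hit = True
        elif rule.dst == "this_firewall":
            hit = pkt.dst == self.interface_ip
        else:
            hit = ip_address(pkt.dst) in ip_network(rule.dst)
        return (not hit) if rule.invert_dst else hit

    def _rule_matches(self, rule: Rule, pkt: Packet) -> bool:
        if not rule.enabled:
            return False
        if rule.proto != "any" and rule.proto != pkt.proto:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
        return self._dst_matches(rule, pkt)

    def first_match(self, pkt: Packet) -> Optional[Rule]:
        """Top-down, first match wins; None means the implicit default deny."""
        return next((r for r in self.rules if self._rule_matches(r, pkt)), None)

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dst_port)
        if key in self.states:            # an existing state is honoured before any rule
            return "pass (state)"
        rule = self.first_match(pkt)
        if rule is None:
            self.log.append(f"block default: {pkt}")
            return "block (default)"
        if rule.action == "block":
            self.log.append(f"block {rule.description}: {pkt}")
        else:
            self.states.add(key)          # a pass creates a state
        return rule.action

    def clear_states(self, host: Optional[str] = None) -> None:
        """Diagnostics > States: kill every state, or only those touching one host."""
        if host is None:
            self.states.clear()
        else:
            self.states = {s for s in self.states if host not in s[:2]}


def guest_network_demo(pass_proto: str = "any") -> dict:
    """LAN2 as a guest network: block rules on top, inverted pass at the bottom.
    pass_proto="tcp" reproduces the mistake of leaving the rule's protocol at TCP."""
    fw = Firewall(interface_ip="192.168.50.1")                      # constructed LAN2 address
    fw.rules = [
        Rule("block", "tcp", "this_firewall", 555, description="block web UI on LAN2"),
        Rule("pass", pass_proto, "192.168.40.0/24", invert_dst=True,
             description="anywhere but LAN net"),
    ]
    guest = "192.168.50.20"                                          # constructed guest host
    return {
        "web_ui": fw.handle(Packet(guest, "192.168.50.1", "tcp", 555)),
        "lan_host": fw.handle(Packet(guest, "192.168.40.129", "tcp", 22)),
        "dns": fw.handle(Packet(guest, "9.9.9.9", "udp", 53)),
        "ping": fw.handle(Packet(guest, "9.9.9.9", "icmp")),
    }


def rule_order_demo(block_first: bool) -> str:
    """'Default allow LAN to any' plus an ICMP block: only the order decides."""
    fw = Firewall(interface_ip="192.168.40.1")
    block = Rule("block", "icmp", description="no ping")
    allow = Rule("pass", description="default allow LAN to any")
    fw.rules = [block, allow] if block_first else [allow, block]
    return fw.handle(Packet("192.168.40.129", "9.9.9.9", "icmp"))


def state_persistence_demo() -> tuple:
    """Disabling the pass rule does not kill an existing state; clearing it does."""
    fw = Firewall(interface_ip="203.0.113.10")                       # constructed WAN address
    ssh = Rule("pass", "tcp", "192.168.40.129/32", 22, description="allow SSH to VM")
    fw.rules = [ssh]
    pkt = Packet("192.168.3.18", "192.168.40.129", "tcp", 22)
    first = fw.handle(pkt)                 # passes and creates the state
    ssh.enabled = False                    # rule disabled (greyed out in the UI)
    second = fw.handle(pkt)                # still passes: the state is honoured
    fw.clear_states(host="192.168.3.18")   # kill the filtered states
    third = fw.handle(pkt)                 # now hits the default deny
    return first, second, third


if __name__ == "__main__":
    print(guest_network_demo(), guest_network_demo("tcp"))
    print(rule_order_demo(True), rule_order_demo(False))
    print(state_persistence_demo())
```

Running it shows the guest network passing DNS and ping only when the inverted pass rule has protocol "any", the ping block taking effect only when it sits above the allow, and the SSH session surviving the rule being disabled until its state is cleared, at which point the next packet lands in the block log exactly as the firewall log in the video does.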
Info
Channel: Lawrence Systems
Views: 50,560
Keywords: lawrencesystems, pfsense firewall, pfsense tutorial, pfsense setup, pfsense (software), firewall rules, pfsense firewall setup, pfsense installation guide
Id: eb1pTs7XamA
Length: 27min 48sec (1668 seconds)
Published: Wed Jul 15 2020