PFSENSE FIREWALL RULES
In my previous project on pfSense I installed, configured and set up pfSense. Along the way we learnt how segmenting IP addresses works, and I assigned IP addresses on my home lab networks LAN0 and LAN1, which I use in my lab as my attacker and client. In this topic I'll be setting rules for outbound and inbound traffic for the attacker interface and the Cyberkomand client interface.
This rule allows traffic to the Cyberkomand interface.
How firewall rules work.
- Top to bottom: pfSense reads rules from top to bottom and applies the first match it finds; rules below the match are not evaluated for that traffic.
- Default deny: Any traffic not allowed by a rule is blocked.
- Stateful inspection: pfSense tracks the state of connections (TCP/UDP sessions), which can also be seen as network monitoring, allowing for dynamic handling of traffic.
I have already logged into my pfSense, so let's jump right into the rules. To get there, select Firewall in the menu and then Rules ("firewall/rules"). In the image below I am on the WAN interface; this interface is for inbound traffic, which is traffic coming from the internet into your network.
WAN INTERFACE:
What is a bogon network? Bogon networks are IP address ranges that are not assigned to anyone by IANA (the Internet Assigned Numbers Authority) or are reserved for special use.
These IPs include:
- Private IP ranges, e.g.:
  - 10.0.0.0/8
  - 192.168.0.0/16
  - 172.16.0.0/12
- Reserved IP ranges, e.g.:
  - 0.0.0.0/8
  - 127.0.0.0/8 (loopback)
  - 169.254.0.0/16 (link-local)
- Unallocated IP ranges (not yet assigned to anyone).
The first and only rule on the WAN interface is the "Block bogon network" rule.
CYBERKOMAND INTERFACE:
On this interface there were already three default rules. Let's discuss these rules.
Anti-lockout rule: This rule is set by default so you don't accidentally get locked out of the pfSense dashboard, which is reached on ports 80 and 443, and become unable to reset, change and add rules.
The two other rules allow all other traffic on the interface, over IPv4 and IPv6, on all ports.
Now let's add some rules. I'm going to write the rules down and then explain the function of the rules at the end, so you get a clear basic understanding of what they do.
- Action: Pass.
- Interface: Cyberkomand.
- IPv4 and IPv6.
- Protocol: Any.
- Source: Cyberkomand subnets.
- Destination: Cyberkomand subnets.
To explain what the rule I just set does: it allows traffic from my Cyberkomand LAN address to communicate with other devices on the same Cyberkomand subnet, meaning it can talk to other connected hosts on the same network and traffic is allowed between them. I hope that explanation was clear.
It's always good to leave a clear description of what the rule does, as you can see in the image above.
Next rule.
This rule uses the same settings as the previous one, where I allowed hosts on the Cyberkomand subnets to communicate with each other. The only difference is that I want Cyberkomand to be able to communicate with the attack subnets, so in this rule the destination is set to the Attack LAN subnet.
So far the rules I set let devices in Cyberkomand communicate with each other and let Cyberkomand communicate with the attack subnet. The default rules already allow communication to all interfaces and ports, and because they are at the top they are applied first: like I said, pfSense rules work top-down, so any rule placed below the default rules only comes into play after them. For the next rule I'll be setting up an RFC1918 alias so that we can connect to the internet with a group of private IP addresses. A good idea is to do a little research on the RFC1918 IP range list. Let's get started.
Up until now we've set single rules. By setting up an RFC1918 alias we are saying we want a group of private addresses to be able to browse and connect to the internet. Remember that the default rules automatically allow that; this is just to show you how it would be done if the default rule gets deleted. You want to set the Destination to "invert match", "Address or Alias" and "RFC1918". With the match inverted, the rule applies to any destination that is not in the RFC1918 alias, which lets the group of private IP addresses reach the internet.
With this rule we want to block anything apart from the rules we've set up. Traffic not covered by a rule gets blocked automatically, so this is a safety precaution.
Before moving on: this rule blocks everything else. That is all the rules I'll be setting up for the Cyberkomand interface; the image below shows what the rules I just set up look like all together.
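The rule order described above can be checked with a small first-match model. This is an added example, not part of the original post and not pfSense's own code; the subnets 10.10.1.0/24 (Cyberkomand) and 10.10.2.0/24 (Attack), the probe addresses and the rule descriptions are assumed values.

```python
import ipaddress as ip

# Assumed lab addressing (not from the post): replace with your own subnets.
CYBERKOMAND = [ip.ip_network("10.10.1.0/24")]
ATTACK = [ip.ip_network("10.10.2.0/24")]
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip.ip_network("0.0.0.0/0")]

def rule(action, src, dst, desc, invert_dst=False):
    return {"action": action, "src": src, "dst": dst, "desc": desc, "invert_dst": invert_dst}

def in_any(addr, nets):
    return any(addr in n for n in nets)

def evaluate(rules, src, dst):
    """Return (action, description) of the first matching rule, top to bottom."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for r in rules:
        dst_hit = in_any(d, r["dst"]) != r["invert_dst"]  # "invert match" flips the test
        if in_any(s, r["src"]) and dst_hit:
            return r["action"], r["desc"]
    return "block", "implicit default deny"

def shadowed(rules, probes):
    """Descriptions of rules that never win for any probe packet."""
    winners = {evaluate(rules, s, d)[1] for s, d in probes}
    return [r["desc"] for r in rules if r["desc"] not in winners]

# The four rules added on the Cyberkomand interface, in the order the post sets them.
CUSTOM = [
    rule("pass", CYBERKOMAND, CYBERKOMAND, "Cyberkomand to Cyberkomand"),
    rule("pass", CYBERKOMAND, ATTACK, "Cyberkomand to Attack"),
    rule("pass", CYBERKOMAND, RFC1918, "Cyberkomand to internet", invert_dst=True),
    rule("block", ANY, ANY, "Block everything else"),
]
# Stand-in for the default allow rule that sits above them.
DEFAULT_ALLOW = rule("pass", CYBERKOMAND, ANY, "Default allow to any")

# Constructed probe packets: (source, destination)
PROBES = [
    ("10.10.1.50", "10.10.1.60"),    # same subnet
    ("10.10.1.50", "10.10.2.20"),    # Attack subnet
    ("10.10.1.50", "203.0.113.10"),  # documentation address standing in for an internet host
    ("10.10.1.50", "192.168.50.9"),  # some other private network
]

if __name__ == "__main__":
    for s, d in PROBES:
        print(s, "->", d, evaluate(CUSTOM, s, d))
    print("shadowed while default allow is on top:", shadowed([DEFAULT_ALLOW] + CUSTOM, PROBES))
```

With the default allow rule on top, every custom rule is reported as shadowed; with it removed, the inverted RFC1918 rule passes the internet-bound probe while the probe to another private network falls through to the block rule.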
ATTACKER INTERFACE RULES:
For the attack interface I will:
- Allow the attack interface to send traffic to the Cyberkomand interface.
- Block traffic to the WAN interface.
- Block traffic to the internet using the RFC1918 alias, but we will have that rule disabled, because otherwise our Kali Linux won't be able to reach the internet.
Let's get started.
After setting the rule, always remember to give a good description of what the rule does for future purposes.
This rule blocks internet access for the attacker interface. The destination is set to the RFC1918 private IP address alias with invert match, but I have it disabled because I want to be able to reach the internet on my Kali Linux.
The last image shows all the rules I have set on the Attack interface. I hope this project helps, as it has helped me also. To come as close to perfect as possible you must do more research and experiment with the rules.
















