Firewall Rules in pfSense: Part Two


Highlighting a rule in the pfSense GUI.

In the previous article, I covered basic firewall rules in pfSense. But pfSense 2.0 has a whole new set of advanced setup options, which I will cover in this article.

pfSense rules on the interface tabs are evaluated from the top down: the first rule that matches a packet is applied and the remaining rules are skipped. (The exception is floating rules without the Quick option, which are evaluated last-match-wins.) It is therefore a good idea to put very specific rules at the top and more generic rules at the bottom, which is what many administrators do. To reorder a rule, select it and click the "move selected rules before this rule" button.


You also may want to create a rule that’s very similar to an existing rule. To save time, you can copy the rule with the “add a new rule based on this one” button (the plus button).

Firewall Rules: Advanced Features


Advanced features section for firewall rules in the pfSense web GUI.

With pfSense 2.0, when you add or edit a firewall rule there is an Advanced Features section. Each feature adds a further criterion to the rule: if a feature is specified, the rule matches only when the packet also satisfies that criterion. Click the Advanced button next to each feature to display its configuration settings. Here are the features:


Source OS option under firewall rules in pfSense 2.0.

  • Source OS: This option attempts to match the operating system of the source host, using pf's passive fingerprinting of the TCP SYN packet that opens a connection. It therefore applies to TCP only, and because the fingerprint is derived from header fields a sender controls, it can be spoofed; treat it as a convenience for sorting traffic rather than as a security boundary. The UNIXoid world is well represented on the list, with FreeBSD, NetBSD, and OpenBSD, as well as Linux and Solaris. Windows and Novell are also on the list.
  • Diffserv Code Point: Diffserv is a mechanism for providing Quality of Service for network traffic; this option matches the DSCP value carried in the IP header, so rules can treat traffic differently based on how it has been marked.
  • Advanced Options: This contains a number of options. The options are as follows:
    • Allow packets with IP options to pass: Packets with IP options are blocked by default, and for good reason: some IP options (source routing, for example) can be used by attackers to hide the true source of a packet or to reach a protected network, or to glean information about the topology and addressing scheme of a network. IP options also tax the CPU of the router and may be used in denial of service (DoS) attacks. Nonetheless, there are legitimate reasons for allowing these packets: IGMP, needed for multicast, carries the Router Alert option, so a rule passing IGMP needs this box checked.
    • Disable auto-generated reply-to for this rule: On WAN-type interfaces that have a gateway, pfSense automatically adds reply-to to the rule so that replies to connections arriving on that interface leave through the same gateway, which is what makes multi-WAN work. Checking this box omits reply-to, so reply traffic follows the system routing table instead.
    • Mark a packet: Tags packets matching this rule with the given mark (pf's tag keyword); other NAT or filter rules can then match on it.
    • Match packet on a mark placed before on another rule: Matches only packets carrying a mark set by an earlier rule (pf's tagged keyword).
    • Maximum state entries this rule can create: Limits the total number of state entries this rule can create. If the maximum is reached, packets that would normally create state fail to match this rule until the number of existing states falls below the limit.
    • Maximum number of unique source hosts: Limits the number of distinct source addresses that can simultaneously hold states through this rule (max-src-nodes).
    • Maximum number of established connections per host: Limits the number of simultaneous fully established TCP connections per source address (max-src-conn). This only applies to TCP, and is useful for protecting a server against connection-exhaustion DoS.
    • Maximum state entries per host: Limits the number of state entries per source address (max-src-states). Unlike the previous option, this also counts TCP connections that have not completed the handshake, and non-TCP states.
    • Maximum new connections / per second(s): Limits each source address to X new connections per Y seconds, where X and Y are entered here (max-src-conn-rate). A source that exceeds the rate is added to the virusprot table and its existing states are flushed; traffic from hosts in that table is blocked until the entry expires.
    • State Timeout in seconds: Overrides the default state timeout for states created by this rule (TCP only).
  • TCP Flags: Restricts the rule to packets with particular TCP flags. For each flag you choose whether it must be set and whether it is examined at all (the "out of" set); flags outside the "out of" set are ignored, so, for example, SYN set out of SYN and ACK matches only the first packet of a new connection. The flags are:
    • FIN – No more data from sender
    • SYN – Synchronize sequence numbers (seen on new connections)
    • RST – Reset the connection (seen on rejected connections)
    • PSH – Push function
    • ACK – Indicates that the ACKnowledgment field is significant
    • URG – Indicates that the URGent pointer field is significant
  • State Type: Select the state-tracking mechanism from the following options: keep state (normal stateful tracking), sloppy state (relaxed tracking that does not check TCP sequence numbers, useful when traffic is routed asymmetrically), synproxy state (pfSense completes the TCP three-way handshake on behalf of the server before passing the connection on, which protects the server against TCP SYN floods; TCP only), and none (no state is created, so return traffic must be allowed by its own rule). If in doubt, use keep state.
  • No XMLRPC Sync: This prevents a rule from syncing with the other CARP members.
  • Schedule: Specify the schedule for when the rule is valid. Schedules defined in Firewall -> Schedules will appear in the drop-down box.
  • Gateway: Gateways other than the default may be specified here. Leave as ‘default’ to use the system routing table.
  • In/Out: Specify alternative queues and virtual interfaces for limiter (dummynet) traffic shaping. Choose the Out queue/virtual interface only if you have also selected In. For a rule on an interface tab, In applies to traffic entering the interface where the rule is created and Out to traffic leaving it. For a floating rule with direction In the same applies; for a floating rule with direction Out the selections are reversed, so Out is applied to incoming traffic and In to outgoing traffic.
  • Ackqueue/Queue: Assign matching traffic to traffic shaper (ALTQ) queues: Queue is the queue for the traffic itself, and Ackqueue is the queue for its TCP acknowledgments, which is what lets ACKs be prioritised so that downloads are not throttled by a saturated upload.
  • Layer7: Choose a Layer7 container to apply application protocol inspection rules. These are valid for TCP and UDP protocols only.
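The pf.conf fragment below is an added example and not part of the original article or of any ruleset pfSense generated; it shows what several of the options above, and the first-match ordering point from the top of the article, look like in pf rule syntax. Interface names, addresses, the admins network and the labels are assumptions made for the example; the virusprot table is the one pfSense itself uses for overloaded hosts.

```pf
# Macros below are assumptions for this example.
wan_if   = "em0"
lan_if   = "em1"
wan_gw   = "203.0.113.1"       # gateway on the WAN interface
ssh_host = "192.0.2.10"
web_host = "192.0.2.20"
admins   = "198.51.100.0/24"

# Hosts that exceed a connection-rate limit are added here by "overload" below.
table <virusprot> persist

# "quick" is what makes interface rules first-match: once a quick rule matches,
# no later rule is evaluated, so the specific block sits above the generic passes.
block in quick from <virusprot> to any label "overloaded hosts"

# Source OS (passive fingerprint) + max-src-conn + rate limit with overload.
# reply-to sends return traffic back through the WAN gateway it arrived on; this is
# what the GUI generates unless "Disable auto-generated reply-to" is checked.
# flags S/SA = SYN set, out of SYN and ACK: only the first packet of a connection.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto tcp \
    from $admins os OpenBSD to $ssh_host port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <virusprot> flush global) \
    label "admin ssh, OpenBSD sources only"

# synproxy state: pf finishes the handshake before the web server sees the
# connection. max-src-states and max-src-nodes cap per-host and total sources.
pass in quick on $wan_if inet proto tcp from any to $web_host port { 80 443 } \
    flags S/SA synproxy state (max-src-states 50, max-src-nodes 1000) \
    label "web, synproxy against SYN floods"

# "Mark a packet" and "Match packet on a mark": tag on one rule, tagged on another.
pass in quick on $wan_if inet proto tcp from any to $web_host port 8080 \
    flags S/SA keep state tag MGMT label "mark management traffic"
pass out quick on $lan_if tagged MGMT keep state label "only marked traffic"

# Per-rule state timeout: established TCP states from this rule expire after 600s.
pass in quick on $lan_if inet proto tcp from $lan_if:network to any port 443 \
    flags S/SA keep state (tcp.established 600) label "short-lived https states"

# "Allow packets with IP options to pass": IGMP carries the Router Alert option,
# so a multicast deployment needs allow-opts on the rule that passes it.
pass in quick on $lan_if proto igmp from $lan_if:network to any allow-opts \
    label "igmp with router alert"
```

On a pfSense box the ruleset the GUI actually generated can be read in /tmp/rules.debug, which is the place to check what a given Advanced Features setting turned into; a hand-written fragment like the one above can be syntax-checked without loading it using pfctl -nf <file>.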

That covers the advanced options for firewall rules in pfSense 2.0, and shows the level of granularity pfSense offers in firewall configuration. Most of these options can be left unchanged most of the time, but several of them, such as the per-host state and connection-rate limits, synproxy, and "Source OS", will be useful in enterprise-level deployments.


© 2013 David Zientara. All rights reserved.