Example basic configuration

From PFSenseDocs

This article is part of the HOWTO series.
This article is part of the EXAMPLE series.


Summary

This article is designed to help you get acquainted with how pfSense does rule matching and how you can get a basic ruleset going.

Caveats

  • Always remember that rules are matched on the INCOMING interface, that is, the interface on which a packet first enters the firewall. Traffic from LAN hosts to the Internet is therefore matched by the rules on the LAN tab, not the WAN tab. This is how PF works and cannot be changed. Within a tab, rules are evaluated top to bottom and the first match wins; a packet that matches no rule is blocked.
  • Only the first packet of a connection is evaluated; the replies are allowed by the state that rule created. An allow rule on LAN lets LAN hosts reach the DMZ, but it does not let DMZ hosts initiate connections back to the LAN.
  • This is not the most secure approach, but it should get you familiar with how to set up rules. Note that the LAN ruleset below contains no DNS rule: once the default "LAN > any" rule is gone, LAN hosts also need a rule allowing TCP/UDP 53 to whichever DNS server they use (the DMZ section shows the form), otherwise name resolution, and with it web browsing, will fail.
  • Take a look at the page for Aliases; it might make management of ACLs easier.

Example of a basic lockdown of the LAN and DMZ outgoing rules

Outbound LAN

  1. Make sure the “Default LAN > any” rule is either disabled or removed. While it sits at the top of the list it matches every packet first, so none of the narrower rules below it would ever be reached.
  2. Allow all users to browse web pages anywhere.
    1. Allow TCP 80 (HTTP) from LAN subnet to anywhere
  3. Allow users to browse secure web pages anywhere.
    1. Allow TCP 443 (HTTPS) from LAN subnet to anywhere
  4. Allow users to access FTP sites anywhere.
    1. Allow TCP 21 (FTP) from LAN subnet to anywhere. Port 21 is only the control channel; passive-mode data connections go to server-chosen high ports, so a plain port 21 rule is usually not enough on its own.
  5. Allow users to access SMTP on a mail server somewhere.
    1. Allow TCP 25 (SMTP) from LAN subnet to anywhere
  6. Allow users to access POP3 on a mail server somewhere.
    1. Allow TCP 110 (POP3) from LAN subnet to anywhere
  7. Allow users to access IMAP on a mail server somewhere.
    1. Allow TCP 143 (IMAP) from LAN subnet to anywhere
  8. If you need to allow remote connections to a Windows server outside the network, configure a rule for Remote Desktop administration, restricted to that server's address rather than to anywhere.
    1. Allow TCP/UDP 3389 (Remote Desktop / Terminal Services) from LAN subnet to IP of remote server
  9. If you use Windows shares on the DMZ and want LAN users to access these files, you need to allow NetBIOS and Microsoft-DS (SMB) from the LAN to the DMZ. Ports 137 and 138 use only UDP and port 139 only TCP; allowing both protocols on each, as some guides do, is harmless but wider than needed. Because these rules are on the LAN tab, they let the LAN open the DMZ shares but do not let DMZ hosts initiate connections to the LAN.
    1. Allow UDP 137 (NetBIOS name service) from LAN subnet to DMZ subnet
    2. Allow UDP 138 (NetBIOS datagram service) from LAN subnet to DMZ subnet
    3. Allow TCP 139 (NetBIOS session service) from LAN subnet to DMZ subnet
    4. Allow TCP 445 (Microsoft-DS, SMB over TCP) from LAN subnet to DMZ subnet

Outbound DMZ

  1. By default, there are no rules on OPT interfaces such as the DMZ, so until you add some, nothing the DMZ hosts initiate is allowed out.
  2. To allow your servers to use Windows Update or browse the WAN:
    1. Allow TCP 80 (HTTP) from DMZ subnet to anywhere. Windows Update also uses TCP 443, so add a matching HTTPS rule like the one in the LAN section.
  3. If you use an external DNS server, you need to allow the servers to leave the network to reach it. Limiting the destination to the DNS servers you actually use keeps the rule narrow; if the servers instead use the firewall's own DNS forwarder, the destination is the DMZ interface address rather than an external server.
    1. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of primary DNS server
    2. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of secondary DNS server
  4. To allow your servers to use a remote time server, open port 123:
    1. Allow UDP 123 (NTP) from DMZ subnet to IP of remote time server
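
As an added example that is not part of this page or of pfSense itself, the following Python script models the matching behaviour described in the caveats (incoming interface, first match wins, default deny, replies carried by state) and loads it with both the LAN and the DMZ rulesets from the two procedures above, so you can see which flows pass and which are dropped before entering anything in the webGUI. The subnets, the remote RDP, DNS and NTP addresses and the sample flows are constructed (RFC 5737 documentation ranges); the NetBIOS rules use the protocol each port actually carries (UDP for 137 and 138, TCP for 139).

```python
"""Added example, not pfSense code: a small model of pf/pfSense rule matching
loaded with the LAN and DMZ rulesets described on this page.

Modelled semantics: a packet is checked only against the rules of the interface
it enters on; rules are evaluated top-down and the first match wins (pfSense
applies 'quick' to every GUI rule); no match means the packet is dropped; only
the first packet of a connection is checked, replies ride on the state.
Subnets, remote hosts and flows are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # constructed example subnets
DMZ = ip_network("192.168.2.0/24")
ANY = ip_network("0.0.0.0/0")               # 'any' destination
REMOTE_RDP = ip_network("203.0.113.10/32")  # 'ip of remote server'
DNS1 = ip_network("198.51.100.1/32")        # 'ip of primary DNS server'
DNS2 = ip_network("198.51.100.2/32")        # 'ip of secondary DNS server'
NTP = ip_network("198.51.100.123/32")       # 'ip of remote time server'
DEFAULT_DENY = "implicit default deny"


@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    protos: tuple  # ("tcp",), ("udp",), ("tcp", "udp") or ("any",)
    src: object    # ip_network the source must fall in
    dst: object    # ip_network the destination must fall in
    dport: object  # destination port, None for any port
    descr: str

    def matches(self, proto, src, dst, dport):
        return ((self.protos == ("any",) or proto in self.protos)
                and src in self.src and dst in self.dst
                and (self.dport is None or dport == self.dport))


def allow(proto, src, dst, dport, descr):
    """Pass rule; proto is 'tcp', 'udp', 'tcp/udp' or 'any'."""
    return Rule("pass", tuple(proto.split("/")), src, dst, dport, descr)


# Rules per interface in GUI order. WAN has none, so unsolicited inbound
# traffic from the Internet hits the default deny.
RULES = {
    "lan": [  # step 1: the "Default LAN > any" rule has been removed
        allow("tcp", LAN, ANY, 80, "HTTP"),
        allow("tcp", LAN, ANY, 443, "HTTPS"),
        allow("tcp", LAN, ANY, 21, "FTP control channel"),
        allow("tcp", LAN, ANY, 25, "SMTP"),
        allow("tcp", LAN, ANY, 110, "POP3"),
        allow("tcp", LAN, ANY, 143, "IMAP"),
        allow("tcp/udp", LAN, REMOTE_RDP, 3389, "RDP to one remote server"),
        # Windows file sharing LAN -> DMZ, with the protocol each port really uses
        allow("udp", LAN, DMZ, 137, "NetBIOS name service"),
        allow("udp", LAN, DMZ, 138, "NetBIOS datagram service"),
        allow("tcp", LAN, DMZ, 139, "NetBIOS session service"),
        allow("tcp", LAN, DMZ, 445, "Microsoft-DS (SMB)"),
    ],
    "dmz": [  # OPT interfaces start empty, so only these pass
        allow("tcp", DMZ, ANY, 80, "HTTP"),
        allow("tcp/udp", DMZ, DNS1, 53, "DNS to primary server"),
        allow("tcp/udp", DMZ, DNS2, 53, "DNS to secondary server"),
        allow("udp", DMZ, NTP, 123, "NTP"),
    ],
    "wan": [],
}


def ingress_interface(src):
    """Interface a packet with this source address enters the firewall on."""
    src = ip_address(src)
    return "lan" if src in LAN else "dmz" if src in DMZ else "wan"


def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation of one interface's list -> (verdict, reason)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.descr
    return "block", DEFAULT_DENY


def check(proto, src, dst, dport, rules=RULES):
    """Classify a flow's first packet -> (ingress interface, verdict, reason)."""
    iface = ingress_interface(src)
    return (iface,) + evaluate(rules[iface], proto, src, dst, dport)


def with_default_lan_rule():
    """RULES with the stock 'Default LAN > any' rule left at the top of LAN:
    it matches first, so every narrower rule below it is unreachable."""
    default = allow("any", LAN, ANY, None, "Default LAN > any")
    return {**RULES, "lan": [default] + RULES["lan"]}


if __name__ == "__main__":
    for flow in [("tcp", "192.168.1.10", "192.0.2.80", 80),     # LAN web browsing
                 ("udp", "192.168.1.10", "192.168.1.1", 53),    # LAN DNS: no rule!
                 ("tcp", "192.168.1.10", "192.168.2.20", 445),  # LAN -> DMZ share
                 ("tcp", "192.168.2.20", "192.168.1.10", 445),  # DMZ -> LAN share
                 ("udp", "192.168.2.20", "198.51.100.9", 53),   # DMZ DNS elsewhere
                 ("tcp", "203.0.113.10", "192.168.1.10", 3389)]:  # inbound RDP
        print(flow, "->", check(*flow))
    ssh = ("tcp", "192.168.1.10", "192.0.2.80", 22)
    print("ssh out, lockdown:", check(*ssh)[1], "| with Default LAN > any:",
          check(*ssh, with_default_lan_rule())[1])
```

Running it prints a verdict per flow. Three results are worth noticing: a LAN host's DNS lookup is dropped because the LAN procedure contains no port 53 rule; a DMZ host cannot open SMB to the LAN even though the reverse direction is allowed, because the LAN rules are never consulted for traffic entering on the DMZ; and with the stock "Default LAN > any" rule left at the top, outbound ssh from the LAN passes again, which is why step 1 of the LAN procedure removes it.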