pfSense: Configuring NAT and Firewall Rules

pfSense 2 Cookbook

A practical, example-driven guide to configuring even the most advanced features of pfSense 2.0

by Matt Williamson | July 2011 | Cookbooks Open Source

pfSense is an open source, FreeBSD-based firewall distribution which provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options.

In this article by Matt Williamson, author of pfSense 2 Cookbook, we will cover:

  • Creating an alias
  • Creating a NAT port forward rule
  • Creating a firewall rule
  • Creating a schedule
  • Remote desktop access, a complete example

 


Introduction

The core functionality of any firewall involves creating port forward and firewall security rules, and pfSense is no different. These core features, plus others, can all be found on the main Firewall menu of the pfSense web interface.

This article explains how to configure these rules and the features associated with them. Once you've done a few, you'll realize just how easy it is with pfSense.

Creating an alias

This recipe describes how to use, create, edit, and delete aliases. Aliases provide a degree of separation between our rules and values that may change in the future (for example, IP addresses, ports, and so on). It's best to use aliases whenever possible.

How to do it...

  1. Browse to Firewall | Aliases.
  2. Click on the "plus" button to add a new alias.
  3. Add a Name for the alias.
  4. Add an optional Description.
  5. Select an alias Type and finish the configuration based on that selection.
    See the following There's more section for details on each alias type (Hosts, Networks, Ports, OpenVPN Users, URL, and URL Table).

  6. Save the changes.
  7. Apply changes, if necessary.

How it works...

An alias is a placeholder (that is, a variable) for information that may change. A host alias is a good example; we can create a host alias called Computer1 and have it store an IP address of 192.168.1.200.

We can then create firewall and NAT rules that use the Computer1 alias instead of explicitly specifying the IP address of Computer1, which may change. If the IP address of Computer1 does change, then we simply edit the alias instead of modifying numerous rules.

Aliases allow for the flexibility and simplification of future changes. It's best to use aliases whenever possible.

There's more...

Adding aliases within aliases is a great way to manage and simplify rules. To illustrate the power of aliases, let's say our organization has a single VoIP phone that must be allowed to communicate with our VoIP server.

Such a rule can be written three ways: without aliases, using aliases, or using sub-aliases. Sub-aliases will allow us to easily add more phones by simply modifying an alias.

Host alias

Selecting Host(s) as an alias Type allows you to create an alias that holds one or more IP addresses.

Network alias

Selecting Network(s) as an alias Type allows you to create an alias that holds one or more networks (that is, ranges of IP addresses).

Port alias

Selecting Port(s) as an alias Type allows you to create an alias that holds one or more ports.

OpenVPN Users alias

Selecting OpenVPN Users as an alias Type allows you to create an alias that holds one or more OpenVPN usernames.

URL alias

Selecting URL as an alias Type allows you to create an alias that holds one or more URLs.

URL Table alias

Selecting URL Table as an alias Type allows you to create an alias that holds a single URL pointing to a large list of addresses. This can be especially helpful when you need to import a large list of IPs and/or subnets.

Using an alias

Aliases can be used anywhere you see a red textbox. Simply begin typing and pfSense will display any available aliases that match the text you've entered.

Alias auto-complete is context aware. For example, if the textbox requires a port number then pfSense will only display port alias matches.
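As an added example (not code from the book or from the pfSense project), here is a small Python model of the alias behaviour described in this recipe: typed aliases, aliases nested inside other aliases, the context-aware type check that auto-complete performs, and a single alias edit updating every rule that references it. The alias names, addresses and ports are constructed for the example.

```python
"""Added example, not code from the pfSense 2 Cookbook: a small model of how
pfSense aliases behave. An alias is a typed, named placeholder (hosts,
networks or ports) that rules reference by name; an alias may contain other
aliases of the same type, and editing one alias changes every rule that
references it. All alias names and addresses below are constructed."""
import ipaddress

# Constructed alias table: name -> (type, entries). An entry is either a
# literal value or the name of another alias of the same type.
ALIASES = {
    "Computer1":  ("host",    ["192.168.1.200"]),
    "VoIPServer": ("host",    ["192.168.1.10"]),
    "Phone1":     ("host",    ["192.168.1.101"]),
    "Phone2":     ("host",    ["192.168.1.102"]),
    "VoIPPhones": ("host",    ["Phone1", "Phone2"]),       # alias of aliases
    "OfficeLAN":  ("network", ["192.168.1.0/24"]),
    "SIPPorts":   ("port",    ["5060", "5061", "10000:20000"]),
    "WebPorts":   ("port",    ["80", "443"]),
}


def resolve(name, expect_type=None, _path=()):
    """Expand an alias, recursively, into the set of literal entries it holds.

    The type check mirrors pfSense's context-aware auto-complete: a port
    textbox only accepts port aliases, a host textbox only host aliases.
    _path guards against an alias that (indirectly) contains itself."""
    if name in _path:
        raise ValueError("alias loop through %r" % name)
    if name not in ALIASES:
        raise KeyError("unknown alias %r" % name)
    atype, entries = ALIASES[name]
    if expect_type is not None and atype != expect_type:
        raise TypeError("%r is a %s alias, %s expected" % (name, atype, expect_type))
    literals = set()
    for entry in entries:
        if entry in ALIASES:                       # nested alias: recurse
            literals |= resolve(entry, atype, _path + (name,))
        else:
            literals.add(entry)
    return literals


def ip_matches(ip, alias_name):
    """True if ip falls inside any host or network held by the alias."""
    if ALIASES[alias_name][0] not in ("host", "network"):
        raise TypeError("%r is not a host or network alias" % alias_name)
    addr = ipaddress.ip_address(ip)
    for entry in resolve(alias_name):
        # A bare host becomes a /32 (or /128) network; strict=False also
        # tolerates a network written with host bits set.
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def port_matches(port, alias_name):
    """True if port is one of, or inside a range of, the alias's ports.
    pfSense writes a port range as low:high."""
    for entry in resolve(alias_name, "port"):
        low, _, high = entry.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False


def add_phone(name, ip):
    """Adding a phone is an alias edit, not a rule edit: register the new host
    and append it to the VoIPPhones sub-alias. Every rule that references
    VoIPPhones picks it up without being touched."""
    ALIASES[name] = ("host", [ip])
    ALIASES["VoIPPhones"][1].append(name)


if __name__ == "__main__":
    print("VoIPPhones ->", sorted(resolve("VoIPPhones")))
    print("15000 in SIPPorts?", port_matches(15000, "SIPPorts"))
    add_phone("Phone3", "192.168.1.103")
    print("Phone3 in VoIPPhones?", ip_matches("192.168.1.103", "VoIPPhones"))
```

The loop guard matters in practice: an alias that references itself through a chain of sub-aliases would otherwise expand forever, and the type check is what stops a port alias from being dropped into a host field.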

Editing an alias

To modify an existing alias, follow these steps:

  1. Browse to Firewall | Aliases.
  2. Click on the edit button to edit an alias.
  3. Make the necessary changes.
  4. Save the changes.
  5. Apply the changes.

Deleting an alias

To remove an existing alias, follow these steps:

  1. Browse to Firewall | Aliases.
  2. Click the delete button to delete an alias.
  3. Save the changes.
  4. Apply the changes.

Bulk-importing aliases

To import a list of multiple IP addresses, follow these steps:

  1. Browse to Firewall | Aliases.
  2. Click on the import button to bulk import aliases.
  3. Provide an Alias Name.
  4. Provide an optional Description.
  5. Paste a list of IP addresses, one per line, in the Aliases to Import textbox.
  6. Save the changes.
  7. Apply the changes.

Creating a NAT port forward rule

This recipe describes how to create, edit, and delete port forward rules.

Getting ready

The complexity of port forward rules can vary greatly. Every aspect of a port forward rule is detailed in the following There's more section, so for the sake of simplicity the following is an example of a typical port forward scenario. We will create a port forward rule to forward any incoming web requests (HTTP) to a computer we've configured as a web server.

How to do it...

  1. Browse to Firewall | NAT.
  2. Select the Port Forward tab.
  3. Click on the "plus" button to create a new NAT port forward rule.
  4. For Destination port range, choose HTTP for the from and to drop-down boxes.
  5. For Redirect target IP specify the web server this traffic will be forwarded to, by alias or IP address.
  6. For Redirect target Port choose HTTP.
  7. Add a Description, such as Forward HTTP to webserver1.
  8. Save the changes.
  9. Apply the changes.

    By default, a firewall rule is created to allow the forwarded traffic to pass, but it's vital to remember that NAT and firewall rules are distinct and separate. NAT rules forward traffic, while firewall rules block or allow traffic. Remember, just because a NAT rule is forwarding traffic doesn't necessarily mean the firewall rules will allow it.

How it works...

All traffic passes through the list of NAT rules, with the following criteria:

  • Interface
  • Protocol
  • Source and Source port range
  • Destination and Destination port range

If a packet matches all of a rule's criteria, that traffic will be redirected to the Redirect target IP and Redirect target port specified.

Like all rules in pfSense, NAT rules are evaluated from the top down. The first rule to match is executed immediately and the rest are skipped.

Our specific examples can be read as:

Traffic from:

  • The Internet (Interface: WAN)
  • From any client (Source) on any port (Source Port Range)

Traveling to:

  • Our public IP address (Destination WAN address)
  • With a website request (Protocol: TCP, Destination Port Range: HTTP)

Will be redirected to:

  • A particular computer (Redirect Target IP: Webserver1)
  • With the same request (Protocol: TCP, Redirect Target Port: HTTP).

There's more...

NAT rules can be configured using a variety of options; the details of each are as follows (bold items are generally the only ones which need to be modified):

  • Disabled: Enable or disable a NAT rule by checking this box.
  • No RDR (NOT): Enabling this option will disable traffic redirection.
  • Interface: Specify the interface for this NAT rule (usually WAN).
  • Protocol: Specify the protocol for this NAT rule. Typically TCP, UDP, or TCP/UDP is specified, but GRE and ESP exist as well.
  • Source: Typically the source is left to the default value of any, but you can specify a specific source if needed.
  • Source Port Range: Generally Source Port Range is left to the default value of any, but you can specify the ports if needed.
  • Destination: Most often, the Destination is left to the default value of the WAN address (that is your public IP address), but an alternative can be chosen if necessary.
  • Destination Port Range: This is the port the traffic will be requesting. If we're forwarding web traffic, we would select HTTP, which is so common that it's built into the drop-down list, but choosing (other) and specifying port 80 would work just the same. If specifying a custom port (let's say we want to forward torrent traffic on port 46635), remember to use an alias!
  • Redirect Target IP: This is the IP address of the internal computer we will forward traffic to. Remember to use an alias!
  • Redirect Target Port: This is the port of the computer specified previously that traffic will be forwarded to. Remember to use an alias!
  • Description: The description provided here will be copied into any firewall rules (and preceded by the word "NAT") that are automatically generated.
  • No XMLRPC Sync: Enable this option to prevent this rule from being applied to any redundant firewalls using CARP.
  • NAT Reflection: Using system default is almost always the case, but NAT Reflection can be enabled or disabled as per rule, if needed.
  • Filter Rule Association: A firewall rule will automatically be created and associated to this NAT rule.

Port redirection

A true port forwarding rule will pass traffic to an internal machine on the same port that was requested (that is, the Destination port range and Redirect target port will match). However, there's nothing stopping you from redirecting to a different port if you'd like. There are two typical reasons for doing so:

  • Security Through Obscurity: Everyone knows that the standard HTTP port is 80, but suppose you have a "secret" website which you don't want to be accessed easily. You can set the Destination Port Range to some obscure port (for example, 54321) and forward that to your internal web server's standard HTTP port 80. Users will have to know to browse to http://www.example.com:54321 in order to access it.
  • Single Public IP Address: Smaller environments with only a single public IP address may find themselves stuck if they want to expose a lot of public services. For example, "I want to remote into 2 different machines, but I only have 1 public IP address." With port redirection, we'll create two different NAT rules. The first will redirect port 50001 to Computer1 on MSRDP (port 3389) and the second will redirect port 50002 to Computer2 on MSRDP (port 3389). You can then remote into different machines using a single IP by specifying particular ports (for example, example.com:50001, example.com:50002, and so on).

Creating a firewall rule

This recipe describes how to create a firewall rule.

Getting ready

As an example, we will create a firewall rule to allow the web traffic forwarded in by the NAT port forward rule we created in the previous recipe. If you've been following along, you'll know that the previous recipe automatically created the firewall rule we need, but instead we could have specified None for Filter Rule Association and used this recipe to create the rule ourselves.

How to do it...

  1. Browse to Firewall | Rules.
  2. Select the WAN tab.
  3. Click on the "plus" button to create a new firewall rule.
  4. Specify the WAN Interface.
  5. Specify the TCP Protocol.
  6. Specify any as the Source.
  7. Specify any as the Source Port Range.
  8. Specify Webserver1 as our Destination.
  9. Specify HTTP as our Destination Port Range.
  10. Specify a Description.
  11. Save the changes.
  12. Apply changes.


How it works...

All traffic passes through the list of firewall rules. If a packet matches all of a rule's criteria, that rule will be executed (the packet will be allowed or denied).

Like all rules in pfSense, firewall rules are evaluated from the top down. The first rule to match is executed immediately and the rest are skipped. See the following Ordering Firewall Rules section for more information.

This rule can be read as: "Any port from any client on the Internet is allowed to access our web server's port 80".
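To make the NAT-then-filter flow concrete, here is an added Python model (not the book's code and not pfSense's) of how an inbound WAN packet is processed, covering the NAT "How it works" and port redirection notes in the previous recipe as well as the firewall rule evaluation in this one: the port forward list is walked top down and the first match rewrites the destination, then the firewall rule list is walked the same way on the rewritten packet, with no match meaning block. It also models the pass rule that Filter Rule Association generates from a NAT rule, including the Source being copied from the NAT rule. The public IP, internal hosts, rule values and client addresses are constructed.

```python
"""Added example, not code from the pfSense 2 Cookbook: a model of how pfSense
processes an inbound packet on WAN. Port-forward (NAT) rules are walked top
down and the first match rewrites the destination; the rewritten packet then
goes through the firewall rules, where again the first match decides and no
match means block. Addresses and rule values are constructed."""
from dataclasses import dataclass, replace

WAN_ADDRESS = "203.0.113.10"        # constructed public IP (RFC 5737 range)
ANY_PORT = (1, 65535)


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    iface: str
    proto: str
    dst: str                 # "WAN address" or a literal IP
    dport: tuple             # Destination port range (from, to)
    target_ip: str           # Redirect target IP
    target_port: int         # Redirect target port
    src: str = "any"         # Source; an office IP restricts who is forwarded
    disabled: bool = False


@dataclass(frozen=True)
class FilterRule:
    action: str              # "pass", "block" or "reject"
    iface: str
    proto: str
    src: str
    dst: str
    dport: tuple
    sport: tuple = ANY_PORT  # Source port range: almost always any
    description: str = ""


def _addr_ok(want, have):
    if want == "any":
        return True
    if want == "WAN address":
        return have == WAN_ADDRESS
    return want == have


def _port_ok(rng, port):
    return rng[0] <= port <= rng[1]


def apply_nat(pkt, nat_rules):
    """First matching enabled NAT rule rewrites dst/dport. Being forwarded
    says nothing about being allowed; that is the filter's job."""
    for r in nat_rules:
        if r.disabled:
            continue
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and _addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)
                and _port_ok(r.dport, pkt.dport)):
            return replace(pkt, dst=r.target_ip, dport=r.target_port)
    return pkt


def filter_packet(pkt, filter_rules):
    """First matching firewall rule decides; no match means block, which is
    pfSense's default for traffic arriving on WAN."""
    for r in filter_rules:
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and _addr_ok(r.src, pkt.src) and _port_ok(r.sport, pkt.sport)
                and _addr_ok(r.dst, pkt.dst) and _port_ok(r.dport, pkt.dport)):
            return r.action
    return "block"


def inbound(pkt, nat_rules, filter_rules):
    """Full path for an inbound WAN packet: NAT first, then the filter.
    Returns (final destination IP, final destination port, verdict)."""
    fwd = apply_nat(pkt, nat_rules)
    return fwd.dst, fwd.dport, filter_packet(fwd, filter_rules)


def associated_filter_rule(nat, description):
    """The pass rule Filter Rule Association generates for a NAT rule: same
    interface and protocol, destination is the redirect target, and the
    source is copied from the NAT rule, so restricting the NAT source also
    restricts the firewall rule."""
    return FilterRule("pass", nat.iface, nat.proto, nat.src, nat.target_ip,
                      (nat.target_port, nat.target_port),
                      description="NAT " + description)


# Constructed rule set for the article's scenarios.
HTTP_FWD = NatRule("WAN", "tcp", "WAN address", (80, 80), "192.168.1.50", 80)
RDP1_FWD = NatRule("WAN", "tcp", "WAN address", (50001, 50001), "192.168.1.200", 3389)
RDP2_FWD = NatRule("WAN", "tcp", "WAN address", (50002, 50002), "192.168.1.201", 3389)
NAT_RULES = [HTTP_FWD, RDP1_FWD, RDP2_FWD]

# Only the first two forwards have an associated pass rule; the third was
# created with Filter Rule Association set to None and nobody added one.
FILTER_RULES = [
    associated_filter_rule(HTTP_FWD, "Forward HTTP to webserver1"),
    associated_filter_rule(RDP1_FWD, "Forward RDP to Computer1"),
]


def client(dport, src="198.51.100.7"):
    """A constructed Internet client hitting our public IP on dport."""
    return Packet("WAN", "tcp", src, 51515, WAN_ADDRESS, dport)


if __name__ == "__main__":
    for port in (80, 50001, 50002, 22):
        print(port, "->", inbound(client(port), NAT_RULES, FILTER_RULES))
```

Running it shows the two points worth remembering: the forward on port 50002 is rewritten to Computer2's port 3389 and then dropped by the filter because no pass rule exists for it, and a pass rule that specifies a Source Port Range never matches a real client, whose source port is an ephemeral value the client picked.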

There's more...

Firewall rules are highly configurable. Details of each firewall rule option are as follows:

  • Action: The type of action defined will be enforced if the rule is matched.
    • Pass: If all the criteria match, the packet will be allowed to pass.
    • Block: If all the criteria match, the packet will not be allowed to pass (some refer to this as a silent drop).
    • Reject: If all the criteria match, the packet will be returned to the sender.
  • Disabled: Disable a rule without having to delete it entirely.
  • Interface: Traffic originating from the specified interface will be subject to this rule. This is typically the WAN.
  • Protocol: Specify the protocol to be matched; this varies depending on the type of traffic this rule defines.
  • Source: This is typically any when referring to incoming traffic.
  • Source Port Range: This is typically any when referring to incoming traffic.
  • Destination: This is typically the alias or IP address of computer which is servicing this traffic.
  • Destination Port Range: This is typically the specific port of the computer which is servicing this traffic.
  • Log: Enable logging to record packets that match this rule.
  • Description: Enter meaningful descriptions that will make it easier to understand the rule.

We rarely know the source port!

When specifying rules, it's important to remember that the Source Port Range is almost always set to any. People often make the mistake of specifying a Source Port Range when they shouldn't. Remember, when you request a website, you are requesting port 80 on someone else's computer and your computer decides what port to open on yours. This is your source port, an ever-changing port which you probably never know about. So 99 percent of the time, we won't know the Source Port Range of the traffic we are allowing in.

Ordering firewall rules

pfSense rules are always evaluated from the top down. The first rule to match is executed and the rest of the rules are skipped. Many administrators will include very specific rules at the top and more generic rules at the bottom. To reorder a rule, select the rule and then click the appropriate "move selected rules before this rule" button.

Duplicating a firewall rule

Often, we may want to create a new rule that's very similar to an existing rule. To save time, we can create a new rule that's pre-filled with the same options as an existing rule by clicking the "plus" button:


Advanced features

New to pfSense 2.0 is the firewall rule Advanced Features section. Each of the following features can be specified as criteria for a rule. If an advanced feature is specified, the rule will only be executed if a match is found. Click on the Advanced button to display the following configuration settings for each feature:

  1. Source OS: This option will attempt to match the operating system of the source traffic.
  2. Diffserv Code Point: Diffserv is a mechanism for providing Quality of Service (QoS) for network traffic. Systems can prioritize traffic based on their code point values.
  3. Advanced Options: Allows for the specification of advanced IP options.
  4. TCP Flags: Specific TCP flags may be set here.
  5. State Type: Specify a particular state tracking mechanism.
  6. No XMLRPC Sync: Prevent a rule from syncing with the other CARP members.
  7. Schedule: Specify the schedule for when this rule is valid. Schedules defined in Firewall | Schedules will appear here.
  8. Gateway: Gateways other than the default may be specified here.
  9. In/Out: Specify alternative queues and virtual interfaces.
  10. Ackqueue/Queue: Specify alternative acknowledge queues.
  11. Layer7: Specify an alternative Layer7 container.


Creating a schedule

This recipe describes how to create a schedule.

Getting ready

Schedules allow us to specify when rules are enabled. They are primarily used with firewall rules, but their generic design allows them to be used with other existing and future pfSense features. If a firewall rule specifies a schedule, the rule is only enabled during that time period. In the following example, we'll define a schedule for our normal 9am-5pm work hours.

When creating schedules, it's essential to have your NTP time-sync settings properly configured against a reliable server. Also be aware of time-zone differences and daylight saving time.

How to do it...

  1. Browse to Firewall | Schedules.
  2. Click the "plus" button to create a new schedule.
  3. Enter a Schedule Name, such as WorkHours.
  4. Enter a Description, such as Regular work week hours.
  5. In the Month section, click on Mon, Tue, Wed, Thu, and Fri to select all the days of the work week.
  6. Specify 9 am as the Start Time and 5 pm as the Stop Time.
  7. Enter a Time Range Description, such as Monday-Friday 9am-5pm.
  8. Click on Add Time.
  9. Note that the repeating time is added to Configured Ranges.
  10. Save the changes.
  11. Apply the changes, if necessary.

How it works...

Features associated with a schedule will only be valid during the schedule specified. To associate a firewall rule with the schedule we've just created:

  1. Edit an existing firewall rule, or create a new one.
  2. Click the Schedule Advanced button to show the scheduling options.
  3. Choose WorkHours as our Schedule.
  4. Save the changes.
  5. Apply the changes.

There's more...

Icons exist throughout the system to help determine at a glance if a schedule is active or not:

  • Firewall | Schedules: Active schedules show a "clock" icon.
  • Firewall | Rules: Rules with active schedules (meaning the rules which are enabled) show a "green arrow" in the schedule column. Rules with inactive schedules (meaning the rules which are disabled) show a "red x" in the schedule column.

Selecting days or days of the week

The Month section works in two ways:

  • Selecting specific days: Switch to the correct month and click on the specific day (the year is irrelevant; any days selected will repeat every year).
  • Selecting days of the week: Click on the day of the week heading link (the month is irrelevant; the day of the week will always repeat).

Remote desktop access, a complete example

This recipe describes how to access an internal machine using Microsoft's Remote Desktop Protocol (RDP).

Getting ready

The purpose of this recipe is to demonstrate a typical firewall task from start to finish. The following example will demonstrate how to remote into an internal machine from anywhere on the Internet. Doing so requires the configuration of the following features, which have all been covered in recipes in the article, pfSense: Configuring DHCP Server and Dynamic DNS Services:

  • DHCP Server
  • DHCP static mappings
  • DNS Forwarder
  • Aliases
  • NAT port forwarding
  • Firewall rules
  • Schedules

How to do it...

  1. Let's connect a computer to our network.
  2. Browse to Status | DHCP Leases to find the newly added computer. Click on the "plus" button to assign a new static mapping for the device.
  3. Let's assign it a static IP address of 192.168.1.200 and call it laptop1.
  4. Let's make sure our DNS Forwarder is configured to automatically serve static mappings at Services | DNS Forwarder, so that we can easily reference our laptop computer by name.
  5. Let's create an alias to be used when referencing this machine within pfSense from Firewall | Aliases.
  6. Let's create a schedule at Firewall | Schedules so that remote access is only enabled while we're at work, since that's when we intend to use it. Also, we can rest a little easier that it's not susceptible to attack while we're sleeping.
  7. Let's create a NAT rule to forward all remote desktop (RDP) requests to our laptop from Firewall | NAT. From researching "remote desktop protocol" on the Internet, we know we are dealing with TCP port 3389 (pfSense includes a predefined MS RDP port because it's so common).
  8. Next, we need to add our schedule to the firewall rule that was automatically created from Firewall | Rules.
  9. Save all changes.
  10. Apply all changes, if necessary.

How it works...

Our NAT rule forwards all RDP requests to our laptop. The NAT rule is always enabled. Our firewall rule allows anyone to remote into our laptop, but only during work hours (Monday-Friday, 9am-5pm). At the time of writing this article, it's Sunday at 4 pm, so you can see the rule is correctly disabled.
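As an added example (not from the book or from pfSense), this Python model covers the schedule recipe above and the scheduled RDP rule in this one: a schedule made of weekday or specific-date time ranges, a firewall rule that is enabled only while its schedule is active, and the time-zone caveat, since a timestamp has to be converted to the firewall's own zone before it is compared with a local time range. The firewall is assumed to be on US Eastern daylight time (UTC-4) and the dates are constructed; the Sunday 4 pm check mirrors the observation above.

```python
"""Added example, not code from the pfSense 2 Cookbook: a model of a pfSense
schedule and of a firewall rule gated by one. A schedule holds time ranges
that recur either on days of the week or on specific month/day dates; a rule
with a schedule passes traffic only while a range is active. The comparison
happens in the firewall's own clock and time zone, which is why NTP and the
zone setting matter. Zone, names and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed: firewall assumed to run on US Eastern daylight time (UTC-4).
FIREWALL_TZ = timezone(timedelta(hours=-4), "EDT")


@dataclass(frozen=True)
class TimeRange:
    start: time
    stop: time
    weekdays: frozenset = frozenset()   # 0=Mon .. 6=Sun, repeats every week
    dates: frozenset = frozenset()      # (month, day) pairs, repeat every year

    def active(self, local):
        day_ok = (local.weekday() in self.weekdays
                  or (local.month, local.day) in self.dates)
        return day_ok and self.start <= local.time() < self.stop


@dataclass(frozen=True)
class Schedule:
    name: str
    ranges: tuple

    def active(self, now):
        """A timestamp carrying a zone (a UTC log line, say) is converted to
        firewall local time first; a naive datetime is taken to be local."""
        if now.tzinfo is None:
            now = now.replace(tzinfo=FIREWALL_TZ)
        local = now.astimezone(FIREWALL_TZ)
        return any(r.active(local) for r in self.ranges)


# The article's WorkHours schedule: Mon-Fri, 9am-5pm.
WORK_HOURS = Schedule("WorkHours", (
    TimeRange(time(9, 0), time(17, 0), weekdays=frozenset(range(5))),
))

# A specific-date range: the year is irrelevant, it repeats every year.
CHRISTMAS = Schedule("Christmas", (
    TimeRange(time(0, 0), time(23, 59), dates=frozenset({(12, 25)})),
))


def rule_enabled(schedule, now):
    """A firewall rule without a schedule is always enabled; with one, only
    while the schedule is active. The NAT forward itself is not scheduled."""
    return schedule is None or schedule.active(now)


def enabled_at(schedule, year, month, day, hour, minute, utc=False):
    """Convenience wrapper: build the instant in UTC or in firewall local time
    and ask whether a rule with this schedule is enabled then."""
    tz = timezone.utc if utc else FIREWALL_TZ
    return rule_enabled(schedule, datetime(year, month, day, hour, minute, tzinfo=tz))


if __name__ == "__main__":
    # 17 July 2011 is a Sunday: the RDP rule is correctly disabled at 4 pm.
    print("Sunday 4pm:", enabled_at(WORK_HOURS, 2011, 7, 17, 16, 0))
    print("Wednesday 10am:", enabled_at(WORK_HOURS, 2011, 7, 20, 10, 0))
    # 12:30 UTC is 08:30 at the firewall, so still outside WorkHours.
    print("Wednesday 12:30 UTC:", enabled_at(WORK_HOURS, 2011, 7, 20, 12, 30, utc=True))
```

The UTC case is the one that bites in practice: the same wall-clock reading is inside WorkHours when read as firewall local time and outside it when it is really a UTC timestamp, which is exactly the mismatch a wrong zone setting or an unsynchronised clock produces.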

There's more...

If we really wanted to tighten security, we could restrict external access to only our IP address at work. We would first create an alias for our office's IP address.

Then we would modify our firewall rule to only apply to requests coming from our company's IP address (remember, traffic that doesn't match any rules is blocked by default). However, with pfSense's Filter Rule Association, we won't be able to modify the Source of our firewall rule directly.

So, we'll modify the NAT rule instead. From Source, click on the Advanced option and specify the alias for our company's public IP address.

Then we'll double-check that those changes have propagated down to our firewall rule, which they have.

Summary

This article described how to configure NAT and firewall rules and the features associated with them.



About the Author

Matt Williamson

Matt Williamson is the founder of Blue Key Consulting, a computer systems design and development firm located in the New York City area. Before forming his consulting business, Matt developed software for a number of companies in the insurance and financial research industries. A long-time user of pfSense, Matt has incorporated pfSense in a number of roles throughout a variety of his own systems and those of his clients. His personal website and blog can be found at http://www.bunkerhollow.com.
