Tom here from Lawrence Systems, and a really popular question is: what are the firewall rules I need to properly and securely set up pfSense for my home? And I'm actually going to be saying "for my home" in the literal sense of my home: the rules I have in my house on my pfSense. Now, I should start with what is on my home network, because that's obviously very relevant; if you have more things, you may need to do things a little bit differently, but I do have the more common things that you see in a home. I do have a Plex server. Well, I've actually got an Emby server and a Plex server, because I kind of like Emby, but either way, a home media server. I also have a TrueNAS, and a NAS is something that's going to be a popular thing to see in the home because, you know, we've got to store all that media somewhere. I also have a Synology in my home. Now, Synology is really nice, and I use it for both media storage and photo backup, which I've covered in the Synology backup video, so if you're using this for your phone, I've covered that, and I've covered some of the other fun things you can do with Synology, especially the cameras. And yes, I have cameras at my house, another popular thing for home. But I've also talked about UniFi cameras, and you could substitute UniFi cameras and do the same rule sets that I have here; they're going to generally work the same. Now, I also have really not a lot else at my house: I have a Chromecast and some of the usual things. So I'm going to cover what goes on what network, because I think it's a really important aspect and something that's often overlooked. And one of those aspects is, of course, where does the phone go? I want to cover that part right away: this is an IoT device. I know there's some myth that it's not, because it's my personal phone and we like it so much and we should protect it from the bad people that may be outside of these firewall walls, but honestly, this is made to be in hostile environments. It's running some of the same or
similar software that some of the media casting devices run, and if you want to cast media or use it to control your Chromecast (that'll be an easy example), I highly recommend this be on that same network. Now let's start diving into and breaking down the actual network rules and functionality of it and how I have all this configured, and I'll talk a little bit about VPNs and rules and all that fun stuff. But first, if you want to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

Now, before we get to the rules, I wanted to cover very quickly here a basic rundown of what goes on what network, and this is all my opinion; feel free to disagree with me in the comments down below. The gaming systems, phones, guest devices, smart TV, IoT controller, Chromecast, and connections for Emby and Plex: I put all these in this particular network because I want to be able to stream media from Emby, Plex, or maybe my phone to my Chromecast. I actually recently got an Oculus Quest, and it's kind of cool that you can also stream that to the Chromecast. Having those on different subnets, while possible, adds more challenges, and sometimes there are updates that break them, because these devices are looking for things to be on that same network. And I do put these all in the NSFW, or "not safe for work," category, because this is where all the noise of these devices bouncing around goes. Guest devices doesn't necessarily mean guest network; this is more my friends who do have my Wi-Fi password for this network, because maybe they would like to share something, or we're playing a game together, or they bring their laptop over and we need to, you know, cast something to the Chromecast. And Sonos would be another example. I don't have a Sonos on my network,
but this is one of those things where this would go on that network, because you want to play music on your phone, and as I said, phones are IoT devices, so the phones go on here and you'll cast to different music devices. And I just put these all in one place right here. Now, the things these don't have access to we'll cover in the firewall rules in pfSense and how I set them up, but they're not allowed to talk to this network or this network, and I have specifically put blocks on those networks so it can't, from here, admin any of the other devices.

Then we have this right here, referred to as LTS Tom (Lawrence Technology Services, Tom's network). There's really just my work computer on it. That's it. It's really limited on here. We also have the admin interfaces for IPMI and network controllers; anything that admins the network goes on here. This is also essentially the base network. That is where my UniFi controller and my actual UniFi switches have their IP addresses; all that is locked down into here, any admin interfaces or SSH or any type of access for any of these. So even though I have connections for Emby and Plex over here, the Synology that this actually runs on has limited firewall connections, well, limited by firewall connections within the Synology, that actually has it inside of this network. So it can talk to Emby and Plex, and the same thing goes for my TrueNAS, but the admin interfaces are on this network. This is the extra layer of security: you can easily let all the people come over and visit and be on here, but if for some reason one of these systems goes rogue, or, as is always the fear that people have with IoT devices, the cloud sends some terrible command to them and makes them try to move laterally through your network, well, they're isolated to only finding the other devices over here. Now let's get down to the cam LAN down here.
Now, the camera one's actually really simple. It's not allowed to talk to the internet. These two can talk to the internet; this one can talk into the 172 network and talk to the 192 network, but not the reverse. The cam LAN network can be talked to from the 172 network, but that's it; it's not allowed to reach out to the internet. Once again, Synology has an interface in here, and this allows the cameras to talk to the Synology. I do have the ability, and we'll cover those rules in a second here, for the cameras to talk to the pfSense in a limited fashion in order to get NTP, because the cameras all being on the same time matters; you want all the timestamps and all that to be the same. So when you issue your DHCP, which we'll cover, you set all the cameras up to be this way, but without any internet access. So your worries of "what about the firmware? It's probably full of bugs and holes in these cameras": I absolutely agree, it's very likely it is. Not having any access, these only being able to talk to the Synology, and nothing on this 192.168.60 network getting any internet access means it's a mitigated risk at that point. They talk to the Synology server, and even if someone were to get on the network and try to exploit them, you can't do anything from this network; you can't leave this network to go to the internet.

Now, the first rules I want to start with are under Firewall, NAT, where I have no rules. I don't have anything forwarded for external access on my network because I do all of that via VPN. Now, mileage may vary for some people, I get it; there may be services you want externally accessible, and that's fine, but when you're trying to reduce to the most secure, it is not opening anything directly to the internet. If you really need to, obviously you need to and you can't get around it, but if you don't, start with: do you actually need it?
And then we go over here to Rules, because this is where I do allow it. Now, you can ignore these top three rules; these aren't really something home users need. This is just allowing the LTS office IP connections: the source is an alias of our public IP addresses, and it filters for those to allow access to, for example, the firewall admin interface and the Zabbix monitor. Not something a home user is going to need. But these two rules down here: this allows for WireGuard, and this allows for OpenVPN, because yes, I use both. I have WireGuard set up on my phone and OpenVPN on my computer here at the office, and it makes it really simple to get to all those services that I want to get to without having to deal with port forwards. VPNs are well tested; they've gone through code reviews, so they're a reasonably secure way to do it, and much more secure than opening up a random port to a device on the system that hopefully is patched against whatever problem. Obviously, there could be some flaw found in WireGuard or OpenVPN that would allow someone in, but it's just less likely to happen, and even so, finding your way in through one of those only gets you on the network, but only to the next layer, where there's another username and password prompt. That's just an idea for how to do that.

Over here, my NSFW LAN, "not safe for work" LAN. Now, the first thing we do is block the firewall, and we have firewall service ports set up as an alias. I set these up as an alias so that if I open up or load another service on pfSense that has another port open (the examples here are going to be 10443, which is my web admin, and 22 for SSH; another example might be if you load something like Darkstat or other services on here that open up ports), you can just add them to the alias, and because I use this same rule across different subnets,
it will apply the same, and I don't have to go edit a bunch of rules. That means all these different devices that connect to here, if something were to happen to them, they can't talk to the firewall admin ports. If a friend comes over and connects to the NSFW network, they cannot try to log into my pfSense or SSH into it. It's just blocked at that level. The next block, because the rules are top-down, so you have the block rules at the top: LTS Tom net, that's this network over here, and yes, we want this network to be blocked. So the source is this network, the destination is this network; if those two things are true, then we block it. Then we have the cam LAN. There's no reason for the NSFW network to talk to the camera network. Not needed, so you block that traffic as well. And I did a video on this: this is setting up a privacy VPN, so this is routed out over PIA. You create an alias, and I'll leave a link to a whole video on setting up privacy VPNs, and I can say anything I throw in this alias, route it out over that particular network. So you throw devices in there on an as-needed basis. And then once all those rules are matched, and anything that needed to go out through this particular VPN is going out through that VPN, the final rule, which is where everything else falls under: go ahead and allow it. And because it's at the bottom, it has to pass through all the rules that are on the top. Now, cameras. Cameras are a big topic. One,
I blocked, once again, the firewall service ports. Then we have the cam LAN net to cam LAN address. The cam LAN net to cam LAN address says: from the cam LAN network, and to the cam LAN address, which means the firewall itself, you're allowed to talk as long as it doesn't match these ports here. So you can talk to DNS. I could put an exclusion in for DNS, but it doesn't matter to me that the cameras have the ability to look up DNS, because it just doesn't matter to me, and if I ever needed to put certain DNS aliases in, I like having pfSense be the DNS. Having DNS resolution does not get them out to the internet, because this will not allow this to reach a destination up out on the internet. This does allow, though, the cameras to get their DHCP reservations and grab all that information, including NTP, which I have enabled under Services, NTP. I have this enabled inside of here, and this allows the cameras to stay in time synchronization. So it makes it really nice; they're all synchronized and working, and they have no access to the internet. Because those cameras, yes, I have a random grouping of cameras on there, and I'm positive the firmware has holes in it that have been discovered or are yet to be discovered, kind of depends, but because there's no way to get to these cameras, it's not really an issue. The only way to get to these cameras, and it's all on the same subnet, is that one of the network interfaces for the Synology has a static IP address within this network, and because it's all within the same subnet, that means it doesn't traverse the pfSense system itself, and everything stays on this network. So the cameras have no access, and nothing from NSFW LAN can talk to them, and I don't want to talk to them from the LTS Tom network. So there's not really much the cameras can do. Back over here. We'll cover this briefly.
This is testing, and outside of the scope of this. I usually create on my networks, and I have them at my office as well, the VLAN 1337, which is usually a locked-down network for testing, and I leave it with no rules by default. When I'm doing some lab demos, you may have seen that in a couple of demos where I'll put something on that particular network for whatever reason, and I create the rules on an as-needed basis. When I'm done with the project, just out of good security hygiene, I delete the rules, not to leave anything open to whatever I was testing there. So, out of scope of this.

Then here comes the LTS Tom network. LTS Tom says first: does anything on this network need to route out over PIA VPN? And I have the same rule, but these aliases only really apply because they're in the range of NSFW LAN. But that way the rule is the same, and if I have something on my network I want to send out that way, it's easy enough to do. The next one is simply an allow all, because of the lack of devices on here, other than, once again, the Synology. The Synology has four interfaces in total, so we've got one interface set up with an address in here, one set up with an address in here, and one set up with an address in here. It's not like I have to do any special rules for those. This allows all those devices to do what they're doing, and I put the firewall on the Synology itself to limit its ability to talk, even though it has a network in each of these. For example, the DSM interface is only accessible from the LTS Tom network.
It's not something I'm doing inside of here. It's something you could do: force everything through this by having everything routed, but then I would end up routing my cameras through it. For example, if I only had the Synology over here and my cameras were reached through here, this kind of puts an undue tax on the pfSense, where everything has to be routed through it. It's always best to keep things on their own subnet, and then for each device, and this also goes for my TrueNAS, where I have it limited in scope: it can only do admin things on the LTS Tom 172 network. It has an interface over here for file sharing, but there's no admin on it. So I've just locked that down. You just do that inside of each specific device; in the case of TrueNAS, you bind the management interface only to the network interfaces that are in each one of these subnets, just to keep it really simple. And that's really it. It's all about essentially following principles of least privilege: keep everything very narrow in scope. And because the only other things on here are all the different admin interfaces for the devices I have, I've narrowed down and kept limited the risk factor of what happens if something from the NSFW LAN goes rogue and tries lateral movement. Well, it only finds all the other NSFW things.
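The NSFW LAN, cam LAN and LTS Tom rule sets described above, modelled as an added example of how pfSense walks them (this is not Tom's actual configuration or pfSense code): rules are checked on the interface the traffic enters, top-down, first match wins, and an implicit default deny applies when nothing matches. The subnets and the .1 pfSense addresses are assumptions; only the 10443/22 alias and the 172 and 192.168.60 prefixes come from the video.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed subnets: the video only names the 172.x and 192.168.60.x prefixes.
NETS = {
    "NSFW": ip_network("192.168.50.0/24"),    # phones, guests, Chromecast, media
    "LTSTOM": ip_network("172.16.1.0/24"),    # work laptop and admin interfaces
    "CAMLAN": ip_network("192.168.60.0/24"),  # cameras plus a Synology interface
}
FW_ADDRS = {name: net[1] for name, net in NETS.items()}  # pfSense is .1 (assumed)
FIREWALL_SERVICE_PORTS = {10443, 22}  # the alias from the video: web admin, SSH
# action is "pass" or "block"; dst is a subnet name, "FW" (any pfSense address),
# "FW_IF" (pfSense address on the ingress interface) or "any"; ports None = any.
Rule = namedtuple("Rule", "action dst ports", defaults=[None])

# pfSense evaluates the ingress interface's rules top-down; first match wins.
RULESETS = {
    "NSFW": [
        Rule("block", "FW", FIREWALL_SERVICE_PORTS),  # no admin/SSH to pfSense
        Rule("block", "LTSTOM"),                      # cannot reach the admin net
        Rule("block", "CAMLAN"),                      # cannot reach the cameras
        Rule("pass", "any"),                          # everything else, incl. internet
    ],
    "CAMLAN": [
        Rule("block", "FW", FIREWALL_SERVICE_PORTS),
        Rule("pass", "FW_IF"),  # DNS, DHCP and NTP from pfSense on the cam LAN
        # no allow-all: pfSense's implicit default deny drops the rest
    ],
    "LTSTOM": [Rule("pass", "any")],
}

def interface_for(src):
    for name, net in NETS.items():
        if src in net:
            return name
    raise ValueError(f"{src} is not on a known subnet")

def matches(rule, iface, dst, port):
    if rule.ports is not None and port not in rule.ports:
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "FW":
        return dst in FW_ADDRS.values()
    if rule.dst == "FW_IF":
        return dst == FW_ADDRS[iface]
    return dst in NETS[rule.dst]

def evaluate(src, dst, port):
    # Returns "pass" or "block" for a new connection from src to dst:port.
    src, dst = ip_address(src), ip_address(dst)
    iface = interface_for(src)
    for rule in RULESETS[iface]:
        if matches(rule, iface, dst, port):
            return rule.action
    return "block"  # pfSense default deny when nothing matched
```

A camera asking its pfSense address for NTP on 123 gets "pass", while the same camera going to 8.8.8.8 on 123 gets "block", which is the isolation the video describes.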
It doesn't find firewall ports, it doesn't find the IPMI login interface for some of my devices that are all on the LTS Tom network, and the LTS Tom network really just has my work laptop on there for when I work from home. And it's, you know, kind of lonely and isolated there; it only has the other management devices to talk to, but that's perfectly fine, and that's good and secure.

Now, a few final things that I do have running: pfBlocker, which I've covered in previous videos. I've also covered Suricata. Now, when it comes to home, Suricata may be a little bit more extensive; it all depends on how much troubleshooting you want to go through. I'll leave a link to that video. But when you don't have any ports open, you're not trying to scan and filter for a series of inbound connections, so Suricata doesn't really have much to do on a home network like this, where it just has a lot of mostly encrypted outbound connections, which mostly makes it flag some false positives or just be blind to a lot of things going out there. So it's not something I necessarily recommend for home users.
It's a little overkill, not necessary, and not likely to be incredibly helpful from a home user standpoint. But if you are getting into security and network engineering, I think it'd be great to have from a learning experience. But if you're just a home user that wants to get things set up basic, set up secure, set up a couple of subnets, this is the way to do it. I do have other videos, and I will of course in the future make some newer ones to relate to changes in the latest version of pfSense and the latest version of UniFi, because yes, at home I am running UniFi switches and UniFi access points. So I have the videos that I'll link down below, either the latest ones or the older ones that I have, depending on when you're watching this video, that will give you an idea of how to set up VLANs in pfSense and different subnets and different networks. I have links down below to pfBlocker and Suricata, as I said. So hopefully this will kind of give you the building blocks to set up your network and get things secure. Leave your questions and comments down below and head over to the forums for a more in-depth discussion.
Thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.