Tom here for Lawrence Systems, and we're going to dive into pfSense firewall rules: some basics and some troubleshooting tips. Because, well, they aren't that hard once you know them, but of course there's always the learning curve. What seems to be easy, or when people say "oh, that seems so obvious now," it's because there were a few knowledge gaps. So my goal right now is to bridge some of those knowledge gaps.

Now, the good news is that what I talk about here are general firewall rules and may apply to more than just pfSense. Some of this is just general network engineering: the concepts of firewalls, how the rules work, and how traffic gets passed or stopped are fairly the same, and I'm going to talk a little during this about those differences. pfSense is my favorite firewall, as anyone who's watched the channel knows, so that's why I'm covering it specifically with pfSense. But as I said, these general rules are going to apply to more than just pfSense. This hopefully gives you a good idea of how it works, how you can do some troubleshooting, and how to dig through some of the logs and a couple of utilities, all of which are built into pfSense, to be able to troubleshoot this so you can figure out why something is or is not working.

Before we dive into that: if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a hire-us button right at the top. If you'd like to help keep this channel sponsor-free (and thank you to everyone who already has), there is a join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums at forums.lawrencesystems.com are where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now, back to our content.

All right, I am running this in my virtual lab for simplicity, because the number of connections on our primary pfSense, well, they're extensive, and sorting through a lot of connections is where you want to scale up to. But when you're sorting it out with a few connections, it makes it a lot easier to get started. So in my lab here, my main server is 192.168.3.152, and my laptop that I'm using to access it is on the WAN side. So we've opened up a port; normally you're going to be doing this, more than likely, at least from the inside of the network, and by default pfSense does not have any ports open. The defaults are very secure with pfSense: nothing's open. So we did change the default to open up the WAN in order for me to access it from my laptop. Now, the server is at 3.152 and my laptop is at 3.18, so you'll see that referenced quite a bit; I just want to get that out of the way first. Then in the back end of the lab here is my Debian box that is behind the pfSense. This is all attached via virtual network adapters; I have whole videos on using XCP-ng and getting started building a virtual lab for this. It has an IP address of 192.168.40.129, so this is the box behind the pfSense that will be the server host we'll be doing all the testing on.

They do have documentation, of course, at the Netgate docs, and I'll leave a link to this. It's just the firewall rule basics that they dive into, plus a few other pieces. I want to get you started with the basics, but there's actually quite a bit in here. And one thing of note, and this is where it applies to perhaps other firewalls, is floating rules. Now, pfSense takes each network interface you have and creates a firewall tab for it.
So when you go over to the Rules tab, you have a tab generated for each created interface, including OpenVPN (I don't have one in here). So that is where the rules start. Now, the default when you create new interfaces is no rules, and it will pass no traffic. This is actually the first troubleshooting tip: every time you create an interface, you have to at least create a pass rule to pass traffic, because the default is not to. So this is actually the out-of-the-box default for LAN: the "Default allow LAN to any" rule, because the LAN by default gets access to everything.

Now, the reason I brought up floating rules is that some firewalls don't use the term floating rule. A floating rule means a rule that can apply in a broader sense to all interfaces, in both directions. It's kind of an interesting advanced feature inside of pfSense, but in some firewalls that's how all rules are treated, on one giant page, and there can be arguments made back and forth for this. I prefer the method that pfSense and other firewall companies have chosen, where they create a list and you apply rules per interface; you still have an option to universally apply rules. But for doing large networks, and we've dealt with some of the firewalls that just dump it all on one page, some people say "well, you get this one single-pane view," and I'm like, "but you also have to have this large view every time you try to sort something out," so it becomes a little more complicated. I like that the rules are there per interface. Debate that all you want; this is how it is in pfSense. But that is what the floating rules are, and yes, you could create any of these rules as floating, but floating is more advanced. When I did my video on CAKE queues (you can search for this on my channel), you create that as a floating rule so it will apply to all interfaces; that's an example of one use for it. There are other times, like when I do the whole VPN rule where you want to take everything and wrap it in a VPN; that's a floating rule so you can apply it to multiple interfaces, including in my VPN kill switch video, once again a floating rule. So it doesn't matter what interface; it applies to all.

All right, back to the firewall basics here. The friend of the firewall basics is the logs; not enough people stop and look at them. That's the first question you're going to be asked every time you are new to pfSense and you post "hey, I can't get this to work": you almost immediately see someone go "where are your logs?", and a lot of times you find the answer in the logs. Now, one thing I've changed from default (and we're going to open this up in a new tab): I like the log shown in reverse order, and the default is 50 entries and I usually change it to 100. That's just so it lists out the logs a bit longer. So here: "Show log entries in reverse order (newest entries at the top)." I wish that was the default; that is at least something I should say that I do change all the time. That just makes it easier when I look at something and get a view. We'll actually just click it first without filtering, and there's your normal view, with all the log information at the top. Now by default it's also only going to be showing the firewall rules that log: it logs the denies, but it doesn't log the passes. You can change that; there's a little checkbox when you're creating a rule, so we'll talk about that when we get to the rule creation. But at the top here is a little filter, and we want to filter it to only things coming from my laptop, which is at 3.18. We could also do the other side, like destination IP address. What is the internal address? So we mentioned it, and right here is the SSH into it: 192.168.40.129. That's the VM box I have, and we could also, you know, look at rules related to that, and I believe we do this.
I don't know if there's anything in there right now. Yeah, probably not; it's not been denied anything. But this is where you're going to be able to go through and look for pass or block. Now by default, for all the rules, it's only logging the block. If you do choose to log pass, it does take up more resources to be able to dump these in here, so that's why it doesn't do it by default, because, well, you don't need all that logged. But you could also do that for troubleshooting purposes.

All right, so let's go ahead and look at the rules themselves; close that one. So take a look here at the WAN now. These are all rules I created. I have it on port 555, as you can see at the top, so I created a WAN rule to allow 555. I was playing with darkstat, so that's why 666 is open, and 222 is going directly to the firewall. And this is an auto-generated rule from the NAT. There's our IP address of the server. So, you know, I'm setting the destination to be "This Firewall," which means landing on the firewall's WAN IP address; if it has multiple, you can choose that. And for here we have a rule for landing on port 22, and then the NAT. Now, I'll cover that briefly; I have a separate video on how to do that. When you do that, that's under a separate tab, and that is actually really easy in pfSense because it auto-creates the rule. A lot of firewalls keep NATs separate and make you create the rules separately, and this is kind of an annoyance. Now, the home and consumer stuff doesn't do this, but a lot of the commercial stuff does: first you create a NAT translation rule, which means "hit this public-side IP address and bring it to this private-side IP address," and then you have to create a rule as well as a NAT translation. So the NAT translation is the redirect, and then the filter rule is the rule that says "all right, it comes here; allow it to go there."
So we'll edit this rule real quick and just walk through it. Interface: WAN (if we had more interfaces, you'd just pull down). Protocol: TCP. Destination: WAN address; if there was more than one address, you could choose that, like if there were multiple public IPs you can say a destination range. This is port 22 for SSH. Then we have the IP address 192.168.40.129; that's our Debian server back there. Redirect port now; this is a nice feature: what port it comes in on and what port it lands on can be different. Generally it's the same; if you have a web server on port 80 on the internal side and you have it on a different port on the other side, it can be different, but generally it is the same. It does allow for that as a use case. It also does ranges, and just so you know, when you're doing the range right here, if I start at 22 and put 30 here, it starts at whatever number I start here; there's not a second part, it automatically adds those other ranges. So if you're forwarding a range of ports, it does allow that. I put a description in, and it automatically creates the filter rule. This is what I'm after for the filter rule, and here you can hit "view rule" and I'm pivoted over to it. That's the rule that's auto-generated when you create a new NAT rule, so that's how those rules get in there. Like I said, I have a separate video where I cover NAT a little bit more in depth.

Now let's look at the LAN. This is the default anti-lockout rule, and what these are for is to keep you from locking yourself out of the pfSense. It's expected that you're going to admin pfSense from the LAN, so by default pfSense opens up the LAN addresses and allows you to get into the firewall.
So that's why we have an 80 as a redirect rule; that way, when you hit port 80, it redirects to whatever port you've moved it to or left it at default, which is 443. I do prefer to move it to a different port; we use 555 in this case for the web interface that we're looking at right now. 222 happens to be the SSH interface, so from the LAN side we can SSH into 222. Now, it does have the option to turn on, you know, blocking and things like that, and I have it open externally, but it's going to apply the blocking to any user attempts and things like that specifically for admin of the firewall via SSH. That is not open by default on the WAN, but when you open it you can turn on the blocking there; I won't get too in-depth on that. But this is why it's called the anti-lockout rule, and you notice there's not anything you can do but go to the settings page, and if you would like to disable the anti-lockout, that's right here. So those rules generally are left at default and are perfectly fine, because we assume the LAN is admin.

Now, when I created LAN2 (and I have a whole video about creating interfaces), there were no rules on here, so we created a couple of rules. Well, this one's technically wrong; I have it blocking 443. So let's fix that real quick. What this does is, by default when you create an allow rule, it is allowed to talk to the firewall. That may be a problem if you want this to be, let's say, a guest network. All right: block access to the firewall interface, and because I changed the port, 555. Save, apply. What that means is anything on LAN2 has now been denied access to port 555. What that does for you is say, "all right, here's LAN2, it's our guest network, and we don't want it to access the web interface on that particular machine." Matter of fact, if I were going to be more security conscious, we can create another rule that says block, so we'll actually do that real quick. We want to block TCP 666; 666, block access to darkstat.
I know I have darkstat set up on here on port 666, and it's listening on the firewall port, so this now will block access to that. Now, the rules are top-down. So if I were to do this and then hit save, apply, what I have now done is it's going to say "hey, you can do whatever as long as you're not matching LAN net." So this particular rule says allow traffic, but don't allow it to LAN. That's what the invert match is. Let me just show: so action pass, interface LAN2, address family IPv4, protocol any. Make sure of that, because when you create a rule, by default it defaults the protocol to TCP, so change it to any. This is another problem a lot of people run into: they create a rule to allow traffic, they don't change it to protocol any, and they'll only have TCP. Well, that actually means it'll partially work; some things will work but not all things, and the reason why is any TCP protocols will work, but all the other ones will start failing. But now what we've done is the destination is "as long as it's not LAN net." Now, another option in here: if you have a series of addresses, you can put aliases in. In terms of a guest network, you can put in, like, a list of RFC 1918 addresses, so you just block all private addresses. So a couple of different options there. I have a separate video as well on how to set up and build a secure network, and that's one of the ways I say to do it; I'll leave a link to that down below, as I have a lot of different topics on this, so I don't have to dive too deep into those.

So, the top-down: this is a lot of traffic, and this is that "log packets that are handled by this rule" checkbox. The default does not check it, but that's what will fill things up in the log, which is great for troubleshooting, bad if you don't have enough storage. So use that wisely in terms of, you know, how much you want to have dedicated to that. But the important thing is that this one needs to be on the bottom. We need all of the block rules to be starting at the top.
So deny, deny: you can't go there, you can't go there. Once it gets past those things, to confirm that that host is not trying to access the things that it's not allowed to access, then it hits the allow rule. So that's why the rules are in that order.

Now, a couple of little side notes here. Block rules: you can easily create this, and then we'll say add another separator, allow rules. Now, you don't have to do this; these are just separators that just look pretty, but when you're dealing with large networks it does help. We've got some companies with a lot of port forwards and a lot of special rules in place, and because of that you have, well, too many rules to look at to make it easy. So we group them all together, because each one is related to a different property they manage, with certain ports that need to be forwarded for different things. So it's kind of nice to be able to do that. These little dividers are certainly something to give you a visual appeal when you're setting up firewalls; it's a feature that, I'll note, doesn't make any functional difference. It's just a separator, literally to make it a little bit easier.

Now let's look at the firewall rules on LAN, where we'll do a little bit of testing and troubleshooting. So we have this that says the default allow to any rule; now, that means it can go wherever it wants. We can see all the states in there. So the state details: now, what a state is, is any time a host connects through the firewall it has to create a state. In that state it'll tell you how many creations it has, how many things are going on there, and you can click it and look specifically at the state tables related to that and filter them. Much better than filtering that, where you want to watch things, a little better would be watching it under pfTop.
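As an added illustration of the top-down, first-match evaluation described above and of the two pitfalls mentioned (an allow rule left at the default protocol TCP, and a block rule placed below the allow rule, as in the later ICMP example), here is a small model of the LAN2 guest rule set. This is example code written for this page, not pfSense's own code or anything from the video; the LAN subnet, the guest subnet and the firewall's interface addresses are assumed lab values, and the model ignores source address, direction and state tracking.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed lab values: "LAN net" and the addresses behind the "This Firewall" alias.
LAN_NET = ipaddress.ip_network("192.168.40.0/24")
THIS_FIREWALL = {"192.168.40.1", "192.168.50.1"}


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dst: Optional[str] = None        # None (any), "lan_net" or "this_firewall"
    dst_port: Optional[int] = None   # None matches every port
    invert_dst: bool = False         # the GUI "Invert match" checkbox on destination
    desc: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _dst_hit(rule: Rule, pkt: Packet) -> bool:
    """Destination match, with the invert flag flipping the result."""
    if rule.dst is None:
        hit = True
    elif rule.dst == "lan_net":
        hit = ipaddress.ip_address(pkt.dst) in LAN_NET
    elif rule.dst == "this_firewall":
        hit = pkt.dst in THIS_FIREWALL
    else:
        raise ValueError(f"unknown destination alias {rule.dst}")
    return hit != rule.invert_dst


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return _dst_hit(rule, pkt)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Rules are checked top down; first match wins; no match is the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.desc
    return "block", "default deny (no rule matched)"


# The LAN2 guest rule set from the walkthrough: blocks first, inverted allow last.
GUEST_RULES = [
    Rule("block", "tcp", "this_firewall", 555, desc="block access to firewall web UI"),
    Rule("block", "tcp", "this_firewall", 666, desc="block access to darkstat"),
    Rule("pass", "any", "lan_net", invert_dst=True, desc="allow anywhere except LAN net"),
]
# The common mistake: an allow rule left at the default protocol TCP.
TCP_ONLY_RULES = [Rule("pass", "tcp", desc="allow LAN2 to any (TCP only)")]


def guest_decisions() -> Dict[str, str]:
    """Constructed guest-host packets evaluated against GUEST_RULES."""
    probes = {
        "web_ui": Packet("tcp", "192.168.50.10", "192.168.50.1", 555),
        "dns_to_firewall": Packet("udp", "192.168.50.10", "192.168.50.1", 53),
        "https_internet": Packet("tcp", "192.168.50.10", "203.0.113.10", 443),
        "ssh_to_lan_host": Packet("tcp", "192.168.50.10", "192.168.40.129", 22),
        "ping_internet": Packet("icmp", "192.168.50.10", "203.0.113.1"),
    }
    return {name: evaluate(GUEST_RULES, p)[0] for name, p in probes.items()}


def tcp_only_decisions() -> Dict[str, str]:
    """Why a TCP-only allow rule 'partially works': UDP DNS and ICMP hit the default deny."""
    probes = {
        "https_internet": Packet("tcp", "192.168.50.10", "203.0.113.10", 443),
        "dns_udp": Packet("udp", "192.168.50.10", "203.0.113.53", 53),
        "ping": Packet("icmp", "192.168.50.10", "203.0.113.1"),
    }
    return {name: evaluate(TCP_ONLY_RULES, p)[0] for name, p in probes.items()}


def icmp_order_decisions() -> Tuple[str, str]:
    """Block-above-allow versus allow-above-block for a LAN ping."""
    ping = Packet("icmp", "192.168.40.129", "203.0.113.1")
    block_icmp = Rule("block", "icmp", desc="block ICMP")
    allow_any = Rule("pass", "any", desc="default allow LAN to any")
    return (evaluate([block_icmp, allow_any], ping)[0],
            evaluate([allow_any, block_icmp], ping)[0])
```

Note that the guest host can still reach the firewall's own address for DNS on port 53, while SSH to the LAN host 192.168.40.129 falls through to the default deny because the inverted allow does not match LAN net.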
pfTop is under Diagnostics > pfTop, and I've covered this in my troubleshooting video for pfSense. So if we just say just this host, I want to see what states this particular host has and what's going on. And because I'm SSH'd into it, you can see, and if I exit out, you have these states. So you have 192.168.40.129 on port 123 reaching out to a time server; 3.18, my laptop, is connecting in and landing on port 22. And you can see that this has now changed to a wait state because it's getting ready to close. Now the state tables: if we go ahead and SSH back into them, now we have active ones. So we have ESTABLISHED:ESTABLISHED. This is your excellent tool for troubleshooting what might be happening with any particular rules, whether or not those rules are working, whether or not things are coming across. I could filter right now; we're filtering for this host here, but we could also change it and say 192.168.3.18, and we can see what the host on the outside is doing. So you can use this with public IP addresses or private IP addresses. But this is one of the ways you can try to look at and figure out what the rules are doing. If you see nothing in here, that means there's no traffic passing through the firewall; that's another indicator of why something isn't working. You may have been too aggressive with your blocking rules and you've now blocked it from even getting out. People go, "well, it's not seeing the connection; is it the server or is it pfSense causing a problem?" That's where you would probably want to start, here at pfTop: is it creating an established state and losing it? Is a state dropping? What's happening?

Now, another note I'll make about rules, and this is another point of confusion that sometimes happens. So if we go over here, we're going to go Firewall > Rules > LAN. So we have the default allow rule, and we can even go here, like a NAT.
So this NAT rule says WAN address, and allow SSH; allow me to SSH into that virtual machine behind there. And there's of course the associated rule under Firewall > Rules > WAN; so here we go, allow remote access. Now, I can edit these rules, and we'll start editing them at the NAT level. Well, we can edit them either way; we're just going to turn it off, essentially. So we're going to go here: NAT, allow VM. So if you click it, now it's grayed out. We just took that rule down, but go back over here: we still see established. We go over here to the terminal: hey, look, I can still, um, get in here. I didn't stop my access. This is an important aspect of the way state tables are created. I've told pfSense "that's it, that rule is dead, you can't SSH back into the machine," but it does not automatically clear existing established state tables. So when we look over here, we see these established state tables. And let's go ahead and exit and try to SSH back in: it won't let me. And now we'll see these go to "they're getting ready to close"; they're at FIN_WAIT. So now this one's getting ready to close and it'll go away. This is one of those really important troubleshooting things: when you change a rule to stop something from happening but you still see it happening, you have to look at whether there are any established states. This is an important concept in there. So they will not automatically be cleared. Now, they can be cleared, because you can go over to Diagnostics > States, and you can even filter for that particular one. Filter, and we could actually forcibly... we're just going to clear these states right here. "Are you sure you want to clear this state?" Yep, I should run a clear state now. You can actually go in and reset all states, and that can just be a headache; that'll just stop everything. That's like an emergency move.
You don't necessarily want to do that, but it is an option there. So you can actually just drop all the state tables, kill all the states, or kill the filtered states with this right here. Matter of fact, if you kill them all and you're connected to the web interface, it'll also pause while your system reestablishes all the states. So that's kind of a good way to understand the state tables: once they're existing, they don't automatically die, but you can just nuke them, so to speak, without rebooting the firewall. But that's very disruptive to your users; that's the part to remember. They will reestablish, but if there were any phone calls going, anything going on behind that firewall, if you drop all state tables they may not reestablish without hanging up first, because everything kind of has to be renegotiated.

And if we go over here to the firewall log: 192.168.3.18, my laptop, and because we told it to block the SSH and we filtered it, we said "show me the blocks, show me destination port 22," because we had turned that rule off, and now there are denies. But because we have it allowed again, and we'll go back over here... cannot connect. And we go, make sure, actually let me double check, make sure I got the rule enabled, so Firewall > Rules... oh, didn't hit apply. All right, so now this is enabled again. Go back over here, and we're logged right back in. Pretty straightforward in terms of that: once you, you know, had it grayed out, hit it again and it's re-enabled. Now, this is a linked rule back over to the NAT, like I had said, so I could have disabled the NAT rule, but either way you kind of get the concept on the firewall rule of how to do that.

Now, the last thing I want to talk about is when you're trying to troubleshoot things in that broader sense; that's where you can also use pfTop to help pivot through any of this. And actually, I have too many tabs open. All right, and we're back over here at pfTop.
We're focusing on host 192.168.40.129. So we focused on that, we focused on protocol TCP, so we've narrowed down what we want to look at on this, or we could even focus on UDP. It's as simple as that, so we can see where things are going on this. You can even focus on ICMP. So what about ping? There are no pings going on right now, but let's go in here and ping google.com. And away we go; we've got some ICMP traffic on there now. This is also where you want to look at the rules, so let's go back over here, Firewall > Rules. We'll open a new tab so we can keep that open over there. We're going to look at the LAN because that's where this is located, and we're going to add a block rule, and we don't want ICMP traffic. We say, "you know what, no one should be able to ping on this network." So we're going to block it, block it on LAN; doesn't matter where it's going, it's just straight up blocked. So we go over here, hit apply. So, IPv4 IGMP... nope, we're not going to do it; what I meant was ICMP. I chose the wrong one; glad I caught that. And it does even have the options here for subtypes, if you want to only block the echo reply or whatever you want to do. So we're going to hit save, apply. So now we have this block. So we go over here, and it does resolve, but it doesn't allow the ping to come through. So now that's being blocked, and we look over here, we see no ping. But if we drop all this and we look at what the host does, so right now we have, it's got port 53, and we'll actually see when I shrink this down a little bit: each time you go to ping a new place, it's going to make a new established connection.
So with ping, you can see each of these port 53 DNS queries going through. So each one of those starts, and like I said, this gives you that diagnostic you're looking for. All right, I see it doing this: it goes out to port 53, but there are no pings coming back; there's no ICMP traffic going back. So then you can go, "what do the rules look like?" and we can see that.

Now, one more example is going to be: we'll go here, and if we move this down to the bottom, like I said, the rules are out of order, essentially. I said "hey, block it," but there's an allow above. Take a second to reload here. There we go, the rules are reloaded. There's a moment's pause; that's why when you do this it says "monitor the filter reload process," and it just lets you know when it's done. If you have a lot of rules, and depending on the speed of your firewall, it'll take a second to go through here. But now we've done that, and that means we can now go back to pinging; ICMP traffic goes across. We go over here to the diagnostics, and hey, look, here's all that ICMP traffic, proto icmp. Now we can watch what's going across there.

So all these give you an idea of how to get the firewall rules started, how to get them going, and how to start drilling down in there. So for each interface you create, you need to create at least some allow rule to allow it to go somewhere. A couple of other tips when you're creating these allow rules when you create a new interface: let's say you want a guest network; you don't want it to have access to the other one. So that's the deny, where it was an inverted deny saying "hey, you can go anywhere but LAN." I have another video I'll link to where I dive a little more into that. One important rule: you cannot block access to the firewall itself. You can block access to ports on a firewall such as the web interface, but I've seen people try to say "I don't want it to be able to access the firewall." Well, the firewall is the gateway; it has to get out, so devices on that network do have to get out. So that's another mistake I see a lot of people make when they're doing it: they go "well, I denied access to the firewall for security," and I'm like, "no, you need to allow it to the firewall." You also need to, unless you have another solution, allow DNS. And you can do that where you can block DNS on there if you want, block port 53, but if you block port 53 overall, now we can't do any DNS, and now you've also broken the hosts on there that rely on DNS, unless they have another method by which to resolve names. So you have to be careful about what you block on there. It is important to block the web interface on those extra interfaces, but not all of it.

And using pfTop and the firewall log rules, and just checking the little log box on there to turn on logging, helps troubleshoot those rules: to see if there's even a log entry for them, or if there's anything being established. That helps you a lot with whether or not you have just a basic networking problem on the host side, or a greater problem where it is going through the firewall but not establishing on the other end, and whether or not that traffic's returning. Those are all the tools you use to diagnose. So check your logs; always go through there. Go ahead and turn on the reverse sort order, which, as I said, I wish was the default; that's very helpful, so they're always at the top. And use the little filter icon at the top to help narrow down, because once you have this in an established network with a lot of connections, pfSense does a great job of allowing you to filter it. But if you were to just look at, like, our connections at any given moment, there are thousands of these little state tables created, so it can be a little bit daunting at first, but that's what those little filters are for.

All right, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up; if you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.