
Training: Interfaces and Firewall Rules

From MediawikiCIT
Revision as of 06:58, 23 April 2026 by Justinaquino (Created page)


Module: FUND001-LIVE Section 2 — Interfaces, VIPs, and Firewall Rules
This training module covers pfSense interface configuration, Virtual IP types, firewall rules, aliases, and best practices for rule management.

Learning Objectives

By the end of this module, you will be able to:

  • Understand OS interface names versus pfSense interface identifiers
  • Configure and manage interfaces in pfSense
  • Identify and apply appropriate Virtual IP (VIP) types
  • Create and manage firewall rules with proper ordering
  • Use aliases to simplify and streamline rulesets
  • Apply firewall best practices and troubleshooting techniques

Interfaces

OS Interface Names vs. Interface Identifiers

In pfSense, every network interface has two names:

  • OS Interface Names — the driver-plus-unit names the operating system assigns to physical or virtual NICs (e.g., igb0, re1, ixl2), as shown by ifconfig
  • Interface Identifiers — the labels pfSense uses internally (wan, lan, opt1, ...) together with a user-editable description (WAN, LAN, DMZ). Firewall rules, NAT, VIPs and services reference the identifier, not the OS name, so moving a role to a different NIC only requires changing the assignment.

Key tasks:

  • Interface Assignments — mapping OS names to pfSense identifiers
  • Configuring Interfaces — setting IP addresses, enabling/disabling, and renaming

Virtual IPs (VIPs)

Virtual IPs add further IP addresses to an interface beyond its primary address, for NAT, for binding services, or for high availability. The types differ in whether the firewall answers for the address at layer 2 (ARP), whether services can bind to it, and whether it can participate in HA.

VIP Types

VIP Type    MAC address    NAT   Bind services   Responds to ARP   HA    Ping   Single/Range
IP Alias    Parent NIC     Yes   Yes             Yes               Yes   Yes    Single
CARP        Shared vMAC    Yes   Yes             Yes               Yes   Yes    Single
Proxy ARP   Parent NIC     Yes   No              Yes               No    No     Either
Other       N/A            Yes   No              No                Yes   No     Either

  • IP Alias — Most common type; binds additional IPs to the parent NIC. In an HA cluster, IP Aliases are placed on a CARP VIP as their parent so they fail over with it.
  • CARP — Used for high availability; the redundant firewalls share a virtual MAC address and only the master answers for the address.
  • Proxy ARP — Answers ARP requests for an address or range without configuring it on the firewall; works only at layer 2, so it is usable for NAT but no service can bind to it and the firewall itself will not answer a ping to it.
  • Other — Makes an address or range available in the NAT configuration without answering ARP at all; intended for blocks the upstream router already routes to the firewall (for example 1:1 NAT out of a routed block).
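The following script, added here as an example and not part of the Netgate material, shows the two naming conventions side by side by reading them from the shape of data pfSense keeps in config.xml, and lists the VIPs with the capabilities of their type. CONFIG_XML is a constructed fragment; the NIC names, addresses, descriptions and the assumption that a present empty <enable> element means "enabled" are illustrative, not copied from a real firewall.

```python
"""Inventory pfSense interface assignments and Virtual IPs from a config.xml fragment.

Added example, not pfSense code. CONFIG_XML is a constructed fragment in the shape of
config.xml's <interfaces> and <virtualip> sections; NIC names, addresses, descriptions
and the "<enable/> present means enabled" reading are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

CONFIG_XML = """<pfsense>
  <interfaces>
    <wan><enable></enable><if>igb0</if><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable></enable><if>igb2</if><descr>DMZ</descr><ipaddr>10.20.0.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>igb3</if><descr>SPARE</descr></opt2>
  </interfaces>
  <virtualip>
    <vip><mode>ipalias</mode><interface>wan</interface><subnet>203.0.113.10</subnet><subnet_bits>32</subnet_bits><descr>mail VIP</descr></vip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.2</subnet><subnet_bits>29</subnet_bits><vhid>1</vhid><descr>WAN CARP</descr></vip>
    <vip><mode>proxyarp</mode><interface>wan</interface><subnet>203.0.113.64</subnet><subnet_bits>28</subnet_bits><descr>NAT block</descr></vip>
    <vip><mode>other</mode><interface>wan</interface><subnet>198.51.100.0</subnet><subnet_bits>24</subnet_bits><descr>routed block</descr></vip>
  </virtualip>
</pfsense>"""

# Per-type capabilities (NAT, service binding, ARP reply, HA, ping) as described in this section.
VIP_CAPS = {
    "ipalias":  dict(nat=True, services=True,  arp=True,  ha=True,  ping=True),
    "carp":     dict(nat=True, services=True,  arp=True,  ha=True,  ping=True),
    "proxyarp": dict(nat=True, services=False, arp=True,  ha=False, ping=False),
    "other":    dict(nat=True, services=False, arp=False, ha=True,  ping=False),
}

@dataclass(frozen=True)
class Iface:
    ident: str      # pfSense interface identifier: wan, lan, opt1, ...
    os_name: str    # OS interface name: igb0, re1, ...
    descr: str      # friendly label shown in the GUI
    enabled: bool

@dataclass(frozen=True)
class Vip:
    mode: str
    ident: str      # parent interface identifier
    subnet: str
    bits: int
    descr: str

def interfaces(xml_text: str) -> Dict[str, Iface]:
    """Identifier -> Iface, as listed under Interfaces > Assignments."""
    root = ET.fromstring(xml_text)
    out = {}
    for node in root.find("interfaces"):
        ident = node.tag
        out[ident] = Iface(
            ident=ident,
            os_name=node.findtext("if", ""),
            descr=node.findtext("descr", ident.upper()),   # GUI falls back to the uppercase identifier
            enabled=node.find("enable") is not None,
        )
    return out

def os_to_ident(xml_text: str) -> Dict[str, str]:
    """Reverse map: what ifconfig shows -> what rules and services reference."""
    return {i.os_name: i.ident for i in interfaces(xml_text).values()}

def vips(xml_text: str) -> List[Vip]:
    root = ET.fromstring(xml_text)
    return [Vip(v.findtext("mode"), v.findtext("interface"), v.findtext("subnet"),
                int(v.findtext("subnet_bits")), v.findtext("descr", ""))
            for v in root.iter("vip")]

def vip_audit(xml_text: str) -> List[str]:
    """One line per VIP with its parent NIC, flagging types no service can bind to."""
    ifaces = interfaces(xml_text)
    lines = []
    for v in vips(xml_text):
        nic = ifaces[v.ident].os_name
        note = "" if VIP_CAPS[v.mode]["services"] else " (no service binding: NAT only)"
        lines.append(f"{v.mode:8} {v.subnet}/{v.bits} on {v.ident} ({nic}){note}")
    return lines

if __name__ == "__main__":
    for i in interfaces(CONFIG_XML).values():
        print(f"{i.ident:5} -> {i.os_name:5} {i.descr:6} enabled={i.enabled}")
    print("\n".join(vip_audit(CONFIG_XML)))
```

The audit is the check to run before pointing a service (OpenVPN, a reverse proxy, a DNS listener) at a VIP: a Proxy ARP or Other VIP will show up in NAT drop-downs but the service will never be reachable on it.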

Firewall Rules

Core Concepts

  • Rules are applied as traffic enters the firewall on an interface: a rule on LAN governs what LAN hosts may send into the firewall, not what is delivered to them
  • First match wins for interface and group rules: once a rule matches, later rules are not consulted (floating rules without the Quick option are the exception, see below)
  • Stateful filtering: pfSense creates a state entry for each passed connection, so reply traffic is allowed automatically without a rule in the other direction
  • Actions: Pass, Block (drop silently) and Reject (drop and return a TCP RST or ICMP unreachable to the sender)

Default Rules

The following default rules are present on a new installation:

  • Block private networks — drops traffic arriving on WAN with an RFC 1918 (or loopback) source address, which should never appear on the Internet side
  • Block bogon networks — drops traffic from address space that is unallocated or reserved; pfSense refreshes the bogon list periodically
  • Anti-lockout rule — on LAN, passes traffic to the firewall's own GUI and SSH ports so a mistaken rule cannot lock administrators out
  • Default LAN Allow rule — passes any traffic from the LAN subnet to any destination

Rule Evaluation Order

  1. Floating Rules
  2. Interface Group Rules
  3. Single Interface Rules

Floating Rules

  • Can apply to any set of interfaces, in either direction
  • Checked first in evaluation order
  • Unless the Quick option is set, a matching floating rule does not stop evaluation: a later matching group or interface rule overrides it (last match wins among non-quick rules). With Quick set, the first match wins as it does for interface rules.
  • Extra "match" action available, which tags traffic with attributes without passing or blocking it
  • Can set traffic attributes (limiters, queues, etc.)
  • Not meant for regular access rules — primarily for traffic-shaping and advanced filtering

Interface Groups

  • Association of multiple interfaces
  • Shared firewall ruleset across grouped interfaces
  • Eliminates need to duplicate rules between interfaces
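To make the evaluation order and the quick/non-quick distinction concrete, here is a small model of it, added as an example and not pfSense code (the ruleset pf actually loads is the one pfSense writes to /tmp/rules.debug). The interfaces, addresses, group and rules are constructed: a non-quick floating block on telnet, a quick floating block on SMB, one interface group, and the default WAN/LAN rules from the previous section, with 443 standing in for the full set of anti-lockout ports.

```python
"""Model of pfSense rule evaluation order: floating -> interface group -> interface.

Added example, not pfSense code. Interfaces, addresses, groups and rules are
constructed to show the ordering and quick/first-match behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

Nets = Union[str, Tuple[str, ...]]   # "any", one CIDR, or a tuple of CIDRs

@dataclass(frozen=True)
class Packet:
    iface: str            # identifier of the interface the packet ENTERS on
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str           # "pass", "block" or "reject"
    descr: str
    proto: str = "any"
    src: Nets = "any"
    dst: Nets = "any"
    dport: Optional[int] = None
    # Interface and group rules are always quick in pfSense. Floating rules are quick
    # only when the Quick box is ticked; otherwise a later matching rule overrides them.
    quick: bool = True

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def addr_in(addr: str, spec: Nets) -> bool:
    if spec == "any":
        return True
    nets = (spec,) if isinstance(spec, str) else spec
    return any(ip_address(addr) in ip_network(n) for n in nets)

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and addr_in(pkt.src, rule.src)
            and addr_in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(pkt: Packet, floating: List[Rule], groups: Dict[str, List[str]],
             group_rules: Dict[str, List[Rule]], iface_rules: Dict[str, List[Rule]]):
    """Return (action, rule description) for pkt.

    floating rules apply to every interface in this model; group rules apply to the
    groups pkt.iface belongs to; interface rules apply to pkt.iface only.
    """
    ordered = list(floating)
    for name, members in groups.items():
        if pkt.iface in members:
            ordered += group_rules.get(name, [])
    ordered += iface_rules.get(pkt.iface, [])

    decision = ("block", "Default deny rule")   # pfSense blocks whatever no rule passes
    for rule in ordered:
        if matches(rule, pkt):
            decision = (rule.action, rule.descr)
            if rule.quick:
                break     # first quick match wins; nothing after it is consulted
    return decision

# Constructed ruleset.
FLOATING = [
    Rule("block", "Floating: block telnet (Quick NOT set)", proto="tcp", dport=23, quick=False),
    Rule("block", "Floating: block SMB (Quick set)", proto="tcp", dport=445, quick=True),
]
GROUPS = {"INTERNAL": ["LAN", "DMZ"]}
GROUP_RULES = {"INTERNAL": [
    Rule("pass", "INTERNAL: DNS to firewall", proto="udp", dst="192.168.1.1/32", dport=53),
]}
IFACE_RULES = {
    "WAN": [Rule("block", "Block private networks", src=RFC1918)],
    "LAN": [
        # the real anti-lockout rule covers the GUI and SSH ports; 443 stands in for them here
        Rule("pass", "Anti-Lockout Rule", proto="tcp", dst="192.168.1.1/32", dport=443),
        Rule("pass", "Default allow LAN to any rule", src="192.168.1.0/24"),
    ],
    "DMZ": [Rule("reject", "DMZ: reject SSH to LAN", proto="tcp", dst="192.168.1.0/24", dport=22)],
}

def decide(pkt: Packet):
    return evaluate(pkt, FLOATING, GROUPS, GROUP_RULES, IFACE_RULES)

if __name__ == "__main__":
    for p in [Packet("WAN", "tcp", "10.1.2.3", "203.0.113.1", 80),
              Packet("LAN", "tcp", "192.168.1.10", "203.0.113.9", 23),
              Packet("LAN", "tcp", "192.168.1.10", "203.0.113.9", 445),
              Packet("DMZ", "udp", "10.20.0.5", "192.168.1.1", 53),
              Packet("DMZ", "tcp", "10.20.0.5", "203.0.113.9", 80)]:
        print(p.iface, p.proto, p.src, "->", p.dst, p.dport, "=>", decide(p))
```

The telnet case is the one that surprises people: the non-quick floating block matches, but the LAN "allow any" rule matches later and wins, so telnet from LAN still passes. The same floating rule does block telnet arriving on WAN, because no later WAN rule passes it. Ticking Quick on the floating rule makes it behave like the SMB rule and stop evaluation at once.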

Advanced Settings

Firewall rules support numerous advanced options:

  • Source OS (TCP only)
  • Diffserv Code Point (DSCP)
  • State type
  • TCP flags
  • No XMLRPC Sync
  • 802.1p
  • Schedule
  • Gateway
  • Limiters (In/Out)
  • ACK queue / Queue

Aliases

Aliases simplify firewall rule management by grouping IPs, networks, hostnames, or ports under a single name.

Benefits

  • Ease management
  • Faster, less error-prone updates
  • Shorter, more manageable rulesets

Configuration Options

  • Statically configured — entries typed in by hand
  • URL — contents fetched once when the alias is saved; suitable for small lists
  • URL table — fetched again on a configurable schedule and loaded as a pf table; suitable for large lists such as block feeds
  • Nesting of aliases (aliases within aliases) — a rule referencing the outer alias matches everything the inner ones contain
  • Bulk import — paste a list of entries in one go
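The following script, added as an example and not part of the Netgate material, shows what a nested alias resolves to, which is what a rule referencing it actually matches. ALIASES and URL_TABLE_TEXT are constructed: the alias names and addresses are made up, and the URL-table text stands in for what pfSense would download on its update schedule (one entry per line, lines starting with # treated as comments). The "table <name> { ... }" rendering follows the pf table syntax pfSense emits for aliases.

```python
"""Flatten nested pfSense-style aliases into the networks a rule actually matches.

Added example, not pfSense code. ALIASES and URL_TABLE_TEXT are constructed samples.
"""
from ipaddress import ip_address, ip_network, collapse_addresses
from typing import Dict, List

# Constructed aliases: each entry is a host, a network, or the name of another alias.
ALIASES: Dict[str, List[str]] = {
    "RFC1918":      ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "MGMT_HOSTS":   ["192.168.10.5", "192.168.10.6"],
    "DMZ_WEB":      ["10.20.0.0/24"],
    "INTERNAL_ALL": ["RFC1918", "MGMT_HOSTS"],               # nested alias
    "WEB_AND_MGMT": ["DMZ_WEB", "MGMT_HOSTS", "MGMT_HOSTS"],  # same alias twice: harmless
}

# Constructed body of a URL-table file: one entry per line, '#' lines are comments.
URL_TABLE_TEXT = """\
# threat feed (constructed sample)
203.0.113.0/24
198.51.100.7

198.51.100.7
# end
"""

def parse_url_table(text: str):
    """Entries of a URL-table body in file order, duplicates kept, hosts become /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ip_network(line, strict=False))
    return nets

def resolve(name: str, aliases: Dict[str, List[str]], _stack=()):
    """Recursively expand an alias into a sorted, de-duplicated, collapsed network list.

    Hosts inside a listed network are absorbed by it; adjacent networks are merged.
    Raises ValueError if an alias references itself through any chain.
    """
    if name in _stack:
        raise ValueError("alias cycle: " + " -> ".join(_stack + (name,)))
    nets = []
    for entry in aliases[name]:
        if entry in aliases:
            nets.extend(resolve(entry, aliases, _stack + (name,)))
        else:
            nets.append(ip_network(entry, strict=False))
    return list(collapse_addresses(nets))

def has_cycle(name: str, aliases: Dict[str, List[str]]) -> bool:
    try:
        resolve(name, aliases)
    except ValueError:
        return True
    return False

def url_table_alias(text: str):
    """What a URL-table alias holds after a fetch: the parsed entries, collapsed."""
    return list(collapse_addresses(parse_url_table(text)))

def to_pf_table(name: str, aliases: Dict[str, List[str]]) -> str:
    """The pf table line an alias becomes; rules then match on <name>."""
    nets = " ".join(str(n) for n in resolve(name, aliases))
    return f"table <{name}> {{ {nets} }}"

def address_in_alias(addr: str, name: str, aliases: Dict[str, List[str]]) -> bool:
    a = ip_address(addr)
    return any(a in n for n in resolve(name, aliases))

if __name__ == "__main__":
    for alias in ALIASES:
        print(to_pf_table(alias, ALIASES))
    print("URL table:", [str(n) for n in url_table_alias(URL_TABLE_TEXT)])
```

Printing the resolved table is the quickest way to review a rule that uses a nested alias: INTERNAL_ALL collapses to the three RFC 1918 blocks because the management hosts already sit inside 192.168.0.0/16, which is easy to miss when reading the alias definitions one level at a time.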

Best Practices

  • Follow default deny philosophy — allow only what is required, block all else
  • Keep rulesets short and clean
  • Periodic review of rules (recommended: quarterly)
  • Remember rules apply on the interface where traffic enters the firewall
  • Use aliases extensively in your rules

Troubleshooting

When diagnosing firewall issues:

  • Remember: first match wins, and check whether a floating rule has Quick set
  • Verify the rule is on the interface where the traffic enters the firewall, not where it leaves
  • Enable logging on suspect rules; the log entry carries the tracker ID of the rule that matched
  • Check states (Diagnostics > States): an existing state bypasses rule evaluation, so a rule change does not affect an established connection until its state is cleared
  • Review Status > System Logs > Firewall for blocked traffic
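When the GUI log viewer is not enough (for example to count what is being blocked per port over a longer window), the raw firewall log is the CSV format written by the filterlog process: the common fields first, then IP-version-specific fields, then protocol fields. The parser below is an added example and not pfSense code; LOG_LINES are constructed lines in that layout, and the hosts, ports, tracker IDs and the igb0/igb1 to WAN/LAN mapping are made up for the sample.

```python
"""Parse pfSense filterlog lines and summarise blocked traffic by port and by rule.

Added example, not pfSense code. LOG_LINES and IFACE_MAP are constructed samples in the
filterlog CSV layout: common fields, then IPv4 or IPv6 fields, then TCP/UDP fields.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed: OS interface name -> pfSense identifier (Interfaces > Assignments)
IFACE_MAP = {"igb0": "WAN", "igb1": "LAN"}

LOG_LINES = [
    "Apr 23 06:58:01 fw filterlog[41392]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,3991,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51234,22,0,S,1883455101,,65535,,mss;sackOK;TS;nop;wscale",
    "Apr 23 06:58:03 fw filterlog[41392]: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,0,0,DF,17,udp,48,198.51.100.77,198.51.100.10,5060,5060,28",
    "Apr 23 06:58:05 fw filterlog[41392]: 84,,,1770006262,igb1,match,pass,in,4,0x0,,64,12001,0,DF,6,tcp,60,192.168.1.10,192.168.1.1,50122,443,0,S,9931,,65535,,mss;nop;wscale;sackOK;TS",
    "Apr 23 06:58:09 fw filterlog[41392]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,none,6,tcp,40,192.0.2.44,198.51.100.10,40001,22,0,S,100,,1024,,",
    "Apr 23 06:58:12 fw filterlog[41392]: 7,,,1000000105,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::bad,2001:db8:1::10,40001,22,0,S,100,,1024,,",
]

@dataclass(frozen=True)
class FilterEvent:
    tracker: str          # identifies the rule that matched
    real_if: str          # OS interface name as logged
    iface: str            # pfSense identifier, when the mapping knows it
    action: str           # "pass" or "block"
    direction: str        # "in" or "out"
    ipver: str            # "4" or "6"
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]

def parse_filterlog(line: str) -> FilterEvent:
    # Strip the syslog prefix ("... filterlog[pid]: ") if present, then split the CSV body.
    msg = line.split("filterlog", 1)[1] if "filterlog" in line else line
    msg = msg.split(": ", 1)[1] if ": " in msg else msg
    f = msg.split(",")
    tracker, real_if, action, direction, ipver = f[3], f[4], f[6], f[7], f[8]
    if ipver == "4":      # tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == "6":    # class, flow-label, hop-limit, proto, proto-id, length, src, dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        raise ValueError("unknown IP version: " + ipver)
    sport = dport = None
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
    return FilterEvent(tracker, real_if, IFACE_MAP.get(real_if, real_if), action,
                       direction, ipver, proto, src, dst, sport, dport)

def parse_all(lines: List[str]) -> List[FilterEvent]:
    return [parse_filterlog(line) for line in lines]

def blocked_by_service(events: List[FilterEvent]) -> Counter:
    """(interface, proto, dport) -> count of blocked packets."""
    return Counter((e.iface, e.proto, e.dport) for e in events
                   if e.action == "block" and e.dport is not None)

def blocked_by_rule(events: List[FilterEvent]) -> Counter:
    """tracker ID -> count of blocked packets; look the tracker up in the GUI to find the rule."""
    return Counter(e.tracker for e in events if e.action == "block")

def events_for_tracker(events: List[FilterEvent], tracker: str) -> List[FilterEvent]:
    return [e for e in events if e.tracker == tracker]

if __name__ == "__main__":
    evs = parse_all(LOG_LINES)
    for key, n in blocked_by_service(evs).most_common():
        print(f"{n:4} blocked  {key[0]} {key[1]}/{key[2]}")
    for tracker, n in blocked_by_rule(evs).most_common():
        print(f"{n:4} blocked by rule {tracker}")
```

Grouping by tracker rather than by rule number is deliberate: rule numbers shift every time the ruleset is reloaded, while the tracker ID stays with the rule, so it is the key to use when correlating older log lines with the current ruleset.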

Summary

Key Takeaway          Details
VIP Selection         Use the appropriate VIP type (IP Alias, CARP, Proxy ARP, Other) for the need: service binding, HA, or NAT only
Rule Ordering         Evaluation order: Floating → Interface Group → Single Interface; first match wins except for floating rules without Quick
Aliases               Use aliases to keep rulesets manageable and reduce errors
Review Schedule       Check rules quarterly for accuracy and relevance
Interface Awareness   Rules apply on the interface where traffic enters the firewall
Floating Rules        Primarily for traffic-shaping, not regular access control

This concludes Section 2.


Next Module: Lab 2 — Firewall Rules and Aliases

Source: Netgate FUND001-LIVE-SLIDE-SEG2-RULES.pdf