Messages - opnphil

#1
OK, to put some closure on this. I went and reinstalled pfSense and configured it again. In the process I noticed that it is much clearer which interface the rules are being applied to. Also, the firewall rule menu item defaults to WAN, which, while it has problems of its own, at least is not as dangerous as Floating.

If I may be permitted to offer some suggestions, they would be these: 1) default to the LAN interface, which is one that already has the most permissions by default, and so an error is least likely to cause a problem; alternatively, default to the last added interface; 2) make the tabs much larger and clearer; 3) offer a place to launch a BSD shell from the GUI; 4) put an auth log in the Users tab to show who has been logging in, or trying to do so; 5) document somewhere what the timestamps in the logs mean.
#2
Thank you for your patient and understanding replies. Thus encouraged, I hope you don't mind if I pursue this a bit and offer a few more details, probably too much.

I do use IPv4, and I actively try to disable IPv6 because it's too hard for my aging brain. It used to be easier in previous versions just to ignore it, but now it's creeping into the kernels everywhere.

My passwords were 9 mixed characters--hardly strong, but not "password" at least. Someone scanning the ports would have had to try for some time to get into the box. How long, I wonder, would such a password hold against a brute force? Would a bad guy even bother to try to brute force a dynamic public IP on Comcast? Not much return on the effort, but that's cold comfort, considering I see continuous blocked port scans in the logs on telnet ports.

I'd like to restore, or at least view, the earliest configs, but I can't. The "config history" feature only goes back 60 changes. Because each firewall change is logged as a config change, and I had many subnets and firewall rules added, the original configuration had long since scrolled off the end. I went to open a shell into the logs--by the way, where is the command to open a shell in the GUI menu tree? Anyway, I enabled SSH temporarily, and SSH'd into a shell--to see if further changes were stored there; but I could not find the file that keeps the changes in /var/log. Where is that file? Might it hold earlier configurations than the GUI offers, even if the GUI is limited to 60? Anyway, I did use the GUI to diff all the way back to the original configuration changes (great feature), but couldn't pin down where exactly the boo-boo happened. I don't mind re-installing from scratch, that doesn't bother me, but I'd really like to see exactly what happened, so I can learn from it.

I did find the record of the entry for the baneful change in the current config: it is noted as having been added by me, sometime during the initial configuration process, with a timestamp that I can't decode: format xxxxxxxxxxx.xxxx. I couldn't find out how to decode that to find out exactly when the entry had been made.

Where are the auth logs?

Am I correct that it was that fateful floating quick rule that allowed my personal subnet out to the internet, even in the absence of a pass rule on its tab? I was using that box all day for work, and it was only late in the day that I logged into the router and found the pass any rule, which I then deleted. Of course, that's when I lost access to my own router, and had to physically connect to the LAN subnet with its anti-lockout rules. I use that as a kind of informal IPMI. It has saved my butt many times.

Lastly; boy this is a long whine; sorry--is it possible that my noob error came about because the firewall rules menu opens a tab system that defaults to "floating"? The tabs are easy on the eyes; maybe the color highlighting the active tab could have more contrast? I'm thinking that's what may have made it easier for me to err. In the years past using another, similar kind of software that shall not be named (which now seems broken in a dozen small ways; hence my presence here), I never even touched the floating tab. Not that I'm exculpating myself here: I should obviously have scanned the ports as part of the pre-production checklist. But still, anything to save someone else from the same midnight panic!
#3
My first installation of OPNsense two days ago, after a couple of years with pfSense. I set up the usual, which is several subnets to compartmentalize traffic: IoT, home, guests, VOIP. I wrote some firewall rules, which are the usual for me: I give one subnet with a single management box a pass/any/any, and I use that one to access and manage the other subnets, which are walled off from RFC1918.

So here's where it all goes wrong. When I went back into the system today to make a firewall change I saw, to my horror, that I had not put the rule on the subnet's interface. Instead, I had put it into the floating rules. Moreover, it was automatically a quick rule; pass any any. And, strangely enough, the subnet I thought it should be under had no rules at all. That's something that should not have been able to happen, considering that I was getting out to the net just fine on that box; unless it was the pass any any that had made that happen.

Since then, I have been trying to figure out what happened, and what the consequences might have been. It seems to me that such a floating rule completely opens up the firewall, because it applies to the WAN in both directions. Indeed, I did a quick experiment by running Shields Up on the system with the rule in place, and sure enough it showed 80 and 443 open. Holy crow. I checked my logs for problems, but I'm not even sure I would find any. The configuration history did not go back far enough to show where exactly I had made the error.

Two days of having the router open to the WAN, with a not particularly strong password on it--what to do? Is there anything on that box that is going to be salvageable? My systems inside are all individually firewalled, except for an access point--so I don't think there's anything that could have jumped--but still....

This careless error, a combination of fatigue and of unfamiliarity with the interface, has me spooked. I don't actually have any clear idea what it means yet, or even how floating rules work, because the documentation on them is fairly scanty. Can anybody help, please?
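The floating quick pass-any-any rule from post #3 and the undecodable `xxxxxxxxxxx.xxxx` timestamp from post #2, turned into an added audit check that is not from this thread or from the OPNsense project: it walks a constructed config.xml fragment (the element names are an assumption modelled on the legacy `<filter><rule>` layout; verify them against a real backup) and flags floating pass rules that match any source and any destination, decoding the rule's created time as Unix seconds with a fractional part.

```python
"""Audit an OPNsense-style config.xml backup for floating pass-any-any rules."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample; the schema is an assumption, not copied from a real box.
SAMPLE_CONFIG = """<opnsense>
  <filter>
    <rule>
      <type>pass</type>
      <floating>yes</floating>
      <quick>1</quick>
      <interface>wan,lan</interface>
      <source><any>1</any></source>
      <destination><any>1</any></destination>
      <descr>mgmt</descr>
      <created><username>root@10.0.0.5</username><time>1700000000.1234</time></created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt1</interface>
      <source><network>opt1</network></source>
      <destination><any>1</any></destination>
      <descr>mgmt subnet out</descr>
    </rule>
  </filter>
</opnsense>"""


def decode_time(raw):
    """Timestamps like '1700000000.1234' are Unix seconds plus a fraction; return UTC ISO 8601."""
    return datetime.fromtimestamp(float(raw), tz=timezone.utc).isoformat()


def risky_floating_rules(xml_text):
    """Return one dict per floating pass rule whose source and destination are both 'any'."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("floating") != "yes" or rule.findtext("type") != "pass":
            continue  # only floating pass rules can open the WAN this way
        if rule.find("source/any") is None or rule.find("destination/any") is None:
            continue  # a narrowed source or destination is not the pass-any-any case
        when = rule.findtext("created/time")
        findings.append({
            "descr": rule.findtext("descr", ""),
            "interfaces": rule.findtext("interface", ""),
            "quick": rule.findtext("quick") == "1",  # quick: first match wins, no later tab rule applies
            "created": decode_time(when) if when else None,
            "by": rule.findtext("created/username", ""),
        })
    return findings


if __name__ == "__main__":
    for f in risky_floating_rules(SAMPLE_CONFIG):
        print(f)
```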