Module 4 of 16 · 📖 4 min read · ⏱ 45 min total
FUTO 04 pfSense Firewall Rules (EN)
FUTO 04 pfSense Firewall Rules
In this module, you will learn how to configure firewall rules in pfSense, the foundation for secure traffic in your infrastructure. You will understand how to effectively separate network segments such as LAN, WAN, and DMZ, and selectively open ports for specific services.
The practical application of NAT (Network Address Translation) and Port-Forwarding enables you to securely make internal services accessible from the outside while maintaining control over incoming and outgoing traffic.
Concepts and Background
- Firewall Rules
- Filter rules that determine which traffic between network interfaces is allowed or blocked. Each rule consists of source and destination network, port, protocol, and action (allow/deny).
- NAT (Network Address Translation)
- A technique for translating IP addresses that enables multiple devices in an internal network to communicate over the internet through a single public IP address.
- Port-Forwarding
- A specific NAT rule that forwards incoming connections on specific ports to an internal device, for example, to make a web server in the LAN reachable from the outside.
- WAN/LAN Setup
- Basic network segmentation where WAN (Wide Area Network) represents the connection to the internet, while LAN (Local Area Network) encompasses the internal, trusted network.
- VLAN
- Virtual Local Area Network that logically divides physical network devices into separate broadcast domains, enabling network segmentation without additional hardware.
Architecture Diagram
```mermaid
flowchart LR
    A[Internet] --> B(pfSense)
    B --> C[LAN]
    B --> D[DMZ]
    B --> E[WiFi]
```
Practical Steps
- Log in to the pfSense web interface and navigate to "Firewall > Rules". Each rule is evaluated in order from top to bottom.
- Create a new rule for the LAN by clicking "Add". Set the action to "Pass", protocol to "TCP/UDP", and enter the desired port in the "Destination Port Range" field.
- Configure NAT port forwarding under "Firewall > NAT > Port Forward". Click "Add" and select the interface (WAN), the external port, and forward it to the internal IP address and internal port.
- For DMZ rules, under "Firewall > Rules > DMZ", create a separate rule that explicitly prohibits access from the DMZ to the LAN to ensure unidirectional separation.
- Implement stateful firewalling by ensuring the "Stateful" option is enabled in your rules to automatically allow established connections.
- Test your rules using the "Packet Capture" tool under "Diagnostics > Packet Capture" to analyze traffic between the interfaces.
- Save your configuration and put the firewall into production mode with "Firewall > Apply Changes".
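To make the evaluation order from the steps above concrete, here is an added example (not from the module or from pfSense itself) that models per-interface, top-to-bottom, first-match filtering with an implicit default deny, and applies a port forward before the filter rules are consulted, as pfSense does. All interface names, addresses and the rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    iface: str            # interface the packet arrives on
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    dport: Optional[int]  # destination port, None = any port

    def matches(self, iface, proto, src, dst, dport):
        return (self.iface == iface
                and self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))

# Constructed port forward: WAN tcp/443 is translated to the DMZ web server
# before filtering, so the WAN rule must match the *internal* address/port.
PORT_FORWARDS = {("wan", "tcp", 443): ("10.0.20.10", 443)}

# Constructed rule set; LAN is 10.0.10.0/24, DMZ is 10.0.20.0/24.
RULES = [
    Rule("wan", "pass",  "tcp", "0.0.0.0/0",    "10.0.20.10/32", 443),  # forwarded HTTPS
    Rule("dmz", "block", "any", "10.0.20.0/24", "10.0.10.0/24",  None), # DMZ must not reach LAN
    Rule("dmz", "pass",  "any", "10.0.20.0/24", "0.0.0.0/0",     None), # DMZ to anywhere else
    Rule("lan", "pass",  "any", "10.0.10.0/24", "0.0.0.0/0",     None), # LAN to anywhere
]

def evaluate(iface, proto, src, dst, dport, rules=RULES):
    """Return (action, index of matching rule or None, translated dst, translated dport)."""
    dst, dport = PORT_FORWARDS.get((iface, proto, dport), (dst, dport))
    for i, rule in enumerate(rules):            # top to bottom, first match wins
        if rule.matches(iface, proto, src, dst, dport):
            return rule.action, i, dst, dport
    return "block", None, dst, dport            # no match: implicit default deny

if __name__ == "__main__":
    print(evaluate("wan", "tcp", "198.51.100.7", "203.0.113.1", 443))  # forwarded, pass
    print(evaluate("dmz", "tcp", "10.0.20.10", "10.0.10.5", 445))      # DMZ -> LAN blocked
    # Swapping the DMZ block below the DMZ pass rule silently opens DMZ -> LAN:
    swapped = [RULES[0], RULES[2], RULES[1], RULES[3]]
    print(evaluate("dmz", "tcp", "10.0.20.10", "10.0.10.5", 445, swapped))
```

The last call shows why the DMZ-to-LAN block from the steps above has to sit above any broader DMZ pass rule: with the order swapped, the pass rule matches first and the block is never reached.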
Common Pitfalls
Further Resources
- Official pfSense Documentation
- pfSense Wiki: Configuring Firewall Rules
- Video Tutorial Series on pfSense by NetworkChuck
- Source code of the filter engine (pfSense/OPNsense)
Knowledge Check
Four questions for self-assessment. Click on each question to see the correct answer and explanation.
Which component in pfSense is primarily responsible for forwarding incoming connections from the outside to an internal device?
- A) Firewall rules
- B) Port-Forwarding
- C) VLAN configuration
- D) DHCP server
Correct Answer: B. Port-Forwarding is specifically designed for forwarding external connections to internal devices. Firewall rules only filter the data flow, VLANs logically segment the network, and DHCP assigns IP addresses internally.
In what order are firewall rules evaluated in pfSense?
- A) From bottom to top
- B) Randomly
- C) By priority numbers
- D) From top to bottom
Correct Answer: D. Firewall rules in pfSense are evaluated sequentially from top to bottom, and evaluation stops at the first matching rule. The other options do not correspond to the standard behavior of pfSense.
What is the main purpose of VLANs in a pfSense environment?
- A) Accelerating traffic
- B) Increasing internet speed
- C) Logical network segmentation
- D) Reducing hardware costs
Correct Answer: C. VLANs enable the logical division of a physical network into separate broadcast domains, improving security and organization. They do not accelerate traffic or increase internet speed, and reducing hardware costs is not their primary purpose.
Which action in a firewall rule would allow traffic?
- A) Block
- B) Deny
- C) Pass
- D) Drop
Correct Answer: C. In pfSense, "Pass" is used as an action to explicitly allow traffic. "Block" and "Deny" prevent traffic, while "Drop" silently discards packets without sending an error message.