Configuring Custom Firewall Rules with pfSense (3e) Need help with these two parts:

Part 1. Using the internet, research pfSense’s EasyRule functionality. Then, search the pfSense firewall logs for an attempted ICMP request to the pfSense WAN interface (202.20.1.1) from its upstream gateway (202.20.1.2).

Part 2. From the firewall log, add a pass rule for it using EasyRule. Navigate to the firewall rules WAN table to confirm your rule addition.

JBL Network Security, Firewalls, and VPNs, Third Edition – Lab 07

The Correct Answer and Explanation is:

Part 1 – EasyRule Functionality and Searching Logs

Step-by-Step:

  1. EasyRule Functionality:
  • pfSense’s EasyRule tool provides a fast and convenient way to create firewall rules directly from the firewall logs.
  • It is primarily used to either block or pass traffic from specific IP addresses or protocols seen in the logs, without manually navigating to the Firewall Rules interface.
  • This helps quickly address unauthorized or legitimate traffic, often for troubleshooting or real-time responses.
  2. Search the Firewall Logs for ICMP from 202.20.1.2 to 202.20.1.1:
  • Navigate to: Status > System Logs > Firewall (Tab)
  • Use the search or filter function to locate:
    • Protocol: ICMP
    • Source IP: 202.20.1.2
    • Destination IP: 202.20.1.1
  • Once you locate the log entry showing that the ICMP request was blocked, you’ll see an EasyRule icon or link next to the entry.

Part 2 – Creating a Pass Rule and Confirming

Step-by-Step:

  1. Create a Pass Rule using EasyRule:
  • Click the EasyRule Pass link next to the ICMP log entry.
  • pfSense will generate a rule to allow ICMP from source 202.20.1.2 to destination 202.20.1.1 on the WAN interface.
  • Confirm the addition by clicking Apply Changes when prompted.
  2. Verify the Rule in WAN Firewall Table:
  • Navigate to Firewall > Rules > WAN
  • Look for a newly created rule:
    • Action: Pass
    • Interface: WAN
    • Protocol: ICMP
    • Source: 202.20.1.2
    • Destination: 202.20.1.1
  • This confirms the rule was successfully created.

pfSense is a robust open-source firewall and routing platform that includes a wide range of network security features. One of its efficient troubleshooting tools is EasyRule, which allows administrators to create firewall rules directly from the system logs. This is particularly useful when you’re monitoring real-time traffic or identifying blocked connections and need to allow or deny access quickly.

In this scenario, an upstream gateway with the IP address 202.20.1.2 is trying to send an ICMP request (commonly used for ping) to the pfSense WAN interface (202.20.1.1). If no rule currently allows ICMP traffic on the WAN interface, pfSense will log this attempt as blocked. Viewing the firewall logs at Status > System Logs > Firewall, you can filter for entries involving ICMP, and specifically those with source IP 202.20.1.2 and destination 202.20.1.1.
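The same log search can be done offline against an exported copy of the firewall log. The script below is an added example, not part of the lab or of pfSense itself: it parses raw filterlog lines (comma-separated fields, IPv4 layout) and returns the blocked ICMP entries for a given source and destination. The sample lines are constructed, and the interface name em0 for WAN is an assumption.

```python
import ipaddress
import re

# Constructed sample in pfSense's raw filterlog CSV layout (IPv4 entries).
# "em0" as the WAN interface name is an assumption for this example.
SAMPLE_LOG = """\
Jan 10 09:15:01 pfSense filterlog: 4,,,1000000103,em0,match,block,in,4,0x0,,64,4321,0,DF,1,icmp,84,202.20.1.2,202.20.1.1,request,7001,1
Jan 10 09:15:02 pfSense filterlog[311]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,4322,0,DF,1,icmp,84,202.20.1.2,202.20.1.1,request,7001,2
Jan 10 09:15:03 pfSense filterlog: 4,,,1000000103,em0,match,block,in,4,0x0,,52,9001,0,DF,6,tcp,60,202.20.1.2,202.20.1.1,51000,22,0,S,100,,64240,,mss
Jan 10 09:15:04 pfSense filterlog: 9,,,1000000104,em1,match,pass,in,4,0x0,,64,555,0,none,1,icmp,84,172.30.0.5,202.20.1.1,request,42,1
Jan 10 09:15:05 pfSense filterlog: 4,,,1000000103,em0,match,block,in,4,0x0,,64,4400,0,DF,1,icmp,84,202.20.1.9,202.20.1.1,request,7100,1
"""

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")


def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None if it does not parse."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # Field 8 is the IP version; the IPv4 layout puts src/dst at fields 18/19.
    if len(f) < 20 or f[8] != "4":
        return None
    try:
        src, dst = ipaddress.ip_address(f[18]), ipaddress.ip_address(f[19])
    except ValueError:
        return None  # truncated or garbled line
    return {"iface": f[4], "action": f[6], "direction": f[7],
            "proto": f[16].lower(), "src": src, "dst": dst,
            "detail": f[20] if len(f) > 20 else "", "raw": line}


def find_blocked_icmp(log_text, src, dst):
    """Blocked ICMP entries from src to dst, in log order."""
    want_src, want_dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if (e and e["proto"] == "icmp" and e["action"] == "block"
                and e["src"] == want_src and e["dst"] == want_dst):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in find_blocked_icmp(SAMPLE_LOG, "202.20.1.2", "202.20.1.1"):
        print(e["iface"], e["direction"], e["detail"], "|", e["raw"])
```

Matching on protocol, action, source and destination together keeps the result limited to the traffic the pass rule is meant to cover, which is the same set of fields to check on the rule EasyRule creates.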

Once the relevant log entry is found, using EasyRule Pass, you can immediately create a rule that allows future ICMP traffic from 202.20.1.2 to the WAN interface. This action is especially useful in networks where ICMP is used for monitoring or connectivity testing between routers and upstream devices. Without such rules, legitimate diagnostic traffic might be incorrectly dropped.

After using EasyRule to allow the traffic, you should verify that the rule has been applied correctly. By navigating to Firewall > Rules > WAN, you’ll find the rule added at the top (default EasyRule behavior), ensuring it takes precedence over any general block rules further down. The rule should match the protocol (ICMP), source IP (202.20.1.2), and destination IP (202.20.1.1).
