Application Filtering With pfSense Firewall Rules

MasozeraVictor
7 min read · Aug 20, 2023


A firewall is a security appliance, or a software component, that filters traffic entering and leaving a network. Firewalls are typically placed at the network edge, although other deployment architectures exist. One of their primary objectives is to prevent unauthorized access to sensitive internal systems and data on the local network, safeguarding them against external threats.

Network segmentation, blocking known-malicious IP addresses taken from threat-intelligence sources (such as reputation databases), and blocking outbound requests to malicious domains are among the key actions a firewall can perform to restrict access to specific resources.

In this home-lab scenario we use pfSense firewall rules to restrict access to certain websites. The setup consists of a Debian host machine, a home router, VMware Workstation Player, a Debian virtual machine, and a pfSense virtual machine, as illustrated in Figure 1:

Figure 1: Image showing the network setup

Summary

The pfSense firewall acts as the gateway for the Debian VM. Traffic originating from the Debian machine is sent to pfSense, where the firewall rules decide whether it is passed or blocked. pfSense then forwards the permitted traffic to its upstream gateway (the home router), which sends it on to the internet. Return traffic follows the same path in reverse: home router → pfSense firewall → Debian machine.

To configure the setup for blocking access to specific sites, follow these steps:

Download and install VMware Workstation Player from this link.

Download the pfSense ISO from this link.

Open VMware and click on “Create a New Virtual Machine” to initiate the creation of a new virtual machine.

Browse to the Debian ISO on the local system.

Give the VM 20 GB of disk space, 4 GB of RAM and 2 processor cores.

Change the network adapter to bridged mode so that the VM gets its own IP address on the home network.

Follow the same process for the pfSense VM, giving it 20 GB of disk space, 1 GB of RAM and 2 processor cores, with its network adapter also in bridged mode so that the WAN interface can reach the home router.

Accept the default options to complete the pfSense installation, then reboot the virtual machine.

When pfSense boots to its console menu, choose option 1 (“Assign Interfaces”) to assign an interface to the WAN.

Enter “em0” as the WAN interface. When prompted for the LAN interface, press “Enter” without typing anything, so that only a WAN interface is assigned; in this lab pfSense works with that single interface, and the Debian VM sits on the same bridged network as the WAN. When asked whether to proceed, enter “y”.

The configuration will take a few minutes to load.

The WAN interface will initially obtain an address from the home router via DHCP.

To give the WAN a static IP address, select option 2 (“Set interface(s) IP address”).

When prompted to configure the IP address for the WAN Interface using DHCP, enter “n”.

Enter the IP address that DHCP assigned, or any other unused address on the home network.

Enter the subnet mask of the home network. Press “Enter” when prompted for the upstream gateway (it is set later in the web wizard). When asked whether to configure the IPv6 address of the WAN interface via DHCP, enter “n”, and press “Enter” when prompted for a static IPv6 address.

When prompted about enabling the DHCP server on the WAN, select “n”.

Finally, press “Enter” to complete the configuration.

In a browser on the Debian machine, enter the WAN IP address of pfSense to open the web interface. The default credentials are username “admin” and password “pfsense”; they can be changed at any time and should be changed before the firewall is left running.

The pfSense set-up wizard will appear.

Assign a hostname and domain of your choice. Use a domain you control, or a name reserved for this purpose such as “home.arpa”, rather than a domain registered to some other organization, so that local lookups do not collide with a real domain.

Keep the time settings as they are.

Change the WAN configuration type to “Static” and enter the IP address you typed into the browser. The upstream gateway is the home router's address: find it with the command “ip route” on a Linux host (the “default via” entry) or “ipconfig” on a Windows host (the “Default Gateway” entry).

Make sure the option to block private networks on the WAN is unchecked. In this lab the pfSense WAN sits on the home router's private (RFC 1918) subnet, and so does the Debian VM; if the option stayed enabled, the Debian machine's traffic would be dropped as soon as it arrived on the WAN interface.

At this point, you have the option to change the default password.

Click “Reload” to save and apply the configuration.

To create a rule that blocks access to certain domains, first create an alias that lists the domains to be blocked: go to “Firewall” and click “Aliases”. This alias will later be referenced by a firewall rule.

Create a new alias of type “Host(s)” named “blockdomains” and list every domain to be blocked in it; alternatively, create a separate alias for each domain. pfSense periodically resolves the hostnames in a host alias to IP addresses, so the rule built on it ultimately matches addresses, not names.

After creating the alias, the next step is to establish the firewall rules. Navigate to “Firewall” and then “Rules”. On the “WAN” tab, add the rule that blocks the domains and move it to the top of the list with the upward-arrow button. Set the action to “Block”, the interface to “WAN” and the protocol to “Any”. For the source, select “Network” and enter the home network's subnet (the “WAN net” entry is equivalent here); for the destination, choose “Single host or alias” and enter the alias “blockdomains”. The rule goes on the WAN interface because, in this single-interface lab, the Debian VM's traffic arrives at pfSense on the WAN; on a two-interface deployment the same rule would go on the LAN tab. Note that “Block” drops packets silently, so a browser hangs until it times out, whereas “Reject” answers with a TCP reset or ICMP unreachable and fails immediately.

To keep internet access working for everything else, add a second rule at the bottom that passes traffic from the same source network to any destination. This is needed because pfSense evaluates rules from top to bottom and the first matching rule wins: the block rule catches the alias addresses first, and the pass rule then catches the rest. Be aware that such a pass-all rule on the WAN also lets any host on the home network reach the firewall itself, which is acceptable in a lab but not in a production deployment.

For the block rule to take effect on the Debian VM, change the Debian VM's default gateway to the IP address of the pfSense VM.

Remove the existing default route that points at the home router; otherwise the Debian machine keeps sending traffic straight to the router and bypasses pfSense entirely.

After changing the routes, none of the domains in the alias attached to the firewall rule should be reachable from the Debian VM.

Domains that are not included in the “blockdomains” alias continue to resolve and remain accessible. Because the rule matches the IP addresses pfSense has resolved for each name rather than the name itself, a site served from many rotating addresses may still be reachable at an address the firewall has not yet resolved; from the pfSense console shell, “pfctl -t blockdomains -T show” lists the addresses the alias currently contains.
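The following script is an added example, not part of the original post, for checking the result of the procedure above from the Debian VM: it re-points the default route at pfSense, then probes each blocked name and one control name through the firewall and maps curl's exit status to what the rule did. The pfSense address, the alias members and the control name are placeholders for this lab and must be changed to match your own setup.

```sh
#!/bin/sh
# Added example (not from the original post). Run on the Debian VM after the
# pfSense alias and rules exist. Values below are assumptions for this lab.
PFSENSE_IP="${PFSENSE_IP:-192.168.1.50}"      # assumed pfSense WAN address
BLOCKED="${BLOCKED:-example.com example.net}" # assumed members of the blockdomains alias
CONTROL="${CONTROL:-debian.org}"              # assumed name that is NOT in the alias

# Extract the next hop from `ip route` output read on stdin
# (first line of the form "default via <ip> dev <iface> ...").
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Replace the current default route with one via pfSense. Needs root.
point_gateway_at_pfsense() {
    current=$(ip route | default_gateway)
    if [ "$current" = "$PFSENSE_IP" ]; then
        return 0
    fi
    if [ -n "$current" ]; then
        ip route del default via "$current"
    fi
    ip route add default via "$PFSENSE_IP"
}

# Map curl's exit status to what the firewall did. A "block" rule drops
# silently, so the request times out (28); a "reject" rule answers with a
# reset/unreachable, so curl fails at once (7); 6 means the name did not resolve.
classify() {
    case "$1" in
        0)  echo reachable ;;
        6)  echo unresolved ;;
        7)  echo rejected ;;
        28) echo timed-out ;;
        *)  echo "error-$1" ;;
    esac
}

# Probe one name over HTTP with a short timeout; the timeout is what makes a
# silently dropped connection observable.
probe() {
    curl --silent --output /dev/null --max-time 5 "http://$1/"
    classify $?
}

# Verdict: success (0) only when the control name is reachable and no blocked
# name is. Takes classifications as arguments so it can be checked offline:
#   verdict <control-result> <blocked-result>...
verdict() {
    control="$1"; shift
    [ "$control" = reachable ] || return 1
    for r in "$@"; do
        [ "$r" != reachable ] || return 1
    done
    return 0
}

# Only touch the routing table and the network when explicitly asked.
if [ "${RUN_PROBES:-0}" = 1 ]; then
    point_gateway_at_pfsense
    echo "default gateway now: $(ip route | default_gateway)"
    results=""
    for name in $BLOCKED; do
        r=$(probe "$name"); echo "$name: $r"; results="$results $r"
    done
    c=$(probe "$CONTROL"); echo "$CONTROL (control): $c"
    if verdict "$c" $results; then echo "PASS: rule behaves as expected"; else echo "FAIL"; fi
fi
```

Run it as root with RUN_PROBES=1. Blocked names should come back as “timed-out” with a “Block” action, or “rejected” with “Reject”, while the control name reports “reachable”; a blocked name that reports “reachable” usually means it resolved on the Debian VM to an address that the firewall's copy of the alias does not contain.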

Thank you for reading!!!
