pfSense Security Recipes - Hardening and IDS

This section covers pfSense security hardening recipes: from baseline system hardening and two-factor authentication to IDS/IPS deployment, automated threat blocking, and compliance with PCI DSS and CIS standards.

Before following any recipe, create a configuration backup at Diagnostics - Backup & Restore. For foundational firewall information, see the pfSense firewall rules section.

Hardening pfSense

Baseline pfSense hardening includes disabling unused services, enforcing SSH key authentication, requiring HTTPS access, and reducing the attack surface.

Step-by-Step

  1. Update pfSense to the latest version: System - Update

  2. Configure HTTPS access to the web GUI:

    • Navigate to System - Advanced - Admin Access
    • Protocol - HTTPS
    • SSL/TLS Certificate - use a certificate issued by an internal CA (not the default self-signed certificate)
    • TCP Port - change the default port (e.g., 8443)
    • WebGUI Login Autocomplete - disable
    • Login page color - change the color (visual indicator for production environments)
  3. Configure SSH:

    • Secure Shell Server - enable SSH only when needed
    • SSHd Key Only - Public Key Only (disables password authentication)
    • SSH Port - change the default port 22
    • Add administrator public keys: System - User Manager - edit user - Authorized SSH Keys
  4. Disable unused services:

    • Check Status - Services and stop unnecessary ones
    • Disable UPnP: Services - UPnP & NAT-PMP - uncheck Enable
    • Disable SNMP if not in use: Services - SNMP
  5. Protect console access:

    • System - Advanced - Admin Access - Console Options
    • Password protect the console menu - enable
  6. Configure login lockout:

    • System - Advanced - Login Protection
    • Threshold - 5 attempts
    • Blocktime - 1800 seconds (30 minutes)
    • Detection time - 300 seconds (5 minutes)
  7. DNS Rebinding Check:

    • System - Advanced - Admin Access - DNS Rebind Check is enabled by default; leave it enabled unless specific requirements dictate otherwise
  8. Configure NTP:

    • Services - NTP - Settings
    • Specify reliable NTP servers (pool.ntp.org)
    • Bind NTP to internal interfaces only
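The following is an added example, not part of the original recipe or of pfSense itself: a POSIX shell audit that reads a config.xml and reports which of the baseline settings from steps 2 and 3 are still at their defaults, so the hardening can be verified (for instance after a configuration restore) instead of being rechecked by hand in the GUI. It runs against two constructed config snippets embedded inline. The element names it looks for (webgui/protocol, webgui/port, ssh/enable, ssh/sshdkeyonly, ssh/port) follow the pfSense config.xml layout as I know it and should be confirmed against /conf/config.xml on your own system before the checks are trusted.

```shell
#!/bin/sh
# Added example (not pfSense code): audit a config.xml for the baseline
# settings in the hardening recipe. Element names (webgui/protocol, webgui/port,
# ssh/enable, ssh/sshdkeyonly, ssh/port) follow pfSense's config.xml layout as
# I know it; confirm them against /conf/config.xml on your own firewall.

# Constructed sample 1: a firewall still on the defaults.
SAMPLE_DEFAULT='<pfsense>
  <system>
    <webgui>
      <protocol>http</protocol>
      <port>80</port>
    </webgui>
    <ssh>
      <enable>enabled</enable>
      <sshdkeyonly>both</sshdkeyonly>
      <port>22</port>
    </ssh>
  </system>
</pfsense>'

# Constructed sample 2: the same firewall after the recipe was applied.
SAMPLE_HARDENED='<pfsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port>8443</port>
    </webgui>
    <ssh>
      <enable>enabled</enable>
      <sshdkeyonly>enabled</sshdkeyonly>
      <port>2222</port>
    </ssh>
  </system>
</pfsense>'

# xml_get SECTION TAG CONFIG: print the text inside the first <TAG> found
# between <SECTION> and </SECTION>. Scoping by section matters because
# <port> appears under both <webgui> and <ssh>.
xml_get() {
  printf '%s\n' "$3" | awk -v sec="$1" -v tag="$2" '
    $0 ~ "<" sec ">"  { in_sec = 1 }
    $0 ~ "</" sec ">" { in_sec = 0 }
    in_sec && $0 ~ "<" tag ">" {
      sub(".*<" tag ">", ""); sub("</" tag ">.*", ""); print; exit
    }'
}

# audit_config CONFIG: print one OK/FAIL line per check.
audit_config() {
  cfg=$1
  proto=$(xml_get webgui protocol "$cfg")
  gui_port=$(xml_get webgui port "$cfg")
  ssh_on=$(xml_get ssh enable "$cfg")
  ssh_keyonly=$(xml_get ssh sshdkeyonly "$cfg")
  ssh_port=$(xml_get ssh port "$cfg")

  if [ "$proto" = "https" ]; then echo "OK   web GUI uses HTTPS"
  else echo "FAIL web GUI protocol is '${proto:-unset}', expected https"; fi

  case "$gui_port" in
    80|443|"") echo "FAIL web GUI port is '${gui_port:-unset}', move it off the default" ;;
    *)         echo "OK   web GUI port is $gui_port" ;;
  esac

  if [ "$ssh_on" != "enabled" ]; then
    echo "OK   SSH is disabled"
  else
    if [ "$ssh_keyonly" = "enabled" ]; then echo "OK   SSH accepts public keys only"
    else echo "FAIL SSH still allows password authentication (sshdkeyonly='${ssh_keyonly:-unset}')"; fi
    if [ "$ssh_port" = "22" ] || [ -z "$ssh_port" ]; then echo "FAIL SSH listens on the default port 22"
    else echo "OK   SSH listens on port $ssh_port"; fi
  fi
}

# failure_count CONFIG: number of FAIL lines, usable as a pass/fail gate in a script.
failure_count() {
  audit_config "$1" | grep -c '^FAIL' || true
}

audit_config "$SAMPLE_DEFAULT"
echo "failures: $(failure_count "$SAMPLE_DEFAULT")"
```

On a real system the audit would be run as `failure_count "$(cat /conf/config.xml)"` from a backup host after a restore, and a non-zero count would fail the deployment check.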

Two-Factor Authentication with Google Authenticator

TOTP authentication via Google Authenticator adds a second factor for web GUI login and VPN access. Implementation uses the FreeRADIUS package with a TOTP module.

Step-by-Step

  1. Install the FreeRADIUS package: System - Package Manager - Available Packages - freeradius3

  2. Navigate to Services - FreeRADIUS - Interfaces:

    • Add an interface:
      • Interface IP - 127.0.0.1
      • Port - 1812
      • Interface Type - Authentication
  3. Navigate to Services - FreeRADIUS - NAS/Clients:

    • Add a client:
      • Client IP - 127.0.0.1
      • Shared Secret - generate a strong secret
  4. Navigate to Services - FreeRADIUS - Users and add a user:

    • Username - the account name
    • Password - the user's static password
    • One-Time Password Configuration - Enable
    • OTP Auth Method - Google Authenticator
    • Init-Secret - auto-generated
    • PIN - numeric PIN (entered before the TOTP code)
    • Record or scan the QR code to set up Google Authenticator on the user's device
  5. Navigate to System - User Manager - Authentication Servers and add RADIUS:

    • Type - RADIUS
    • Hostname or IP - 127.0.0.1
    • Shared Secret - the secret from step 3
    • Authentication Port - 1812
  6. To protect the web GUI:

    • System - User Manager - Settings
    • Authentication Server - select the RADIUS server
  7. For VPN: in the OpenVPN server settings, select RADIUS as the Backend for authentication

  8. When logging in, the user enters: PIN + TOTP code in the password field (e.g., 1234567890 where 1234 is the PIN and 567890 is the TOTP code)

IDS/IPS with Suricata in Inline Mode

Suricata in inline (IPS) mode does not just detect malicious traffic but drops it in real time: unlike passive IDS mode, which only raises alerts, inline mode sits in the packet path and stops matching traffic before it reaches its target.

Step-by-Step

  1. Install Suricata: System - Package Manager - Available Packages - suricata

  2. Navigate to Services - Suricata - Global Settings:

    • Install ETOpen Emerging Threats rules - checked
    • Install Snort rules - checked (requires an Oink Code from snort.org)
    • Update Interval - 12 hours
    • Remove Blocked Hosts Interval - 1 hour
    • Log to System Log - checked
  3. Click Update to download rule sets

  4. Navigate to Services - Suricata - Interfaces and add an interface:

    • Interface - WAN
    • Enable - checked
    • IPS Mode - checked (Inline mode)
    • Block Offenders - checked
    • Kill States - checked
    • Block Duration - 3600 (1 hour)
  5. Navigate to the WAN Categories tab and select rule sets:

    • ET Open Rules - enable categories: emerging-attack_response, emerging-exploit, emerging-malware, emerging-scan, emerging-trojan
    • Disable high false-positive categories (emerging-info, emerging-games)
  6. Navigate to the WAN Rules tab for fine-tuning individual rules

  7. Add WAN for inbound traffic monitoring and LAN for outbound traffic monitoring

  8. Navigate to Services - Suricata - Logs to review events

  9. Configure false positive suppression: WAN - SID Mgmt - add rule SIDs to the Suppress List

Important: initially run Suricata in IDS mode (without blocking) to identify false positives. After configuring the Suppress List, switch to IPS mode. For traffic mirroring configuration, see the network recipes section.
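The IDS-mode baseline described above produces a large volume of alerts, and the Suppress List is built from reviewing them. As an added example (not code from the page or from the Suricata package), the shell script below reads Suricata fast.log lines, counts alerts per SID and emits Suppress List candidates in Suricata's threshold syntax: a SID that fires repeatedly from a single source gets a `track by_src, ip` suppression scoped to that host, while a SID that fires from many sources is listed with a review comment rather than being suppressed globally. The log lines, SIDs and rule messages are constructed for the example, and the alert threshold (3 here) is a parameter.

```shell
#!/bin/sh
# Added example: turn an IDS-mode Suricata fast.log into Suppress List candidates.
# Not part of the pfSense Suricata package; log lines, SIDs and messages are constructed.

# Constructed fast.log sample: one noisy local rule firing from a single host, one rule
# firing from several hosts, and one genuine single alert from the WAN side.
SAMPLE_FASTLOG='11/03/2024-09:12:41.118322  [**] [1:1000001:1] EXAMPLE POLICY inventory agent check-in [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51422 -> 203.0.113.10:443
11/03/2024-09:13:02.551930  [**] [1:1000001:1] EXAMPLE POLICY inventory agent check-in [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51431 -> 203.0.113.10:443
11/03/2024-09:14:19.002874  [**] [1:1000001:1] EXAMPLE POLICY inventory agent check-in [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51440 -> 203.0.113.10:443
11/03/2024-09:15:44.817701  [**] [1:1000001:1] EXAMPLE POLICY inventory agent check-in [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51452 -> 203.0.113.10:443
11/03/2024-09:16:58.133045  [**] [1:1000001:1] EXAMPLE POLICY inventory agent check-in [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51460 -> 203.0.113.10:443
11/03/2024-09:20:10.400112  [**] [1:1000002:2] EXAMPLE INFO DNS query for dynamic DNS domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.20:53211 -> 192.168.1.1:53
11/03/2024-09:21:33.718204  [**] [1:1000002:2] EXAMPLE INFO DNS query for dynamic DNS domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.21:60010 -> 192.168.1.1:53
11/03/2024-09:22:07.090334  [**] [1:1000002:2] EXAMPLE INFO DNS query for dynamic DNS domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.22:41927 -> 192.168.1.1:53
11/03/2024-09:30:55.611589  [**] [1:1000003:1] EXAMPLE SCAN SSH connection burst from WAN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.77:44120 -> 192.0.2.10:22'

# top_sids LOG: alert count per SID, busiest first (what to look at during the IDS-mode review).
top_sids() {
  printf '%s\n' "$1" |
    sed -n 's/.*\[\([0-9]*\):\([0-9]*\):[0-9]*\].*/\2/p' |
    sort | uniq -c | sort -rn
}

# suppress_candidates LOG THRESHOLD: for every SID with at least THRESHOLD alerts,
# print a comment line and a Suppress List entry in Suricata threshold syntax.
# Single-source noise is suppressed only for that source (track by_src); multi-source
# noise gets a global suppress line that should be reviewed before being enabled.
suppress_candidates() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    {
      # The rule id is the first [gid:sid:rev] triple on the line.
      if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
      split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
      sid = id[2]
      # The source is the host:port token immediately before "->".
      src = ""
      for (i = 2; i <= NF; i++) if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src); break }
      count[sid]++
      if (!(sid in first_src)) { first_src[sid] = src } else if (first_src[sid] != src) { multi[sid] = 1 }
    }
    END {
      for (sid in count) if (count[sid] >= thr)
        print sid "|" count[sid] "|" ((sid in multi) ? "multi" : first_src[sid])
    }' |
  sort -t '|' -k 1,1n |
  awk -F '|' '
    $3 == "multi" {
      print "# sid " $1 ": " $2 " alerts from several sources; review the rule before suppressing it globally"
      print "suppress gen_id 1, sig_id " $1
      next
    }
    {
      print "# sid " $1 ": " $2 " alerts, all from " $3
      print "suppress gen_id 1, sig_id " $1 ", track by_src, ip " $3
    }'
}

echo "== alerts per SID =="
top_sids "$SAMPLE_FASTLOG"
echo "== Suppress List candidates (threshold 3) =="
suppress_candidates "$SAMPLE_FASTLOG" 3
```

The emitted lines are pasted into the WAN - SID Mgmt Suppress List; the single alert from the WAN side stays below the threshold and is never suppressed, which is the behaviour you want from a baseline filter.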

Automatic IP Blocking with pfBlockerNG and Threat Feeds

pfBlockerNG automatically updates lists of known threats and blocks traffic from malicious IP addresses. It supports numerous threat intelligence sources.

Step-by-Step

  1. Install the package: System - Package Manager - Available Packages - pfBlockerNG-devel

  2. Navigate to Firewall - pfBlockerNG - General:

    • Enable pfBlockerNG - checked
    • Keep Settings - checked
    • CRON Settings - Every hour
  3. Navigate to Firewall - pfBlockerNG - IP:

    • Under the IPv4 tab, add feeds:
      Name                URL                                                               Action
      Spamhaus DROP       https://www.spamhaus.org/drop/drop.txt                            Deny Inbound
      Spamhaus EDROP      https://www.spamhaus.org/drop/edrop.txt                           Deny Inbound
      DShield Block       https://feeds.dshield.org/block.txt                               Deny Inbound
      Emerging Threats    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt  Deny Both
      Abuse.ch Feodo      https://feodotracker.abuse.ch/downloads/ipblocklist.txt           Deny Both
  4. For each feed, configure:

    • Action - Deny Inbound (block inbound) or Deny Both (inbound and outbound)
    • Update Frequency - Every 1 hour
  5. Navigate to Firewall - pfBlockerNG - Update and click Run

  6. Verify the created aliases and rules: Firewall - Rules - pfBlockerNG

  7. Monitor blocks: Firewall - pfBlockerNG - Reports

  8. To add custom lists: create a text file with one IP or CIDR entry per line, host it at a URL reachable from pfSense, and add that URL as a custom feed

Logging to a Remote SIEM (Wazuh/ELK/Graylog)

Centralized log collection from pfSense to a SIEM system (Wazuh, ELK, Graylog) enables event correlation, long-term storage, and security incident analysis.

Step-by-Step for Syslog

  1. Navigate to Status - System Logs - Settings:

    • Log Message Format - syslog (RFC 5424) or BSD (RFC 3164) depending on the SIEM
    • Enable Remote Logging - checked
    • Source Address - LAN interface
    • IP Protocol - IPv4
    • Remote Log Servers - SIEM server IP:port (e.g., 192.168.1.100:514)
    • Remote Syslog Contents - select log types:
      • System Events
      • Firewall Events
      • DNS Events
      • DHCP Events
      • Authentication Events
      • VPN Events
      • Gateway Monitor Events
  2. For TLS transport (recommended):

    • Install the syslog-ng package via Package Manager
    • Configure TLS transport in the syslog-ng configuration

Configuration for Wazuh

  1. Install the Wazuh agent on pfSense (FreeBSD package):

       pkg install wazuh-agent

  2. Configure /var/ossec/etc/ossec.conf:

       <ossec_config>
         <client>
           <server>
             <address>192.168.1.100</address>
             <port>1514</port>
             <protocol>tcp</protocol>
           </server>
         </client>
         <localfile>
           <log_format>syslog</log_format>
           <location>/var/log/filter.log</location>
         </localfile>
         <localfile>
           <log_format>syslog</log_format>
           <location>/var/log/system.log</location>
         </localfile>
       </ossec_config>

  3. Start the agent:

       service wazuh-agent start

  4. On the Wazuh Manager, verify that the agent has connected

For detailed pfSense-Wazuh integration instructions, see the pfSense Wazuh integration section.

Configuration for ELK/Graylog

  1. Configure Remote Logging as described above (using the Logstash or Graylog input port)
  2. On the ELK side, create a Logstash pipeline for parsing pfSense logs (filterlog format)
  3. Use the available Graylog Content Pack for pfSense when using Graylog
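Whichever SIEM receives the logs, the firewall entries arrive as filterlog CSV records behind the syslog header, and the parsing pipeline on the SIEM side has to map the comma-separated fields to named attributes. The following added example (not from the page, not from pfSense, and not a Logstash configuration) does that mapping in shell for IPv4 records so the field positions can be checked before the SIEM pipeline is written: it extracts action, direction, interface, protocol, addresses and ports, and summarises blocked inbound destination ports and sources. The sample lines are constructed with documentation addresses; the field positions follow the pfSense filterlog format for IPv4, and IPv6 records, which use a different layout, are skipped.

```shell
#!/bin/sh
# Added example: parse pfSense filterlog records (IPv4) the way a SIEM pipeline must.
# Not from the page or from pfSense; the log lines are constructed with RFC 5737 addresses.

# Constructed syslog sample: four blocked inbound packets on WAN (em0), one passed
# outbound-originated connection on LAN (em1).
SAMPLE_FILTERLOG='Nov  3 09:12:41 fw01 filterlog[40789]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Nov  3 09:12:42 fw01 filterlog[40789]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51235,22,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Nov  3 09:12:50 fw01 filterlog[40789]: 5,,,1000000103,em0,match,block,in,4,0x0,,117,0,0,none,17,udp,78,198.51.100.23,192.0.2.10,40001,161,58
Nov  3 09:13:01 fw01 filterlog[40789]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.77,192.0.2.10,60112,3389,0,S,99,,1024,,mss
Nov  3 09:13:05 fw01 filterlog[40789]: 91,,,1527812345,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51500,443,0,S,5,,65535,,mss;sackOK;TS;nop;wscale'

# parse_filterlog LOG: one tab-separated record per IPv4 entry:
#   action  direction  interface  proto  src  dst  sport  dport
# Field positions follow the pfSense filterlog format:
#   1 rule, 2 sub-rule, 3 anchor, 4 tracker, 5 interface, 6 reason, 7 action,
#   8 direction, 9 ip-version; for IPv4: 10 tos, 11 ecn, 12 ttl, 13 id, 14 offset,
#   15 flags, 16 proto-id, 17 proto-text, 18 length, 19 src, 20 dst; for tcp/udp:
#   21 sport, 22 dport. IPv6 records use another layout and are skipped here.
parse_filterlog() {
  printf '%s\n' "$1" | awk '
    {
      # Everything after "filterlog[pid]: " is the CSV record.
      idx = index($0, "filterlog[")
      if (idx == 0) next
      rec = substr($0, idx)
      sub(/^filterlog\[[0-9]+\]: /, "", rec)
      n = split(rec, f, ",")
      if (f[9] != "4" || n < 20) next
      proto = f[17]
      if (proto == "tcp" || proto == "udp") { sport = f[21]; dport = f[22] } else { sport = "-"; dport = "-" }
      printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", f[7], f[8], f[5], proto, f[19], f[20], sport, dport
    }'
}

# blocked_inbound_ports LOG: destination ports hit by blocked inbound traffic, busiest first.
blocked_inbound_ports() {
  parse_filterlog "$1" |
    awk -F '\t' '$1 == "block" && $2 == "in" && $8 != "-" { c[$8]++ } END { for (p in c) print c[p], p }' |
    sort -rn
}

# blocked_inbound_sources LOG: source addresses of blocked inbound traffic, busiest first.
blocked_inbound_sources() {
  parse_filterlog "$1" |
    awk -F '\t' '$1 == "block" && $2 == "in" { c[$5]++ } END { for (s in c) print c[s], s }' |
    sort -rn
}

echo "== parsed records =="
parse_filterlog "$SAMPLE_FILTERLOG"
echo "== blocked inbound destination ports =="
blocked_inbound_ports "$SAMPLE_FILTERLOG"
echo "== blocked inbound sources =="
blocked_inbound_sources "$SAMPLE_FILTERLOG"
```

The same positional mapping is what a dissect or csv filter on the SIEM side has to reproduce; validating it against known lines first avoids silently mislabelled source and destination fields in the dashboards.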

PCI DSS Compliance Checklist for pfSense

PCI DSS mandates specific network security requirements. pfSense can be configured to meet the primary requirements of the standard.

Step-by-Step

  1. Requirement 1 - Install and maintain a firewall configuration:

    • Document all firewall rules with descriptions
    • Create a deny-all rule at the end of each rule list (pfSense does this by default)
    • Restrict inbound and outbound traffic to the minimum necessary
    • Isolate cardholder data networks via DMZ or a dedicated VLAN
  2. Requirement 2 - Change default parameters:

    • Change the administrator password
    • Change web GUI and SSH ports
    • Disable unused services (UPnP, SNMP if not required)
  3. Requirement 4 - Encrypt transmission of cardholder data:

    • Enable HTTPS for the web GUI with a strong certificate
    • Configure VPN for remote access with AES-256 encryption
    • Disable weak TLS protocols: System - Advanced - Admin Access - minimum TLS 1.2
  4. Requirement 6 - Maintain updated systems:

    • Update pfSense and all packages to current versions
    • Subscribe to pfSense security notifications
  5. Requirement 8 - Identify and authenticate access:

    • Configure individual accounts for each administrator
    • Enable two-factor authentication (recipe above)
    • Configure login lockout for failed attempts
  6. Requirement 10 - Track and monitor all access:

    • Enable logging for all events
    • Configure log forwarding to a SIEM (recipe above)
    • Ensure log retention for a minimum of 1 year (90 days online)
    • Synchronize time via NTP
  7. Requirement 11 - Test security systems:

    • Install IDS/IPS (Suricata, recipe above)
    • Conduct periodic vulnerability scans

CIS Benchmark Hardening for pfSense

CIS (Center for Internet Security) provides detailed recommendations for secure configuration. The following items are based on CIS practices for network devices.

Step-by-Step

  1. Access management:

    • Create named accounts for each administrator: System - User Manager
    • Assign minimum required privileges through groups
    • Disable the default admin account and create a named account with administrator rights
    • Enable auditing of administrator actions
  2. Network services:

    • Disable IPv6 if not in use: System - Advanced - Networking - Allow IPv6
    • Disable IGMP Proxy if not needed
    • Disable UPnP and NAT-PMP
  3. Cryptographic settings:

    • System - Advanced - Admin Access:
      • SSL/TLS Certificate - RSA 2048+ or ECDSA
      • Disable HTTP Redirect (HTTPS only)
    • For VPN, use AES-256-GCM and SHA-256
    • Disable DES and 3DES support in IPsec
  4. Logging and auditing:

    • Enable logging of the default block rules: System - Advanced - Firewall & NAT - Log packets matched from the default block rules
    • Configure remote syslog with TLS
    • Enable configuration change logging
  5. Network security:

    • Enable the Anti-Lockout Rule only on the management interface
    • Enable IP spoofing protection: System - Advanced - Firewall & NAT - enable Bogon Networks blocking on all WAN interfaces
    • Configure Rate Limiting via Firewall - Traffic Shaper for DDoS mitigation
  6. Backup:

    • Configure automatic configuration backup via AutoConfigBackup
    • Store backups in encrypted form

Blocking Tor Exit Nodes and Anonymizers

Blocking Tor exit nodes and known anonymizers prevents circumvention of corporate security policies and reduces the risk of anonymous attacks.

Step-by-Step

  1. Via pfBlockerNG (recommended):

    • Navigate to Firewall - pfBlockerNG - IP - IPv4
    • Add feeds:
      Name              URL                                             Action
      Tor Exit Nodes    https://check.torproject.org/torbulkexitlist    Deny Both
      dan.me.uk Tor     https://www.dan.me.uk/torlist/?exit             Deny Both
    • Set Update Frequency - Every 1 hour (Tor node lists change frequently)
  2. Via Firewall Aliases (alternative without pfBlockerNG):

    • Firewall - Aliases - IP - add an alias named Tor_Exit_Nodes of type URL Table (IPs), point it at one of the list URLs above, and set its update frequency
  3. Create block rules on WAN and LAN (the alias is the source on WAN and the destination on LAN):

       # Block inbound traffic from Tor
       Action: Block
       Interface: WAN
       Source: Tor_Exit_Nodes
       Destination: any

       # Block outbound traffic to Tor
       Action: Block
       Interface: LAN
       Source: LAN net
       Destination: Tor_Exit_Nodes
  4. To block VPN anonymizers, add additional lists of known VPN providers to pfBlockerNG

  5. Log blocked connection attempts for analysis: enable logging in the block rules

For comprehensive protection, combine Tor blocking with a DNS sinkhole and IDS/IPS (Suricata).
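Both the custom pfBlockerNG lists (the last step of that recipe) and the Tor lists above are plain text files of IP and CIDR entries fetched on a schedule, and a malformed or careless entry in them is applied to the firewall unseen. As an added example, not part of the page or of pfBlockerNG, the shell script below validates such a list (comments and blank lines stripped, IPv4 addresses and prefix lengths checked, rejected lines reported with their line numbers), merges and deduplicates two sources into one list, and flags RFC 1918 entries, which would cut off internal networks if a feed containing them were applied as Deny Both. The two feeds are constructed inline from documentation address ranges; the IPv6 entry is there to show the validator rejecting what it does not handle.

```shell
#!/bin/sh
# Added example: validate, merge and sanity-check IP/CIDR block lists before they are
# handed to pfBlockerNG or a URL Table alias. Not from the page or from pfBlockerNG;
# both feeds below are constructed from RFC 5737 documentation ranges.

LIST_A='# Constructed feed A (stand-in for a Tor exit list)
203.0.113.5
203.0.113.7
198.51.100.0/24
192.0.2.300        # octet out of range
203.0.113.5        # duplicate of line 2
'

LIST_B='# Constructed feed B
203.0.113.7
198.51.100.42/33   # prefix too long
10.0.0.0/8         # syntactically valid, but a private range in a block feed is dangerous
not-an-ip
2001:db8::1        # IPv6 is outside this IPv4-only validator
'

# awk program shared by the helpers. mode: valid | invalid | private
AWK_FILTER='
  function valid_ipv4(a,   o, i) {
    if (split(a, o, ".") != 4) return 0
    for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
    return 1
  }
  function valid_entry(e,   p, n) {
    n = split(e, p, "/")
    if (n == 1) return valid_ipv4(p[1])
    if (n == 2) return valid_ipv4(p[1]) && p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32
    return 0
  }
  function is_private(e,   p, o) {
    split(e, p, "/"); split(p[1], o, ".")
    return (o[1] == 10) || (o[1] == 172 && o[2] >= 16 && o[2] <= 31) || (o[1] == 192 && o[2] == 168)
  }
  {
    raw = $0
    sub(/#.*/, "")               # strip comments
    gsub(/^[ \t]+|[ \t]+$/, "")  # trim whitespace
    if ($0 == "") next
    if (!valid_entry($0)) { if (mode == "invalid") print NR ": " raw; next }
    if (seen[$0]++) next         # drop duplicates
    if (mode == "valid" || (mode == "private" && is_private($0))) print $0
  }
'

# filter_list LIST MODE: "valid" prints unique usable entries sorted by octet,
# "invalid" prints rejected raw lines with their line numbers,
# "private" prints valid entries that fall inside RFC 1918 space.
filter_list() {
  if [ "$2" = "invalid" ]; then
    printf '%s\n' "$1" | awk -v mode="$2" "$AWK_FILTER"
  else
    printf '%s\n' "$1" | awk -v mode="$2" "$AWK_FILTER" | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
  fi
}

# merge_lists LIST1 LIST2: one deduplicated, validated list from two sources.
merge_lists() {
  filter_list "$(printf '%s\n%s\n' "$1" "$2")" valid
}

echo "== rejected lines in feed B =="
filter_list "$LIST_B" invalid
echo "== merged list =="
merge_lists "$LIST_A" "$LIST_B"
echo "== private ranges in the merged list (remove before applying Deny Both) =="
filter_list "$(merge_lists "$LIST_A" "$LIST_B")" private
```

Running the feeds through this before they are published at the URL the firewall fetches keeps a bad upstream line from turning into a block rule, and the private-range check is the one that prevents a self-inflicted outage.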
