PFSense: how to tackle a transition from default allow all to default reject all

Hello,

I have used PFSense mainly as a router with some ingress rules but it is time to migrate to a more secure environment and limit the allowed outgoing flows.

Any ideas on how to tackle this project are very welcome: methodology, tools to view the existing traffic flows, etc.

My current thinking:

  • begin with the servers
  • use NTOP to get an insight in the traffic

Questions:

  • how to separate “secured” machines from legacy machines.
  • is the free NTOP version sufficient for this
  • does it make sense to do this in 2014

Any help will be greatly appreciated.

Thanks

I don’t understand the ask for that question.
As for using NTOP, that is fine, or simply go to “Diagnostics → pfTop” to see the connections and build the rules based on the connections. As for it being worth it, that is a maybe. Most modern threat actors are using port 443 and a Let’s Encrypt cert. But there are still ones that don’t, and blocking egress could stop one of those.

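The reply's approach of reading the current connections and building the rules from them, as an added example that is not part of the thread or of pfSense itself: a Python script that takes a saved `pfctl -ss` dump (the same state table pfTop shows), keeps only flows initiated from inside networks toward outside addresses, and aggregates them per source host, protocol and destination port into a worksheet of candidate allow rules. The inside networks in `LOCAL_NETS`, the sample state lines, and the rule text are assumptions; the sample lines are constructed in the layout `pfctl -ss` prints (translated address first, pre-NAT address in parentheses, arrow pointing from initiator to responder), so check the parser against a few real lines from your own box before trusting the output.

```python
"""Aggregate a saved `pfctl -ss` dump into candidate egress allow rules.

Added example (not from the thread). On the firewall: pfctl -ss > states.txt,
then run this over the file. Flows to other inside hosts and inbound flows
(initiated from outside) are dropped; what remains is the egress a
default-deny policy would have to permit.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the networks behind the firewall. Adjust to your LAN/DMZ ranges.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

# Constructed sample in the layout pfctl -ss prints:
#   iface proto A[:port] [(pre-NAT A[:port])] -> | <- B[:port]   STATE:STATE
# The arrow points from the initiating side to the responding side.
SAMPLE = """\
all tcp 10.0.1.10:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 10.0.1.10:51240 -> 93.184.216.34:443       FIN_WAIT_2:FIN_WAIT_2
all udp 10.0.1.10:40012 -> 10.0.0.2:53       MULTIPLE:SINGLE
all tcp 10.0.1.20:33000 -> 198.51.100.7:25       ESTABLISHED:ESTABLISHED
all udp 10.0.1.20:123 -> 203.0.113.9:123       MULTIPLE:MULTIPLE
all tcp 10.0.1.30:22 <- 203.0.113.50:60001       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:61001 (10.0.1.10:51300) -> 93.184.216.34:80       TIME_WAIT:TIME_WAIT
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+"
    rf"(?P<l>{IPV4})(?::(?P<lport>\d+))?"           # left (wire) address
    rf"(?:\s+\((?P<orig>{IPV4})(?::(?P<oport>\d+))?\))?"  # optional pre-NAT address
    r"\s+(?P<arrow>->|<-)\s+"
    rf"(?P<r>{IPV4})(?::(?P<rport>\d+))?"           # right address
)


def parse_state(line):
    """Return (proto, initiator, responder, dest_port) or None for unparsable lines."""
    m = STATE_RE.match(line)
    if not m:
        return None
    # Assumption: the parenthesized address is the pre-NAT inside host; prefer it.
    left = m["orig"] or m["l"]
    lport = m["oport"] or m["lport"]
    right, rport = m["r"], m["rport"]
    if m["arrow"] == "->":
        initiator, responder, dport = left, right, rport
    else:                       # "B <- A": A on the right initiated toward B
        initiator, responder, dport = right, left, lport
    return m["proto"], initiator, responder, (int(dport) if dport else None)


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)


def egress_flows(text):
    """Count (src, proto, dst, dport) for inside->outside TCP/UDP flows only."""
    flows = Counter()
    for line in text.splitlines():
        parsed = parse_state(line)
        if parsed is None:
            continue
        proto, src, dst, dport = parsed
        if proto not in ("tcp", "udp") or not is_local(src) or is_local(dst):
            continue            # skip ICMP, inbound, and inside-to-inside
        flows[(src, proto, dst, dport)] += 1
    return flows


def candidate_rules(flows):
    """Collapse flows into one pf-style line per (src host, proto, dest port)."""
    by_service = defaultdict(set)
    for src, proto, dst, dport in flows:
        by_service[(src, proto, dport)].add(dst)
    rules = []
    for (src, proto, dport), dsts in sorted(by_service.items()):
        dst_list = ", ".join(sorted(dsts))
        rules.append(f"pass out quick proto {proto} from {src} to {{ {dst_list} }} port {dport}")
    return rules


def hosts_seen(flows):
    """Inside hosts that originate egress; work through these one at a time."""
    return sorted({src for src, _, _, _ in flows})


if __name__ == "__main__":
    flows = egress_flows(SAMPLE)
    for host in hosts_seen(flows):
        print(f"# {host}")
    for rule in candidate_rules(flows):
        print(rule)
```

The rule lines are a readable worksheet, not something to paste in: in pfSense, egress policy is normally expressed as pass rules on the inside interface (LAN/DMZ) followed by a default block, so each line is transcribed into Firewall → Rules for that interface. Run the dump several times across a day and a month-end before declaring a host's list complete, since a state table is only a snapshot.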