When first setting up my pfsense box I had trouble getting on the internet. I created a rule to allow all traffic on the WAN. Literally ALL of it. That got me online…clearly…and I never changed it back until now. I now see what I was doing wrong and have fixed it by removing all allow rules on WAN. My question is…Am I totally hosed? Did I invite a ton of malicious actors into my network? What should I do now?
Is there anything that could have saved me in any way? NAT, Windows Firewall, firewalld? etc…?
I scanned all my machines for viruses, malware/spyware, and most of my workstations have ransomware protection in place and nothing was found.
Should I totally re-install all my operating systems and restore my file server from an old backup? Is that the absolute paranoid approach? Nothing looks to be wrong but apparently I don’t know what I’m doing when it comes to networking, just trying to learn.
Thanks in advance.
Did anyone besides people you trust log into your firewall? Did you have a weak or default password? If the answer is yes to either, then reload pfsense.
Nobody but me has logged into the firewall and no default passwords here; I used a randomly generated password from the PasswordTech generator and stored it in my password manager. I also followed your idea of creating rules blocking the firewall web management ports to all my LANs except a management LAN that you would have to physically visit to connect to.
Yes. NAT. Your devices on the LAN side were never exposed to the internet, unless you had any port forwarding in place. However, the admin interface and SSH (if enabled) were probably exposed.
Then it is very unlikely that anyone had access to it.
Thanks for your reply. Just to help me understand more: you think NAT prevented any bad actors from harming my LAN? You think the only thing that was actually exposed to the internet was my pfsense box (SSH not enabled) but they may have been able to see the login page? I do have the admin page set to a different port (not 80 or 443).
I’m just trying to gauge whether or not someone could have started hosting some dark web stuff, or made me a tor node on my network or some garbage like that (am I just being paranoid?)
FWIW I can see the logins to pfsense in the syslog and it looks like they were all me doing my configurations. Not even any attempts to log in from what I can tell.
Thanks for your help.
Yes exactly that. If you put an “any / any” rule on the WAN interface you are basically saying any traffic is allowed to pass the WAN interface. But there is nowhere to go from there. The only things that can be reached are services that are listening on the WAN interface of your pfSense box, because everything “on the other side” is behind NAT and has an IP in the private RFC 1918 address space, which is not routable from the public internet.
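The exposure argument in the reply above, as an added example that is not from the thread or from pfSense itself: a small Python model of what an internet host can actually reach given a WAN rule set. The Rule and Forward classes, the listener list and the scenario values are my constructed model, not pfSense's own API; it assumes first-match rule evaluation with an implicit default block, and that a port forward only works when a WAN rule passes its port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Private ranges from RFC 1918; packets addressed to these are not routed on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:            # constructed model of a WAN firewall rule
    action: str        # "pass" or "block"
    proto: str         # "any", "tcp" or "udp"
    dport: Optional[int]  # None means any destination port

@dataclass
class Forward:         # constructed model of a NAT port forward
    proto: str
    wan_port: int
    target: str        # LAN host the port is forwarded to
    target_port: int

def routable_from_internet(ip: str) -> bool:
    """A LAN host with an RFC 1918 address cannot be addressed directly from outside."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def wan_allows(rules, proto: str, port: int) -> bool:
    """First matching rule wins; no match means the implicit default block."""
    for r in rules:
        if r.proto in ("any", proto) and r.dport in (None, port):
            return r.action == "pass"
    return False

def exposed_services(rules, listeners, forwards):
    """Return what an internet host can reach through the WAN rule set.

    listeners: (proto, port, name) bound on the WAN address itself (webGUI, sshd, ...).
    forwards:  port forwards, each reachable only if a WAN rule passes its wan_port.
    """
    exposed = [f"{name} on WAN:{port}" for proto, port, name in listeners
               if wan_allows(rules, proto, port)]
    exposed += [f"{fw.target}:{fw.target_port} via WAN:{fw.wan_port}" for fw in forwards
                if wan_allows(rules, fw.proto, fw.wan_port)]
    return exposed

# Constructed scenario from the thread: any/any pass on WAN, webGUI moved off 443, no SSH, no forwards.
ANY_ANY = [Rule("pass", "any", None)]
LISTENERS = [("tcp", 8443, "webGUI")]

if __name__ == "__main__":
    print(exposed_services(ANY_ANY, LISTENERS, []))  # ['webGUI on WAN:8443']
    print(routable_from_internet("192.168.1.10"))     # False: LAN host unreachable even with any/any
    print(exposed_services([], LISTENERS, []))        # []: after removing all WAN allow rules
```

Adding a Forward to the third argument shows the one case where a LAN host does become reachable, which is why the reply above qualifies its answer with "unless you had any port forwarding in place".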
Ok that makes me feel so much better. Thank you so much for your help I really appreciate it!!!