pfSense Security Configuration Guide

This comprehensive guide will help you securely configure your pfSense firewall following industry best practices and security standards.

1. Initial Setup and Access Control

Change Default Admin Username

The default admin username should be changed to prevent unauthorized access attempts:

1. Navigate to System → User Manager
2. Click on the admin user
3. Change the username to something unique
4. Save and apply changes

Enable HTTPS for Web Interface

Always use HTTPS for the web interface to protect credentials:

1. Navigate to System → Advanced → Admin Access
2. Set Protocol to HTTPS
3. Configure a valid SSL/TLS certificate (System → Cert Manager)
4. Set strong cipher suites

Restrict Management Access

Limit web interface access to specific networks:

1. Go to Firewall → Rules → LAN
2. Create rules that allow access only from management networks
3. Disable access from WAN interface
4. Consider using a dedicated management VLAN

2. Firewall Rules Best Practices

Principle of Least Privilege

Apply the principle of least privilege to all firewall rules:

• Only allow necessary traffic
• Deny by default, allow by exception
• Use specific source and destination addresses
• Avoid "any to any" rules

Enable Logging

Enable logging on important rules for security monitoring:

• Log all deny rules for security analysis
• Log critical allow rules
• Review logs regularly using Status → System Logs → Firewall
• Consider forwarding logs to a SIEM system

Rule Ordering

Order rules correctly for optimal performance and security:

1. Place more specific rules at the top
2. Place frequently matched rules higher
3. Keep deny rules appropriately positioned
4. Review and clean up unused rules regularly

3. Network Security Configuration

Configure VLANs

Segment your network using VLANs:

• Create separate VLANs for different security zones (DMZ, Guest, Internal, Management)
• Configure inter-VLAN firewall rules
• Isolate untrusted networks
• Navigate to Interfaces → Assignments → VLANs

Enable IDS/IPS

Install and configure Snort or Suricata for intrusion detection:

1. Install Snort or Suricata from System → Package Manager
2. Configure rulesets (ET Open, Snort VRT)
3. Enable on WAN and critical interfaces
4. Tune rules to minimize false positives
5. Enable blocking mode after tuning

NAT Configuration

Secure NAT and port forwarding:

• Limit port forwards to specific source IPs when possible
• Use non-standard ports where appropriate
• Enable logging on NAT rules
• Regularly audit port forwards for necessity

4. Service Hardening

SSH Access

If SSH is required, secure it properly:

1. Navigate to System → Advanced → Admin Access
2. Enable SSH only if necessary
3. Use key-based authentication
4. Change default port (22)
5. Restrict access to management networks
6. Disable password authentication

DNS Configuration

Configure DNS securely:

• Use DNS Resolver (unbound) instead of DNS Forwarder
• Enable DNSSEC validation
• Configure DNS over TLS for privacy
• Use reputable DNS servers (Cloudflare, Quad9)
• Navigate to Services → DNS Resolver

NTP Configuration

Ensure accurate time synchronization:

1. Configure NTP servers at Services → NTP
2. Use multiple reliable time sources
3. Enable NTP authentication if supported
4. Set correct timezone at System → General Setup

5. VPN Security

OpenVPN Configuration

Secure OpenVPN setup:

• Use certificate-based authentication
• Enable TLS authentication
• Use strong encryption (AES-256-GCM)
• Set appropriate DH parameters (2048-bit minimum)
• Configure client-specific overrides when needed
• Enable compression only if necessary (security risk)

IPsec Configuration

For IPsec VPN tunnels:

• Use IKEv2 instead of IKEv1
• Use strong encryption (AES-256)
• Enable Perfect Forward Secrecy (PFS)
• Use strong authentication (certificates preferred)
• Set appropriate key lifetimes

6. Monitoring and Maintenance

Regular Updates

Keep your system updated:

• Check for updates regularly at System → Update
• Subscribe to pfSense security announcements
• Test updates in a non-production environment first
• Maintain configuration backups before updates

Backup Configuration

Regular backups are essential:

1. Navigate to Diagnostics → Backup & Restore
2. Download configuration regularly
3. Store backups securely offline
4. Encrypt backup files
5. Test restore procedures periodically

Log Monitoring

Monitor logs for security events:

• Review firewall logs daily at Status → System Logs → Firewall
• Monitor system logs for errors
• Check authentication logs for failed attempts
• Configure remote syslog for centralized logging
• Set up log rotation to manage disk space

7. Additional Security Measures

Install Security Packages

Consider these additional security packages:

• pfBlockerNG - IP and DNS blocking, GeoIP filtering
• Snort/Suricata - Intrusion detection and prevention
• Squid + SquidGuard - Web proxy and content filtering
• ntopng - Network traffic analysis

Disable Unused Services

Reduce attack surface by disabling unnecessary services:

• Disable unused network interfaces
• Remove unnecessary packages
• Disable unused protocols (RIP, OSPF if not needed)
• Turn off UPnP unless absolutely required

Enable Notifications

Configure system notifications:

1. Go to System → Advanced → Notifications
2. Configure email notifications
3. Set up alerts for system events
4. Monitor package update notifications

8. Security Checklist

9. Additional Resources

• Official pfSense Documentation
• pfSense Video Tutorials
• pfSense Community Forum

← Back to Home