Enablers on pfSense

Purpose of Enablers:

adam:ONE and any Adam products that include DTTS (Don’t Talk To Strangers) sometimes require specific outbound firewall permissions, because DTTS blocks any connection attempt that was not preceded by an allowed DNS query; this also affects applications that cache DNS answers beyond the TTL (time to live). We call such rule overrides “Enablers”.

Enablers on pfSense via Firewall Rules:

Enablers are rapidly changing firewall rules that are applied dynamically on a per-Policy basis. As such, they do not apply by default to all devices on a given interface/subnet, but only to devices assigned to Policies where such an Enabler is turned on. On FreeBSD-based operating systems this has to be expressed in the kernel packet filter (pf), so it is not a scalable approach for a large number of Enablers.

By comparison, on Linux NFQUEUE allows the decision-making to be moved to user space, which scales to thousands of firewall rule changes per minute without affecting overall performance. For this reason, Enablers are available in the dashboard user interface of Adam products only for Linux-based gateways, including ASUS routers, ClearOS 7 and later, and the Ubiquiti USG (Unified Security Gateway).

How to create Enablers:

In the pfSense web user interface, choose Firewall -> Rules, click one of your non-WAN interfaces such as LAN, and choose Add (the two Add buttons let you place the rule at the top or the bottom of your rule list):

Create as tight and narrow a rule as possible, to limit the possible misuse of outbound channels that do not require a valid DNS query. Here’s a practical example of how the Google, Facebook and Apple environments can be added:

NOTE: When rules are created like this in the pfSense UI, the corresponding Enabler on your dashboard UI should remain turned off.

How do we know what the firewall rule should look like for a specific enabler? I have the QuickBooks Online enabler currently turned on.

To determine what the firewall rule should look like, you need to know the destination that, e.g., QuickBooks Online needs to get to, and create a rule to allow that TCP/UDP traffic, or make an alias and allow traffic to that alias.
Many services publish which IPs and ports need to be enabled on the firewall, but sometimes you may need to check the log to see what is blocked in order to find the required destination.
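An added example of the log check described in the reply above (not code from the original post or from ADAMnetworks): a Python script that reads pfSense filterlog lines and groups blocked outbound flows by protocol and destination port, so the destinations can be pasted into an alias and the rule can be kept to those ports. The log lines are constructed for this example, the field layout follows pfSense's documented filterlog format for IPv4 TCP/UDP records, and the hostname and addresses are placeholders.

```python
"""Summarise blocked outbound flows from pfSense filterlog lines."""
import re
from collections import defaultdict

# Assumed pfSense filterlog field layout (IPv4 records, TCP/UDP only).
_COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface",
           "reason", "action", "dir", "ipver"]
_IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags",
         "protoid", "proto", "length", "src", "dst"]
_L4 = ["sport", "dport"]
_SYSLOG_PREFIX = re.compile(r".*filterlog\[\d+\]:\s*")

# Constructed sample: two blocked TCP/443 flows, one blocked UDP/3478 flow,
# and one passed flow that must be ignored. em1 is the LAN-side interface.
SAMPLE_LOG = """\
Mar 12 10:00:01 fw filterlog[61234]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,51234,443,0,S,1234567890,,65535,,mss
Mar 12 10:00:02 fw filterlog[61234]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.0.2.10,203.0.113.6,51235,443,0,S,1234567891,,65535,,mss
Mar 12 10:00:03 fw filterlog[61234]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12347,0,none,17,udp,78,192.0.2.11,198.51.100.20,40000,3478,58
Mar 12 10:00:04 fw filterlog[61234]: 7,,,1000000110,em1,match,pass,in,4,0x0,,64,12348,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,51236,443,0,S,1234567892,,65535,,mss
"""


def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP record, or None for anything else."""
    fields = _SYSLOG_PREFIX.sub("", line.strip()).split(",")
    names = _COMMON + _IPV4 + _L4
    if len(fields) < len(names) or fields[8] != "4":
        return None
    rec = dict(zip(names, fields))
    return rec if rec["proto"] in ("tcp", "udp") else None


def blocked_destinations(lines, src_hosts=None):
    """Group blocked flows entering on the LAN side ("in" = client outbound)
    as {(proto, dport): {dst, ...}}; src_hosts optionally limits the clients."""
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["dir"] != "in":
            continue
        if src_hosts and rec["src"] not in src_hosts:
            continue
        buckets[(rec["proto"], int(rec["dport"]))].add(rec["dst"])
    return dict(buckets)


if __name__ == "__main__":
    for (proto, port), dsts in sorted(blocked_destinations(SAMPLE_LOG.splitlines()).items()):
        print(f"{proto}/{port}: " + ", ".join(sorted(dsts)))  # alias candidates per port
```

Feed it the LAN-interface filter log for the device running the application while the dashboard Enabler is off; each bucket becomes one alias plus one port-restricted pass rule rather than a broad allow.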

In your experience, are more enablers needed because of the former or the latter problem here?

Can you confirm that if I have the WhatsApp enabler on in my pfSense firewall rules, I should have the WhatsApp Managed Subscription toggled Off in my ADAMnetworks Dashboard in the Policies section?

Hey @Chris_G, great question.
You still need the managed subscription for the DNS layer.

The DTTS bypass rule is for non-DNS traffic that certain apps such as WhatsApp use and require in order to function.
It’s ideal for everything to be allowed via DNS, but some apps are designed to do direct IP connections.