The Zero Trust Model is the most secure way to control egress. For clarity, here are the elements of our zero trust model:
- Operating in whitelist mode (block all, allow some)
- Feature enabled (with appropriate plan): Don’t Talk To Strangers
- Default LAN Allow All rule removed , or at least disabled
This approach ensures that no device can make an outbound connection of any kind, no matter the protocol, destination, or port. If you try to make a connection to say to one of Google’s IPs on TCP port 443, here’s what you’ll get:
curl https://18.104.22.168 … this connection fails with:
curl: (7) Failed to connect to 22.214.171.124 port 443: Connection refused
However, compare with this one:
curl https://www.google.com … this connection succeeds!
PING 126.96.36.199 (188.8.131.52): 56 data bytes92 bytes from google-public-dns-a.google.com (184.108.40.206): Destination Host Unreachable
And yet this one…
$ ping google-public-dns-a.google.comPING google-public-dns-a.google.com (220.127.116.11): 56 data bytes64 bytes from 18.104.22.168: icmp_seq=0 ttl=59 time=16.982 ms
The difference is that when a successful (non-blocked) DNS query is answered, a temporary outbound firewall hole is opened for the period of the TTL.
Assuming you are starting from a default installation of mostly-default pfSense settings, here are your steps:
- Contact support to change your plan to allow for DTTS (Don’t Talk To Strangers) feature set
- Log into your dashboard -> Advanced -> Enable DTTS as shown here:
- Create (and enable) a LAN Firewall Rule to allow LAN DNS queries
- Create (and enable) a LAN Firewall Rule to allow LAN port 80 access for the block page to function
- Turn off your pfSense default LAN Allow All rule (shown here as disabled as they are unbolded) or, alternatively check “Automatically manage DTTS rules in firewall” in Services -> adam:ONE
- Create any required Firewall Rules
Most environments that choose the Zero Trust Model end up with at least a few “misbehaving” apps that require special permission to make Internet-bound connections without preceding DNS queries. In cases like this, Enablers are needed as outlined here: Enablers on pfSense
All attempted (but dropped) dns-less traffic can also be observed following the troubleshooting article here: Troubleshooting services behind DTTS® on pfSense
To view real-time dynamic rules created, run this at the command-line:
pfctl -s rules -a "adamnet/*"
To view all rules for the IP4 address of 10.0.1.48
pfctl -s rules -a "adamnet/4/10/0/1/48"