Setting up Zero Trust on pfSense

The Zero Trust Model is the most secure way to control egress. For clarity, here are the elements of our zero trust model:

  • Operating in whitelist mode (block all, allow some)
  • Feature enabled (with appropriate plan): Don’t Talk To Strangers
  • Default LAN Allow All rule removed, or at least disabled

This approach ensures that no device can make an outbound connection of any kind, no matter the protocol, destination, or port, unless a permitted DNS query preceded it. If you try to connect directly to, say, one of Google’s IPs on TCP port 443, here’s what you’ll get:

curl https://216.239.38.120 … this connection fails with:
curl: (7) Failed to connect to 216.239.38.120 port 443: Connection refused

However, compare with this one:
curl https://www.google.com … this connection succeeds!

Another example:
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
92 bytes from google-public-dns-a.google.com (8.8.8.8): Destination Host Unreachable

And yet this one…
$ ping google-public-dns-a.google.com
PING google-public-dns-a.google.com (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=16.982 ms

The difference is that when a permitted (non-blocked) DNS query is answered, a temporary outbound firewall hole is opened for the resolved address, and it stays open only for the duration of the record’s TTL.

Assuming you are starting from a default installation of mostly-default pfSense settings, here are your steps:

  1. Contact support to change your plan to allow for DTTS (Don’t Talk To Strangers) feature set
  2. Log into your dashboard -> Advanced -> Enable DTTS
  3. Create (and enable) a LAN Firewall Rule to allow LAN DNS queries
  4. Create (and enable) a LAN Firewall Rule to allow LAN port 80 access for the block page to function
  5. Turn off your pfSense default LAN Allow All rule (disabled rules appear unbolded in the rule list) or, alternatively, check “Automatically manage DTTS rules in firewall” in Services -> adam:ONE
  6. Create any required Enablers (IP destinations with ports and protocols to allow in absence of DNS requests) by going to Rules -> DTTS tab
  7. For each Policy in use, enable the relevant Enablers, including ones pre-built

Most environments that choose the Zero Trust Model end up with at least a few “misbehaving” apps that require special permission to make Internet-bound connections without preceding DNS queries. This is why it’s important to pay attention to the Enabler section.
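The following is an added toy model of the egress policy described above; it is illustration code, not adam:ONE or pfSense code. It simulates the two mechanisms the article relies on: a permitted DNS answer opens a per-client outbound hole for the resolved IP that lasts for the record’s TTL, and Enablers are static destination/port/protocol exceptions for apps that connect without a preceding lookup. Everything else is dropped (whitelist mode). The assumption that a DNS-opened hole covers any protocol and port, the per-client scoping, the class and function names, and the sample addresses are all constructed for the example.

```python
"""Toy model of the "Don't Talk To Strangers" (DTTS) egress policy.

Added illustration only; not adam:ONE or pfSense code. Assumptions:
  * a hole opened by a DNS answer is scoped to (client IP, resolved IP)
    and covers any protocol/port until the TTL elapses;
  * Enablers are static allow entries for traffic with no preceding DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Enabler:
    """Static allow entry: destination IP, protocol, port (None = any port)."""
    ip: str
    proto: str
    port: Optional[int] = None

    def matches(self, ip: str, proto: str, port: int) -> bool:
        return self.ip == ip and self.proto == proto and self.port in (None, port)


@dataclass
class DttsFirewall:
    enablers: Set[Enabler] = field(default_factory=set)
    # (client_ip, dest_ip) -> expiry time of the dynamic hole
    holes: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def dns_answered(self, client: str, dest_ip: str, ttl: float, now: float) -> None:
        """A permitted DNS query from `client` resolved to `dest_ip`:
        open (or refresh) a hole that closes after `ttl` seconds."""
        self.holes[(client, dest_ip)] = now + ttl

    def check(self, client: str, dest_ip: str, proto: str, port: int, now: float) -> str:
        """Decide an outbound connection attempt: 'ALLOW' or 'DROP'."""
        expiry = self.holes.get((client, dest_ip))
        if expiry is not None and now < expiry:
            return "ALLOW"                      # inside the DNS-opened window
        if expiry is not None:
            del self.holes[(client, dest_ip)]   # TTL elapsed: hole closes
        if any(e.matches(dest_ip, proto, port) for e in self.enablers):
            return "ALLOW"                      # covered by a static Enabler
        return "DROP"                           # whitelist mode: default deny


def demo() -> List[str]:
    """Replay a constructed sequence of events and return the decisions."""
    fw = DttsFirewall()
    # Constructed Enabler: an NTP client that talks to a fixed IP without DNS.
    fw.enablers.add(Enabler("192.0.2.10", "udp", 123))
    client = "10.0.1.48"
    decisions = []
    # t=0: direct connection to an IP with no preceding DNS lookup -> DROP
    decisions.append(fw.check(client, "216.239.38.120", "tcp", 443, now=0))
    # t=1: DNS for the hostname answered with TTL 300 -> hole opened for 300 s
    fw.dns_answered(client, "216.239.38.120", ttl=300, now=1)
    decisions.append(fw.check(client, "216.239.38.120", "tcp", 443, now=2))
    # t=2: a different LAN host that did not do the lookup gets no hole -> DROP
    decisions.append(fw.check("10.0.1.49", "216.239.38.120", "tcp", 443, now=2))
    # t=400: TTL expired, hole closed -> DROP again until the next DNS answer
    decisions.append(fw.check(client, "216.239.38.120", "tcp", 443, now=400))
    # Enabler covers UDP/123 to the NTP server; TCP/443 to the same IP is not
    decisions.append(fw.check(client, "192.0.2.10", "udp", 123, now=5))
    decisions.append(fw.check(client, "192.0.2.10", "tcp", 443, now=5))
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The replay reproduces the curl and ping behaviour shown earlier: the same destination is dropped when reached by bare IP and allowed once a DNS answer for it has been seen, and it reverts to dropped after the TTL. The Enabler case is the "misbehaving app" scenario: the exception is as narrow as its port and protocol, so a different port to the same IP is still denied.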

To observe all attempted (but dropped) traffic, enable ADAM level 6 logging and, in an ssh session, watch the log with the following command:

tail -f /var/log/dnsthingy/dnsthingyipe.log | grep "IPE DROP"

The logs are also visible at http://mytools.management/log from within the LAN.

To view real-time dynamic rules created, run this at the command-line:

pfctl -s rules -a "dnsthingy/*"

To view all rules for the IPv4 address 10.0.1.48:
pfctl -s rules -a "dnsthingy/4/10/0/1/48"

For any questions or support please contact support@adamnet.works and keep computing securely!