Document setting up pfSense firewall with SecureDrop rules

[runasand]

We have a set of rules for the pfSense firewall that we recommend, but no guide that talks about actually setting up the firewall with said rules. The Netgate APU2 installation guide (PDF) may help with this as well.

[runasand]

The hardware guide recommends a pfSense firewall with a minimum of three NICs. It is my understanding that we should instead recommend a firewall with a minimum of four NICs. I know @garrettr recently purchased one for testing purposes. I decided to hold off on purchasing a firewall due to not knowing if I should purchase the same as @garrettr or not.

@garrettr; have you had a chance to test the new firewall? If yes, is it one that you think we should recommend?

[garrettr]

@runasand I haven't had a chance to test the new firewall yet.

[garrettr]

Unfortunately, I think we really need to resolve this for 0.3.

[garrettr]

Ok, I've spent/wasted a lot of time this week trying to set up the 5-port Mini-ITX firewall. I have finally gotten in working, but I have also decided that we should not recommend its use, for the following reasons:

1. I just purchased one of these a few weeks ago, but I noticed today that it is "currently unavailable" on Amazon, and "We don't know when or if this item will be back in stock.". Any required component that we recommend should be readily available.

2. I wasted an enormous amount of time trying to set this up with the two NICs that are on the motherboard (just happened to be unlucky enough to try them first, and assume that they worked).

   I was able to assign the interfaces, but connecting to either WAN or LAN was spotty (sometimes didn't work, sometimes had to unplug/plug in again, or wait what seemed like an unreasonably long time for the interface to get picked up). With the WAN, I was able to get my ISP to assign an IP via DHCP (although I was required to power cycle my modem), but even once it had been assigned an IP, neither any hosts on the LAN nor the router itself was unable to ping or connect to the internet.

   As it turns out, this is a common problem and has been reported by at least one other customer on Amazon.

   After seeing that customer report, I reset to factory defaults and re-assigned interfaces, using a different set of NICs for WAN and LAN. Everything worked immediately and without problems.

So: it's out of stock for an unknown amount of time, and often ships with 1 or more broken NICs. This thing is garbage and I think the best alternative is probably to use the netgate router that we already recommend, with the addition of a 4+ port switch plugged in to the LAN port. There is a security trade-off here, since we can no longer use pfSense to firewall between the app and monitor servers.

@dolanjs What do you think?

[dolanjs]

@garrettr, we can still have the app and monitor servers on separate fw ports when using a 3 port (1 WAN, 2 LAN) firewall like the netgate.

When using the netgate there is a default rule that only allows access to the FW web interface from the LAN1 port (not the WAN or OPT1 ports).

For the initial install I'd plug the switch/hub into the FW's LAN1 port and the admin workstation and monitor server in the hub/switch. The app server should be plugged into the Netgate's OPT1 port.

[garrettr]

For the initial install I'd plug the switch/hub into the FW's LAN1 port and the admin workstation and monitor server in the hub/switch. The app server should be plugged into the Netgate's OPT1 port.

Yeah, I've started documenting that approach. Is there any reason it's better to have app on OPT1 and mon on the switch instead of the other way around?

[dolanjs]

Not much of a reason. If we are going to ensure the all fw rules in the securedrop environment enforce least access, then the FW rule that allows access to the netgate web interface should be restricted to the admin workstation's IP address. If we restrict that access to the admin workstation's specific IP address then it really doesn't mater which server is plugged into LAN1 or OPT1 ports.

[garrettr]

the admin workstation's specific IP address

Yeah, but that's assigned by DHCP. Are you suggesting we assign it a static IP? I think we could do that since Tails persistence has an option (which we enable) to save Networking configurations.

[dolanjs]

For the initial install the the admin workstation is assigned an ip address by dhcp, but while setting up the firewall dhcp is disabled. So if the admin needs to reconfigure the firewall after the initial install the admin workstation will need an ip address.

[dolanjs]

@garrettr the doc looks great. Like the way you ordered the sequence of events.

you think we should add terminology section for network firewall and add a screenshot of the the final configured state of the pfsense web gui?

[Taipo]

Just a note that these APU2 and APU4 units are out of stock. pFSense are recommending http://store.pfsense.org/SG2440/ as the current replacement.

[conorsch]

@Taipo thanks for pointing this out! I've opened a new issue, #1072, for updating the docs.