The Zero Trust Model is the most secure way to control egress. For clarity, here are the elements of our zero trust model:
- Operating in whitelist mode (block all, allow some)
- Feature enabled (with appropriate plan): Don’t Talk To Strangers
- Default LAN Allow All rule removed, or at least disabled
This approach ensures that no device can make an outbound connection of any kind, no matter the protocol, destination, or port. If you try to make a connection to say to one of Google’s IPs on TCP port 443, here’s what you’ll get:
curl https://18.104.22.168… this connection fails with:
curl: (7) Failed to connect to 22.214.171.124 port 443: Connection refused
However, compare with this one:
curl https://www.google.com… this connection succeeds!
PING 126.96.36.199 (188.8.131.52): 56 data bytes
92 bytes from google-public-dns-a.google.com (184.108.40.206): Destination Host Unreachable
And yet this one…
$ ping google-public-dns-a.google.com
PING google-public-dns-a.google.com (220.127.116.11): 56 data bytes
64 bytes from 18.104.22.168: icmp_seq=0 ttl=59 time=16.982 ms
The difference is that when a successful (non-blocked) DNS query is answered, a temporary outbound firewall hole is opened for the period of the TTL.
Assuming you are starting from a default installation of mostly-default pfSense settings, here are your steps:
- Contact support to change your plan to allow for DTTS (Don’t Talk To Strangers) feature set
- Log into your dashboard -> Advanced -> Enable DTTS as shown here:
- Create (and enable) a LAN Firewall Rule to allow LAN DNS queries
- Create (and enable) a LAN Firewall Rule to allow LAN port 80 access for the block page to function
- Turn off your pfSense default LAN Allow All rule (shown here as disabled as they are unbolded) or, alternatively check "Automatically manage DTTS rules in firewall" in Services -> DNSthingy:
- Create any required Enablers (IP destinations with ports and protocols to allow in absence of DNS requests) by going to Rules -> DTTS tab
- For each Rule Set in use, enable the relevant Enablers, including ones pre-built
Most environments that choose the Zero Trust Model end up with at least a few “misbehaving” apps that require special permission to make Internet-bound connections without preceding DNS queries. This is why it’s important to pay attention to the Enabler section.
To observe all attempted (but dropped) traffic, enable ADAM level 6 logging and in an ssh window observe with the following query:
tail -f /var/log/dnsthingy/dnsthingyipe.log |grep "IPE DROP"
The logs are also visible at http://mytools.management/log from within the LAN.
To view real-time dynamic rules created, run this at the command-line:
pfctl -s rules -a "dnsthingy/*"
To view all rules for the IP4 address of 10.0.1.48
pfctl -s rules -a "dnsthingy/4/10/0/1/48"
For any questions or support please contact firstname.lastname@example.org and keep computing securely!