Docs sg3100 firewall #3620
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #3620 +/- ##
========================================
Coverage 85.04% 85.04%
========================================
Files 37 37
Lines 2367 2367
Branches 260 260
========================================
Hits 2013 2013
Misses 290 290
Partials 64 64

Continue to review full report at Codecov.
Thanks @b-meson for the very detailed update to the docs! I've followed this guide and set up a sg-3100 as you've described, and the SecureDrop instance and workstation work well.
The one concern I have with the rules as described is that the anti-lockout rule is such that any host on the LAN network can communicate with the firewall over 80 and 443. In this case, the app server, which is configured on the LAN network, can communicate with the firewall's web interface, which, I think, should be avoided. I see 2 options:
- Disable the anti-lockout rule (system -> advanced -> admin access -> disable webConfigurator anti-lockout rule), ensuring that a rule to allow communication from the workstation to the router's web interface is in place.
- Put the app server on the OPT1 interface and (optionally) disable the anti-lockout rule for the LAN interface (which will now have the mon server and workstation).
Other minor comments inline.
docs/network_firewall.rst (Outdated)
:ref:`Hardware Guide <hardware_guide>`.

We currently recommend the `pfSense SG-3100
<https://store.netgate.com/SG-3100.aspx>`__, which has 6 interfaces: WAN,
nit: It actually has 3 interfaces/NICs (WAN, OPT, and LAN) but it does indeed have 6 ports (WAN, OPT and LAN1 through LAN4)
@@ -99,6 +99,38 @@ chosen:
- Monitor Gateway: ``10.20.3.1``
- Monitor Server (OPT2) : ``10.20.3.2``

3 NIC Example (SG-3100)
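Review bot: the context line carried into this hunk still labels the Monitor Server as ``(OPT2)`` directly above the new ``3 NIC Example (SG-3100)`` heading, but the SG-3100 has only WAN, OPT and LAN, so the 3 NIC example should label the monitor server's interface OPT1 rather than reuse the 4 NIC example's OPT2; otherwise admins following this example will look for an interface the device does not have.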
Is it possible to make the numbering 5. b. for the 3 NIC Example
and 5. a. for the 4 NIC Example? Admins might think they must complete both.
I attempted to do that here, but it actually looks much worse and is less clear. I did make that change in the other suggested section.
docs/network_firewall.rst (Outdated)
As described earlier, the SG-3100 has an internal switch on the LAN interface
which means we can place the *Application Server* and *Admin Workstation* on
the same subnet and gateway. This example assumes you place the
*Admin Workstation* on LAN1 and the *Application Server* on LAN2.
I don't think it matters which LAN ports the admin workstation and application server are connected to (as long as it's one of the four LAN ports) since it's a simple switch.
It does not. I was slightly confused about which port to put the App and Admin servers on, so I figured I would be more verbose just to help future admins.
I just removed the line "This example assumes you place the *Admin Workstation* on LAN1 and the *Application Server* on LAN2."
As you said, it shouldn't matter, but I think having too much language could be confusing.
docs/network_firewall.rst (Outdated)
- Application Subnet: ``10.20.2.0/24``
- Application Gateway: ``10.20.2.1``
- Application Server (OPT1): ``10.20.2.2``
Application server is now on LAN, not OPT1
docs/network_firewall.rst (Outdated)
- Monitor Subnet: ``10.20.3.0/24``
- Monitor Gateway: ``10.20.3.1``
- Monitor Server (OPT2) : ``10.20.3.2``
Monitor server in this case is on OPT1, not OPT2
docs/network_firewall.rst (Outdated)
|Configure LAN Interface|

#. **3 NIC Example (SG-3100):**
Same as above, would it be possible to make them 5.a. and 5.b.?
docs/network_firewall.rst (Outdated)
4 NIC Example
~~~~~~~~~~~~~

If you are using a firewall that has a dedicated port for each component of
nit: dedicated NIC or dedicated interface
**LAN interface:**

|3 NIC Firewall LAN Rules|
nit: you can move the admin workstation TCP rule under the deny from LAN to OPT1, which should prevent the workstation from reaching the server over any port other than 22.
docs/network_firewall.rst (Outdated)
@@ -371,8 +439,28 @@ In order to use the firewall to isolate the *Application Server* and the *Monito
Server* from each other, we need to connect them to separate interfaces, and then set
up firewall rules that allow them to communicate.

Setup the Firewall Rules
Nit: setup->set up (only one word when used as a noun)
docs/network_firewall.rst (Outdated)
Set Up LAN
''''''''''

Although we setup the LAN interface during the Setup Wizard we need to make
setup->set up
@emkll instead of this:
Can we instead modify the anti-lockout rule to only allow routing from the
c8fef87 to da24532
I pushed an update and rebased on top of
Good catch! Since it's fairly straightforward to crop out, I suggest we do so.
The anti-lockout rule is automatically created by pfSense and cannot be modified. I suggest we caution the admin that the rules will need to be applied with care and in order so as not to get locked out of the admin UI (as it would require a console reset to regain access to the interface).
|3 NIC LAN Interface|

Disable Anti-Lockout Rule
nit: At line 668, we refer to the (old) anti-lockout rule. Can we either move this anti-lockout related section down there or move the warning here to avoid confusion?
EDIT: I take this comment back. While it does help streamline the guide, upon re-review, I think it's important to state these warnings at both stages of the configuration.
Thanks for addressing the review items @b-meson. With those additions, the docs are good to merge from my perspective. Thanks for your attention to detail on these.
One last note, is that it might be a good idea to move the newly created anti-lockout rules to the top in order to minimize the chances of adding a rule that will negate them, but I don't think it should block merge.
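To make the ordering points raised in this thread concrete (the built-in anti-lockout rule admitting every LAN host to the webConfigurator, the admin-only replacement once it is disabled, and the lock-out that follows when a broad block lands above the narrow pass it was meant to except), here is a small first-match simulation of the LAN rule set. It is an added example, not SecureDrop or pfSense code. Addresses follow the 3 NIC layout discussed above; the Admin Workstation address 10.20.2.10 and the external host 198.51.100.7 are constructed assumptions, and the rule list is illustrative rather than the guide's exact rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed addresses following the 3 NIC (SG-3100) layout in this thread:
# Admin Workstation and Application Server share the LAN switch (10.20.2.0/24,
# firewall LAN address 10.20.2.1); the Monitor Server sits on OPT1 (10.20.3.2).
# ADMIN_WS and INTERNET_HOST are assumptions; the guide does not give them.
LAN_NET = Net("10.20.2.0/24")
OPT1_NET = Net("10.20.3.0/24")
FIREWALL_LAN = Addr("10.20.2.1")
APP_SERVER = Addr("10.20.2.2")
ADMIN_WS = Addr("10.20.2.10")          # assumed
MON_SERVER = Addr("10.20.3.2")
INTERNET_HOST = Addr("198.51.100.7")   # constructed external address

Spec = Union[Addr, Net, str]           # a host, a subnet, or "any"


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    src: Spec
    dst: Spec
    dports: Optional[Tuple[int, ...]]  # None means any destination port
    note: str


def _matches(spec: Spec, addr: Addr) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, Net):
        return addr in spec
    return addr == spec


def lan_rules(anti_lockout: bool, specific_pass_first: bool = True) -> List[Rule]:
    """LAN interface rules, top to bottom.

    anti_lockout=True models the pfSense-generated rule, which sits on top and
    cannot be edited; False models disabling it and admitting only the Admin
    Workstation to the webConfigurator instead. specific_pass_first=False
    places each broad block above the narrow pass it was meant to except,
    which is the lock-out the reviewers warn about.
    """
    rules: List[Rule] = []
    if anti_lockout:
        rules.append(Rule("pass", LAN_NET, FIREWALL_LAN, (80, 443), "built-in anti-lockout"))
    gui_pass = Rule("pass", ADMIN_WS, FIREWALL_LAN, (80, 443), "admin workstation -> webConfigurator")
    gui_block = Rule("block", LAN_NET, FIREWALL_LAN, (80, 443), "LAN -> webConfigurator")
    mon_pass = Rule("pass", ADMIN_WS, MON_SERVER, (22,), "admin workstation -> monitor SSH")
    opt1_block = Rule("block", LAN_NET, OPT1_NET, None, "LAN -> OPT1")
    for narrow, broad in ((gui_pass, gui_block), (mon_pass, opt1_block)):
        rules.extend((narrow, broad) if specific_pass_first else (broad, narrow))
    rules.append(Rule("pass", LAN_NET, "any", None, "LAN outbound"))
    return rules


def evaluate(rules: List[Rule], src: Addr, dst: Addr, dport: int) -> Tuple[str, str]:
    """First-match evaluation, as pfSense applies interface rules; anything
    unmatched falls to the implicit default deny. Traffic between two hosts on
    the LAN switch never reaches the firewall, so it cannot be filtered here."""
    if src in LAN_NET and dst in LAN_NET and dst != FIREWALL_LAN:
        return "unfiltered", "same switch, firewall not in path"
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and (r.dports is None or dport in r.dports):
            return r.action, r.note
    return "block", "implicit default deny"


if __name__ == "__main__":
    flows = [(APP_SERVER, FIREWALL_LAN, 443), (ADMIN_WS, FIREWALL_LAN, 443),
             (ADMIN_WS, MON_SERVER, 22), (ADMIN_WS, MON_SERVER, 80),
             (APP_SERVER, MON_SERVER, 22), (ADMIN_WS, APP_SERVER, 22),
             (APP_SERVER, INTERNET_HOST, 443)]
    for label, rules in (("anti-lockout on", lan_rules(True)),
                         ("anti-lockout off", lan_rules(False)),
                         ("anti-lockout off, misordered", lan_rules(False, False))):
        print(f"== {label}")
        for s, d, p in flows:
            print(f"  {s} -> {d}:{p:<4} {evaluate(rules, s, d, p)}")
```

The two results worth reading off are that with the built-in rule on top the Application Server reaches the webConfigurator on 443 (the concern in the first review comment), and that with the rule disabled the same flow is blocked while the Admin Workstation still passes, but only when the admin-specific pass precedes the broad block; reversed, the admin is locked out, which on a real unit means a console reset. The "unfiltered" result for admin-to-app traffic is the caveat of the 3 NIC layout: both hosts sit on the internal switch, so only the OPT1 variant lets the firewall filter between them.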
Status
Ready for review
Description of Changes
Fixes #3520.
Testing
A reviewer should factory reset a SG-3100 and follow the 3NIC configuration steps. After setting the firewall rules, they should be able to run through an end-to-end SecureDrop installation and be able to reach the Source interface, the Journalist Interface, and receive OSSEC alerts.
If you made changes to documentation: `make docs-lint` passed locally.
Notes
I noticed at the very bottom of the "Disable DHCP server on Firewall" screenshot there is an Admin Gateway IP, which we could probably crop out since it may be confusing. Additionally, this PR does not touch the .xml files, which I think we should add as its own issue / commit.