pfSense Security zones interface
Interface zones design are the logical way to group physical and virtual interfaces on the firewall to log and control the internet traffic. That traffic will be allowed or denied based on pre-determined policies (rules) called ACL (Access control list). There are three basics security zones:
Inside (or LAN) — local resources/systems that should not be accessed by anyone outside of the organization.
Outside (or WAN) — know as public zone, that is outside the control of an organization.
DMZ (demilitarized zone) — public-facing servers of organization, such as web, email, app servers. Resources in the DMZ must be accessible from the outside zone (Internet).
Based on this common three-zone implementation, there are some recommended filtering policies, determining which traffic is allowed to pass or block.
Inside-to-Outside and Inside-to-DMZ: traffic is allowed but restrictions are possible (block specific applications). For example: employee accessing any resource to the DMZ or webpage from a public web-server.
Outside-to-Inside: this type of traffic would be blocked, except if the traffic is in response to a request from a LAN resource. For example: if a local user requests a webpage from a public web server, this traffic from outside to inside is allowed. But traffic initiated from the public network will be completely blocked.
DMZ to Inside: this type of traffic is also will be denied unless the traffic is a response to a request from inside.
Outside to DMZ: this type of network traffic is inspected by a firewall and selectively permitted or denied. It may be services such as email, HTTPS, or DNS. Also, responses from the DMZ to the outside will be dynamically permitted (the firewall will dynamically open a port to allow communication from the DMZ to the outside).
DMZ to Outside: traffic from the DMZ is selectively permitted based on the service requirements and firewall rules.
Depending on the network topology, the pfSense firewall has the following interfaces configuration:
In the coming post, I’m going to configure security policy rules and NAT.