pfSense & Splunk
Floating Rules Examples
• Filter traffic from the firewall itself
• Filter traffic in the outbound direction (all other tabs are Inbound processing only)
• Apply rules to multiple interfaces
• Apply filtering in a "last match wins" way rather than "first match wins" (quick)
• Apply traffic shaping to match traffic but not affect its pass/block action
• Much more.
Before a schedule can be applied to a rule, it must be created under
Firewall > Schedules
Splunk's 3 main components are
Forwarders/Data Input, Indexers, Search Heads
If a packet matches a floating rule and the Quick option is active on that rule,
pfSense will not attempt to filter that packet against any rule on any other group or interface tab.
When creating a rule,
pick the defined schedule from the list.
Firewall rules on Interface and Group tabs
process traffic in the Inbound direction.
SIEM/Splunk provides
real-time analysis of security alerts generated by applications and network hardware.
Splunk is one of the most common products used as a
SIEM
Floating Rules are
advanced Firewall Rules which can apply in any direction and to any or multiple interfaces.
Rules on the LAN interface
allowing the LAN subnet to reach any destination are present by default.
SIEM/Splunk Collects
and aggregates log data generated throughout the organization's technology infrastructure
Many firewalls do not need
any Floating Rules
Security Information and Event Management systems
are an extremely useful tool
Scheduled rules will act
as though they do not exist when the scheduled time is not active
Make some complex filtering scenarios easier,
at the cost of being a little harder to follow logically in the GUI.
Firewall Rules Can
be scheduled so that they are only active at certain times of day or on certain specific days or days of the week.
Any log data from any type of machine can
be taken in by Splunk
Floating Rules are parsed
before rules on other interfaces.
Splunk can identify &
categorize incidents and events, as well as analyze them.
Understanding this order is important when
crafting more complicated sets of rules and when troubleshooting.
Once traffic is passed on the interface it enters,
an entry in the state table is created.
Rules can be much more complicated,
especially when floating rules are involved and out direction rules are used.
Firewalls are based on
firewall rules
Splunk is used on
host systems and applications to network and security devices such as firewalls and antivirus filters.
Rules in pfSense are processed
in a specific order.
Forwarders/Data Input:
installed or available on servers/hosts provide the data to be used in the SIEM.
Splunk is known for
its ease of configuration and powerful, yet simplistic, search and data manipulation abilities
pfSense requires no knowledge
of the underlying FreeBSD system
pfSense is an
open source firewall/router computer software distribution based on FreeBSD.
A state table entry allows through
subsequent packets that are part of that connection.
By default schedules clear the states of existing connections when
the expiration time is reached
pfSense Can be configured and upgraded
through a web-based interface
One of the primary purposes of pfSense is
to act as a firewall.
Rules are processed from the
top down, stopping at the first match.
Where no user-configured firewall rules match
traffic is denied.
SIEMs improve
visibility and security within a large network.
Indexers
receive, store, and categorize the data for later use in searching.
Firewall rules control
what traffic is allowed to enter an interface on the firewall.
Search Heads
are where the user performs searches and generates reports on the data within Splunk.
Only what is explicitly allowed via firewall rules
will be passed.
pfSense uses include
• LAN / WAN Router.
• Internet Cafes.
• Wireless Hotspot (Captive Portal).
• VPN Router.
• Firewall.
• DHCP / DNS Server.
• Wireless Access Point.
• Transparent Squid Proxy Server.