Netgate Discussion Forum

Egress filtering best practices

Category: General pfSense Questions
4 Posts, 3 Posters, 2.4k Views
  • Guest
    last edited by Nov 20, 2013, 2:28 AM

    I've been using pfSense since about 2006 (I think), initially as a result of deploying it as a solution at the company I was working for. Since then I've been using it at home, and have built it up, torn it down, and tried several different configurations. It's like the best bad habit I have… In any event, during my time using it at home the one area I've always had trouble understanding, or knowing when "enough is enough", is egress (outbound) filtering from my LAN. In other words, what's my baseline for setting up outbound rules where I can step back and feel confident that I'm allowing the traffic out without allowing too much (or too little, for that matter)? What I'm looking for is some guidance on "best practices" for opening up outbound traffic from within my network, and not having to pick apart every single event / request that leaves my network, or even travels between my networks. I've followed some information I read in the pfSense guide (such as allowing MSRPC on the LAN only), but again, if you remove the default allow-all rule and then open it up protocol by protocol, I feel like I'm bound to always be missing something.

    • jimp (Rebel Alliance Developer, Netgate)
      last edited by Nov 25, 2013, 3:42 PM

      That is impossible to answer without picking apart your network requests. Each LAN is different. Different clients, different servers, different software, different requirements.

      Some can be happy with only allowing tcp/udp 53 and tcp/80 and tcp/443. Others need much more. It really depends on your network and what you really need to let out.


      • Nachtfalke
        last edited by Nov 25, 2013, 9:24 PM

        In my environment I created two rules and two aliases.
        One alias is known as "TCP_Ports" and the other is "UDP_Ports".
        One firewall rule covers UDP traffic with "UDP_Ports" as destination ports. I did the same for TCP.

        Then it makes it easy to just add the ports you need, with a helpful description, to the alias.
        So starting with the basics like DNS, HTTP, HTTPS will be good. Later probably adding some ports needed for e-mail and so on.
        So you probably never open too many ports.

        And if you feel you opened too many, just have a look into your aliases, check your descriptions and decide if this service/port is still available on your network and you need it.

        • Guest
          last edited by Dec 3, 2013, 2:21 AM
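To make the two approaches above concrete (jimp's minimal "tcp/udp 53, tcp/80, tcp/443" starting point and Nachtfalke's two port aliases behind two pass rules with everything else denied), here is an added example in plain Python. It is not pfSense code or a pfSense configuration; it only models how such a ruleset evaluates outbound flows and summarises what the default deny caught, so the aliases can be reviewed the way the post suggests. The alias names come from the post; the flow log format, the sample addresses and the helper names (`Alias`, `Flow`, `parse_flow_line`, `egress_allowed`, `review_blocked`) are assumptions made for this example.

```python
"""Model of the alias-based egress policy discussed in the thread.

Added example, not pfSense code.  It mimics a pfSense ruleset built from:
  - two port aliases, "TCP_Ports" and "UDP_Ports" (names from the post)
  - one pass rule per protocol whose destination port is the alias
  - the implicit default deny for every other outbound flow
and runs constructed sample flows through it, reporting what was blocked
so the alias can be revisited with a known reason for each port.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class Alias:
    """A pfSense-style port alias: port -> the 'helpful description'."""
    name: str
    ports: Dict[int, str]

    def add(self, port: int, description: str) -> None:
        # Every port carries a reason, so a later review can decide whether
        # the service still exists on the network.
        self.ports[port] = description

    def contains(self, port: int) -> bool:
        return port in self.ports


# Starting point the thread converges on: DNS, HTTP, HTTPS.
TCP_PORTS = Alias("TCP_Ports", {53: "DNS over TCP", 80: "HTTP", 443: "HTTPS"})
UDP_PORTS = Alias("UDP_Ports", {53: "DNS"})


@dataclass
class Flow:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int


# Constructed sample of outbound flows (hypothetical format: proto src dst dport);
# documentation-range addresses, not real hosts.
SAMPLE_FLOWS = """\
tcp 192.168.1.10 198.51.100.5 443
tcp 192.168.1.10 198.51.100.5 80
udp 192.168.1.10 192.0.2.53 53
udp 192.168.1.11 192.0.2.123 123
tcp 192.168.1.12 203.0.113.25 587
tcp 192.168.1.12 203.0.113.25 587
icmp 192.168.1.10 198.51.100.5 0
"""


def parse_flow_line(line: str) -> Flow:
    proto, src, dst, dport = line.split()
    return Flow(proto.lower(), src, dst, int(dport))


def egress_allowed(flow: Flow, tcp_alias: Alias = TCP_PORTS,
                   udp_alias: Alias = UDP_PORTS) -> bool:
    """Evaluate one outbound flow against the two-rule policy.

    Rule 1: pass TCP whose destination port is in TCP_Ports.
    Rule 2: pass UDP whose destination port is in UDP_Ports.
    Anything matching neither falls through to the default deny, including
    protocols the two aliases say nothing about (ICMP here).
    """
    if flow.proto == "tcp":
        return tcp_alias.contains(flow.dport)
    if flow.proto == "udp":
        return udp_alias.contains(flow.dport)
    return False


def review_blocked(flows: Iterable[Flow], tcp_alias: Alias = TCP_PORTS,
                   udp_alias: Alias = UDP_PORTS) -> Counter:
    """Count blocked flows per (proto, dport) so each can be judged once:
    add it to the alias with a description, or leave it blocked."""
    blocked: Counter = Counter()
    for flow in flows:
        if not egress_allowed(flow, tcp_alias, udp_alias):
            blocked[(flow.proto, flow.dport)] += 1
    return blocked


if __name__ == "__main__":
    flows = [parse_flow_line(l) for l in SAMPLE_FLOWS.splitlines()]
    print("blocked by default deny:", dict(review_blocked(flows)))
    # Decide NTP is needed, record why, and re-check: udp/123 disappears.
    UDP_PORTS.add(123, "NTP for LAN clients")
    print("after adding NTP:", dict(review_blocked(flows)))
```

With the sample above the first review reports udp/123, tcp/587 (twice) and the ICMP flow as blocked; adding 123 to the UDP alias with a description clears the NTP entry while mail submission stays blocked until someone decides it is needed, which is exactly the incremental, reviewable process the post describes.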

          Thanks for the replies / guidance on this.  I think it was ultimately a matter of questioning myself on a better way of doing it, although I suppose there is some pride to be taken in a well-defined ruleset.  ;)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.