Default LAN Rules
-
Since when does ntp run via tcp?? Who still uses pop?
"can you recommend exactly what I should do? "
No, not really. How are we supposed to know what you want to allow or block.. If I tell you to lock it down to http and https only and application X breaks.. Then I gave you bad advice.. If you want to lock down your IoT devices for example what I would really suggest is you isolate them to their own vlans. Log their traffic and see what you think.. I can tell you my directv box does some dns, and he phones home via http and https and does some pinging to an outside address, and every now and then makes a connection on 5223..
To be honest once you isolate such devices from your own network and just allow them internet.. What does it matter what ports they choose to talk on? I would be concerned about their bandwidth usage and if they're talking to somewhere that seems odd.. But do you know what ports they use?? Do I ?? Without looking and watching you're not going to have any idea, and most likely just going to break something. Maybe it phones home every day on 80 and 443, but once every 6 weeks it does something on port xyz..
To be honest since you have to ask, you really shouldn't be blocking.. Isolating said devices you're worried about from your normal network would be my 2 cents on the matter. But if you want to start locking stuff down take a look here. https://doc.pfsense.org/index.php/Example_basic_configuration they give a simple run-down on how to start locking down outbound ports on your lan or other interfaces.
-
Sorry John, yes that's a mistake, ntp on the tcp services. That's pop3s, for Comcast email since I'm not using imap on that.
-
I don't run a DMZ so I'm confused as how to apply the info from:
https://doc.pfsense.org/index.php/Example_basic_configuration
to my setup; unless it means something different than what I think it means.
-
"I don't run a DMZ so I'm confused as how to apply the info from:
https://doc.pfsense.org/index.php/Example_basic_configuration
to my setup; unless it means something different than what I think it means."
No DMZ so ignore those rules about that. They are just examples of what others may need so they try to cover as many basic rules as they feel may help. Keep it simple.
-
What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?
-
OK, so below is one Debian machine running just for Netflix. No other machines at present here and Microsoft is taboo in my home. :o
All Default Deny rules are for logging purposes for me to easily find what is being blocked or needs to be allowed without enabling logging for all the default block rules of PFSense. I do not want to be buried alive in logs, so it is easier to be more selective.
Look at how my rules are for Default Deny and if you need to add more for other services here, well I will let you find that out or we will be at this all day. ;)
Xbox website mentions needed ports or just review your logs after initial setup. One description shows DNS forward… ignore I use Unbound, but rule is same.
Anything below the Default Deny to ALL is disabled and not in play. I just keep them for another day.
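As an added example (not code from any poster in this thread), here is the log-review step that both johnpoz ("log their traffic and see what you think") and the logged Default Deny approach above rely on, as a small script: it reads pfSense filterlog lines, keeps only the blocked entries and tallies, per source host, which protocol and destination port each device actually tried to reach, so allow rules are written from evidence rather than guesses. The log lines are constructed, and the field positions are my assumption about the IPv4 filterlog CSV layout.

```python
import csv
import re
from collections import Counter, defaultdict

# Constructed sample of pfSense filterlog-style entries. Assumed IPv4 field
# positions: 6 action, 8 ip-version, 16 protocol name, 18 source IP,
# 21 destination port (TCP/UDP only; ICMP carries other data in that slot).
SAMPLE_LOG = """\
Jan  5 20:01:02 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.20.10,203.0.113.50,44122,5223,0,S,
Jan  5 20:01:07 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.20.10,203.0.113.50,44123,5223,0,S,
Jan  5 20:01:09 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,3,0,none,17,udp,76,192.168.20.10,198.51.100.53,41000,53,56
Jan  5 20:01:11 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,4,0,none,1,icmp,84,192.168.20.10,198.51.100.9,64,request,5,1
Jan  5 20:01:15 pfSense filterlog[1234]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.50,198.51.100.4,50000,443,0,S,
Jan  5 20:01:20 pfSense filterlog[1234]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,6,0,DF,6,tcp,60,192.168.1.50,198.51.100.4,50001,8080,0,S,
"""

SYSLOG_PREFIX = re.compile(r"^.*?filterlog(?:\[\d+\])?:\s*")

def parse_entry(line):
    """Return (action, src, proto, dstport) or None for lines we can't read."""
    payload = SYSLOG_PREFIX.sub("", line.strip())
    fields = next(csv.reader([payload]))
    if len(fields) < 20 or fields[8] != "4":   # IPv4 layout only
        return None
    action, proto, src = fields[6], fields[16], fields[18]
    dstport = fields[21] if proto in ("tcp", "udp") and len(fields) > 21 else ""
    return action, src, proto, dstport

def summarize_blocked(log_text):
    """Per source host, count the blocked (proto, dstport) pairs it tried to reach."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry[0] == "block":
            _, src, proto, dstport = entry
            seen[src][(proto, dstport)] += 1
    return seen

def report(log_text):
    """Readable list of what each host still needs before a Default Deny will hold."""
    lines = []
    for src, ports in sorted(summarize_blocked(log_text).items()):
        for (proto, dstport), n in ports.most_common():
            target = f"{proto}/{dstport}" if dstport else proto
            lines.append(f"{src:<16} {target:<10} blocked {n}x")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it a real filterlog export (or `clog /var/log/filter.log` output) instead of SAMPLE_LOG; the pass entries drop out and the remaining rows are exactly the candidates for "Easy Rule: Pass this traffic".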
-
"What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?"
All very good questions… And directly to my point.. You are never going to know what application X might use for a port.. So locking down your outbound access is going to be a constant struggle, shit that doesn't work open up port, oh damn this doesn't work open up that port.. How come this doesn't work - oh shit they also use port Y, etc. etc. etc.. Why in the hell are they running protocol C on port D?? That is not its standard port, etc. etc. etc..
That might be fine in a corp setup where you just tell the user tuff titties you cannot use application xyz, whoever said xyz was allowed on this network.. But in a home setup it's nothing more than a PITA...
-
"What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?"
"All very good questions… And directly to my point.. You are never going to know what application X might use for a port.. So locking down your outbound access is going to be a constant struggle, shit that doesn't work open up port, oh damn this doesn't work open up that port.. How come this doesn't work - oh shit they also use port Y, etc. etc. etc.. Why in the hell are they running protocol C on port D?? That is not its standard port, etc. etc. etc..
That might be fine in a corp setup where you just tell the user tuff titties you cannot use application xyz, whoever said xyz was allowed on this network.. But in a home setup it's nothing more than a PITA..."
PITA not really. The reason the Default Deny rule is there is to have a Firewall Log entry so I can just hit the
"Easy Rule: Pass this traffic" icon in the Firewall Log entry and then go back to the Firewall rules area and
see the new rule made and move or change things like description or other fine tuning.
@johnpoz, understand your view of higher order of right and wrong here. thanks.
Default Deny is not for everyone but I do like to know what is happening in my networks.
For someone new to PFSense or any firewall for that matter it may indeed be a PITA.
-
So I added the rules from the links above and I'm finding intermittence in whether these services work or not. This is such a butt pain.
-
"So I added the rules from the links above and I'm finding intermittence in whether these services work or not. This is such a butt pain."
This quote is probably the best way to end the post. I can't stop feeling I kicked a hornet's nest here.
In hindsight I think johnpoz's answer was the better answer in a higher order of right and wrong.
It seems more and more home users are using PFSense and rightly so.
Regarding Default Deny, M. Ranum once wrote: "It takes dedication, thought, and understanding to implement a "Default Deny" policy, which is why it is so seldom done." This is especially true for a home environment.
Number 1 for any home user should be the manual. For a DD policy you must know Network basics, protocols and ports etc. If not you may drive yourself mad if your internet hungry kids don't get to you first.
Go back to the Default PFSense Lan rules and call it a day, no harm, no foul.
In my view if you are running Microsoft you have bigger problems anyway in your network. :o
sorry, don't shoot the messenger.
I noticed the "Feedback" post and debated whether to reply here or on that one. Since your subject line was succinct I wanted to make sure others in future searches were well aware of the possible issues.
I repeat Default Deny is not for everyone. If I sparked your interest, Great!
But on the forums you may be hard pressed to find someone to know what is running on your private network. DD policy requires intimate knowledge of what is running on your machines. Only you can figure that one out. Research before implementing and a good grasp of network protocol and basics is a must. I do not think there will ever be an easy button for this type of setup.
Sorry if I started you down a path you may not have wanted to travel. But, hey, you asked. ;)