Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Default Permit: a Dumb idea

    Scheduled Pinned Locked Moved Firewalling
    34 Posts 12 Posters 4.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      @KOM:

      Unless your home users are cyber-criminals, I really don't see the advantage of locking down your LAN at home, other than as an exercise.

      Not necessarily, you could also potentially prevent infection from spreading or prevent a bot from reaching a C&C server.

      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • ?
        A Former User
        last edited by

        @jimp:

        Not necessarily, you could also potentially prevent infection from spreading or prevent a bot from reaching a C&C server.

        Exactly. Any new program wanted or not, sticks out like a pimple on the end of your nose.
        Marcus also said FTP should have been taken out back behind the shed years ago and shot. That talk was also a decade ago.
        If I was using FTP still then I would have a dedicated interface for just that use.
        Default deny all on every interface here. Each computer running linux also has ufw set Deny in and Reject out.
        Who needs cyber-criminals when Windows 10 is around.ย  ???
        But to have this set up out of the box for PfSense would be chaos. ::)

        1 Reply Last reply Reply Quote 0
        • P
          pfBasic Banned
          last edited by

          On the topic of learning through pfSense and the kind of activity your WAN side ports see, try running these two custom rules in Suricata or Snort (change drop to alert or run as IDS if you just want to see for fun).

          @pfBasic:

          drop tcp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, TCP"; classtype:network-scan; sid:9000; rev:1;)
          drop udp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, UDP"; classtype:network-scan; sid:9001; rev:1;)
          

          Where $MY_NET and $MY_PORT are variables you'll need to specify as necessary for your own network in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.

          It will just show you that every network out there is getting scanned all the time, scanning for vulnerabilities is often not discriminatory, just a dragnet.

          As a sidenote, whitelisting your LAN won't do a thing about probes on your WAN, but it is interesting in terms of general security on pfSense.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            "or prevent a bot from reaching a C&C server."

            I honestly do not agree with such an argument at all.. If your going to want your bot to talk to your CC why would you not just use a common port like 80/443 so its traffic for one is hidden with all the normal traffic and on a port that would be open almost everything.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • P
              pfBasic Banned
              last edited by

              @johnpoz:

              "or prevent a bot from reaching a C&C server."

              I honestly do not agree with such an argument at all.. If your going to want your bot to talk to your CC why would you not just use a common port like 80/443 so its traffic for one is hidden with all the normal traffic and on a port that would be open almost everything.

              I know not a damn thing about this stuff but I had always wondered about this exactly. It seems like if you were writing malware and trying to avoid detection (not to mention blocking) it would be a lot less suspicious (and surrounded by a lot more static) to have your malware phone home on port 80 (or something along those lines) than 23 or something less common?

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                You assume bot writers have anything that resembles intelligence. There will be smart ones, but there are more dumb ones.ย  :D

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • ?
                  A Former User
                  last edited by

                  @pfBasic:

                  @johnpoz:

                  "or prevent a bot from reaching a C&C server."

                  I honestly do not agree with such an argument at all.. If your going to want your bot to talk to your CC why would you not just use a common port like 80/443 so its traffic for one is hidden with all the normal traffic and on a port that would be open almost everything.

                  I know not a damn thing about this stuff but I had always wondered about this exactly. It seems like if you were writing malware and trying to avoid detection (not to mention blocking) it would be a lot less suspicious (and surrounded by a lot more static) to have your malware phone home on port 80 (or something along those lines) than 23 or something less common?

                  Guys, the idea is to increase your odds of finding said offender. That is enough for me to do it. Keep the haystack as small as you can.

                  1 Reply Last reply Reply Quote 0
                  • P
                    pfBasic Banned
                    last edited by

                    @jimp:

                    You assume bot writers have anything that resembles intelligence. There will be smart ones, but there are more dumb ones.ย  :D

                    Haha, good to know!

                    @webtyro:

                    Guys, the idea is to increase your odds of finding said offender. That is enough for me to do it. Keep the haystack as small as you can.

                    You certainly don't need to convince me, my LAN is already whitelisted for whatever reason. But I do like hearing all this feedback from you guys on the topic!

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      For more references:

                      • Port trends: https://isc.sans.edu/trends.html
                      • Port activity graphs: https://isc.sans.edu/port.html

                      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • KOMK
                        KOM
                        last edited by

                        I honestly do not agree with such an argument at all.

                        Same here.

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          Evidence disagrees with your disagreement. Check the data in the links I just posted.

                          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • H
                            Harvy66
                            last edited by

                            pfSense out of the box: Works for 99.99% of traffic
                            pfSense with uPNP enabled: Works for 99.999999% of traffic

                            If you find the default block permissions are a "bad idea", you're somewhere between the 0.01% and the 0.000001%. You're a special snowflake. For the rest of us people, it works just fine and it makes us safer.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.