    Default Permit: a Dumb idea

    34 Posts 12 Posters 3.8k Views
• brolloks

      Hi everyone,

I am in the process of replacing our current pfSense firewall, which runs on desktop hardware that was slapped together aeons ago, with some nice new Netgate/pfSense hardware.

I have also been going through our current setup and configuration and doing some research about best practices, and came across "The Six Dumbest Ideas in Computer Security" by Marcus Ranum: http://ranum.com/security/computer_security/editorials/dumb/index.html

He describes Default Permit as a really dumb idea, which makes sense.

      My question to you all:
      How many of you are actually using your firewall with the default deny policy in place?
How did you go about implementing it in your environment in terms of knowing what to allow? I can imagine this will be a nightmare for organizations that don't have a clearly defined policy in place that governs which software is allowed.

      Appreciate all your input.

      Thanks.

• KOM

        How many of you are actually using your firewall with the default deny policy in place?

        I manage all of the equipment here and I know all of the users.  Default deny on WAN, default allow on LAN.  I don't have the time to be chasing firewall issues for my LAN clients.

• kpa

          I see no reason to change default deny for any reason, it is the sane default for a security device of any kind.

Application firewalls running on individual hosts may be a different case. You don't want to present a mostly computer-illiterate user with a system that uses a default deny application firewall that nags constantly about new and updated software if he/she wants to allow it access to the internet.

• brolloks

            @KOM:

            How many of you are actually using your firewall with the default deny policy in place?

            I manage all of the equipment here and I know all of the users.  Default deny on WAN, default allow on LAN.  I don't have the time to be chasing firewall issues for my LAN clients.

At the moment I am in the same boat: deny on WAN and allow on LAN, with the things I want to block added on top.

I am just curious to know how someone, or a team for that matter, would manage a setup where they have deny on LAN and only allow what is required.
I am a single person managing EVERYTHING at a medium-sized organisation, so time is always against me. :P

• brolloks

              @kpa:

              I see no reason to change default deny for any reason, it is the sane default for a security device of any kind.

Application firewalls running on individual hosts may be a different case. You don't want to present a mostly computer-illiterate user with a system that uses a default deny application firewall that nags constantly about new and updated software if he/she wants to allow it access to the internet.

Good point, but even the guys from pfSense recommend using a default deny on your LAN for long-term use as best practice. But I can understand how difficult this could be to implement for an organisation that has been using default allow.

A default deny strategy for firewall rules is the best practice (The pfSense Book)

• JKnott

                How many of you are actually using your firewall with the default deny policy in place?

                Every firewall I've worked on starts with the default deny all to which I add exceptions for the stuff I want.  That's the way a firewall should work, in my not so humble opinion.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

• 6h057

Are you saying that the default firewall setting for LAN to WAN traffic is recommended to be set to deny? That is an administration nightmare. Block all inbound from the untrusted network (WAN > LAN), allow all outbound from the trusted network (LAN > WAN), add specific rules to allow inbound connections such as VPN, and add specific rules to block outbound connections such as hosts restricted from accessing the WAN. Having to write specific rules to allow outbound traffic through a firewall when there are so many services running on systems that require access, such as update services, seems insane.

                  In regards to the article, which was written in 2005, the writer is criticizing the policy of default allow on a WAN > LAN connection, or a default allow on system execution (allowing any executable to run just because a user clicked on it).

                  Point is, if you trust it, allow it, and if you don't trust it, don't allow it, but don't make your job harder.

• pfBasic

                    @brolloks:

                    How many of you are actually using your firewall with the default deny policy in place?
                    How did you go about implementing it in your environment in terms of knowing what to allow? I can imagine this will be a nightmare for organizations that don't have clear defined policy in place that governs which software is allowed.

                    I thought everyone?
                    Why use a firewall if it is just allowing everything?

My network is just a home network so it's pretty easy to set up; I don't have a clue how complex a professional business network would be.

But for a home setup, just write pass rules to allow the type of traffic you use on the ports you use and get rid of any "allow any any" rules. You probably know any special ports you need open for stuff beyond internet, email, SSH, etc. So something like this on your LAN should get a generic home network up and running.
                    Allow IPv4 TCP LAN any any $YOUR_PORTS_ALIAS
                    Allow IPv4 TCP/UDP any any 1024:65535
                    Allow IPv4 TCP/UDP LANnet any LANaddress $DNS_DHCP_NTP_ALIAS
                    Allow IPv4 TCP/UDP LANnet any LANaddress $SSH_WEBGUI

• Nullity

As a learning exercise I set up a default deny on my LAN and discovered that the ports required were much less numerous than I'd assumed.

                      I dunno if it's actually any safer or secure but it feels safer… At the least, I'm more aware of my network.

                      Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

• brolloks

                        @Nullity:

As a learning exercise I set up a default deny on my LAN and discovered that the ports required were much less numerous than I'd assumed.

                        I dunno if it's actually any safer or secure but it feels safer… At the least, I'm more aware of my network.

                        That is what I thought as well. It would give you a broader perspective about what is going through your firewall.

• jimp (Rebel Alliance, Developer, Netgate)

                          Default deny is the best practice overall, but it's not the best default practice out-of-the-box for a firewall distribution like this.

                          You can switch to a default deny on LAN strategy in a couple clicks if you want it, but the behavior most people expect is to be able to plug into a default install and be able to reach from LAN to WAN and beyond, Facebook and lolcats flowing freely.

I've been involved in networks set up both ways. It's all up to the needs and security level of the site. Default deny is more secure, but it can feel like playing whack-a-mole as you sort things out, and inevitably you will have forgotten to allow something that only happens once a week/month/year, so you'll have to go back and tune it regularly when things mysteriously fail to work.


• pfBasic

                            Agree with the above about it not being as complex as it seems and probably not needing as many ports as you think.

                            Here's an old post on firewalling that's still relevant and helpful to get you going.
                            @jflsakfja:

                            Firewalling
Always whitelist, NEVER blacklist. In other words, start with everything disallowed (pfSense's default is exactly that) and only allow what is absolutely needed. The same applies for outgoing filtering. Head over to Firewall > Aliases and set up a ports alias. The ports you should allow outgoing are:

                            | 21 | FTP, if you have the need to access hosts over FTP |
                            | 22 | SSH, if you remotely administer systems |
                            | 25 | SMTP if planning to send email (technically your ISP should only allow outgoing 25 to its relay hosts) |
                            | 80 | HTTP, if planning to access any website, essential for updating systems |
                            | 123 | NTP, maybe not needed depending on your preferences |
                            | 443 | HTTP/S, see HTTP note |
                            | 465 | SMTP/S, see SMTP note |
                            | 547 | DHCP, only needed on interfaces that pfsense will automatically provide IPs for |
                            | 993 | IMAP/S, if you want to access a remote IMAP account |
                            | 995 | POP3/S, if you want to access a remote POP3 account |
                            | 1024 to 65535 | unprivileged ports, you don't have any control over these, make a note to remember what ports are privileged |

                            Name the alias something that is easy to remember, like I don't know, how about "outgoing_ports"?

                            Create another alias, pfsense_ports

                            | X | pfsense's webgui port. See note |
                            | Y | pfsense's ssh port. See notes below |

A note on the WebGUI and SSH port: The port chosen must be X, where 0 < X < 1024. Same goes for Y. The first allowed port is 1 and the last allowed port is 1023. Choose a port not in use by any other service (DHCP, NTP). These first 1024 ports are called privileged ports, and greatly help us in administering our systems. A relatively random port (e.g. not 0, not 81) will allow for some security through obscurity.

                            There's a ton of info on that thread if you're interested, https://forum.pfsense.org/index.php?topic=78062.0

Also, if you're ever wondering what port is used for something you need, or trying to find a privileged port to use that isn't already widely in use, the Wikipedia page on ports is great.
                            https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

• kpa

                              @pfBasic:

                              Agree with the above about it not being as complex as it seems and probably not needing as many ports as you think.

                              Here's an old post on firewalling that's still relevant and helpful to get you going.

Yeah… but in reality filtering outbound by protocol and port numbers doesn't work. It already breaks with passive FTP, which requires a (from your point of view) randomly chosen data port at the remote end. And this is just the start of the issues you have when trying to keep a suitable set of ports open in the outgoing direction by protocol and port number; good luck setting up BitTorrent in such an environment.

• pfBasic

                                I've never used FTP, but I'm pretty sure it would work that way.

                                Your traffic leaves through the FTP port and will be assigned an unprivileged port on the remote end.

BitTorrent has worked with no issues on my network just like that.

                                I think that people just view this as being way more complex than it is for a home network. When you scale it up to thousands of users doing different things in a production environment then I'm sure it would be something that would require a lot of time and effort and might not be worth doing at all.
                                On a home network, you can literally write a few aliases, a few rules and it will just work.

• doktornotor

                                  @pfBasic:

                                  Your traffic leaves through the FTP port and will be assigned an unprivileged port on the remote end.

                                  Hmmm… nope.
                                  http://slacksite.com/other/ftp.html

• johnpoz (LAYER 8, Global Moderator)

                                    "Your traffic leaves through the FTP port and will be assigned an unprivileged port on the remote end."

Yes, that would be the control channel connection to port 21. But then if your client is using active, it will tell the server via the control channel to connect to it on some random high port. If your client is using passive, it will get told to connect to the server on some random high port. Neither connection would work via a locked-down setup.

Now if your server is behind this sort of connection, you need to allow it to go out to any random port via source port 20. And if the server is going to allow passive clients, then you have to forward the range of high ports it will use to the server to allow this passive connection.

FTP is one of the prime examples of how NAT can break stuff, along with it being a difficult protocol to use in a locked-down default deny setup. The IPs and ports to be used in the data connection are contained in the control channel. So with NAT you can run into the problem of the client or server giving out its RFC 1918 address instead of the actual public one, etc.

While I am all for a default deny, as mentioned, if you want such a setup it's click click and there you go, default deny outbound. But having that as the default setup when you first set up pfSense would only drastically increase the number of "it doesn't work" posts ;) And your typical user is just going to create the any any rule outbound anyway, since that is how their typical SOHO off-the-shelf home router is designed to function.

Shoot, look at how many posts there are on how come OPT1 doesn't work.. since the only interface that out of the box is allow any any is your LAN. When you add an interface it gets your default deny policy.. Browse the forum: how many posts are there asking why their OPT interface doesn't work ;)


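As an added example (not code from this thread or from pfSense), the following Python evaluator models pfBasic's four LAN pass rules above plus pfSense's implicit deny, and dry-runs a handful of constructed flows against them, including the server-chosen passive FTP data port johnpoz describes, to show which flows the policy would drop. The LAN subnet, addresses, alias contents and the reading of the three-token second rule are assumptions.

```python
"""Toy first-match evaluator for a default-deny LAN rule set (added example, not
pfSense code).  It models the four LAN pass rules pfBasic listed plus pfSense's
implicit "block everything else" and dry-runs constructed flows against them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
LAN_NET = ip_network("192.168.1.0/24")      # constructed stand-in for "LANnet"
LAN_ADDRESS = ip_network("192.168.1.1/32")  # constructed stand-in for "LANaddress"

# Aliases named in the post; which ports they hold is an assumption.
ALIASES = {
    "YOUR_PORTS_ALIAS": {21, 22, 25, 80, 123, 443, 465, 993, 995},
    "DNS_DHCP_NTP_ALIAS": {53, 67, 123},
    "SSH_WEBGUI": {22, 443},
}
TCP, TCP_UDP = frozenset({"tcp"}), frozenset({"tcp", "udp"})

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port

@dataclass
class Rule:
    protos: frozenset   # protocols the pass rule covers
    src: object         # ip_network or ANY
    dst: object         # ip_network (a /32 for one host) or ANY
    dports: object      # set of ports, (low, high) range, or ANY
    label: str

def _addr_matches(pattern, addr):
    return pattern == ANY or ip_address(addr) in pattern

def _port_matches(pattern, port):
    if isinstance(pattern, tuple):          # (low, high) range
        return pattern[0] <= port <= pattern[1]
    return pattern == ANY or port in pattern

def evaluate(flow, rules):
    """Walk the pass rules top to bottom; first match wins, no match is denied."""
    for rule in rules:
        if (flow.proto in rule.protos and _addr_matches(rule.src, flow.src)
                and _addr_matches(rule.dst, flow.dst)
                and _port_matches(rule.dports, flow.dport)):
            return ("pass", rule.label)
    return ("block", "default deny")

def blocked_report(flows, rules):
    """Return the (flow, reason) pairs a rule set would drop: the allow list's gaps."""
    return [(f, evaluate(f, rules)[1]) for f in flows if evaluate(f, rules)[0] == "block"]

# pfBasic's four LAN rules, top to bottom.  The three-token second rule is read
# here as "any source, any destination, destination port 1024:65535".
HOME_RULES = [
    Rule(TCP, LAN_NET, ANY, ALIASES["YOUR_PORTS_ALIAS"], "LAN -> any: YOUR_PORTS_ALIAS"),
    Rule(TCP_UDP, ANY, ANY, (1024, 65535), "any -> any: 1024-65535"),
    Rule(TCP_UDP, LAN_NET, LAN_ADDRESS, ALIASES["DNS_DHCP_NTP_ALIAS"], "LANnet -> LANaddress: DNS/DHCP/NTP"),
    Rule(TCP_UDP, LAN_NET, LAN_ADDRESS, ALIASES["SSH_WEBGUI"], "LANnet -> LANaddress: SSH/WebGUI"),
]
STRICT_RULES = [HOME_RULES[0]] + HOME_RULES[2:]   # same policy minus the blanket high-port rule

# Constructed flows a LAN client might generate (203.0.113.0/24 is documentation space).
EXPECTED_FLOWS = [
    Flow("tcp", "192.168.1.50", "203.0.113.10", 443),    # HTTPS to a web site
    Flow("udp", "192.168.1.50", "192.168.1.1", 53),      # DNS to the firewall's resolver
    Flow("udp", "192.168.1.50", "203.0.113.53", 53),     # DNS straight to an outside resolver
    Flow("tcp", "192.168.1.50", "203.0.113.21", 21),     # FTP control channel
    Flow("tcp", "192.168.1.50", "203.0.113.21", 50123),  # passive FTP data channel on a server-chosen port
]

if __name__ == "__main__":
    print([(f.dst, f.dport, why) for f, why in blocked_report(EXPECTED_FLOWS, STRICT_RULES)])
```

Under the rules as pfBasic wrote them the blanket 1024:65535 rule is what lets the passive FTP data channel through; the stricter variant drops it, and both drop DNS sent past the firewall's own resolver.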
• pfBasic

Like I said, I've never used FTP before, so I apologize for the confusion.

I didn't read the article as it's not something I use, but if it is something OP needs then maybe don't do this, or read the article and decide for yourself. But I can confirm that BitTorrent works with this type of configuration, no problems.

Even if you did use something like passive FTP, if you use it on only a few computers then you can still do this: just assign static IPs, whitelist for your LAN, then give the few computers that need it more permissive rules.

• pfBasic

                                        @johnpoz:

While I am all for a default deny, as mentioned, if you want such a setup it's click click and there you go, default deny outbound. But having that as the default setup when you first set up pfSense would only drastically increase the number of "it doesn't work" posts ;) And your typical user is just going to create the any any rule outbound anyway, since that is how their typical SOHO off-the-shelf home router is designed to function.

Shoot, look at how many posts there are on how come OPT1 doesn't work.. since the only interface that out of the box is allow any any is your LAN. When you add an interface it gets your default deny policy.. Browse the forum: how many posts are there asking why their OPT interface doesn't work ;)

                                        Yeah I certainly believe you. But I do think that your average home user can run a whitelisted LAN with minimal setup, a little troubleshooting, and a lot of reading through this forum.
If I can do it then anyone can; I have no computer science, IT, or networking background of any type at all. But there are enough smart people on this forum sharing their knowledge that even my network (I believe) is pretty damn secure for a home network and runs very well.

• johnpoz (LAYER 8, Global Moderator)

                                          " a little troubleshooting, and a lot of reading through this forum. "

                                          Your typical user is not up to either of those ;)


• pfBasic

Good point, so I guess I'd modify my original statement to say that whitelisting your LAN is not too difficult for a small home network, assuming you are willing to do a little troubleshooting and a lot of reading if it becomes necessary.

I'd still recommend doing exactly that to any new user, if for no other reason than to learn the basics about what's going on. While you're figuring it out you can always keep that "allow LAN to anyone anywhere" rule at the top, disable it while you're working on setting up your whitelisting rules, and then re-enable it until the next time you want to work on it.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.