Suggest a good basic setting for firewall?



  • Hello all!
    I was just watching a video on YouTube about allowing / preventing port 80 / 443 as examples of WAN_IN rules.

    So I began to think, should I set rules to allow ONLY ports 80 / 443 and my SSH?

    Would that reduce intrusions and flyby malware / etc attacks?
    Or, would it just be good business to only allow ports 80 / 443 / for folks who are average web surfers?

    Thanks for providing any comments


  • Banned

    you're talking generally about white listing your LAN.

    The advantage is you have more control over traffic leaving your LAN.

    If you are using an allow any any any… rule on LAN then obviously anything on your LAN that wants to get out can go anywhere it wants.

    If you have no rules on LAN then no traffic is getting out.

    If you remove the allow any any any… rule then you can write rules and aliases to specify exactly what gets out of your LAN.

    I happen to whitelist my LAN, but I personally did it as an educational exercise to learn wtf firewall rules are and how they work.

    While whitelisting your LAN theoretically (and to some extent really does) lock down your network, it is just one more measure towards security and won't make you safe by itself. I would expect a real threat or malware to be able to exit a network on common ports, but maybe not.

    With that being said, I still recommend it! It's really not difficult to set up, and just by setting it up you understand exactly what is exiting your LAN.

    You will need more than 80/443 though (probably). You likely also want some ports for email, SSH, DHCP, DNS, NTP, and the high ports.
    A few aliases, some quick googling and anyone can set up whitelisting.
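    The approach pfBasic describes, as an added example that is not from the original thread or from the pfSense project: a small Python model of a LAN egress allowlist built from port aliases, evaluated top-down with first-match-wins (the order pfSense uses for its rule tables) and an implicit default deny where the "allow any any any" rule used to be. The alias names, the LAN subnet and the sample flows are constructed for the example; the rule set is only a starting point, not a recommendation for any particular network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed port aliases, in the spirit of pfSense port aliases: one alias
# per service group so that a single rule covers it. Names are assumptions.
PORT_ALIASES = {
    "web": {80, 443},
    "mail": {25, 465, 587, 993, 995},
    "infra": {53, 123},          # DNS and NTP
    "ssh": {22},
}

LAN = "192.168.1.0/24"           # constructed LAN subnet


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network in CIDR form
    dst_ports: frozenset         # destination ports; empty set means any port
    label: str


# Evaluated top-down, first match wins. There is deliberately no trailing
# "pass any" rule: anything not listed falls through to the default deny.
LAN_EGRESS_RULES = [
    Rule("pass", "udp", LAN, frozenset(PORT_ALIASES["infra"]), "DNS/NTP out"),
    Rule("pass", "tcp", LAN, frozenset(PORT_ALIASES["web"]), "Web out"),
    Rule("pass", "tcp", LAN, frozenset(PORT_ALIASES["mail"]), "Mail out"),
    Rule("pass", "tcp", LAN, frozenset(PORT_ALIASES["ssh"]), "SSH out"),
]


def evaluate(rules, proto, src_ip, dst_port):
    """Return (action, label) for one flow: the first matching rule, or the
    implicit default deny when nothing matches."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if src not in ip_network(rule.src):
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return rule.action, rule.label
    return "block", "default deny"


def audit(rules, flows):
    """Evaluate a batch of (proto, src_ip, dst_port) flows and return a list
    of (flow, action, label), which is what you would compare against the
    firewall log when checking that the allowlist does what you expect."""
    return [(flow, *evaluate(rules, *flow)) for flow in flows]


# Constructed sample flows: a browser, a resolver lookup, an admin SSH session,
# a browser trying HTTP/3 (QUIC is UDP 443, not covered by the tcp-only web
# rule), a non-listed port, and a host that is not on the LAN at all.
SAMPLE_FLOWS = [
    ("tcp", "192.168.1.20", 443),
    ("udp", "192.168.1.20", 53),
    ("tcp", "192.168.1.20", 22),
    ("udp", "192.168.1.20", 443),
    ("tcp", "192.168.1.20", 8080),
    ("tcp", "10.0.0.5", 443),
]

if __name__ == "__main__":
    for flow, action, label in audit(LAN_EGRESS_RULES, SAMPLE_FLOWS):
        print(f"{flow[0]:3} {flow[1]:>14} -> port {flow[2]:<5} {action:5} ({label})")
```

Running it shows the point of the exercise: the fourth flow (UDP 443) is blocked even though "443 is allowed", because the allowlist only named TCP, which is exactly the kind of surprise that shows up as unexplained log entries after whitelisting and is why the reply above warns you will need more than 80/443. DHCP to the router itself and the "high ports" needed by things like passive FTP are not modelled here; they are the cases to check in your own logs before calling the allowlist finished.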



  • Thanks for a great solution!  My next step is to read all I can on whitelisting

    I am experimenting with the Ubiquiti EdgeRouter X and Lite as well as pfSense.  I want to provide the best protection without handicapping use by staff in a number of offices ranging from 1 staff on site to 12-20 on site.

    Once I get enough "live" use from each, I can present to the management and recommend how to proceed.  It appears I may use both depending on the amount of staff at the location.

    I ordered 3 SG2440 appliances, and have built another 6 pfSense boxes out of Dell Optiplex 390/990/9020 computers.  They all work great.

    The Ubiquiti routers are real workhorses.  So after I can see which is easier to manage at really remote locations, I can dump the crappy Belkin/D-Link Walmart routers that are in place now.

    Again, thanks for the response.  It will help me tremendously

    @pfBasic:

    you're talking generally about white listing your LAN.

    The advantage is you have more control over traffic leaving your LAN.

    If you are using an allow any any any… rule on LAN then obviously anything on your LAN that wants to get out can go anywhere it wants.

    If you have no rules on LAN then no traffic is getting out.

    If you remove the allow any any any… rule then you can write rules and aliases to specify exactly what gets out of your LAN.

    I happen to whitelist my LAN, but I personally did it as an educational exercise to learn wtf firewall rules are and how they work.

    While whitelisting your LAN theoretically (and to some extent really does) lock down your network, it is just one more measure towards security and won't make you safe by itself. I would expect a real threat or malware to be able to exit a network on common ports, but maybe not.

    With that being said, I still recommend it! It's really not difficult to set up, and just by setting it up you understand exactly what is exiting your LAN.

    You will need more than 80/443 though (probably). You likely also want some ports for email, SSH, DHCP, DNS, NTP, and the high ports.
    A few aliases, some quick googling and anyone can set up whitelisting.

