Netgate Discussion Forum
    Suggest a good basic setting for firewall?

    3 Posts 2 Posters 648 Views
    detox

      Hello all!
      I was just watching a video on YouTube about allowing / preventing ports 80 / 443 as examples of WAN_IN rules.

      So I began to think: should I set rules to allow ONLY ports 80 / 443 and my SSH?

      Would that reduce intrusions and flyby malware / etc attacks?
      Or, would it just be good business to only allow ports 80 / 443 / for folks who are average web surfers?

      Thanks for providing any comments

      pfBasic

        You're talking generally about whitelisting your LAN.

        The advantage is you have more control over traffic leaving your LAN.

        If you are using an allow any any any… rule on LAN then obviously anything on your LAN that wants to get out can go anywhere it wants.

        If you have no rules on LAN then no traffic is getting out.

        If you remove the allow any any any… rule then you can write rules and aliases to specify exactly what gets out of your LAN.

        I happen to whitelist my LAN, but I personally did it as an educational exercise to learn wtf firewall rules are and how they work.

        While whitelisting your LAN theoretically locks down your network (and to some extent really does), it is just one more measure towards security and won't make you safe by itself. I would expect a real threat or malware to be able to exit a network on common ports, but maybe not.

        With that being said, I still recommend it! It's really not difficult to set up, and just by setting it up you understand exactly what is exiting your LAN.

        You will need more than 80/443 though (probably). You likely also want some ports for email, SSH, DHCP, DNS, NTP, and the high ports.
        A few aliases, some quick googling and anyone can set up whitelisting.

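        As an added illustration (not part of pfBasic's post, and not a ruleset generated by pfSense), here is what the two LAN policies described above look like in pf's own rule syntax, which is the filter pfSense ultimately loads. The interface name `igb1`, the LAN subnet `192.168.1.0/24` and the resolver/NTP address `192.168.1.1` are assumed values; the port groupings stand in for the pfSense aliases pfBasic mentions.

```pf
# Added example: pf.conf equivalent of the "allow any" LAN rule versus an egress
# whitelist built from aliases. Interface, subnet and server addresses are assumed.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# Aliases (pfSense aliases map to pf macros and tables)
web_ports  = "{ 80, 443 }"
mail_ports = "{ 25, 465, 587, 993, 995 }"
table <allowed_dns> { 192.168.1.1 }   # assumed: the firewall is the LAN resolver
table <allowed_ntp> { 192.168.1.1 }   # assumed: the firewall is the LAN NTP server

# Default: anything from the LAN that no pass rule matches is dropped and logged,
# so the firewall log shows exactly what the whitelist is still missing.
block in log on $lan_if

# --- Before: the default "allow any any any" LAN rule (shown commented out) ---
# pass in quick on $lan_if inet from $lan_net to any keep state

# --- After: explicit egress whitelist ---
# DHCP: a client with no address yet sends from 0.0.0.0, so "from $lan_net"
# would not match it; the source has to be "any" for this one rule.
pass in quick on $lan_if inet proto udp from any port 68 to any port 67 keep state

# DNS and NTP only to the firewall's own services, not to arbitrary hosts
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to <allowed_dns> port 53  keep state
pass in quick on $lan_if inet proto udp         from $lan_net to <allowed_ntp> port 123 keep state

# Web browsing
pass in quick on $lan_if inet proto tcp from $lan_net to any port $web_ports keep state

# Mail clients
pass in quick on $lan_if inet proto tcp from $lan_net to any port $mail_ports keep state

# SSH to administered hosts
pass in quick on $lan_if inet proto tcp from $lan_net to any port 22 keep state

# Anything else (including the "high ports" some applications need) falls through
# to the block rule above; add a further alias and pass rule per application.
```

        The order matters: the `block` rule has no `quick`, so it only takes effect when none of the `quick` pass rules match, and the `log` keyword is what turns the blocked traffic into the list of things still to be whitelisted.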
        detox

          Thanks for a great solution! My next step is to read all I can on whitelisting.

          I am experimenting with the Ubiquiti EdgeRouter X and Lite as well as pfSense. I want to provide the best protection without handicapping use of staff in a number of offices ranging from 1 staff on site to 12-20 on site.

          Once I get enough "live" use from each, I can present to the management and recommend how to proceed. It appears I may use both depending on the amount of staff at the location.

          I ordered 3 SG2440 appliances, and have built another 6 pfSense boxes out of Dell Optiplex 390/990/9020 computers. They all work great.

          The Ubiquiti routers are real workhorses. So after I can see which is easier to manage at really remote locations, I can dump the crappy Belkin/D-Link Walmart routers that are in place now.

          Again, thanks for the response. It will help me tremendously.


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.