Firewall Rules on Lan
-
Dear All,
In the office we want to restrict outgoing traffic, as some users use torrents etc.
We want to block all outgoing ports and allow only 443 and 80.
Can someone please advise how to do so?
Create a rule at the top of all to drop anything, and after that create a rule to allow ports 80 and 443? Thank you so much.
-
We want to block all outgoing ports and allow only 443 and 80.
You also need to allow DNS ;) (TCP/UDP Port 53)
Create a rule at the top of all to drop anything, and after that create a rule to allow ports 80 and 443?
No
Please Read:
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
@ptt:
We want to block all outgoing ports and allow only 443 and 80.
You also need to allow DNS ;) (TCP/UDP Port 53)
Create a rule at the top of all to drop anything, and after that create a rule to allow ports 80 and 443?
No
Please Read:
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
I forgot to mention, we have an internal Active Directory server.
Do we have to allow DNS from the DNS server to the Internet?
Please provide some examples if possible. Thank you.
-
Out of the 1024 managed ports, you probably only need <10. Ports 80, 443, 22, 123, 53, 25, 465, 993, 995, 1024:65535 - if you allow those ports for TCP/UDP traffic you will very likely have no compatibility issues and your network will be more secure than your average bear's. :)
Those ports will do most of what you'd want to do on an average network. Anything else you need, just google for the port number.
No block rules needed, anything you don't specifically pass in pfSense is blocked by default (if you deleted all firewall rules on an interface nothing would pass).
Just make some aliases for the ports you want to pass, then make rules that use those aliases.
This is called whitelisting, you delete the default allow any rule, and add rules for the traffic you want to allow. Anything you don't write a rule for will be blocked.
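To make the processing-order point concrete, here is an added example that is not code from the thread or from pfSense: a small Python model of how pfSense evaluates the rules on an interface (top to bottom, first match wins, implicit deny when nothing matches). It compares the whitelist built from a port alias, as the post describes, with the block-everything-first ordering the original question proposed. The LAN subnet 192.168.1.0/24, the Active Directory server 192.168.1.10 acting as the internal DNS server, the sample packets, and the choice to keep port 53 out of the general alias so that only the AD server may talk DNS to the Internet are all assumptions made for the example.

```python
"""Model of pfSense first-match rule processing on a LAN interface.

Added example; not from the forum thread and not pfSense code.
Assumed (not in the thread): LAN 192.168.1.0/24, AD/DNS server 192.168.1.10,
and a port alias taken from the post's list minus 53 so that outbound DNS is
permitted only from the AD server.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = "192.168.1.0/24"   # assumed LAN subnet
AD_DNS = "192.168.1.10"      # assumed Active Directory / DNS server

# pfSense-style port aliases; "a:b" is a range, as in the alias editor.
WHITELIST_PORTS = ["80", "443", "22", "123", "25", "465", "993", "995", "1024:65535"]
DNS_PORTS = ["53"]


def port_in_alias(port: int, alias: list) -> bool:
    """True if the port is covered by one entry of a port alias."""
    for entry in alias:
        if ":" in entry:
            lo, hi = (int(x) for x in entry.split(":"))
            if lo <= port <= hi:
                return True
        elif int(entry) == port:
            return True
    return False


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp", "tcp/udp" or "any"
    src: str                    # "any", a single host or a CIDR network
    dst_ports: Optional[list]   # port alias, or None for any destination port
    desc: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, source and destination port must all match."""
    if rule.proto != "any" and pkt.proto not in rule.proto.split("/"):
        return False
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dst_ports is not None and not port_in_alias(pkt.dport, rule.dst_ports):
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """First matching rule decides; no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# Whitelist as the post describes: the default allow-any rule is gone and
# only named traffic is passed. No block rule is needed anywhere.
WHITELIST_RULES = [
    Rule("pass", "tcp/udp", AD_DNS, DNS_PORTS, "DNS from AD server only"),
    Rule("pass", "tcp/udp", LAN_NET, WHITELIST_PORTS, "LAN to whitelisted ports"),
]

# What the question proposed: a block-all rule on top. First match wins, so
# the pass rule underneath is never reached and nothing leaves the LAN.
BLOCK_FIRST_RULES = [
    Rule("block", "any", "any", None, "block everything (top)"),
    Rule("pass", "tcp", LAN_NET, ["80", "443"], "allow web (never reached)"),
]


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.0/24 is a documentation range.
    samples = [
        Packet("tcp", "192.168.1.50", "203.0.113.10", 443),   # workstation browsing
        Packet("udp", "192.168.1.50", "203.0.113.53", 53),    # workstation bypassing AD DNS
        Packet("udp", "192.168.1.10", "203.0.113.53", 53),    # AD server forwarding DNS
        Packet("tcp", "192.168.1.50", "203.0.113.10", 21),    # FTP, not whitelisted
        Packet("tcp", "192.168.1.50", "203.0.113.10", 6881),  # BitTorrent, inside 1024:65535
    ]
    for name, rules in (("whitelist", WHITELIST_RULES), ("block-first", BLOCK_FIRST_RULES)):
        for pkt in samples:
            action, why = evaluate(rules, pkt)
            print(f"{name:12} {pkt.proto}/{pkt.dport:<5} from {pkt.src:14} -> {action:5} ({why})")
```

Two things the model makes visible that are easy to miss in the GUI: the block-first ordering shadows every rule below it, which is why the answer above is "No", and the 1024:65535 entry in the alias still passes a BitTorrent connection to a high port, so that alias does not by itself stop the torrent traffic the question started with. On a real pfSense box the LAN interface also keeps its automatic anti-lockout rule, which passes LAN traffic to the firewall's own GUI ports independently of the rules you write.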
-
Well explained,
I will try to do this as the firewall is a remote device and I will be connecting using VPN; hopefully I won't lock myself out.
-
Well explained,
I will try to do this as the firewall is a remote device and I will be connecting using VPN; hopefully I won't lock myself out.
Just don't close off ports 22, 80, 443. And preferably set up SSH before you start modifying rules if you haven't already.
22 = SSH (you can change this)
80 = HTTP
443 = HTTPS
These are the three ports that you can access your webgui through.
-
Also, know what port your VPN operates through before you start to close ports off if that's your only access.
Port 1194 is the standard OpenVPN port; OpenVPN also uses 1197.
I believe some VPNs use 80 or 443.
Bottom line, make sure you know exactly which port YOUR VPN is using before you close anything off.