LAN to WAN best practice - discrete rules or global allow?



  • Is there a general consensus on best practice for LAN to WAN firewall rules?

    Do you typically just fall back to the default global allow rule (any LAN to any WAN on any port) or do you specify individual rules to allow for HTTP, HTTPS, email, VPN, SSH, FTP, etc. traffic?

    I understand the latter gives you more control and potentially more security, but at the expense of complexity and upkeep. Personally I've gone down the individual rule route, but I'm now reconsidering whether I should just not bother and revert to a global allow rule.

    Interested in hearing the forum's views.



  • I decided to try the whitelisting method simply as an educational experience but it ended up being so simple & easy that I decided to stick with it. Overall, I think I have only ~20+ ports allowed among a dozen aliases.

    I dunno if it's really worth it though since any untrusted service could just use port 80/443.

    The most useful aspect, for me, is that I'm more aware of what legit services are running.



  • I use individual allow rules for logging purposes only. One other application for them would be policy routing but I don't have multi-WAN.

    Performance-wise there's no difference unless we are starting to talk about hundreds of individual allow rules. The number of rules does not affect the number of states created at all; it makes no difference if the state was created by an individual rule or the global allow rule. The performance after the states have been created and the incoming packets are matched only against existing states will be identical.

    More security? Maybe in some very rare cases; as noted, the bad guys can easily use a common destination port for their traffic and you won't be able to block them by pure IP-level filtering. You'll need more heavy-duty tools like a proxy for that.



  • I have a few AAA games that randomly use one of tens of thousands of ports, making white-listing impractical, unless I plan to white-list ports 10,000-60,000, which seems to defeat the purpose.



  • I'm just a normal Joe-Bag-O-Donuts type of guy. From what I've read, the best practice is to block everything (both in and out) globally and only allow specific things through the firewall when needed (that's even in the "Firewall Rule Best Practices" section of the pfSense Book). The first section of this:

    http://ranum.com/security/computer_security/editorials/dumb/index.html

    also touches on that. HOWEVER, as just a normal person at home (with a wife who keeps adding game after game after game after game to her system, and they all want some huge block of ports available), that's just a ridiculous amount of work. I started out that way and ended up scrapping it fairly quickly. For a business, yes. It's a good idea. There are corporate assets to protect and, hopefully, a staff to do the work. In that case, you'd block everything in and out, and do a survey to figure out which people/applications/IPs need what IPs/ports to get through the firewall and when. Then you'd set up rules to allow only those.



  • Since 2.3 there is a neat feature in the rules section: counters (current states and total traffic passed through a specific rule).
    Even if you're okay with an "allow all" rule, creating more specific rules has the small benefit of actually seeing how much and which traffic goes out from you.
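To make the two approaches in this thread concrete (the global allow defended in the "logging purposes only" post and the whitelist described in the second post, plus the per-rule counters mentioned in the last one), here is a pf-syntax sketch of what pfSense roughly writes to pf.conf for each. This is an added example, not text from the thread nor pfSense's own generated ruleset; the interface name em1, the 192.168.1.0/24 LAN and the port lists are assumptions.

```pf
# Added example: hand-written pf rules approximating pfSense output.
# Interface, LAN subnet and port lists below are assumed values.
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# pfSense "Port" aliases end up as lists like these.
web_ports  = "{ 80, 443 }"
mail_ports = "{ 25, 465, 587, 993 }"
vpn_ports  = "{ 500, 4500, 1194 }"

# A and B are alternatives: with both loaded, A matches first because
# of "quick" and B is never evaluated.

# --- Approach A: the default LAN rule pfSense ships with -------------
# One state per flow either way; the rule count changes which rule the
# state is credited to, not how many states exist or how they are matched.
pass in quick on $lan_if from $lan_net to any keep state \
    label "USER_RULE: Default allow LAN to any"

# --- Approach B: explicit egress whitelist, logged per service -------
pass in log quick on $lan_if inet proto udp from $lan_net to any port 53 \
    keep state label "USER_RULE: LAN DNS"
pass in log quick on $lan_if inet proto tcp from $lan_net to any \
    port $web_ports flags S/SA keep state label "USER_RULE: LAN web"
pass in log quick on $lan_if inet proto tcp from $lan_net to any \
    port $mail_ports flags S/SA keep state label "USER_RULE: LAN mail"
pass in log quick on $lan_if inet proto udp from $lan_net to any \
    port $vpn_ports keep state label "USER_RULE: LAN VPN"
# Everything else from the LAN is logged and dropped. Hits on this rule
# are how you find the "legit service" that still needs its own entry.
block in log quick on $lan_if from $lan_net to any \
    label "USER_RULE: LAN default deny (logged)"
```

After loading, `pfctl -vsr` prints Evaluations/Packets/Bytes/States per rule, which is the data behind the counters the last post refers to; under approach B a rule whose counters stay at zero is a candidate for removal, and logged hits on the final block rule show which application needs a rule added.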