    LAN to WAN best practice - discrete rules or global allow?

    Firewalling
magtam wrote:

      Is there a general consensus on best practice for LAN to WAN firewall rules?

      Do you typically just fall back to the default global allow rule (any LAN to any WAN on any port) or do you specify individual rules to allow for HTTP, HTTPS, Email, VPN, SSH, FTP etc traffic?

      I understand the latter gives you more control and potentially more security but with the expense of complexity and upkeep. Personally I've gone down the individual rule route but I'm now reconsidering whether I should just not bother and revert back to a global allow rule.

      Interested in hearing the forum's views.

Nullity wrote:

        I decided to try the whitelisting method simply as an educational experience but it ended up being so simple & easy that I decided to stick with it. Overall, I think I have only ~20+ ports allowed among a dozen aliases.

        I dunno if it's really worth it though since any untrusted service could just use port 80/443.

        The most useful aspect, for me, is that I'm more aware of what legit services are running.

kpa wrote:

          I use individual allow rules for logging purposes only. One other application for them would be policy routing but I don't have multi-WAN.

Performance-wise there's no difference unless we are starting to talk about hundreds of individual allow rules. The amount of rules does not affect the number of states created at all; it makes no difference if the state was created by an individual rule or the global allow rule. The performance after the states have been created and the incoming packets are matched only against existing states will be identical.

          More security? Maybe in some very rare cases, as noted the bad guys can easily use a common destination port for their traffic and you won't be able to block them by pure IP level filtering. You'll need more heavy duty tools like a proxy for that.

Harvy66 wrote:

            I have a few AAA games that randomly use one of tens of thousands of ports making white-listing impractical. Unless I plan to white-list ports 10,000-60,000, which seems to defeat the purpose.

beremonavabi wrote:

I'm just a normal Joe-Bag-O-Donuts type of guy. From what I've read, the best practice is to block everything (both in and out) globally and only allow specific things through the firewall when needed (that's even in the "Firewall Rule Best Practices" section of the pfSense Book). The first section of this:

              http://ranum.com/security/computer_security/editorials/dumb/index.html

also touches on that. HOWEVER, as just a normal person at home (with a wife who keeps adding game after game after game after game to her system and they all want some huge block of ports available), that's just a ridiculous amount of work. I started out that way and ended up scrapping it fairly quickly. For a business, yes. It's a good idea. There are corporate assets to protect and, hopefully, a staff to do the work. In that case, you'd block everything in and out, and do a survey to figure out which people/applications/IPs need what IPs/ports to get through the firewall and when. Then you'd set up rules to allow only those.

pan_2 wrote:

Since 2.3 there is a neat feature in the rules section: counters (current states and total traffic passed through a specific rule).
Even if you're okay with an "allow all" rule, creating more specific rules has the small benefit of actually seeing how much and which traffic goes out from you.

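For readers weighing the two approaches, here is what the whitelist design discussed in this thread looks like as a pf ruleset in the style pfSense generates. This is an added example, not a ruleset posted by anyone in the thread or shipped by Netgate; the interface name, networks, alias members and the host that gets a wide game port range are assumptions chosen for illustration.

```pf
# Added example: LAN-to-WAN egress whitelist in pfSense-style pf syntax.
# Interface, networks and alias members below are assumptions, not real values.
lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"            # firewall's LAN address (runs the resolver)

# One alias per purpose keeps the rule list short: roughly the "dozen aliases,
# ~20 ports" setup described above.
web_ports  = "{ 80, 443 }"
mail_ports = "{ 25, 465, 587, 993, 995 }"
ssh_ports  = "{ 22 }"
vpn_udp    = "{ 1194, 51820 }"
game_hosts = "{ 192.168.1.50 }"     # hosts whose games pick random high ports
game_ports = "10000:60000"          # the wide range such games need (assumed)

# "quick" makes each rule final on match, so evaluation is top-down first-match
# and the logged deny at the bottom only sees what nothing above accepted.

# DNS is only allowed to the firewall's own resolver; DNS to anywhere else
# falls through to the deny rule, where it shows up in the log and counters.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $lan_addr port 53 \
    keep state label "LAN: DNS to firewall resolver"

pass in quick on $lan_if proto tcp from $lan_net to any port $web_ports \
    flags S/SA keep state label "LAN: web"
pass in quick on $lan_if proto tcp from $lan_net to any port $mail_ports \
    flags S/SA keep state label "LAN: mail"
pass in quick on $lan_if proto tcp from $lan_net to any port $ssh_ports \
    flags S/SA keep state label "LAN: ssh"
pass in quick on $lan_if proto udp from $lan_net to any port $vpn_udp \
    keep state label "LAN: vpn"

# Narrow exception for the game machines only: wide port range, but only
# from the listed hosts, so the rest of the LAN keeps the tight policy.
pass in quick on $lan_if proto { tcp, udp } from $game_hosts to any port $game_ports \
    keep state label "LAN: game hosts, wide range"

pass in quick on $lan_if inet proto icmp from $lan_net to any \
    keep state label "LAN: icmp"

# pfSense already denies anything unmatched, but an explicit logged rule with
# its own label gives you a counter for "what is trying to leave and failing".
block in log quick on $lan_if from $lan_net to any label "LAN: default deny (logged)"
```

Syntax-check a file like this with `pfctl -nf <file>` before loading it, and read the per-rule counters (evaluations, packets, bytes, states) with `pfctl -vsr`; those counters are what the per-rule counters mentioned above expose in the GUI. The caveat raised earlier in the thread still applies: anything that talks on 80 or 443 matches the "LAN: web" rule, so the ruleset limits which ports are reachable, not which software uses them.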