    Quick Glance at my Firewall Rule

      A Former User

      Would someone mind taking a quick glance at my firewall rules for changes/improvements? Also, the OPENVPN rules tab was created by the openvpn wizard. However, I created the VPN interface and assigned the openvpn server to that interface. I then moved the rule that was automatically created to the VPN rules.

      ![WAN Rules.JPG](/public/imported_attachments/1/WAN Rules.JPG)
      ![LAN Rules.JPG](/public/imported_attachments/1/LAN Rules.JPG)
      ![VPN Rules.JPG](/public/imported_attachments/1/VPN Rules.JPG)
      ![PIA Rules.JPG](/public/imported_attachments/1/PIA Rules.JPG)
      ![OPENVPN Rules.JPG](/public/imported_attachments/1/OPENVPN Rules.JPG)
      ![Interface assignments.JPG](/public/imported_attachments/1/Interface assignments.JPG)

        johnpoz LAYER 8 Global Moderator

        Your wan rules - I would suggest against opening up rdp to the public internet.. Not a good idea.  If a must, lock it down to specific source IPs - but vpn is a much better way to access rdp.  Clearly looks like you have vpn running, so why would you need rdp open to the public? Just vpn in when you want to rdp to something on your network.

        All your rules after the default lan are pointless and will never be evaluated.  Rules are evaluated top down as traffic enters the interface - first rule to fire wins, no other rules are evaluated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          A Former User

          @johnpoz:

          Your wan rules - I would suggest against opening up rdp to the public internet.. Not a good idea.  If a must, lock it down to specific source IPs - but vpn is a much better way to access rdp.  Clearly looks like you have vpn running, so why would you need rdp open to the public? Just vpn in when you want to rdp to something on your network.

          All your rules after the default lan are pointless and will never be evaluated.  Rules are evaluated top down as traffic enters the interface - first rule to fire wins, no other rules are evaluated.

          WAN Rules - Noted. I'll either try to specify a specific IP or just eliminate entirely.

          LAN Rules - Should I drag that one down to the bottom then? I created those LAN rules because I needed to specify the WAN gateway since I have PIA running on the entire network.

            johnpoz LAYER 8 Global Moderator

            Why do you need your devices to hit your wan IP in the first place?  But if your default is to send out your vpn because you're letting it grab routes, then yes, you need to put the stuff that forces traffic out your gateway above the any any rules.

            Keep in mind if you want your lan to talk to other segments on your local side you would need to allow that traffic before you send it out your vpn.

            Normally I would think you would want to create rules to force specific traffic out your vpn, while normal traffic just goes out your wan and is allowed to your other segments as you want, etc.

            Run through your traffic scenarios, and then step down the rules from the top, seeing which rules trigger and whether that's what you want or not, etc.


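To make the two points in johnpoz's replies concrete (first match wins, so anything under a LAN-to-any catch-all is dead; local-segment and gateway-forcing rules must sit above it), here is an added example that is not code from the thread or from pfSense: a small Python model of top-down rule evaluation with a check for rules that can never be evaluated. The rule names, networks and the WAN_GW gateway are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "pass" or "block"
    src: str = "0.0.0.0/0"         # source network, 0.0.0.0/0 = any
    dst: str = "0.0.0.0/0"         # destination network
    proto: str = "any"             # "any", "tcp" or "udp"
    dport: Optional[int] = None    # None = any destination port
    gateway: Optional[str] = None  # policy-routing gateway; None = default route

def matches(rule, src, dst, proto, dport):
    # The packet must fit every field of the rule.
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(rules, src, dst, proto="tcp", dport=443):
    # Top down, first match wins; nothing matched = pf's implicit default deny.
    for r in rules:
        if matches(r, src, dst, proto, dport):
            return r.action, r.gateway
    return "block", None

def covers(a, b):
    # Every packet b could match is already matched by a.
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))

def shadowed(rules):
    # Rules fully covered by an earlier rule are never evaluated.
    return [b.name for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]
# Constructed rule sets modelled on the thread; addresses and names are made up.
LAN, GUEST, MAIL = "192.168.1.0/24", "192.168.2.0/24", "203.0.113.25/32"
AS_POSTED = [  # catch-all first: the WAN gateway rule below it can never fire
    Rule("Default allow LAN to any", "pass", src=LAN),
    Rule("Mail out WAN", "pass", src=LAN, dst=MAIL, proto="tcp", dport=25, gateway="WAN_GW"),
]
REORDERED = [  # local segment first, then WAN exceptions, then the VPN catch-all
    Rule("Allow LAN to guest", "pass", src=LAN, dst=GUEST),
    Rule("Mail out WAN", "pass", src=LAN, dst=MAIL, proto="tcp", dport=25, gateway="WAN_GW"),
    Rule("Default allow LAN to any", "pass", src=LAN),
]
```

`shadowed(AS_POSTED)` reports the gateway rule as unreachable, while with `REORDERED` the mail traffic is policy-routed out WAN_GW and guest-segment traffic is passed before the catch-all sends everything else down the VPN default route.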
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.