Netgate Discussion Forum
    How secure would this be..

    Firewalling
    11 Posts 5 Posters 791 Views
    mirkwoody

      Let's say.. behind my pfSense I have a device on a regular unmanaged switch which I want to open all ports to on the WAN side, or just a whole big range of ports..
      In my rule I specify that it should be that IP only.

      Protocol: any
      Source: any
      port: any..
      Destination IP:… Specific.

      How sure could I be that all that traffic won't go anywhere else on my LAN?
      Is this the main reason why people have managed switches with VLANs?

      To be more specific, it is because I have an ISP router with VoIP features behind pfSense, and right now I can make outbound calls but nothing happens inbound. And it would be easy to just open all.

      I am also thinking of setting up my motherboard onboard NIC as an optional isolated network, that might be better?

      johnpoz (LAYER 8 Global Moderator)

        So after some bot gives someone remote root access to this box you just opened to the internet in prob 37.2 seconds ;) they now have access to everything else on that local network of yours..

        "And it would be easy to just open all."

        Sure just do that… ;)  Who said security was "easy" heheheeh

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        Grimson (Banned)

          Use the SIP proxy package or configure a STUN server, if your provider offers it. Don't open (all) ports, that's plain stupid.

          kejianshi

            Yeah - I've opened SIP servers to the world on all the RTP ports as well as the normal SIP login ports because it runs wonderfully that way.  It really does.

            Not sure it was 37 seconds, but it was hacked in short order.  Probably days.

            JKnott

              The normal practice is to block EVERYTHING and then allow only what you need.  Also, a switch, managed or otherwise, has nothing to do with it.  Filtering protocols is a firewall function.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              kejianshi

                You need 10s of 1000s of ports open or proxied or accessible in some fashion for an internet-facing SIP server or Jingle server for XMPP.

                Without getting crazy, the best I've ever been able to do securely and reliably is, as you say, not open but a few ports and access SIP via VPN.

                Every other solution I've ever tried to set up either didn't work at all because of NAT, or had one-way audio only because of NAT, or worked great and was hacked in short order.

                Accessing your server via a pfSense VPN from remote sites or iPhones / Android phones via VPN works very well and is more secure than anything else I've tried.

                mirkwoody

                  So it sounds like it's a good idea that I haven't just opened it ;D.

                  I just thought… that maybe.. if specified for only that box, it wouldn't do much harm.. but then part of me also knew it probably wouldn't be a good idea.

                  mirkwoody

                    @Grimson:

                    Use the SIP proxy package or configure a STUN server, if your provider offers it. Don't open (all) ports, that's plain stupid.

                    Not that I am aware of.. maybe more for business clients, I imagine.  It does however seem to use SIP when looking at some config files.

                    Nope, haven't just opened all :D.

                    mirkwoody

                      @JKnott:

                      The normal practice is to block EVERYTHING and then allow only what you need.  Also, a switch, managed or otherwise, has nothing to do with it.  Filtering protocols is a firewall function.

                      But I thought… as I have come to learn.. that if you set up VLANs with a managed switch and such, you could totally isolate parts of a network.

                      kejianshi

                        You can - that is 100% true.  You can contain a hack if it's firewalled from the rest of the network.

                        VLANs work.  Separate NIC cards with their own firewalled subnet also work.

                        Are these incoming sessions coming from many different IPs or a single SIP provider with 1 IP outside your network?

                        JKnott

                          @mirkwoody:

                          @JKnott:

                          The normal practice is to block EVERYTHING and then allow only what you need.  Also, a switch, managed or otherwise, has nothing to do with it.  Filtering protocols is a firewall function.

                          But I thought… as I have come to learn.. that if you set up VLANs with a managed switch and such, you could totally isolate parts of a network.

                          A managed switch can set up VLANs, where each VLAN is logically, but not physically, a separate network.  This provides some security in that devices on one LAN or VLAN cannot easily access those on another.  It can also use MAC filtering, so that only specified devices are allowed to use a switch port.  That's about as far as it goes.  With firewalls, you specify which external, incoming connections or traffic you want.  For example, if you had a web site, you'd allow TCP port 80, but not some other protocol, such as FTP.  On my home firewall, I allow SSH and OpenVPN.  Back when I was running my own IMAP mail server, I also allowed IMAPS.

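The two points made in this thread, default-deny with narrow allow rules (JKnott) and keeping the VoIP box on its own firewalled segment so a compromise cannot reach the rest of the LAN (kejianshi), look like this as a hand-written pf ruleset. This is an added example, not pfSense's generated rules or anything posted in the thread; the interface names, the VLAN, the ISP router address 10.0.10.2, the single provider address 203.0.113.10 and the RTP range 10000-20000 are all assumed and must be replaced with the values from the provider's and device's own configuration.

```pf
# Added example (hypothetical pf.conf fragment, not pfSense output).
# Assumed layout: em0 = WAN, em1 = trusted LAN, vlan10 = VoIP segment
# holding only the ISP router. 203.0.113.10 is a constructed provider IP.
wan          = "em0"
lan          = "em1"
voip         = "vlan10"
sip_provider = "203.0.113.10"   # the one address calls come from
ata          = "10.0.10.2"      # the ISP VoIP router on the VoIP VLAN
rtp_ports    = "10000:20000"    # media range the device is configured for

set skip on lo0
set block-policy drop

# Default deny: anything not matched by a pass rule below is dropped
# and logged, which is also what makes probing visible in the logs.
block log all

# Outbound NAT for both internal segments.
nat on $wan from { $lan:network, $voip:network } to any -> ($wan)

# Inbound: only from the provider, only SIP signalling and the RTP
# range, only to the ATA. No "any/any" forward to the device.
rdr on $wan proto udp from $sip_provider to ($wan) port 5060 -> $ata
rdr on $wan proto udp from $sip_provider to ($wan) port $rtp_ports -> $ata
pass in on $wan proto udp from $sip_provider to $ata \
    port { 5060, $rtp_ports } keep state

# VoIP segment may reach the Internet but never the trusted LAN, so a
# compromised ATA is contained to its own VLAN.
block in log quick on $voip from $voip:network to $lan:network
pass in on $voip from $voip:network to any keep state

# Trusted LAN: outbound allowed; inbound from WAN only via the rules above.
pass in on $lan from $lan:network to any keep state
```

The `block in log quick on $voip` line is the part an unmanaged switch cannot give you: without a separate interface or VLAN the ATA and the LAN hosts share one broadcast domain and the firewall never sees traffic between them.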