I have some port Aliases:
465 SMTPS (Required)
49152:65535 IANA Ephemeral
As you can readily see, several ports are common to more than one Alias (80, 443, 5223, 50318, 59230 in this example).
Am I creating an issue for myself with an Alias-of-Aliases as below?
Protocols are not part of the Alias.
Is it insanely obsessive to subset AllowedPorts into AllowedPortsTCP, AllowedPortsUDP and AllowedPortsTCPUDP so that only the appropriate protocol is allowed in a Firewall Rule (it would take only a few milliseconds to split this way in a database, and it only needs three separate firewall rules)?
What are we making all these port aliases for? If you've got a single allow any to any rule on the subnet/network you have these devices on, everything will just work.
Are you doing this for inside machines or mobile devices to get traffic in from, or out to, the internet? If so, it's not necessary. If you've got internal SERVERS that need these ports, then you do need to set all this up.
So... what are you wanting to do?
A fair question.
My current ageing firewall is more or less the any-any approach you speak of.
For my new pfSense box, I want to implement egress filtering: allowing out the smallest set possible of ports & protocols that enable users to do legitimate stuff.
Some background reading on the topic:
You will also find some discussion in the pfSense book p164 et seq.
Ideally I would like to use the obsessive approach suggested in my question 2: it just needs a little database tool to generate the aliases as applications become allowed/disallowed.
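As an added example (not code from the thread or from pfSense), here is the kind of small tool the post above describes: it flattens per-application port definitions into the three protocol-split aliases from question 2 and reports the ports that several applications share. The application list is constructed sample data, and the alias names are the ones proposed in the question.

```python
from collections import defaultdict

# Constructed sample apps (not from the thread): name -> [(port or lo:hi range, protocol)]
APPS = {
    "Web": [("80", "tcp"), ("443", "tcp"), ("443", "udp")],  # HTTPS plus QUIC
    "Apple Push": [("5223", "tcp"), ("443", "tcp")],         # overlaps Web on 443
    "SMTPS": [("465", "tcp")],
    "DNS": [("53", "tcp"), ("53", "udp")],
    "IANA Ephemeral": [("49152:65535", "tcp"), ("49152:65535", "udp")],
}

def entries(apps):
    """Yield (app, port, proto) for every port an app needs; ranges use pfSense lo:hi."""
    for name, specs in apps.items():
        for spec, proto in specs:
            lo, _, hi = spec.partition(":")
            lo, hi = int(lo), int(hi or lo)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"invalid port spec {spec!r}")
            for port in range(lo, hi + 1):
                yield name, port, proto

def collapse(ports):
    """Port numbers -> alias entries, merging consecutive runs back into lo:hi."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in runs]

def split_aliases(apps):
    """Flatten every app into the three protocol-split aliases. A port any app needs on
    both protocols goes to TCPUDP, so each alias pairs with a rule of exactly one protocol."""
    protos = defaultdict(set)
    for _, port, proto in entries(apps):
        protos[port].add(proto)
    buckets = {"AllowedPortsTCP": [], "AllowedPortsUDP": [], "AllowedPortsTCPUDP": []}
    for port, ps in protos.items():
        key = "AllowedPorts" + ("TCPUDP" if len(ps) == 2 else next(iter(ps)).upper())
        buckets[key].append(port)
    return {name: collapse(ports) for name, ports in buckets.items()}

def shared_ports(apps):
    """Ports more than one app needs: the overlap the question points out."""
    owners = defaultdict(set)
    for name, port, _ in entries(apps):
        owners[port].add(name)
    return {p: sorted(n) for p, n in owners.items() if len(n) > 1}
```

Because the tool flattens to single-port level before regrouping, a port shared by several applications appears once in exactly one alias, which sidesteps the nested-alias question entirely.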
allowing out the smallest set possible of ports & protocols that enable users to do legitimate stuff.
What users? Is this a place of business or your home? What "users" are you wanting to limit? Are these strangers on your wifi? Or users with devices you control? Are they BYOD at your place of business/school/etc?
Thanks for your response.
I will answer your question(s), but first an observation: a domestic network or a MegaCorp network are both exposed to essentially the same risks.
*You might argue that MegaCorp has more to lose, but I would counter with: precisely because domestic users have less to lose, they don’t want to lose it. MegaCorp might shrug off a few lost millions …domestic users?
Does filtering egress solve all known problems? Certainly not! Once I allow even humble outgoing HTTP, the smart-UnGodly can attack. But since I CAN filter egress, it seems obvious to me that I should. My front-door will cede to a few dozen blows from a sledgehammer or (maybe) a very skilled lock pick — it still seems obvious to me that I should lock my front-door.
Is filtering egress possible without upsetting users? At MegaCorp, yes: they probably have an acceptable use policy, and users (by contract) must not get upset when they drift outside the policy.
And in a domestic network? Also yes: log all blocks and adjust the FW rules to pass whatever seems legitimate after discussion. After a brief settling-in period, all is resolved.*
The current discussion concerns a domestic (home) network with pfSense being a candidate to replace a UTM/USG “borrowed” from a corporate network: the (quite old) UTM/USG is simply too slow for my current domestic connection.
This pfSense box will handle 4 of my 7 domestic nets: IoT; Admin; Guest; and Private VLANs.
pfSense has no “LAN” & no any - any default pass rule (thank God).
any - any is beyond absurd for IoT!
any - any is equally absurd for Admin (FaceBook or WhatsApp on an Admin machine …haha). HTTPS, ICMP echo request, and SSH seem enough to start with, but this might expand a port or two, maybe for Christmas.
I want Guest brutally isolated: internet any (including external DNS); strictly nothing else. Guest machines are not my machines, and as long as they don’t hassle my machines they can do what they want to themselves (this might tighten a little over time if any bad stuff happens).
And that leaves Private: there are 9 computers (soon 10). I’m open to discussion with the users about opening access to anything that seems legitimate. I have a lot of historical FW logs in a db so I know the stuff my users have been doing in the past and will allow anything I deem reasonable to pass.
TL;DR: this is my network: users will live with my rules or seek my agreement to modifications of my rules …or use their phones as hotspots.
a domestic network or a MegaCorp network are both exposed to essentially the same risks.
No, not even close, sorry!!!
And they are managed completely differently, out of the gate. It also comes down to who controls the devices that connect to a corp network.
For starters, in a corp none of those ports you list would even be allowed out in the first place. And more than likely all, or 99.9%, of all access other than one-offs with tons of paperwork to allow would be forced out a proxy anyway.
I would be more than happy to debate corp vs domestic with you, but if you think it makes sense to spend time on such nonsense in a home setup, have fun! You're wasting your time! Your time should be directed at what exe the devices can execute before you worry about what ports they can talk outbound on, and where they can get such an exe in the first place.
Isolation of IoT, sure, agreed; trying to limit what it can do is kind of pointless. Pretty much anything it does is going to be over 80/443, that is a given anyway. Where it does that is going to be more of a concern than what port it needs. Name some IoT devices that need anything other than, say, ICMP or 80/443. I have plenty of IoT devices in my home; none of them talk on anything other than those ports. Well, they need DNS too, but that is only required locally.
I isolate all my IoT devices and log everything they do outbound; they never try to talk outbound on anything other than ICMP/80/443.