Not blocking the world
At what point does it make more sense for outbound traffic to have a default deny IP rule and permit GeoIP regions with reputation turned on vs having a bunch of things blocked? Is there a resource usage number I should be watching there? For example, under feeds it says not to select them all. I currently block most of the GeoIP top spammers and have a few lists of known bad guys (PRI1 mostly) but just want to make sure there isnt an easier way. I know my list isnt nearly the whole world but just like to hear what others think.
The default behavior of any router worth its salt is to block unsolicited incoming requests. Doesn't matter where from, it should block. So geoIP blocking really isn't worth messing with as it's already blocked unless it's return traffic that you are soliciting from behind the firewall. So there is a default block already. Exception to this is if you have something that requires open ports for external inbound connections that are not replies to internal requests. Example, I have OpenVPN configured so I have that port open. So I am using geoIP blocking except for the country I am using the VPN in, as I need to reach the the router and make a connection when I am on travel. It's TLS and there is a cert and user/password to get in, but it can't hurt to have the extra blocking enabled. Otherwise I wouldn't bother with geoIP blocking as it is redundant with what the firewall is already doing.
As for what can get out from inside, I do only allow certain ports for the apps that we have that connect to internet vendors (example, gaming apps like STEAM). I have those ports allowed, with an explicit block at the bottom.
I think it makes more sense, if you don't have ports open on the WAN side, to use an IDS like SNORT or SURACATA on the LAN interface, looking for connections to malicious actors and blocking them. On the WAN side, again, it's redundant with the firewall itself unless you have ports open.
@riften If we look at the default behavior of the pfSense firewall (block all on the WAN port and allow all on the LAN port) then look at pfBlockerNG (which is where this is posted and is all about blocking) this is what I am thinking about. An IDS is great but it is a compliment to and not a replacement of firewall rules. Thus on the external traffic I could deny all except North America, Europe, and wherever else minus top spammers instead of blocking a ton of regions/things in those regions but there has to be a tipping point at which it makes sense to do that. In my experience blocking outbound by default is going to create a bunch of management overhead as it will break a lot of things, but having many hundreds of thousands of IPs blocked will require a bigger box. I am trying to find "just works" safety with minimal false positives that can run on an SG-1100 for a home network.
NollipfSense last edited by
I am trying to find "just works" safety with minimal false positives that can run on an SG-1100 for a home network.
I can tell you it's a continual process for about six to nine months before getting to "just works." I am also learning that network administration for a home is a full time part-time job...good luck!
If there was an option for the auto IP rules to block first then allow (block/reject/pass/match) then the idea of default deny would be a lot more accessible. Currently the auto rules are all some variety of pass/match/block/reject. So if I want to block some top spammers then allow geo regions all in pfblocker followed by a pfsense default deny rule it isnt automatically possible. Maybe thats a feature @BBcan177 can add someday. Block outgoing by default, allow what is needed.