Netgate Discussion Forum

    Rules setup - new to firewall administration

    Firewalling
    13 Posts 4 Posters 1.1k Views
    ajtradtech

      I just got a SG-3100 up and running on my home network. In setting up the OPT5 firewall, I used the rules in the LAN interface.

      pfSense_Rules.png

      Security wise, would best practice be having more specific rules for things like POP3, IMAP, HTTPS, etc., or would these rules suffice?

      Thanks.

      SteveITS

        I would suggest writing out what kinds of traffic you want to allow (entering the router on OPT5) and then translating that to rules. Or, what kinds to block if you want to approach it from that direction.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        JKnott @SteveITS

          @teamits

          Bearing in mind there's a default deny all and rules are checked in order and executed on first match.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          ajtradtech

            Guess I'll start with the ports that are commonly open.

            Since mail needs to be retrieved/sent
            TCP port 110 (POP3)
            TCP port 143 (IMAP)
            TCP port 25 (SMTP)

            Web browsing
            TCP port 80 (HTTP)
            TCP port 443 (HTTPS)

            Download/upload of files
            TCP port 20 (FTP)

            Not sure if I'll need these
            TCP port 22 (SSH)
            UDP ports 67,68 (DHCP)
            TCP/UDP port 53 (DNS)

            Looking into what's needed for things like FB Messenger, and ports that Apple devices & services use.

            ajtradtech

              Not wishing to inadvertently take down my network, I set up another interface as DEV (OPT2) and created the rules for that interface. The default pass any rules were disabled as shown below.

              Screen Shot 2020-04-21 at 1.46.21 PM.png

              Good thing I set this up on another interface! I plugged into DEV and was unable to reach any websites. I couldn't get into my SG either. How badly did I set up the rules?

              Thanks.

                SteveITS

                The source port on outgoing traffic is typically randomized, to simplify things a bit. So the source port should be * like in the two disabled rules. The destination port is what you're connecting to, e.g. 80/443 for a remote web server.

                You might consider a rule allowing from source Dev Net:* to "this firewall (self)":443 so you can get to the pfSense.

                  ajtradtech @SteveITS

                  @teamits said in Rules setup - new to firewall administration:

                  The source port on outgoing traffic is typically randomized, to simplify things a bit. So the source port should be * like in the two disabled rules. The destination port is what you're connecting to, e.g. 80/443 for a remote web server.

                  You might consider a rule allowing from source Dev Net:* to "this firewall (self)":443 so you can get to the pfSense.

                  Ah, thank you for that info. I made the source ports * and tried the DEV interface again. Progress! I can get out to the web, access the SG, and resolve addresses when specifying random websites.

                  I then tried emailing myself from my phone to see if that would come through. Nope. I'm using Apple Mail so I suspect there are some other ports I need to specify. Looking that up and checking the logs as well.
                  Slowly but surely...

                  I'm seeing the value of having a lab network.

                    ajtradtech

                    Apple has a laundry list. Going to setup some aliases where possible.

                    https://support.apple.com/en-us/HT202944

                      Gertjan @ajtradtech

                      @ajtradtech said in Rules setup - new to firewall administration:

                      I'm using Apple Mail

                      Mail clients do not / should not use port 25. That one is exclusively reserved for inter mail server communication.

                      Port 110 TCP is for POP access: you retrieving mail from your "mail box" into your mail client.
                      Port 143 TCP: same thing, but using IMAP.
                      But ... these ports are probably still supported, but their usage will stream your mails over the net totally visible.
                      That's not done any more.
                      POP has an SSL successor: port 995 TCP. IMAP SSL uses 993 TCP.
                      The above 4 ports are all about retrieving mail.

                      To send mails, you should be using TCP 587, known as 'mail submission', which could be using SSL (a thing called STARTSSL). Even better, use port 465, which is SMTP over SSL.

                      This rule:
                      a22202c5-b6f3-4681-bbed-320cc2106215-image.png
                      is optional.

                      There is a last, hidden rule that blocks all traffic.
                      But there is also a first, hidden rule: the one that permits DHCP traffic ;)

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        ajtradtech @Gertjan

                        @Gertjan said in Rules setup - new to firewall administration:

                        @ajtradtech said in Rules setup - new to firewall administration:

                        I'm using Apple Mail

                        Mail clients do not / should not use port 25. That one is exclusively reserved for inter mail server communication.

                        Port 110 TCP is for POP access: you retrieving mail from your "mail box" into your mail client.
                        Port 143 TCP: same thing, but using IMAP.
                        But ... these ports are probably still supported, but their usage will stream your mails over the net totally visible.
                        That's not done any more.
                        POP has an SSL successor: port 995 TCP. IMAP SSL uses 993 TCP.
                        The above 4 ports are all about retrieving mail.

                        To send mails, you should be using TCP 587, known as 'mail submission', which could be using SSL (a thing called STARTSSL). Even better, use port 465, which is SMTP over SSL.

                        Thank you! I'll update my rules accordingly. Port 25 is out. TCP 587 is already included (it was on that long list from Apple), and I'll add TCP 993 and 995.

                        This rule:
                        a22202c5-b6f3-4681-bbed-320cc2106215-image.png
                        is optional.

                        There is a last, hidden rule that blocks all traffic.
                        But there is also a first, hidden rule: the one that permits DHCP traffic ;)

                        Noted. Btw- I'm communicating all of this over the DEV interface :)

                        Thanks for your help!

                          Gertjan @ajtradtech

                          @ajtradtech said in Rules setup - new to firewall administration:

                          Port 25 is out.

                          Your rule:

                          34170609-a9cb-4db8-8dcf-642c3368639f-image.png

                          You see the 0/0 in front of the rule? This means the rule isn't used; it didn't match any traffic.
                          If 0/0 stays 0/0 for a while, you know that that rule is not used at all. This means you can remove it. At first, deactivate it and leave the rule in place; eventually you can delete it.

                          After all, your mail client shouldn't even use port 25 for sending mail. That was something from before 2000 (the last century).

                          Except, if you have a local mail server ....

                            ajtradtech @Gertjan
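As an added illustration that is not part of this thread and not pfSense code, the following Python model puts together three points made above: SteveITS's note that a client's source port is random (so a rule with a fixed source port never matches), Gertjan's mail-port list plus the hidden DHCP-pass and default-deny rules, and the 0/0 counter that marks an unused rule. The rule labels, the port list and the hit counter are constructed for the example.

```python
# Constructed first-match model of a pfSense-style interface ruleset (not pfSense code).
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "*"
PortSpec = Union[str, int, Tuple[int, int]]   # "*", a single port, or an inclusive (lo, hi) range

@dataclass
class Rule:
    action: str         # "pass" or "block"
    proto: str          # "tcp", "udp" or ANY
    src_port: PortSpec
    dst_port: PortSpec
    label: str
    enabled: bool = True
    hits: int = 0       # how often this rule matched; stays 0 like the "0/0" column of an unused rule

def port_match(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port

def evaluate(rules: List[Rule], proto: str, src_port: int, dst_port: int) -> Tuple[str, str]:
    """Return (action, label) of the first enabled rule that matches; rules are checked in order."""
    # Hidden first rule, as described in the thread: DHCP from a client is always allowed.
    if proto == "udp" and src_port == 68 and dst_port == 67:
        return ("pass", "hidden DHCP pass")
    for rule in rules:
        if not rule.enabled or (rule.proto != ANY and rule.proto != proto):
            continue
        if port_match(rule.src_port, src_port) and port_match(rule.dst_port, dst_port):
            rule.hits += 1
            return (rule.action, rule.label)
    # Hidden last rule: nothing matched, so the packet is dropped.
    return ("block", "hidden default deny")

def client_rules(fixed_src_port: bool) -> List[Rule]:
    """Outbound rules after Gertjan's advice (no 25/110/143). fixed_src_port=True repeats the DEV
    interface mistake (source port = service port); False uses '*' as SteveITS suggested."""
    rules = []
    for port, label in [(443, "HTTPS"), (993, "IMAPS"), (995, "POP3S"), (587, "submission"), (465, "SMTPS")]:
        rules.append(Rule("pass", "tcp", port if fixed_src_port else ANY, port, label))
    return rules

def unused(rules: List[Rule]) -> List[str]:
    """Labels of enabled rules that never matched: candidates to disable first, then delete."""
    return [r.label for r in rules if r.enabled and r.hits == 0]
```

A browser connecting from an ephemeral port such as 51234 to 443 falls through to the hidden default deny with the fixed-source-port rules and matches the HTTPS rule once the source port is `*`.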

                            @Gertjan said in Rules setup - new to firewall administration:

                            @ajtradtech said in Rules setup - new to firewall administration:

                            Port 25 is out.

                            Your rule:

                            34170609-a9cb-4db8-8dcf-642c3368639f-image.png

                            You see the 0/0 in front of the rule? This means the rule isn't used; it didn't match any traffic.
                            If 0/0 stays 0/0 for a while, you know that that rule is not used at all. This means you can remove it. At first, deactivate it and leave the rule in place; eventually you can delete it.

                            After all, your mail client shouldn't even use port 25 for sending mail. That was something from before 2000 (the last century).

                            Except, if you have a local mail server ....

                            Noted.

                            Currently making good use of the Copy function to get the rules implemented on OPT5...

                            Thanks.

                              ajtradtech

                              Update:
                              Rules from my DEV interface copied to PROD (formerly OPT5) interface. Added rules for FB Messenger to function. Disabled the default Pass any rules at the bottom.

                              Email - check
                              Push notifications - check
                              Address book sync - check
                              Calendar sync - check
                              Apple TV - check
                              FB Messenger - check!

                              There is a slight pause before a YouTube video plays, but I guess that's to be expected with all of the rules to go through along with the port ranges specified on the list from Apple. I have the more specific rules at the top with more general rules with port ranges at the bottom.

                              Going forward, I'll keep an eye on the rules that don't get touched and disable them.

                              Thanks to everyone for their input.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.