Which Port Numbers to open from LAN to WAN?

UltraLinuz

My local network has three zones DMZ, LAN,WIFI

The network from and to the DMZ is very much restricted to the services that are required by the server in that area
The WIFI can only go to the WAN port but can do more or less whatever god has forbidden
The LAN consist of several local servers that can only connect to the outside world for the services needed, but there are several PC's in the LAN that want to be able to access the internet for webbrowsing etc.

In principle I do not want to allow any traffic from these PC's to the internet, but it looks like that I've somehow set the ports that allow communication to the outside world to strict. Could somebody give me advice which ports to really open or what a good strategy is? a link to a proper article is of course also highly appriciated.

« edit by Gruensfroeschli for readibility »

jigpe

You need 80,443,53 for HTTP

jigp
pfSense 1.2.x Davao City

Cry Havok

The ports you need to open depends on what you mean by "etc" ;)

I'd suggest you start by leaving it fully locked down and install Squid to control the web browsing.  Then identify the "etc" part and open ports accordingly.

jigpe

Havoc: I have 80,443,53 and ftp. 4 ports. Why is it that i could do VPN+RemoteDesktop and ETC Virtually.. Any idea how to get rid of this? Thanks

jigp
Davao City pfsense 1.2.2

Cry Havok

What kind of VPN - OpenVPN, IPsec or PPTP?  Remember that rules apply separately to each interface, that IPsec and PPTP are separate logical interfaces and needs their own rules and that the OpenVPN interface can't be filtered in 1.2.2.

jigpe

"What kind of VPN - OpenVPN, IPsec or PPTP?  Remember that rules apply separately to each interface, that IPsec and PPTP are separate logical interfaces and needs their own rules and that the OpenVPN interface can't be filtered in 1.2.2."

Does it work on 1.2.3RC2? 2.0 is tempting but im still exploring it there..Also Havok, Im not sure with the ports to open though…443,80,53 is okay right?

jigp
Davao City

Cry Havok

I'm not sure about 1.2.3 onwards - you'll have to try searching the forum for the latest information.

Those ports are "ok" if those are the only ports you require.  Only you can know the answer to that.

jigpe

Thank you Havok :)

Good morning :)

jigp
1.2.x