Basic firewall questions

  • I have some really basic questions I was hoping someone could answer:

    1. In pfSense, are all inbound ports closed by default in the firewall until I open them? What about outbound ports? For example, how can I access the web? Wouldn't that use outbound port 80? But I don't see an outbound port 80 open.

    2. If I enable inbound port 443 for https, is that MORE secure than enabling port 80 for http? Or is opening a port, opening a port plain and simple?

    Thanks :)

  • Rebel Alliance Developer Netgate

    The default WAN rules block everything incoming. There is a rule on LAN that allows traffic out by default, but you can remove this or alter it to your liking.

    443 would be more secure as long as you're actually using HTTPS on that port and not just HTTP. In that case, the connection will be encrypted, and thus more secure. Opening a port is risky either way, but 443 is much less of a risk than 80, especially if you have a real signed cert instead of a self-signed cert.
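An added illustration (not pfSense's or Netgate's code) of the two defaults described in this reply and asked about in the first post: a toy stateful packet filter in which WAN blocks all unsolicited inbound traffic, LAN has a default allow-out rule, and reply packets are admitted because they match an existing state rather than because an inbound port was opened. Addresses and ports are constructed; NAT is omitted for simplicity.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrives on: "wan" or "lan"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # True for a new TCP connection attempt


class StatefulFilter:
    """Minimal model of pf's behaviour: first matching rule wins, implicit
    deny if nothing matches, and passed connections create state so that
    their replies are accepted without any inbound rule."""

    def __init__(self, rules):
        self.rules = rules          # list of (iface, action, dport or None)
        self.states = set()         # (src, sport, dst, dport) of passed flows

    def _match(self, pkt):
        for iface, action, dport in self.rules:
            if iface == pkt.iface and (dport is None or dport == pkt.dport):
                return action
        return "block"              # pfSense's implicit default deny

    def filter(self, pkt):
        # Reply for a flow we already passed: matches the state table.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass"
        action = self._match(pkt)
        if action == "pass" and pkt.syn:
            self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Defaults as described above: no WAN rules at all, LAN allows everything out.
DEFAULT_RULES = [("lan", "pass", None)]


def demo():
    fw = StatefulFilter(DEFAULT_RULES)
    r = {}
    # LAN host browsing the web: outbound to port 80 passes via the LAN rule.
    r["lan_out_80"] = fw.filter(Packet("lan", "192.0.2.10", 51000, "203.0.113.5", 80, syn=True))
    # The server's reply arrives on WAN: no WAN rule exists, but it matches state.
    r["wan_reply"] = fw.filter(Packet("wan", "203.0.113.5", 80, "192.0.2.10", 51000))
    # Unsolicited inbound connection to 443 on WAN: blocked by default.
    r["wan_in_443"] = fw.filter(Packet("wan", "198.51.100.7", 40000, "192.0.2.10", 443, syn=True))
    # Same packet once a WAN rule opening 443 has been added.
    fw2 = StatefulFilter([("wan", "pass", 443)] + DEFAULT_RULES)
    r["wan_in_443_opened"] = fw2.filter(Packet("wan", "198.51.100.7", 40000, "192.0.2.10", 443, syn=True))
    return r
```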

  • How is a real signed cert more secure than a self-signed cert? I was under the impression that both were using the same bit encryption / technology / connection; the only difference was that one was approved by an authority and the other was not… So that random people would know if the server they were connecting to was endorsed by this authority, thus more peace of mind when connecting to it.

    But if I'm connecting to my own server, I know it's trustworthy (because it's mine!) and thus my self-signed certificate is creating a secure connection just as good as one that I pay for from an authority??

    Or it doesn't work this way at all :(

  • Rebel Alliance Developer Netgate

    It's less secure because you are always prompted and given a certificate error, because its trust chain can't be verified.

    It's easier for someone to replace that with their own cert and go unnoticed because people get complacent about cert errors in that case.

    The actual encryption is still good, but it's the endpoint verification part that gets cloudy.

  • Where would be the cheapest place to get a certificate that would just get rid of that annoying nag screen and provide some sense of security?

  • I got mine from GoDaddy for under $30 a year and a second one for under $15 a year (3 year minimum purchase). Shop around and I think you will find several providers in that same range.


  • HTTPS certificates, for authentication, are only a protection for the client connecting to your server. It's their way of knowing that it really is the server they think it is. Always assuming that the client actually checks the certificate, as the onus is on them.

    From a server perspective, all you do is offer the certificate, and leave it to the client to decide if they want to continue connecting, or not.

