[ER] loadable "typical" firewall rule sets
-
Since I'm just in the middle of setting up this new pfSense box, I'm reminded how tedious it is to set up a firewall rule set from scratch.
Given that the old "just NAT it, and you'll be reasonably safe" strategy certainly won't hold water or be applicable once IPv6 hits, I wonder if it wouldn't be a good way of helping the pfSense popularity, if there were loadable rule sets that cover "typical" use cases, e.g. load rules that open up the system for standard web/email/IM/SIP/ssh use.
It would be nice if one could get the basics going with a bit less error potential than having to do all of it from a blank slate, which really pretty much requires someone with a sysadmin-like background to do the job.
-
Oh, this sounds reasonable. You mean like the anti-blockout rule?
But I don't think we want to open ssh and web on any port by default, because this opens up setup vulnerabilities. Hm - after rereading I believe you mean an inactive ruleset?
This would be useful to ease those prelife tasks and won't hurt anything.
-
Oh, yeah, totally nothing that's active by default.
I'm thinking of either of two things:
a) rules that can be instantiated "wizard-like" by simply specifying the name of one or more services, e.g. I could select "internet telephony", "web browsing" and "e-mail",
or
b) there are typical usage scenarios that one can load by name such as "home network", or "coffee shop with private and public guest LAN", "VPN pass-through" etc.
Solution a) is probably simpler and leads to less controversial solutions, but yes, certainly nothing that's activated by default, just something that makes things easier to set up for people who don't know all the ports and protocols involved with particular services, or who are confused by source and destination ports, or simply want to save some time. After all, certain services are so universal that just about everyone needs them, but as it stands, everyone has to set them up from scratch as if they were some custom client/server app that nobody else would ever have on their network, and the more manual setup is involved, the easier it is to create subtle errors which then take hours to track down or result in vulnerabilities that people are unaware of.
-
Another thing that could make things a bit easier when setting up rules:
allow specifying lists of ports, rather than just single ports or port ranges.
e.g. web access could be a list of 80, 443; a range of 80-443 would obviously be wrong, and setting up two rules is twice the work (and twice as error-prone) as setting up one rule with two ports. It would also make it easier to keep the overview, since there's a fair number of protocols or applications that require lists of ports, which currently results in a slew of individual rules even for relatively simple things.
-
There's an open ticket in redmine for adding more wizards eventually, feel free to add to it. Though that would be a great thing for people in the community to contribute.
It's extremely difficult to suggest rules for even common scenarios since people will always want to do different things, one person's idea of what a web server does may be different from the next guy's, and mail servers can have all kinds of different services that others do not (Perhaps it's exposing only submission+imap/s, or perhaps it's showing smtp, submission, pop3, pop3s, imap, imaps, webmail, etc…)
As for lists of ports, that's what port aliases are for.
-
As for lists of ports, that's what port aliases are for.
Thanks for rubbing my nose in what should have been obvious. For some reason, in my mind, aliases were only for hosts and networks, totally missed the ports part. That will indeed make things a lot simpler already!
Major "Homer moment": D'oh!
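To make the port-alias point from the thread concrete, here is an added example in plain pf.conf syntax (the rule language pfSense generates from its GUI); it is not from the thread, not pfSense's own generated output, and the interface name, macro names and rule shape are assumptions. It contrasts the two-rules-per-service approach, the wrong range, and a single rule with a port list, which is what a pfSense port alias expands to:

```pf
# Added example, not from the thread or from pfSense itself.
# Interface name and macro names are assumptions for illustration.
ext_if = "em0"

# One rule per port: twice the typing and twice the chance of a slip,
# e.g. putting 443 on the source side of the second rule by accident.
pass out on $ext_if proto tcp from ($ext_if) to any port 80  flags S/SA keep state
pass out on $ext_if proto tcp from ($ext_if) to any port 443 flags S/SA keep state

# A range is NOT the same thing: 80:443 also opens every port in 81..442.
# pass out on $ext_if proto tcp from ($ext_if) to any port 80:443

# A port list (the pf form of a pfSense port alias): one rule, exact ports,
# and the service's ports live in one place where they are easy to review.
web_ports  = "{ 80 443 }"
mail_ports = "{ 25 587 143 993 110 995 }"   # smtp submission imap imaps pop3 pop3s
sip_ports  = "{ 5060 5061 }"                # SIP signalling only, see note below

pass out on $ext_if proto tcp         from ($ext_if) to any port $web_ports  flags S/SA keep state
pass out on $ext_if proto tcp         from ($ext_if) to any port $mail_ports flags S/SA keep state
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port $sip_ports  keep state
```

Note the SIP entry: it covers only the signalling ports. The RTP media streams use ports negotiated per call, so a "SIP" alias alone will not make a softphone work through a restrictive ruleset; that is exactly the kind of detail the thread says a per-service preset would have to document rather than hide.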