Egress filtering best practices



  • I've been using pfSense since about 2006 (I think), initially as a result of deploying it as a solution at the company I was working for.  Since then I've been using it at home, and have built it up, torn it down, and tried several different configurations.  It's like the best bad habit I have…  In any event, during my time using it at home, the one area I've always had trouble understanding, or knowing when "enough is enough", is egress (outbound) filtering from my LAN.  In other words, what's my baseline for setting up outbound rules where I can step back and feel confident that I'm allowing the traffic out, without allowing too much (or too little, for that matter)?  What I'm looking for is some guidance on "best practices" for opening up outbound traffic from within my network, without having to pick apart every single event / request that leaves my network, or even travels between my networks.  I've followed some information I read in the pfSense guide (such as allowing MSRPC on the LAN only), but again, if you remove the default allow-all rule and then open it up protocol by protocol, I feel like I'm bound to always be missing something.


  • Rebel Alliance Developer Netgate

    That is impossible to answer without picking apart your network requests. Each LAN is different. Different clients, different servers, different software, different requirements.

    Some can be happy with only allowing tcp/udp 53 and tcp/80 and tcp/443. Others need much more. It really depends on your network and what you really need to let out.



  • In my environment I created two rules and two aliases.
    One alias is named "TCP_Ports" and the other "UDP_Ports".
    One firewall rule covers UDP traffic with "UDP_Ports" as its destination ports; I did the same for TCP.

    Then it is easy to just add the ports you need, with a helpful description, to the alias.
    So starting with the basics like DNS, HTTP and HTTPS will be good, and later probably adding some ports needed for e-mail and so on.
    That way you probably never open too many ports.

    And if you feel you have opened too much, just have a look at your aliases, check your descriptions, and decide whether that service/port is still present on your network and whether you still need it.
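    The missing half of the alias approach above is how to find out which ports the allowlist is still lacking without reading every packet by hand. The script below is an added example for this thread (not code from pfSense, Netgate or any poster): it reads pfSense filter log lines, keeps only traffic from the LAN subnet that the LAN ruleset blocked, and groups it by protocol and destination port so you can decide what to add to TCP_Ports or UDP_Ports. It assumes the pfSense 2.2+ filterlog CSV layout for IPv4 (IPv6 entries use a different field order and are skipped), and the interface name em1, the subnet 192.168.1.0/24, the alias contents and every log line are constructed for the example. One caveat it encodes: pfSense applies LAN-tab rules to packets entering the LAN interface, so an egress block is logged with direction "in" on the LAN interface, not "out".

```python
"""Summarize the outbound flows a pfSense egress allowlist blocked.

Added example for this thread, not code from pfSense or from any poster.
Assumptions: pfSense 2.2+ filterlog CSV layout for IPv4 (IPv6 lines are
skipped); interface name, LAN subnet, aliases and log lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed aliases in the spirit of the post above (one per protocol).
TCP_PORTS = {53, 80, 443}
UDP_PORTS = {53, 123}

# Constructed syslog lines with filterlog payloads (not from a real firewall).
# LAN-tab rules are applied to packets ENTERING the LAN interface, so egress
# blocks log as direction "in" on em1. Line 5 is a pass, line 6 is WAN inbound.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw filterlog[8021]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,5150,0,DF,6,tcp,60,192.168.1.20,203.0.113.10,51234,8443,0,S,1,,65535,,mss
Mar  3 10:01:03 fw filterlog[8021]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,5151,0,DF,6,tcp,60,192.168.1.21,203.0.113.10,51235,8443,0,S,2,,65535,,mss
Mar  3 10:01:04 fw filterlog[8021]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,5152,0,none,17,udp,76,192.168.1.20,198.51.100.5,50000,123,56
Mar  3 10:01:05 fw filterlog[8021]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,5153,0,DF,6,tcp,60,192.168.1.30,203.0.113.99,51236,25,0,S,3,,65535,,mss
Mar  3 10:01:06 fw filterlog[8021]: 7,,,1000000105,em1,match,pass,in,4,0x0,,64,5154,0,DF,6,tcp,60,192.168.1.20,203.0.113.10,51237,443,0,S,4,,65535,,mss
Mar  3 10:01:07 fw filterlog[8021]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,5155,0,DF,6,tcp,60,198.51.100.77,192.0.2.1,44444,22,0,S,5,,65535,,mss
Mar  3 10:01:08 fw filterlog[8021]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,5156,0,none,1,icmp,84,192.168.1.20,203.0.113.5,request,1234,1
"""


def parse_filterlog(line):
    """Parse one IPv4 filterlog entry into a dict; None if it is not one.

    Field order (pfSense 2.2+): rule,subrule,anchor,tracker,iface,reason,
    action,dir,ipver, then IPv4: tos,ecn,ttl,id,offset,flags,proto-id,
    proto-text,length,src,dst, then for tcp/udp: sport,dport,...
    """
    payload = line.split("]: ", 1)[-1]          # drop the syslog prefix if present
    f = payload.split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
           "dir": f[7], "proto": f[16].lower(), "src": f[18], "dst": f[19],
           "sport": None, "dport": None}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec                                   # icmp etc. keep dport=None


def blocked_egress(lines, lan_iface, lan_net):
    """Keep blocked packets that entered the LAN interface from the LAN subnet."""
    net = ipaddress.ip_network(lan_net)
    kept = []
    for line in lines:
        r = parse_filterlog(line)
        if r is None or r["action"] != "block" or r["dir"] != "in":
            continue
        if r["iface"] != lan_iface or ipaddress.ip_address(r["src"]) not in net:
            continue
        kept.append(r)
    return kept


def summarize(records, tcp_ports, udp_ports):
    """Group by (proto, dport); rows sorted by hits, flagged if already in an alias."""
    hits, sources, dests = defaultdict(int), defaultdict(set), defaultdict(set)
    for r in records:
        key = (r["proto"], r["dport"])
        hits[key] += 1
        sources[key].add(r["src"])
        dests[key].add(r["dst"])
    rows = []
    for (proto, port), n in hits.items():
        alias = tcp_ports if proto == "tcp" else udp_ports if proto == "udp" else set()
        rows.append({"proto": proto, "dport": port, "hits": n,
                     "sources": len(sources[(proto, port)]),
                     "dests": len(dests[(proto, port)]),
                     "already_allowed": port in alias})
    rows.sort(key=lambda x: (-x["hits"], x["proto"], x["dport"] or 0))
    return rows


def analyze(log_text, lan_iface, lan_net, tcp_ports, udp_ports):
    """Whole pipeline over raw syslog text."""
    return summarize(blocked_egress(log_text.splitlines(), lan_iface, lan_net),
                     tcp_ports, udp_ports)


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG, "em1", "192.168.1.0/24", TCP_PORTS, UDP_PORTS):
        note = "already in alias: check rule order" if row["already_allowed"] else "candidate"
        print(f'{row["proto"]:4} {str(row["dport"]):5} hits={row["hits"]} '
              f'srcs={row["sources"]} dsts={row["dests"]}  {note}')
```

    Reading the output: a port hit by many sources across few destinations (here tcp/8443 from two hosts to one server) is usually a shared service worth an alias entry; a single host hitting one port (tcp/25 from .30) deserves a look at that host before it is allowed. A row marked as already in the alias (udp/123 here) means the block did not come from the alias pass rule: either another rule sits above it, the pass rule carries a source or destination restriction, or the alias change was never applied. For this to work at all the final block rule must have logging enabled, which pfSense's built-in default deny does but a block-all rule you add yourself does not unless you tick "Log".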



  • Thanks for the replies / guidance on this.  I think it was ultimately a matter of questioning myself on a better way of doing it, although I suppose there is some pride to be taken in a well-defined ruleset.  ;)