Netgate Discussion Forum

    Firewalling for dummies (PFBlocker and Snort on WAN)

    kevin067

      For the most part I see pfBlockerNG and Snort as useful when you are NATing or have open ports, such as when you're running a webserver or mailserver and have to have open ports. But for the most part the WAN will block everything by default as long as it is unsolicited traffic. And if you really wanted to, you can limit these open ports to specific source IPs. So if I don't have wide open ports, do I even really need to worry about unsolicited incoming traffic on WAN?

      But let's say you end up with some malware on your computer and it initiates outgoing traffic to one of these blocked countries or (Snort-blocked) IPs. If you don't "also" pfBlock on LAN, as far as I see pfSense will then bypass all your WAN blocking rules. And it will fly through no problem. Nor can you even see any firewall logging of this if the outgoing rules didn't have logging.

      So if I don't have any open ports on WAN (or at least I have limited them to certain IPs), does it even really matter to run pfBlocker or Snort on the WAN interface? It seems to me it is much more important to put your efforts into the LAN outgoing side. Because once something gets through on outgoing you can't stop it anyway on the WAN side.

      Which raises the question, suppose I do want to block even (unintended) solicited traffic on the WAN side how do you do it?

      And on Snort I am not sure if it makes sense for it to monitor the LAN interface.

      And does Snort also get bypassed when solicited traffic is initiated by the LAN? I think I heard it is different and monitors in the floating rules and is the very first in the chain. I see it alerting on even blocked IPs so it must be before all the other rules.

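An added example, not part of the post above, that models in Python the behaviour the post describes: rules are evaluated on the interface a packet enters, a pass match creates a state, and replies matching a state skip the rules, so a list applied only on WAN never sees a LAN-initiated connection. The addresses and the documentation-range network standing in for a pfBlockerNG list are constructed sample values.

```python
# Constructed model of pfSense-style per-interface, stateful rule evaluation.
# BLOCKED_NET stands in for a pfBlockerNG country/IP list (sample values).
import ipaddress

BLOCKED_NET = "203.0.113.0/24"
LAN_HOST, LISTED_IP = "192.168.1.10", "203.0.113.5"


class Rule:
    def __init__(self, iface, action, src="any", dst="any"):
        self.iface, self.action, self.src, self.dst = iface, action, src, dst

    @staticmethod
    def _in(addr, spec):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

    def matches(self, iface, src, dst):
        return self.iface == iface and self._in(src, self.src) and self._in(dst, self.dst)


class Firewall:
    """Rules are checked on the interface where a packet enters the box;
    a pass match creates a state, and replies matching a state skip the rules."""

    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def packet(self, iface, src, dst):
        if (dst, src) in self.states:          # reply to an allowed connection
            return "pass (state)"
        for r in self.rules:                   # first match wins
            if r.matches(iface, src, dst):
                if r.action == "pass":
                    self.states.add((src, dst))
                return r.action
        return "block (default deny)"


def scenario(block_on_lan):
    """Return (verdict for LAN host -> listed IP, verdict for the reply on WAN)."""
    rules = [Rule("wan", "block", src=BLOCKED_NET)]          # the WAN-side list
    if block_on_lan:
        rules.append(Rule("lan", "block", dst=BLOCKED_NET))  # same list, outbound
    rules.append(Rule("lan", "pass"))                        # default LAN allow-all
    fw = Firewall(rules)
    out = fw.packet("lan", LAN_HOST, LISTED_IP)   # enters on LAN; WAN rules unused
    back = fw.packet("wan", LISTED_IP, LAN_HOST)  # reply enters on WAN
    return out, back
```

With the list on WAN only, `scenario(False)` returns `('pass', 'pass (state)')`; with the same list also applied outbound on LAN, `scenario(True)` returns `('block', 'block')`.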
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.