Firewalling for dummies (PFBlocker and Snort on WAN)
For the most part I see pfBlockerNG and Snort as useful when you are NATing or have open ports, such as when you're running a web server or mail server and have to have open ports. But for the most part the WAN will block everything by default as long as it is unsolicited traffic. And if you really wanted to, you can limit these open ports to specific source IPs. So if I don't have wide-open ports, do I even really need to worry about unsolicited incoming traffic on WAN?
But let's say you end up with some malware on your computer and it initiates outgoing traffic to one of these blocked countries or (Snort-blocked) IPs. If you don't "also" pfBlock on LAN, as far as I see pfSense will then bypass all your WAN blocking rules, and it will fly through no problem. Nor can you even see any firewall logging of this if the outgoing rules didn't have logging.
So if I don't have any open ports on WAN (or at least I have limited them to certain IPs), does it even really matter to run pfBlocker or Snort on the WAN interface? It seems to me it is much more important to put your efforts into the LAN outgoing side, because once something gets through on outgoing you can't stop it anyway on the WAN side.
Which raises the question: suppose I do want to block even (unintended) solicited traffic on the WAN side, how do you do it?
And on Snort I am not sure if it makes sense for it to monitor the LAN interface.
And does Snort also get bypassed when solicited traffic is initiated by the LAN? I think I heard it is different and monitors in the floating rules and is the very first in the chain. I see it alerting on even blocked IPs, so it must be before all the other rules.
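
The stateful behaviour this post reasons about, as an added example that is not part of the original post: a simplified Python model (not pfSense code) of a filter that checks rules on the interface where a packet enters and lets packets matching an existing state skip them. The `Firewall` class, `scenario` function and all addresses are constructed for illustration; NAT and ports are left out, and the LAN is assumed to be otherwise allowed out.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real indicators).
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]  # stands in for a block list
LAN_HOST = "192.168.1.50"
LISTED_HOST = "203.0.113.7"

def listed(ip):
    return any(ipaddress.ip_address(ip) in net for net in BLOCKLIST)

class Firewall:
    """Toy stateful filter. Rules are checked on the interface where a packet
    enters; a packet that matches an existing state skips the rules.
    Assumptions: no NAT, no ports, LAN otherwise allowed out, WAN default deny."""

    def __init__(self, block_on_wan, block_on_lan):
        self.block_on_wan = block_on_wan
        self.block_on_lan = block_on_lan
        self.states = set()  # (lan_ip, remote_ip) pairs opened from the LAN
        self.log = []        # (interface, src, dst) for every block-list hit

    def from_wan(self, src, dst):
        if (dst, src) in self.states:
            return "pass (state)"          # reply to LAN-initiated traffic
        if self.block_on_wan and listed(src):
            self.log.append(("WAN", src, dst))
            return "block (list)"
        return "block (default deny)"

    def from_lan(self, src, dst):
        if self.block_on_lan and listed(dst):
            self.log.append(("LAN", src, dst))
            return "block (list)"
        self.states.add((src, dst))        # outbound pass creates the state
        return "pass"

def scenario(block_on_wan, block_on_lan):
    """Unsolicited inbound, then LAN-initiated outbound, then the remote's reply."""
    fw = Firewall(block_on_wan, block_on_lan)
    unsolicited = fw.from_wan(LISTED_HOST, LAN_HOST)
    outbound = fw.from_lan(LAN_HOST, LISTED_HOST)
    reply = fw.from_wan(LISTED_HOST, LAN_HOST)
    return unsolicited, outbound, reply, fw.log

if __name__ == "__main__":
    for wan, lan in [(True, False), (True, True)]:
        print(f"list on WAN={wan}, LAN={lan}:", scenario(wan, lan))
```

With the list only on WAN, the outbound connection and its reply pass and the only log entry is the unsolicited inbound hit; with the list also on LAN, the outbound attempt is blocked and logged on the LAN interface.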