Netgate Discussion Forum
    Rules for public Net

    Firewalling
    13 Posts 8 Posters 1.4k Views
      Jamerson

      Hi Guys,
      I am configuring an open free wifi.
      I have the following rules configured:
      WAN block all incoming
      LAN "Allow Port 80,443,53,995,993", anything else will be blocked
      Am I set, or do I need to do some more firewalling?

        Derelict LAYER 8 Netgate

        Why limit your users in such a manner?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          muswellhillbilly

          Free wifi with just web-browsing, DNS and secure mail enabled? Oh well, you get what you pay for.  ;)

            Derelict LAYER 8 Netgate

            I still don't get it but they're your customers.

            Note that you can do secure POP3/IMAP on 110/143 using STARTTLS.

            You probably want to allow 587 for SMTP submit.


              2chemlud

              Eehm, why not 465 for SMTP with SSL/TLS, as you allow 993 for IMAP with SSL/TLS?

                Jamerson

                POP and SMTP and POP SSL and SMTP SSL ports are added.
                Any more suggestions, please?
                It's a free wifi and I don't want people to be downloading stuff; I already blocked the download.
                Once Squid is fixed on 2.2 I will apply it too.

                  hda

                  @Jamerson:

                  …
                  It's a free wifi and I don't want people to be downloading stuff; I already blocked the download.
                  ...

                  What downloading are you thinking of here? POP3?

                    Nullity

                    Port 465 (SMTP/S). Some family member needed this enabled on my network for email. It may have been an iOS device, but I am not sure.

                    Maybe port 123 for time-sync/NTP?

                    Please correct any obvious misinformation in my posts.
                    -Not a professional; an arrogant ignoramus.

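                    The egress allowlist the thread converges on (80/443, DNS, 587/465 for SMTP, 110/143 with STARTTLS, 995/993, and NTP on 123), written out as a constructed pf.conf fragment. This is an added example, not from the thread and not a pfSense GUI export; the interface names and the guest subnet are assumptions.

```conf
# Constructed pf.conf fragment (added example; not generated by pfSense).
# Interface names and guest subnet are assumptions.
wan_if    = "em0"
lan_if    = "em1"
guest_net = "192.168.50.0/24"

# TCP: web (80/443), SMTP submission (587) and SMTPS (465),
# POP3/IMAP with STARTTLS (110/143) and over TLS (995/993), DNS over TCP (53).
# Note: a port allowlist cannot see inside 80/443, so HTTP(S) downloads still pass.
guest_tcp = "{ 80, 443, 587, 465, 110, 143, 995, 993, 53 }"
# UDP: DNS (53) and NTP (123)
guest_udp = "{ 53, 123 }"

set skip on lo0

# Translation rules must precede filter rules in pf.conf
nat on $wan_if from $guest_net to any -> ($wan_if)

# Default deny, logged, so anything not listed below shows up in the firewall log
block log all

# WAN: nothing unsolicited comes in
block in quick on $wan_if

# Guest LAN: only the listed destination ports, to any destination host.
# No source port is constrained: clients use random ephemeral ports.
pass in quick on $lan_if proto tcp from $guest_net to any port $guest_tcp flags S/SA keep state
pass in quick on $lan_if proto udp from $guest_net to any port $guest_udp keep state

# The firewall's own traffic leaves on WAN; forwarded guest flows already
# match the floating states created by the LAN rules above.
pass out quick on $wan_if keep state
```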
                      Jamerson

                      @hda:

                      @Jamerson:

                      …
                      It's a free wifi and I don't want people to be downloading stuff; I already blocked the download.
                      ...

                      What downloading are you thinking of here? POP3?

                      I meant blocking the download (.exe, .rar, …..).
                      People will just browse and not download.
                      I don't want people to be downloading movies or stuff and slowing down the network.

                        kejianshi

                        Hmmmm.  I'd try to do some bandwidth limiting to keep people under control rather than break the internet for them.

                          Nullity

                          I would look at implementing a comprehensive QoS/traffic-shaping configuration as well.


                            Harvy66

                            If they're using encryption, you can't tell what they're doing. All you can see is what port they're using.

                              muswellhillbilly

                              @Jamerson:

                              I meant blocking the download (.exe, .rar, …..).
                              People will just browse and not download.
                              I don't want people to be downloading movies or stuff and slowing down the network.

                              Sorry to say, if you allow ports 80 and 443 then your users will still be able to download EXEs, MOVs… pretty much anything that can be pulled down via http/https. If you want to prevent specific filetypes from being downloaded you should use a web proxy. Dansguardian and Squid are included in the package lists, so you can install these and set them to disallow specific filetypes, such as movies, without preventing normal web browsing.

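                              The file-type filtering the reply above recommends, as a constructed squid.conf fragment. This is an added example, not from the thread and not the config the pfSense Squid package generates; the guest subnet and proxy port are assumptions. It also shows why such a filter only reaches plain HTTP, which is the point Harvy66 makes about encrypted traffic.

```conf
# Constructed squid.conf fragment (added example; not the pfSense squid
# package's generated config). Guest subnet and proxy port are assumptions.
acl localnet src 192.168.50.0/24

# Requests whose URL path ends in an installer, archive or video extension
acl blocked_ext urlpath_regex -i \.(exe|msi|rar|zip|7z|iso|mov|mp4|avi|mkv)$

# Responses that carry a video Content-Type regardless of the URL
# (catches download links that have no file extension at all)
acl video_reply rep_mime_type -i ^video/

# Transparent interception of plain HTTP redirected from the firewall.
# HTTPS only reaches the proxy as "CONNECT host:443": the URL path and the
# Content-Type are inside the TLS session, so neither ACL above can match an
# https:// download unless SSL bumping is set up, which this fragment does not do.
http_port 3128 intercept

http_access deny blocked_ext
http_access allow localnet
http_access deny all

http_reply_access deny video_reply
http_reply_access allow all

# Optional ceiling on response size for guests, to limit large downloads
reply_body_max_size 50 MB localnet
```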
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.