Rules for public Net



  • Hi guys,
    I am configuring an open free wifi.
    I have the following rules configured:
    WAN: block all incoming
    LAN: "Allow ports 80, 443, 53, 995, 993"; anything else will be blocked.
    Am I set, or do I need to do some more firewalling?


  • LAYER 8 Netgate

    Why limit your users in such a manner?



  • Free wifi with just web-browsing, DNS and secure mail enabled? Oh well, you get what you pay for.  ;)


  • LAYER 8 Netgate

    I still don't get it but they're your customers.

    Note that you can do secure POP3/IMAP on 110/143 using STARTTLS.

    You probably want to allow 587 for SMTP submit.


  • Banned

    Eehm, why not 465 for SMTP with SSL/TLS, as you allow 993 for IMAP with SSL/TLS?



  • POP and SMTP and POP SSL and SMTP SSL ports are added.
    Any more suggestions, please?
    It's a free wifi and I don't want people to be downloading stuff; I already blocked the download.
    Once Squid is fixed on 2.2 I will apply it too.



  • @Jamerson:

    It's a free wifi and I don't want people to be downloading stuff; I already blocked the download.
    ...

    What downloading are you thinking of here? POP3?



  • Port 465 (SMTP/S). Some family member needed this enabled on my network for email. It may have been an iOS device, but I am not sure.

    Maybe port 123 for time-sync/NTP?



  • @hda:

    @Jamerson:

    It's a free wifi and I don't want people to be downloading stuff; I already blocked the download.
    ...

    What downloading are you thinking of here? POP3?

    I meant blocking the download (.exe, .rar, …).
    People will just browse and not download.
    I don't want people to be downloading movies or stuff and slowing down the network.



  • Hmmmm.  I'd try to do some bandwidth limiting to keep people under control rather than break the internet for them.



  • I would look at implementing a comprehensive QoS/traffic-shaping configuration as well.



  • If they're using encryption, you can't tell what they're doing. All you can see is what port they're using.



  • @Jamerson:

    I meant blocking the download (.exe, .rar, …).
    People will just browse and not download.
    I don't want people to be downloading movies or stuff and slowing down the network.

    Sorry to say, if you allow ports 80 and 443 then your users will still be able to download EXEs, MOVs… pretty much anything that can be pulled down via http/https. If you want to prevent specific filetypes from being downloaded you should use a web proxy. Dansguardian and Squid are included in the package lists, so you can install these and set them to disallow specific filetypes, such as movies, without preventing normal web browsing.
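    As an added illustration of the file-type filtering the reply above describes (this is an example fragment, not configuration from the thread or from the Squid project), the following squid.conf ACLs deny requests whose URL path ends in a chosen set of extensions while letting ordinary browsing through. The directive names are real Squid directives; the extension list, the ACL names and the 192.168.1.0/24 client range are assumptions picked for the example.

```squid
# Added example, not from the thread: refuse selected download types
# while leaving normal web browsing alone.

# Case-insensitive match on the end of the URL path.
# The extension list here is an assumption; extend it as needed.
acl blocked_types urlpath_regex -i \.(exe|msi|rar|zip|iso|avi|mkv|mp4|torrent)$

# HTTPS arrives as a CONNECT tunnel; Squid only sees host:port, never the
# path, so blocked_types cannot match those requests unless the proxy is
# set up to intercept TLS. This mirrors the point made earlier in the
# thread that encrypted traffic reveals only the port in use.
acl CONNECT method CONNECT

# Clients that are allowed to use the proxy (assumed address range).
acl localnet src 192.168.1.0/24

# Order matters: the deny must come before the general allow.
http_access deny localnet blocked_types
http_access allow localnet
http_access deny all
```

    Two caveats a practitioner should keep in mind: the regex only sees the URL path, so a server that hands out a download from a path without an extension (or with a query string after it) is not caught, and, as noted above, anything fetched over HTTPS passes through unexamined. For the stated goal of keeping the network usable, this sort of proxy filter complements rather than replaces the bandwidth limiting and traffic shaping suggested earlier in the thread.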
