Do my rules appear to be sane?



  • I should add that I have a floating "block + don't log" rule for IPv6, which is why my final allow-any rule is IPv4 only.



  • Your very first rule matches everything so nothing beneath that does anything at all.



  • @cmb:

    Your very first rule matches everything so nothing beneath that does anything at all.

    When I edit that rule, it says Destination: OPT7.
    It looks like it didn't remove that rule when I removed the interface.

    It wasn't a wildcard.  The blocks still worked, so it looks like it was just UI.
    Other than that, are they sane?



  • Ah, yeah in that case it wouldn't have been in the ruleset at all.

    Other than that, seems sane.



  • @cmb:

    Ah, yeah in that case it wouldn't have been in the ruleset at all.

    Other than that, seems sane.

    Ok, cool, thanks.
    I have a few oddities in NAT (such as having the firewall listening for HTTPS on a nonstandard port, but an internal NAT rule for port 443).
    I wanted to make sure I had the LAN side of the rules looking OK (as the NAT rules are working exactly how I wanted).



  • I redid my LAN rules once I found out I could nest aliases. Could I possibly ask for just a quick spot check again to rule out any brainfarts?
    (blacked out port at the top is publicly accessible and non-standard (hurrah security through obscurity!))
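
The two points raised in this thread, that a first rule matching everything makes every rule below it dead, and that nested aliases expand into the networks they reference, can be checked mechanically instead of by eyeballing a screenshot. The following is an added example written for this page, not code from the thread or from pfSense: it expands a (constructed, hypothetical) nested alias table, evaluates a ruleset first-match-wins the way pfSense interface rules are applied, and reports any rule fully shadowed by an earlier one. The alias names, networks and rules are assumptions for illustration, and "any" is treated as IPv4-only to mirror the poster's IPv6-only floating block.

```python
"""First-match rule evaluation with nested alias expansion and a shadowed-rule check.
Added example; alias names, networks and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Aliases = Dict[str, List[str]]

# Constructed alias table (hypothetical names, not the poster's real aliases).
ALIASES: Aliases = {
    "Mgmt_Hosts": ["10.0.10.5", "10.0.10.6"],
    "Web_Hosts": ["10.0.20.0/24"],
    "Trusted": ["Mgmt_Hosts", "Web_Hosts"],  # nested alias referencing the two above
}


def expand_alias(name: str, aliases: Aliases, path: Tuple[str, ...] = ()):
    """Recursively expand an alias into concrete networks; refuse alias cycles."""
    if name in path:
        raise ValueError(f"alias cycle: {' -> '.join(path + (name,))}")
    nets = []
    for entry in aliases[name]:
        if entry in aliases:  # nested alias: recurse with the current path
            nets.extend(expand_alias(entry, aliases, path + (name,)))
        else:  # host or CIDR literal
            nets.append(ip_network(entry, strict=False))
    return nets


def resolve(spec: str, aliases: Aliases):
    """Turn a rule's src/dst field into a list of networks. 'any' is IPv4-only here."""
    if spec == "any":
        return [ip_network("0.0.0.0/0")]
    if spec in aliases:
        return expand_alias(spec, aliases)
    return [ip_network(spec, strict=False)]


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # alias name, host, CIDR, or "any"
    dst: str
    dport: Optional[int]   # None means any destination port


def matches(rule: Rule, aliases: Aliases, src: str, dst: str, dport: int) -> bool:
    """Does this single rule match the packet? Mixed IP versions never match."""
    s, d = ip_address(src), ip_address(dst)
    return (any(s in n for n in resolve(rule.src, aliases))
            and any(d in n for n in resolve(rule.dst, aliases))
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], aliases: Aliases, src: str, dst: str, dport: int):
    """First match wins (pfSense interface rules). No match falls to the default deny."""
    for idx, rule in enumerate(rules):
        if matches(rule, aliases, src, dst, dport):
            return idx, rule.action
    return None, "block"


def covers(outer, inner) -> bool:
    """True when every network in `inner` lies inside some network in `outer`."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def shadowed_rules(rules: List[Rule], aliases: Aliases):
    """Return (later_index, earlier_index) pairs where the later rule can never match."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (covers(resolve(earlier.src, aliases), resolve(later.src, aliases))
                    and covers(resolve(earlier.dst, aliases), resolve(later.dst, aliases))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append((j, i))
                break
    return found


# Constructed rulesets: the first reproduces the "first rule matches everything" mistake.
BROKEN = [
    Rule("pass", "any", "any", None),       # matches every IPv4 packet: rules below are dead
    Rule("block", "Trusted", "any", 22),
    Rule("pass", "Web_Hosts", "any", 443),
]
FIXED = [
    Rule("block", "Trusted", "any", 22),
    Rule("pass", "Web_Hosts", "any", 443),
    Rule("pass", "any", "any", None),       # allow-any last, IPv4 only
]

if __name__ == "__main__":
    print("expanded Trusted:", [str(n) for n in expand_alias("Trusted", ALIASES)])
    print("BROKEN shadowed pairs:", shadowed_rules(BROKEN, ALIASES))
    print("FIXED shadowed pairs:", shadowed_rules(FIXED, ALIASES))
    print("FIXED ssh from mgmt host:", evaluate(FIXED, ALIASES, "10.0.10.5", "203.0.113.9", 22))
```

Running the script lists the concrete networks behind the nested alias and reports `(1, 0)` and `(2, 0)` for the broken ordering, meaning rules 1 and 2 can never fire because rule 0 already covers their sources, destinations and ports; the fixed ordering reports none. An IPv6 packet falls through every rule in either set, since "any" here resolves to `0.0.0.0/0` only, which is the behaviour the poster describes for their final IPv4 allow rule.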