Firewall port numbers



  • As a non-ICT person I've got (maybe!) a silly question!

    Under Firewall > Rules ... especially the rule "Default allow LAN to any rule" is one of my concerns!

    Does it make sense to nmap every device in my LAN and make aliases for its port numbers? ... so it blocks all the others!

    Or is this completely useless! (and a lot of work!)


  • LAYER 8 Global Moderator

    Huh?

    So do you have other LAN segments, i.e. OPT interfaces that you want to firewall traffic between? Or just out the WAN interface to the internet?

    If you want to limit your clients from talking out to the internet on other than standard ports, say http, https, ftp, ssh, etc., then sure you can lock that down on your LAN tab. If you're wanting to limit traffic between your own network segments, what would be the point of allowing every port the other devices are listening on? Might as well just be the any any rule in that case.

    You do understand that if a device is not listening on the port, it does not matter if the traffic is allowed on that port. You would firewall when the port is being listened on, but you don't want specific clients to get to it. So doing an nmap to find every port a device is listening on, and then allowing all those ports, would be useless, yes.



  • Hi @Herminator,

    I think it all depends on whether or not you want to control your users. But it's much better especially for security purposes to list them all. Just my opinion.  :)


  • LAYER 8 Netgate

    You do realize that the rule on LAN is one that allows connection FROM LAN HOSTS into the firewall and not TO LAN HOSTS from other locations like WAN, right?
    The only things that will show up in an nmap scan are ports the LAN hosts are listening for inbound connections on. And only TCP at that.

    For the typical home network chasing outgoing ports for every stupid app gets to be a real drag.



  • @Derelict:

    For the typical home network chasing outgoing ports for every stupid app gets to be a real drag.

    It can be a real drag, but the better way is to start with a default deny, then open up a few.  For most normal stuff (web, email, vpn, ntpclient) it's really not that much.  I'll provide what I've got allowed later when I get back home, but it's probably about 12 or so ports, between UDP and TCP.  Various *nix clients, Windows 7 clients on the LAN side.  So far wife hasn't complained about things not working.  Yes, I know I don't need to do this, but it was more an experiment as to "what is really needed" and "it's my network and I can do what I want (know exactly what I'm sending to the world)".

    I was actually surprised at how small the list is.  HTTP/S, DNS, NTP, OPENVPN, SSH covers the bulk of typical home user traffic.


  • LAYER 8 Global Moderator

    Unless you play games, they are all going to have their own ports.  Agreed, typically it's a small list.  You don't need to open NTP, pfSense does the NTP and you sync off pfSense.

    But we are not even sure what the OP is wanting to do.. He talks about scanning his clients.. What does that have to do with their outbound traffic to the internet?



  • @johnpoz:

    Unless you play games, they are all going to have their own ports.  Agreed, typically it's a small list.  You don't need to open NTP, pfSense does the NTP and you sync off pfSense.

    But we are not even sure what the OP is wanting to do.. He talks about scanning his clients.. What does that have to do with their outbound traffic to the internet?

    Absolutely nothing  ::)  That's why I directed the response at Derelict.  Agree on the NTP;  the list was from a homebrew I had been using (FreeBSD with pf) before I grabbed a SG2440.

    I'm guessing the OP may not understand how pfSense works/is intended to be used.


  • LAYER 8 Global Moderator

    "I'm guessing the OP may not understand how pfSense works/is intended to be used."

    Agreed ;)  I think it's more than just pfSense, it's networking/firewalls in general..

    But to be honest, in a home setup I really don't buy the "lock every port down other than the ports you use/common to the public net" approach.  What does it get you other than grief when someone in the house is trying to do something that doesn't work, or something doesn't work for you yourself because you blocked outbound traffic on xyz..

    Do you think that is going to stop viruses from phoning the mothership?


  • LAYER 8 Netgate

    @johnpoz:

    But to be honest, in a home setup I really don't buy the "lock every port down other than the ports you use/common to the public net" approach.  What does it get you other than grief when someone in the house is trying to do something that doesn't work, or something doesn't work for you yourself because you blocked outbound traffic on xyz..

    Exactly. My mothership would be listening on a common port anyway. It's stupid and a waste of time. I'm not firewalling and segmenting a bunch of PoS terminals.

    You'd still have to pass NTP to the LAN address unless that is a magic, hidden rule too.



  • @Derelict:

    @johnpoz:

    But to be honest, in a home setup I really don't buy the "lock every port down other than the ports you use/common to the public net" approach.  What does it get you other than grief when someone in the house is trying to do something that doesn't work, or something doesn't work for you yourself because you blocked outbound traffic on xyz..

    Exactly. My mothership would be listening on a common port anyway. It's stupid and a waste of time. I'm not firewalling and segmenting a bunch of PoS terminals.

    You'd still have to pass NTP to the LAN address unless that is a magic, hidden rule too.

    Nope, I understand it's not going to stop malware and such (gee, everyone has http open, so let's use that  ;D ).  It was more of a learning experience for me when I went from dialup to broadband a while ago.  Nothing more than that, just me trying to be aware of the traffic that is on/generated by my machines at home.  I'm sure you've done it, but anyone who has never sniffed a network with Windows machines may not realize how noisy they are on a network (SMB and related stuff, multicast DNS things), and trying to figure out how to turn them off took me down "GUI hell".  I just wanted to be aware of what was normal for me.


  • LAYER 8 Global Moderator

    That is fine, but curious why you offered that up to a user that clearly doesn't have clue one about how any of it works anyway..

    "but the better way is to start with a default deny,"

    You know how much grief it's going to cause this guy when this doesn't work, that doesn't work, etc. etc..

    pfSense uses a default any any on the LAN out of the box for a reason… Because if they didn't, a vast majority of users wouldn't have a clue how to get it working.. ;)



  • I keep forgetting the target audience.


  • LAYER 8 Global Moderator

    I do it all the time myself.. You would hope people smart enough to use pfSense would have a basic understanding of the concepts involved with TCP/firewalling/routing, etc.  But the more I read threads here the more I am reminded that a large portion of pfSense users are just completely clueless about even the most basic concepts.

    And sad to say many of them don't even want to learn..  They just want information spoon fed to them: what do they click to get x working, without even a basic understanding of how x works.

    But what makes it all worth it is those few people that want to learn, and spreading the love of our pfSense to those new learners ;)

    I agree with you that a default deny, or even just logging of traffic, can be a huge learning experience as to what sort of traffic an OS might spew about..  What is needed and what is fluff and nonsense can be a large undertaking for someone new to the concepts, for sure.
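    Added example, not from any poster in this thread: a minimal pf.conf ruleset of the kind described two posts up (default deny outbound from LAN, then a short allow list of HTTP/S, DNS, mail, OpenVPN and SSH) combined with the logging point made just above, so that the pflog records what the LAN clients try to do and gets blocked. It is written in the pf syntax pfSense generates from its GUI rules (and that a homebrew FreeBSD pf box would use directly); the interface names, subnet, firewall address and OpenVPN port are assumptions. NTP is deliberately not in the outbound list: clients sync off the firewall, so NTP is only passed to the firewall's own LAN address.

```pf
# Assumed interface names and addresses; replace with your own.
wan_if   = "em0"
lan_if   = "em1"
lan_net  = "192.168.1.0/24"     # assumed LAN subnet
fw_lan   = "192.168.1.1"        # assumed firewall LAN address
ovpn_srv = "203.0.113.10"       # assumed remote OpenVPN server (documentation address)
ovpn_port = "1194"              # assumed OpenVPN port

set skip on lo0

# Default deny, logged: every packet that matches nothing below is dropped
# and written to pflog0, which is the "logging as a learning experience" part.
block return log all

# Services the LAN clients get from the firewall itself (resolver, NTP,
# web GUI, SSH). NTP to the LAN address only; clients do not reach out to
# internet NTP servers.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $fw_lan port 53
pass in quick on $lan_if proto udp from $lan_net to $fw_lan port 123
pass in quick on $lan_if proto tcp from $lan_net to $fw_lan port { 22 443 }

# Outbound allow list from LAN. Stateful "pass in" on the LAN interface
# also passes the forwarded packet out the WAN, so no separate out rule is
# needed for these. Numbers in braces are the standard IANA ports.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80 443 }           # web
pass in quick on $lan_if proto { tcp udp } from $lan_net to any port 53            # DNS
pass in quick on $lan_if proto tcp from $lan_net to any port { 465 587 993 995 }   # mail submission, IMAPS, POP3S
pass in quick on $lan_if proto udp from $lan_net to $ovpn_srv port $ovpn_port      # OpenVPN to one known server
pass in quick on $lan_if proto tcp from $lan_net to any port 22                    # SSH

# The firewall's own traffic out the WAN (upstream DNS/NTP, updates).
pass out quick on $wan_if from ($wan_if) to any keep state
```

    Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and watch what the default deny is catching with `tcpdump -n -e -ttt -i pflog0`; the blocked entries are the list of "what is really needed" versus "fluff and nonsense" that the poster above refers to, and each one you decide is needed becomes one more narrow pass rule rather than a return to any-any.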


  • Banned

    …jjeeeeeh, same with my car mechanic, always talks about tech stuff, although only thing I want is to DRIVE the car...



  • Can I thank you all for the input!
    And yes Johnpoz! Although there is lots and lots of reading, it's often quite difficult to understand the basics! ... I've got to do it all by myself!
    Anyway your answer makes a lot clear to me! (still much to learn and to do!).....

