Default Ruleset - Block ALL
-
Hi,
I'm new to this forum and have just begun to look at pfSense.
To my understanding, isn't good security supposed to be "Block ALL" by default instead of "Open ALL", as pfSense does by default?
"Block ALL" - The user just needs to open the port(s) that are needed, and the rest remain closed.
"Open ALL" - Anything can go anywhere it likes. The user has to find out what needs to be closed in order to secure the network.
Isn't "Open what is needed" much better and more secure than "close what is not needed"?
I'm just trying to understand the way pfSense does things.
Thanks / regards.
-
Hi,
Forgot to add, I am basically referring to LAN –> WAN (Internet) access!
Regards.
-
Isn't "Open what is needed" much better and more secure than "close what is not needed"?
Yes, it is. The default of allow all on LAN, block all on WAN is more often what people want, though. Same default as almost all similar systems.
Check out the firewall chapter in the book for more in-depth discussion of that topic and specific recommendations on best practices that are applicable to any firewall.
-
Blocking on LAN sounds great in theory until you start pulling your hair out due to endless users having endless problems using software over the network. Unless your network is very small with few users, or you have a tightly controlled environment, it's usually more trouble than it's worth. But feel free to remove the Allow All rule on LAN and put whatever ruleset in place that you want.
-
Hi cmb and Kom, thank you for your input.
Yes, I do agree that when it comes to a large user base without tight control of the application usage environment, it becomes a headache for the firewall administrator.
However, if we look at potential threats like malware, botnets and others, an infected workstation could easily blast out to the Internet via any port should the rules not be set to deny all by default. Also, isn't it much easier to track and identify from the logs where the rejection came from, as opposed to hunting for the culprit in an "allow all" situation?
just my 2 cents :D
Regards
-
Have fun with that when you're spending your days trying to get the instant messenger du jour working. Or Xbox, Wii, etc.
Just deactivate the default rule and pass whatever traffic you want to let out.
(You are correct of course. It is more secure. In many environments it's more headache than it's worth.)
-
However, if we look at potential threats like malware, botnets and others, an infected workstation could easily blast out to the Internet via any port should the rules not be set to deny all by default.
Which ports are malware, botnets and others restricted from using, so that you can have only those open? Think about it for a bit.
There are 65K IPv4 ports available.
Most applications randomly select a source port to use, and it can change frequently. Do a packet capture of a few web browsing sessions.
Destination ports are typically associated with a particular service, e.g. http/80, https/443, smtp/25, etc. How are you going to stop malware, botnets, and others from sending to those if your clients need to access services at those ports?
You're barking up the wrong tree if you think you're going to broadly block outbound traffic sufficiently to stop malware, botnets, and others and still have functional Internet access.
-
I agree with the above that there are diminishing returns, but it's a fun exercise on a small network, especially a mixed one (Windows, Apple, Linux/BSD). For the most basic usability, one doesn't need a lot open (maybe a total of a dozen ports between UDP and TCP). As for the "fun" aspect, ever seen HTTPS UDP traffic? I know, you're thinking "BS". Well, Google "Google QUIC" for an answer.
Starting with a default deny and making a decision to add a rule when needed is good so you know what's on your network.
If you've never looked at how noisy Windows is with broadcasts ("Hey, I'm here"), you should.
From a pure convenience/consumer standpoint, the pfSense out-of-the-box "allow all from LAN, deny all from WAN" is handy and saves a lot of repeat questions. So in theory you're correct; in reality it becomes unrealistic.
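As an added illustration (not code from this thread, from pfSense, or from any of the posters), the "block all, then open what is needed" LAN ruleset the last few posts describe, written as a pf.conf fragment of the kind pfSense generates behind its GUI. The interface name, LAN subnet and DNS server address are assumptions; the allow list is the "dozen ports" idea made concrete, and the block rule is logged so a host "blasting out on any port" is visible in the firewall log as repeated blocked entries from one source.

```pf
# Assumed values for illustration only.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
dns     = "{ 192.168.1.1 }"      # assumption: the firewall itself resolves DNS

set skip on lo0

# 1. Default deny on LAN, logged. With "quick" on the pass rules below,
#    anything that does not match an explicit pass is blocked and logged here.
block log on $lan_if

# 2. Open only what clients need. The source port is left as "any" because
#    clients pick a random source port; the destination port identifies
#    the service, so that is what the rule filters on.
# Firewall GUI from the LAN (the pfSense "anti-lockout" idea).
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port { 80 443 } keep state
# DNS, to the firewall's resolver only (not to arbitrary hosts).
pass in quick on $lan_if proto { tcp udp } from $lan_net to $dns port 53 keep state
# Time sync.
pass in quick on $lan_if proto udp from $lan_net to any port 123 keep state
# Web: HTTP/HTTPS over TCP, and QUIC (HTTPS over UDP) as mentioned above.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80 443 } keep state
pass in quick on $lan_if proto udp from $lan_net to any port 443 keep state
# Mail submission.
pass in quick on $lan_if proto tcp from $lan_net to any port { 25 587 } keep state
```

Every application that does not fit this list (the instant messenger or game console from the earlier replies) shows up as a logged block and needs its own pass rule, which is exactly the administrative cost the thread is weighing.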
-
Hi all,
Thank you for the kind input, really appreciate.
Well, I started this because I've been hearing a lot about "Closed All" and opening only what is needed, and even read it in pfSense: The Definitive Guide under the "Firewall" chapter.
Guess one really has to see how to balance the two in an office environment, either in friendly or security mode. ::)
Learned a lot from this exchange. Thanks!
Best regards.
-
Before thinking about blocking outgoing ports, it would be a nice exercise to see why people actually want to install this malware on 'their' PCs …
Which boils down to: look for those who have, after one user session:
all the web search bar extensions that a browser can offer ...
all the weather toolbars that exist for that browser ...
changed their default home page 5 times in the same session ....
accepted Java updates from everywhere except from java.com ....
the same thing with Flash ....
wound up using several antivirus programs on the PC ....
etc.
Nail down these people, and propose to them that they should stop clicking on everything that they see on a web page …