Default LAN Rules



  • I still have my default LAN rules in place from the initial install. What should I do, if anything, to them to further secure but not limit my connection?



  • For a start try:
    https://doc.pfsense.org/index.php/Example_basic_configuration
    I also recommend using the "Search" in this forum before posting any question. I have found it to be a great source of info.
    Also, after you start setting up some rules, if you have a "Default Deny All" at the bottom of the rules list and have it set to Log, you will see in the Firewall logs any blocked communications and the protocols that you may or may not want to enable.
    Default Deny is the best policy: allow only what you need, not what you want. :o ... It is a different mindset.

    ## About the search remark, I am in earnest. It is to me a great resource. Almost every time I go searching I find a tidbit of info or a post that shows me something new. Many times it is better than what I was originally searching for. Always learning, it seems.



  • Extra LAN rules won't protect you from external threats, only internal ones.



  • @Harvy66:

    Extra LAN rules won't protect you from external threats, only internal ones.

    ??? On the surface it may seem that way but you may want to rethink that. Just a thought.



  • @Harvy66:

    Extra LAN rules won't protect you from external threats, only internal ones.

    Depends on what you consider to be an external threat.  I consider browsing to be an external threat.



  • I was just curious as to whether I should change the default allow-to-all rules. If so, can you recommend exactly what I should do? Aside from PCs, I have several smart TVs and PS4s that must be able to get through the router. How should I configure these rules, if any change is needed to reduce outgoing risk?



  • @jbhowlesr:

    I was just curious as to whether I should change the default allow-to-all rules. If so, can you recommend exactly what I should do? Aside from PCs, I have several smart TVs and PS4s that must be able to get through the router. How should I configure these rules, if any change is needed to reduce outgoing risk?

    One way of determining "normal" traffic for your network is to do packet captures.  If your pfSense box is acting as a DHCP server, check the logs/status of that; then you know your normal MAC addresses (handy if a device shows up that you don't know about).
    From a pf configuration I've been running for a while, these udp and tcp ports allowed from the LAN side let pretty much "normal" stuff work (browsing, email; the numbered ports are to let a couple of things like Spotify through):

    udp_svcs="{ domain, ntp, https, 1935, 1194, 3551 }"
    tcp_svcs="{ domain, http, https, ntp, pop3s,smtps, 1935, 1194, 3551 }"

    So you could start with those and when something breaks you look at the logs.
    Don't forget that a rule with the above ports goes above a default deny rule on the LAN tab.


  • Rebel Alliance Global Moderator

    Since when does ntp run via tcp??  Who still uses pop?

    "can you recommend exactly what I should do? "

    No, not really; how are we supposed to know what you want to allow or block? If I tell you to lock it down to http and https only and application X breaks, then I gave you bad advice.  If you want to lock down your IoT devices, for example, what I would really suggest is that you isolate them to their own vlans.  Log their traffic and see what you think. I can tell you my directv box does some dns, and it phones home via http and https and does some pinging to an outside address, and every now and then makes a connection on 5223.

    To be honest, once you isolate such devices from your own network and just allow them internet, what does it matter what ports they choose to talk on?  I would be concerned about their bandwidth usage and if they are talking to somewhere that seems odd. But do you know what ports they use??  Do I??  Without looking and watching you're not going to have any idea, and most likely just going to break something.  Maybe it phones home every day on 80 and 443, but once every 6 weeks it does something on port xyz.

    To be honest, since you have to ask, you really shouldn't be blocking. What you should do is isolate the devices you're worried about from your normal network; that would be my 2 cents on the matter.  But if you want to start locking stuff down, take a look here: https://doc.pfsense.org/index.php/Example_basic_configuration. They give a simple rundown on how to start locking down outbound ports on your lan or other interfaces.



  • Sorry John, yes that's a mistake, ntp on the tcp services.  That's pop3s, for Comcast email, since I'm not using imap on that.



  • I don't run a DMZ so I'm confused as how to apply the info from:

    https://doc.pfsense.org/index.php/Example_basic_configuration

    to my setup; unless it means something different than what I think it means.



  • @jbhowlesr:

    I don't run a DMZ so I'm confused as how to apply the info from:

    https://doc.pfsense.org/index.php/Example_basic_configuration

    to my setup; unless it means something different than what I think it means.

    No DMZ so ignore those rules about that. They are just examples of what others may need so they try to cover as many basic rules as they feel may help. Keep it simple.



  • What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?



  • OK, so below is one Debian machine running just for Netflix. No other machines at present here, and Microsoft is taboo in my home. :o
    All Default Deny rules are for logging purposes, for me to easily find what is being blocked or needs to be allowed without enabling logging for all the default block rules of PFSense. I do not want to be buried alive in logs, so it is easier to be more selective.
    Look at how my rules are for Default Deny, and if you need to add more for other services here, well, I will let you find that out or we will be at this all day.  ;)
    The Xbox website mentions the needed ports, or just review your logs after initial setup.  One description shows DNS forward... ignore that, I use Unbound, but the rule is the same.
    Anything below the Default Deny to ALL is disabled and not in play. I just keep them for another day.
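    The "log it with a Default Deny, then read the Firewall log" workflow that runs through this thread (the logged Default Deny All suggested early on, the "when something breaks you look at the logs" advice with the udp_svcs/tcp_svcs macros, and the Default Deny rules kept for logging in the post above) can be made less tedious with a small script. The following is an added example, not code from the thread or from pfSense: it parses filterlog lines, tallies the blocked destination ports per protocol on the LAN interface, and renders them as pf-style port macros in the same shape as the udp_svcs/tcp_svcs lines posted earlier, so you have a list to review before deciding what actually belongs in an allow rule. The log lines are constructed; the field layout assumed is the pfSense filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the per-IP-version and per-protocol fields); the interface name igb1 and all function names are my own.

```python
"""Tally blocked outbound ports from pfSense filterlog lines (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample log lines. They follow the assumed filterlog CSV layout;
# the addresses and the interface name igb1 are made up for this example.
SAMPLE_LOG = """\
Mar  1 20:01:02 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,49152,5223,0,S,123456,,65535,,mss
Mar  1 20:01:03 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,2,0,none,17,udp,76,192.168.1.60,198.51.100.5,51000,3478,56
Mar  1 20:01:04 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,49153,5223,0,S,123457,,65535,,mss
Mar  1 20:01:05 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::50,2001:db8:1::10,49154,443,0,S,1,,65535,,
Mar  1 20:01:06 pfSense filterlog[12345]: 100,,,1000000101,igb1,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.50,203.0.113.11,49155,443,0,S,1,,65535,,mss
Mar  1 20:01:07 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,5,0,none,1,icmp,84,192.168.1.70,203.0.113.12,request,1234,1
"""


@dataclass(frozen=True)
class FlowRecord:
    iface: str
    action: str            # "block" or "pass"
    direction: str         # "in" or "out", relative to the interface
    proto: str             # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int]   # None for protocols without ports


def parse_filterlog_line(line: str) -> Optional[FlowRecord]:
    """Parse one syslog line carrying a filterlog CSV record; None if not one."""
    marker = "filterlog["
    idx = line.find(marker)
    if idx < 0:
        return None
    sep = line.find(": ", idx)
    if sep < 0:
        return None
    f = line[sep + 2:].strip().split(",")
    if len(f) < 9:
        return None
    iface, action, direction, ipver = f[4], f[6], f[7], f[8]
    # Assumed layouts: IPv4 = tos,ecn,ttl,id,offset,flags,proto-id,proto-text,
    # length,src,dst ; IPv6 = class,flowlabel,hoplimit,proto-text,proto-id,
    # length,src,dst ; then for tcp/udp: sport,dport,...
    if ipver == "4":
        if len(f) < 20:
            return None
        proto, src, dst, rest = f[16].lower(), f[18], f[19], f[20:]
    elif ipver == "6":
        if len(f) < 17:
            return None
        proto, src, dst, rest = f[12].lower(), f[15], f[16], f[17:]
    else:
        return None
    dport = None
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[1].isdigit():
        dport = int(rest[1])
    return FlowRecord(iface, action, direction, proto, src, dst, dport)


def summarise_blocked(log_text: str, lan_iface: str) -> Counter:
    """Count blocked (proto, dport) pairs for packets entering on the LAN side."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec.iface != lan_iface:
            continue
        # LAN-to-Internet packets enter pfSense on the LAN interface, so the
        # outbound traffic we care about is logged with direction "in".
        if rec.action != "block" or rec.direction != "in":
            continue
        hits[(rec.proto, rec.dport)] += 1
    return hits


def macros_from_summary(hits: Counter, min_hits: int = 1) -> Dict[str, str]:
    """Render blocked ports as pf-style macros, e.g. tcp_svcs="{ 443, 5223 }"."""
    out: Dict[str, str] = {}
    for proto in ("udp", "tcp"):
        ports = sorted(port for (p, port), n in hits.items()
                       if p == proto and port is not None and n >= min_hits)
        body = ", ".join(str(port) for port in ports)
        out[f"{proto}_svcs"] = f"{{ {body} }}" if ports else "{ }"
    return out


if __name__ == "__main__":
    summary = summarise_blocked(SAMPLE_LOG, "igb1")
    for (proto, port), count in summary.most_common():
        print(f"{proto:5} {str(port):6} blocked {count}x")
    for name, value in macros_from_summary(summary).items():
        print(f'{name}="{value}"')
```

    Run it against a real log with the LAN interface name substituted, and raise min_hits to filter out one-off noise. The macros are a review list, not a rule set: in the spirit of "allow only what you need", each port still has to be matched to a device and a purpose before it goes into an allow rule above the Default Deny.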



  • Rebel Alliance Global Moderator

    "What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?"

    All very good questions... And directly to my point.  You are never going to know what application X might use for a port.  So locking down your outbound access is going to be a constant struggle: shit, that doesn't work, open up port; oh damn, this doesn't work, open up that port.  How come this doesn't work? Oh shit, they also use port Y, etc. etc. etc.  Why in the hell are they running protocol C on port D??  That is not its standard port, etc. etc. etc.

    That might be fine in a corp setup where you just tell the user tuff titties, you can not use application xyz, who ever said xyz was allowed on this network.  But in a home setup it's nothing more than a PITA...



  • @johnpoz:

    "What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?"

    All very good questions... And directly to my point.  You are never going to know what application X might use for a port.  So locking down your outbound access is going to be a constant struggle: shit, that doesn't work, open up port; oh damn, this doesn't work, open up that port.  How come this doesn't work? Oh shit, they also use port Y, etc. etc. etc.  Why in the hell are they running protocol C on port D??  That is not its standard port, etc. etc. etc.

    That might be fine in a corp setup where you just tell the user tuff titties, you can not use application xyz, who ever said xyz was allowed on this network.  But in a home setup it's nothing more than a PITA...

    PITA, not really. The reason the Default Deny rule is there is to have a Firewall Log entry, so I can just hit the "Easy Rule: Pass this traffic" icon in the Firewall Log entry and then go back to the Firewall rules area and see the new rule made, and move or change things like the description or other fine tuning.
    @johnpoz, I understand your view of the higher order of right and wrong here. Thanks.
    Default Deny is not for everyone, but I do like to know what is happening in my networks.
    For someone new to PFSense, or any firewall for that matter, it may indeed be a PITA.



  • So I added the rules from the links above and I'm finding intermittence in whether these services work or not. This is such a butt pain.



  • @jbhowlesr:

    So I added the rules from the links above and I'm finding intermittence in whether these services work or not. This is such a butt pain.

    This quote is probably the best way to end the post. I can't stop feeling I kicked a hornet's nest here.
    In hindsight I think johnpoz's answer was the better answer in a higher order of right and wrong.
    It seems more and more home users are using PFSense, and rightly so.
    Regarding Default Deny, M. Ranum once wrote: "It takes dedication, thought, and understanding to implement a "Default Deny" policy, which is why it is so seldom done." This is especially true for a home environment.
    Number 1 for any home user should be the manual. For a DD policy you must know network basics, protocols and ports, etc.  If not, you may drive yourself mad, if your internet-hungry kids don't get to you first.
    Go back to the default PFSense LAN rules and call it a day; no harm, no foul.
    In my view, if you are running Microsoft you have bigger problems in your network anyway. :o
    Sorry, don't shoot the messenger.
    I noticed the "Feedback" post and debated whether to reply here or on that one. Since your subject line was succinct, I wanted to make sure others in future searches were well aware of the possible issues.
    I repeat: Default Deny is not for everyone. If I sparked your interest, great!
    But on the forums you may be hard pressed to find someone who knows what is running on your private network. A DD policy requires intimate knowledge of what is running on your machines. Only you can figure that one out. Research before implementing, and a good grasp of network protocols and basics is a must. I do not think there will ever be an easy button for this type of setup.
    Sorry if I started you down a path you may not have wanted to travel. But, hey, you asked.  ;)