Netgate Discussion Forum

Default LAN Rules

General pfSense Questions

    • Guest
      I still have my default LAN rules in place from the initial install. What should I do, if anything, to them to further secure but not limit my connection?

      • A Former User

        For a start try:
        https://doc.pfsense.org/index.php/Example_basic_configuration
        I also recommend using the "Search" in this forum before posting any question. I have found it to be a great source of info.
        Also, after you start setting up some rules, if you have a "Default Deny All" at the bottom of the rules list and have it set to Log, for any blocked communications you will see in the Firewall logs the protocols that you may or may not want to enable.
        Default Deny is the best policy: allow only what you need, not what you want. :o ... It is a different mindset.

        About the search remark, I am in earnest. It is to me a great resource. Almost every time I go searching I find a tidbit of info or a post that shows me something new. Many times it is better than what I was originally searching for. Always learning, it seems.

        • Harvy66

          Extra LAN rules won't protect you from external threats, only internal ones.

          • A Former User

            @Harvy66:

            Extra LAN rules won't protect you from external threats, only internal ones.

            ??? On the surface it may seem that way but you may want to rethink that. Just a thought.

            • NOYB

              @Harvy66:

              Extra LAN rules won't protect you from external threats, only internal ones.

              Depends on what you consider to be an external threat.  I consider browsing to be an external threat.

              • Guest

                I was just curious as to whether I should change the default allow-all rules. If so, can you recommend exactly what I should do? Aside from PCs, I have several smart TVs and PS4s that must be able to get through the router. How should I configure these rules, if any change is needed, to reduce outgoing risk?

                • mer

                  @jbhowlesr:

                  I was just curious as to whether I should change the default allow-all rules. If so, can you recommend exactly what I should do? Aside from PCs, I have several smart TVs and PS4s that must be able to get through the router. How should I configure these rules, if any change is needed, to reduce outgoing risk?

                  One way of determining "normal" traffic for your network is to do packet captures. If your pfSense box is acting as a DHCP server, check the logs/status of that; then you know your normal MAC addresses (handy if a device shows up that you don't know about).
                  From a pf configuration I've been running for a while, these UDP and TCP ports allowed from the LAN side let pretty much "normal" stuff work (browsing, email; the numbered ports are to let a couple of things like Spotify through):

                  udp_svcs="{ domain, ntp, https, 1935, 1194, 3551 }"
                  tcp_svcs="{ domain, http, https, ntp, pop3s, smtps, 1935, 1194, 3551 }"

                  So you could start with those and when something breaks you look at the logs.
                  Don't forget that a rule with the above ports goes above a default deny rule on the LAN tab.

                  • johnpoz (LAYER 8 Global Moderator)
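A pf.conf fragment, added here and not taken from mer's configuration or from pfSense itself, that puts the two port lists from the post above over a logged default deny the way the thread describes. The interface name and LAN subnet are assumptions, and the ntp entry is dropped from the TCP list as mer corrects later in the thread.

```pf
# Assumed interface and LAN subnet; substitute your own.
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Port lists as posted in the thread (ntp removed from the TCP list).
udp_svcs = "{ domain, ntp, https, 1935, 1194, 3551 }"
tcp_svcs = "{ domain, http, https, pop3s, smtps, 1935, 1194, 3551 }"

# "quick" makes pf first-match, like the pfSense GUI rule list, so these
# allow rules must come before the default deny that follows them.
pass in quick on $lan_if inet proto udp from $lan_net to any port $udp_svcs keep state
pass in quick on $lan_if inet proto tcp from $lan_net to any port $tcp_svcs flags S/SA keep state

# The "Default Deny" at the bottom of the LAN list, with logging on so the
# firewall log shows exactly which blocked flows still need an allow rule
# (or are fine being blocked).
block in log quick on $lan_if inet from $lan_net to any

# Checks: parse the file without loading it, then watch the logged blocks.
#   pfctl -nf /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0
```

pfSense regenerates its ruleset from the GUI, so this is a plain-pf illustration of the ordering and the log flag, not something to paste onto a pfSense box.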

                    Since when does ntp run via tcp?? Who still uses pop?

                    "can you recommend exactly what I should do?"

                    No, not really. How are we supposed to know what you want to allow or block? If I tell you to lock it down to http and https only and application X breaks, then I gave you bad advice. If you want to lock down your IoT devices, for example, what I would really suggest is you isolate them to their own VLANs. Log their traffic and see what you think. I can tell you my DirecTV box does some DNS, and he phones home via http and https and does some pinging to an outside address, and every now and then makes a connection on 5223.

                    To be honest, once you isolate such devices from your own network and just allow them internet, what does it matter what ports they choose to talk on? I would be concerned about their bandwidth usage and if they're talking to somewhere that seems odd. But do you know what ports they use?? Do I?? Without looking and watching you're not going to have any idea, and most likely just going to break something. Maybe it phones home every day on 80 and 443, but once every 6 weeks it does something on port xyz.

                    To be honest, since you have to ask, you really shouldn't be blocking. What you should do is isolate said devices you're worried about from your normal network, would be my 2 cents on the matter. But if you want to start locking stuff down, take a look here: https://doc.pfsense.org/index.php/Example_basic_configuration They give a simple rundown on how to start locking down outbound ports on your LAN or other interfaces.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • mer

                      Sorry John, yes, that's a mistake, ntp on the TCP services. That's pop3s for Comcast email, since I'm not using IMAP on that.

                      • Guest

                        I don't run a DMZ so I'm confused as how to apply the info from:

                        https://doc.pfsense.org/index.php/Example_basic_configuration

                        to my setup; unless it means something different than what I think it means.

                        • A Former User

                          @jbhowlesr:

                          I don't run a DMZ so I'm confused as how to apply the info from:

                          https://doc.pfsense.org/index.php/Example_basic_configuration

                          to my setup; unless it means something different than what I think it means.

                          No DMZ, so ignore those rules about that. They are just examples of what others may need, so they try to cover as many basic rules as they feel may help. Keep it simple.

                          • Guest

                            What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?

                            • A Former User

                              OK, so below is one Debian machine running just for Netflix. No other machines at present here, and Microsoft is taboo in my home. :o
                              All Default Deny rules are for logging purposes, for me to easily find what is being blocked or needs to be allowed without enabling logging for all the default block rules of pfSense. I do not want to be buried alive in logs, so it is easier to be more selective.
                              Look at how my rules are for Default Deny, and if you need to add more for other services here, well, I will let you find that out or we will be at this all day. ;)
                              The Xbox website mentions needed ports, or just review your logs after initial setup. One description shows DNS forwarder... ignore that, I use Unbound, but the rule is the same.
                              Anything below the Default Deny to ALL is disabled and not in play. I just keep them for another day.

                              [Screenshot-1.png: screenshot of the poster's LAN firewall rules]

                              • johnpoz (LAYER 8 Global Moderator)

                                "What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?"

                                All very good questions... And directly to my point. You are never going to know what application X might use for a port. So locking down your outbound access is going to be a constant struggle: shit, that doesn't work, open up port; oh damn, this doesn't work, open up that port; how come this doesn't work, oh shit, they also use port Y, etc. etc. etc. Why in the hell are they running protocol C on port D?? That is not its standard port, etc. etc. etc.

                                That might be fine in a corp setup where you just tell the user tuff titties, you can not use application xyz, whoever said xyz was allowed on this network. But in a home setup it's nothing more than a PITA...

                                • A Former User

                                  @johnpoz:

                                  "What ports are used for things like Amazon Prime TV, Netflix, PSN, Xbox live etc?"

                                  All very good questions... And directly to my point. You are never going to know what application X might use for a port. So locking down your outbound access is going to be a constant struggle: shit, that doesn't work, open up port; oh damn, this doesn't work, open up that port; how come this doesn't work, oh shit, they also use port Y, etc. etc. etc. Why in the hell are they running protocol C on port D?? That is not its standard port, etc. etc. etc.

                                  That might be fine in a corp setup where you just tell the user tuff titties, you can not use application xyz, whoever said xyz was allowed on this network. But in a home setup it's nothing more than a PITA...

                                  PITA, not really. The reason the Default Deny rule is there is to have a Firewall Log entry so I can just hit the "Easy Rule: Pass this traffic" icon in the Firewall Log entry and then go back to the Firewall rules area and see the new rule made, and move or change things like the description or other fine tuning.
                                  @johnpoz, I understand your view of the higher order of right and wrong here. Thanks.
                                  Default Deny is not for everyone, but I do like to know what is happening in my networks.
                                  For someone new to pfSense, or any firewall for that matter, it may indeed be a PITA.

                                  • Guest

                                    So I added the rules from the links above and I'm finding intermittence in whether these services work or not. This is such a pain.

                                    • A Former User

                                      @jbhowlesr:

                                      So I added the rules from the links above and I'm finding intermittence in whether these services work or not. This is such a pain.

                                      This quote is probably the best way to end the post. I can't stop feeling I kicked a hornet's nest here.
                                      In hindsight I think johnpoz's answer was the better answer in a higher order of right and wrong.
                                      It seems more and more home users are using pfSense, and rightly so.
                                      Regarding Default Deny, M. Ranum once wrote: "It takes dedication, thought, and understanding to implement a 'Default Deny' policy, which is why it is so seldom done." This is especially true for a home environment.
                                      Number 1 for any home user should be the manual. For a DD policy you must know network basics, protocols and ports, etc. If not, you may drive yourself mad, if your internet-hungry kids don't get to you first.
                                      Go back to the default pfSense LAN rules and call it a day; no harm, no foul.
                                      In my view, if you are running Microsoft you have bigger problems anyway in your network. :o
                                      Sorry, don't shoot the messenger.
                                      I noticed the "Feedback" post and debated whether to reply here or on that one. Since your subject line was succinct, I wanted to make sure others in future searches were well aware of the possible issues.
                                      I repeat, Default Deny is not for everyone. If I sparked your interest, great!
                                      But on the forums you may be hard pressed to find someone who knows what is running on your private network. A DD policy requires intimate knowledge of what is running on your machines. Only you can figure that one out. Research before implementing, and a good grasp of network protocols and basics is a must. I do not think there will ever be an easy button for this type of setup.
                                      Sorry if I started you down a path you may not have wanted to travel. But, hey, you asked. ;)

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.