m0n0wall firewall rules - looking for suggestions / sample configurations

rodsfree ([H]ard|Gawd, joined Dec 13, 2004, 1,417 messages)
I'm setting up a m0n0wall / pfsense router and I'm looking for suggestions for the rules.

I've got 3 ports.
WAN
LAN
and DMZ

...thinking about adding a wireless card later.

Any and all help will be appreciated.

Thanks,
Rod

 
big daddy fatsacks said:
block all in
block all out
allow what you need in
allow what you need out

I'd kinda figured out that much....
I was looking for something a little more specific.

 
to do what? we could tell you all kinds of things that just wouldn't matter if you're never going to use them.
 
I'm happy enough with block all in, allow all out, plus holes poked for incoming ssh and the like. It appears to keep state for outgoing connections, which makes things simpler.
 
I was kinda hoping for ....common ports that you should allow in and out.
Some of the best rules for setting up and isolating my DMZ from my LAN but allowing essential access.

Tweaks that might make things easier or make it run smoother or faster.

I'm just getting started with this thing and I need some help, not some cryptic statements.

I'm looking for a little help getting unconfused, if that makes sense.

 
LittleMe said:
to do what? we could tell you all kinds of things that just wouldn't matter if you're never going to use them.
exactly, you need to tell us what you need to do to get a more specific answer than the one i gave you. i have no idea what "essential access" or "common ports" you need.

for me, i need to open the following:
outbound port 80
outbound port 22
outbound port 3389
inbound port 80
inbound port 3389

ports 80 and 3389 inbound need to be rdr to 2 different computers in my home network. for all i know all you need to open up is outbound port 80 though.
 
Personally, I don't block outgoing ports; you could say I'm more afraid of what's trying to get in than what's trying to get out. :)

Then it's only a case of finding out what specific things you do that need incoming ports opened.
Do you run any kind of servers?
Do you use any kind of file sharing? (Most work better with a few incoming ports opened)
Do you play any games online? (Most don't need incoming ports opened, but some might.)
 
Ok,
So what you guys are telling me is that there aren't any common rules that you'd advise a newbie to use for building this type of router.

Like for email, FTP, web surfing - you know, common essential things.

Thanks,

 
rodsfree said:
Like for email, FTP, web surfing - you know, common essential things.

The problem was (until you just listed the above) that there aren't common things when it comes to firewalls. I make use of RDP and SSH in my home network, is it common? Maybe for people on this forum, but most likely not all of them.

Outbound
E-mail 25 and/or 110 depending on what you are doing
FTP - TCP 21
web surfing - TCP 80
 
rodsfree said:
Ok,
So what you guys are telling me is that there aren't any common rules that you'd advise a newbie to use for building this type of router.

Like for email, FTP, web surfing - you know, common essential things.

Thanks,

Indeed. For normal use, allowing all outbound traffic, and no incoming (except answers to outgoing connections, which is implicit) will do fine.

If you want to block outgoing traffic as well, you will have to open some ports, like 80 (for web surfing), DNS at 53, https at 443, whatever your IM of choice uses, games (if any), ftp (messy, since there's no single dedicated data port, though 21 for the control connection is standard), and I've probably forgotten a few.

Looking at my rules, the only one you might want is:
6881 - 6999: BitTorrent. It's not strictly necessary, but will markedly improve performance.
(The rest is http, ssh, mysql, ntpd and vnc servers, none of which are likely to be relevant for you.)
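The advice in this thread (default deny, allow all outbound from the LAN, keep state so replies come back, keep the DMZ away from the LAN, and poke only the holes you actually serve) can be written down as a single pf ruleset. pfSense runs pf underneath its GUI, and m0n0wall's rule pages express the same ideas. The block below is an added example written for this thread, not a ruleset from any poster or from either project; the interface names (em0/em1/em2), the 192.168.x.0/24 address ranges and the DMZ web server address are assumptions chosen for the three-port layout the original poster described.

```pf
# Added example: pf.conf for WAN / LAN / DMZ with default deny.
# Interface names and addresses below are assumptions for illustration.
ext_if = "em0"            # WAN
lan_if = "em1"            # LAN, assumed 192.168.1.0/24
dmz_if = "em2"            # DMZ, assumed 192.168.2.0/24
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"  # assumed web server living in the DMZ

# NAT: both inside networks leave through the WAN address.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Port forward ("rdr" in pf terms): inbound TCP 80 on the WAN address
# goes to the DMZ web server, and nowhere else.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# "block all in, block all out": everything not matched by a later
# "quick" pass rule is dropped and logged, on every interface.
block in log all
block out log all

# The firewall itself may resolve names and fetch updates.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port { 53, 80, 443 } keep state

# LAN: "allow all out". keep state creates an entry that also lets the
# reply packets back in, so no explicit inbound rule is needed for them.
pass in quick on $lan_if from $lan_net to any keep state

# DMZ isolation: a DMZ host may never open a connection toward the LAN.
# Listed before the DMZ pass rules because "quick" makes first match win.
block in quick on $dmz_if from $dmz_net to $lan_net

# DMZ: only what a web server genuinely needs outbound (DNS, NTP, HTTP/S).
pass in quick on $dmz_if proto udp from $dmz_net to any port { 53, 123 } keep state
pass in quick on $dmz_if proto tcp from $dmz_net to any port { 53, 80, 443 } flags S/SA keep state

# WAN: after the rdr above, only port 80 to the web server is accepted;
# SSH, RDP and the rest stay closed until you deliberately add a rule.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

Because the LAN rule allows anything outbound with state, LAN machines can already reach the DMZ host for administration (SSH, for example) without a separate rule; the reverse direction is what the DMZ block line forbids. Adding a wireless interface later means another interface variable and a pair of rules shaped like the DMZ ones, so the wireless segment also starts from "nothing in, only what it needs out". Every blocked packet is logged by the two block lines, which is the first place to look when something "essential" stops working after the rules go in.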
 
Well,
Long weekend coming - I guess I'll tinker and research.
I'll post something later.

 