OPNsense Forum

English Forums => General Discussion => Topic started by: klaasth on March 19, 2019, 01:53:11 PM

Title: Firewall rule: webtraffic
Post by: klaasth on March 19, 2019, 01:53:11 PM
I have been using Watchguard firewalls for the past few years. Since a couple of months ago I have been using an OPNsense appliance. In Watchguard you have the option to use "any-external".
So a rule for webtraffic firewall rule in Watchguard would be:
source: vlan-guest    destination: any-external  ports:80/443 TCP/UDP 

In OPNsense you don't have the any-external option, so this means you allow web traffic to all other VLANs as well (see the attached picture).

How can I define my web traffic rule more securely? (I don't wish to use proxies.)




Title: Re: Firewall rule: webtraffic
Post by: hbc on March 19, 2019, 03:10:28 PM
Create an alias with your internal networks, e.g. net_internal and change your rule to:


Proto          Source          Port          Destination      Port
IPv4 TCP/UDP   Wifi_Gast_net   1024:65535    !net_internal    ports_HTTP_HTTPS


Note the exclamation mark (!). In the rule you have to check the NOT checkbox. Then web traffic is only allowed to hosts outside (= not inside) your network.
Title: Re: Firewall rule: webtraffic
Post by: klaasth on March 20, 2019, 11:27:48 AM
Thanks for the info and tip.

Hbc, another question: Do you use this firewall rule for internet traffic? Does it mean that all connections with source ports 1024-65535 are allowed to the external network (WAN)?
I am used to only allowing traffic with destination ports 80 and 443 (HTTP/HTTPS), so the users on the guest network can only browse the web and not upload via FTP, etc. What is your advice?

Proto          Source          Port          Destination      Port
IPv4 TCP/UDP   Wifi_Gast_net   1024:65535    !net_internal    ports_HTTP_HTTPS
Title: Re: Firewall rule: webtraffic
Post by: hbc on March 20, 2019, 12:01:13 PM
I assume your alias ports_HTTP_HTTPS is defined like:
So all traffic with a source port in the range 1024:65535 to ports 80,443 is allowed. In your case only to external (= not inside) networks.

Except for some special protocols like DNS, NTP or IKE, clients should use unprivileged ports >1024 as the source port. Of course you can use 'any' as the source port, but at least for web traffic a source port below 1024 should never happen.

I use 1024:65535 for every rule as source port range and never had problems.
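To make the semantics of the two posts above concrete (the NOT checkbox on the destination alias, the unprivileged source-port range, and the fixed destination ports), here is an added example that is not from the thread or from the OPNsense project: a small first-match policy evaluator with pf-like semantics, run over constructed sample packets from the guest VLAN. The VLAN subnets, the external address and the alias contents are assumptions chosen for the example; the only real check is the ruleset loaded on your appliance (`pfctl -sr` and `pfctl -t <alias> -T show` in an OPNsense shell, or Firewall: Log Files: Live View). The `alias_gaps` helper shows the one mistake a practitioner should watch for with a negated alias: any local subnet missing from net_internal becomes reachable through the `!net_internal` rule.

```python
"""Model of the guest-VLAN web rule: pass Wifi_Gast_net -> !net_internal,
src port 1024:65535, dst port 80/443. Added example, not OPNsense code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Set

# Constructed sample addressing (assumption, not the poster's real layout).
LAN_NET = ip_network("192.168.10.0/24")
SERVER_NET = ip_network("192.168.20.0/24")
WIFI_GAST_NET = ip_network("192.168.30.0/24")
LOCAL_NETS = [LAN_NET, SERVER_NET, WIFI_GAST_NET]

# The alias hbc suggests: every internal network, including the guest VLAN itself.
NET_INTERNAL = [LAN_NET, SERVER_NET, WIFI_GAST_NET]
PORTS_HTTP_HTTPS = {80, 443}
UNPRIVILEGED = range(1024, 65536)  # 1024:65535 in the OPNsense rule


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: FrozenSet[str]       # e.g. {"tcp", "udp"}
    src: List[IPv4Network]
    sport: Optional[range]      # None = any source port
    dst: List[IPv4Network]
    dst_not: bool               # the NOT checkbox on the destination
    dport: Optional[Set[int]]   # None = any destination port


def in_any(addr: IPv4Address, nets: List[IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def matches(rule: Rule, proto: str, src: IPv4Address, sport: int,
            dst: IPv4Address, dport: int) -> bool:
    if proto not in rule.proto:
        return False
    if not in_any(src, rule.src):
        return False
    if rule.sport is not None and sport not in rule.sport:
        return False
    # NOT inverts the destination match: "!net_internal" hits only when
    # the destination is in none of the alias networks.
    if in_any(dst, rule.dst) == rule.dst_not:
        return False
    if rule.dport is not None and dport not in rule.dport:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, src: str, sport: int,
             dst: str, dport: int) -> str:
    """First match wins (OPNsense rules are 'quick' by default); default deny."""
    for r in rules:
        if matches(r, proto, ip_address(src), sport, ip_address(dst), dport):
            return r.action
    return "block"


def alias_gaps(alias: List[IPv4Network],
               local_nets: List[IPv4Network]) -> List[IPv4Network]:
    """Local subnets not covered by the alias. With a '!alias' destination,
    every subnet listed here is reachable from the guest VLAN."""
    return [n for n in local_nets if not any(n.subnet_of(a) for a in alias)]


GUEST_WEB = Rule("pass", frozenset({"tcp", "udp"}), [WIFI_GAST_NET],
                 UNPRIVILEGED, NET_INTERNAL, True, PORTS_HTTP_HTTPS)
RULES = [GUEST_WEB]

if __name__ == "__main__":
    ext = "203.0.113.10"  # constructed external address (TEST-NET-3)
    print(evaluate(RULES, "tcp", "192.168.30.25", 51000, ext, 443))
    print(evaluate(RULES, "tcp", "192.168.30.25", 51000, "192.168.20.5", 443))
    print(evaluate(RULES, "tcp", "192.168.30.25", 51000, ext, 21))
    print(alias_gaps([LAN_NET, WIFI_GAST_NET], LOCAL_NETS))
```

The last call is the check worth automating: if SERVER_NET were left out of net_internal, the guest rule would happily pass HTTPS to the server VLAN, and the live log would show it as allowed by the web rule rather than as a block.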
Title: Re: Firewall rule: webtraffic
Post by: klaasth on March 20, 2019, 02:12:53 PM
Thanks hbc, I changed my web traffic rules on every VLAN to unprivileged source ports and non-internal destinations and it works. Thanks!

hbc, so you are using a source port in every firewall rule? Either the source port is configured as unprivileged ports or as a specific port (DNS, NTP, ...).
Is there a list of protocols which use specific ports instead of unprivileged ports as the source port?

Thanks for the help and advice.

Title: Re: Firewall rule: webtraffic
Post by: hbc on March 20, 2019, 02:40:35 PM
Quote: Either the source port is configured as unprivileged ports or as a specific port (DNS, NTP, ...). Is there a list of protocols which use specific ports instead of unprivileged ports as the source port?

Well, there is no single list that shows protocols with special source ports, but if you run a restrictive firewall and just enable certain services, you can look up what the protocol you want to allow expects - and of course you can see in the firewall logs if there are protocols that need source ports <1024.

NTP: Src port 123/udp depends on mode https://www.inetdaemon.com/tutorials/internet/ntp/
IKE: Src port 500/udp is defined https://en.wikipedia.org/wiki/Internet_Key_Exchange
DNS: Src port 53/udp is pretty legacy. No modern DNS client or resolver should use fixed port 53 any more. I think you would even be safe with src ports >1024
NetBIOS-ns: Src port 137/udp https://wiki.wireshark.org/NetBIOS/NBNS

As a rule of thumb, I would go with src port >1024 for new protocol rules. If there are problems, you can check the live log and look at the source port.
Title: Re: Firewall rule: webtraffic
Post by: klaasth on March 22, 2019, 02:47:28 PM
Hbc, really thanks for all the info. Are there other firewall rule best practices like this any-external and unprivileged source ports that you can advise?