OPNsense Forum

English Forums => General Discussion => Topic started by: Noctur on March 06, 2016, 12:05:17 am

Title: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
Post by: Noctur on March 06, 2016, 12:05:17 am
I'm new to firewalls, trying to install opnsense for my home network. I've installed opnsense - great and easy process. I'm ready to install openvpn tunnel, suricata and have already had some success with getting them going. But, because I have absolutely no experience with firewalls - I've simply relied on the home router/ap firewall - I don't know where to begin with the firewall rules.

I've spent several days scouring this site and others looking for an initial set of firewall rules that would be helpful for a home user with no experience, but have not been able to find a clear stepwise guide. The rules out there all appear to be additional setups for those who already have their set in place and want to enhance for additional function.

My request is this:

1) If I've missed an initial firewall rules setup guide, would you please list a link and I'll pursue it myself without additional bother to others. Out of the box it appears that opnsense doesn't have any basic rules and doesn't provide internet access and doesn't seem to provide a beginner's settings in the online documentation.

2) If one doesn't exist, would someone please give an example, then list the several modes that should be blocked by a home user? I've found one guide that suggests 'block all on WAN', then lists the various ports that should be opened on the LAN and have followed it, but I am unable to get internet access through. It seems there aren't any 'pass' rules in the WAN tab that allow anything through.

I just don't know where to start. But, I suggest there is a demand for a basic settings tutorial that gets it installed, basic rules in place, and passes internet. There are lots of people interested in doing this now. Check Kickstarter or Indiegogo for the small, dedicated security appliances that are being funded because there isn't a simple 'how-to' for the basic home user to set up an opnsense firewall/appliance. They're all interested in a higher degree of security than what is offered by their router/ap.

If the reason something like this doesn't already exist is because the intent is to sell preconfigured appliances or consulting services please let me know and I'll go away. TIA
Title: Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
Post by: phoenix on March 06, 2016, 08:17:44 am
The simple answer is there is no "one size fits all" solution for a firewall and it requires you to do some research about what a firewall is and what you can do with it, this is a complex subject with a steep learning curve (if you're new to firewalls).

If you've successfully installed OPNsense then you should have a firewall that will allow you to surf the internet and not have anything nasty making connections to any machines on your LAN. I assume you do have internet access at the moment?  Other than that you'll have to give some information about what you're trying to do, what machines on your LAN do you need to expose to the internet etc., etc.

As for your comment about there not being any "pass rules for the WAN", the feature you're looking for (in any firewall) is NAT - Network Address Translation. You'll find a page in the Web UI for that under Firewall/NAT or just enter 'nat' in the search box in the top-right corner of the UI.
Title: Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
Post by: Noctur on March 06, 2016, 06:03:51 pm
Thank you for your reply. It has pointed me in a direction for more study - NAT.

As for firewall rules and devices behind the firewall needing a pass rule, being a home network and probably typical of 99.9% of all home networks, there's nothing that needs to present a face to the internet as yet. I'm not running a web server or streaming video or hosting torrents. I absolutely understand that there's no one 'right' setup for all. But there's probably a 'good' default solution for the home user. If we start with 'good' then the curious user can research over time and with increased use familiarity to get into the configuration intricacies.

Thank you again for your reply.

Let me suggest for discussion by the seniors and opnsense founders that you should consider providing a version, or an installation menu choice, that will meet the needs of 99% of the home network users like me that provides a good, basic firewall that works out of the box to pass internet to internal network without requiring someone knowing or finding a post that they have to tick the 'enable DNS forwarding' option (or similar) buried in the system settings to get it to work. The major expansion in opnsense's user base will come from the unwashed newbs like me who recognize the need for improved security and don't know the first thing about how to enable it. IT professionals have already made their choice in open source firewall systems.
Title: Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
Post by: phoenix on March 06, 2016, 06:13:00 pm
As I mentioned earlier, if you have no need of ports being open or anything being forwarded to the LAN then the initial configuration will allow you to surf the internet and stop anything nasty getting in - that is the default configuration. You'll see what the default rules are when you look at the NAT pages in the UI.

OPNsense is still a relatively new project although it is a fork of PFsense so if you're in need of more comprehensive documentation you should take a look at the PFsense pages and you'll get the idea of what's possible. The documentation for OPNsense is available via the main page but it's still a work in progress. You can also take a look at some of these sites: http://preview.tinyurl.com/OPNsense - they'll give you an idea about configuring OPNsense through the web UI. Don't forget to take a backup of your configuration before you make changes to the firewall.
Title: Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
Post by: franco on March 07, 2016, 07:21:44 am
Don't forget to take a look at the new docs, they are already quite comprehensive and are being further extended for 16.7:

https://docs.opnsense.org/
Title: Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
Post by: phoenix on March 07, 2016, 12:11:20 pm
Quote from: franco on March 07, 2016, 07:21:44 am
Don't forget to take a look at the new docs, they are already quite comprehensive and are being further extended for 16.7:

https://docs.opnsense.org/

Oops, sorry about that, I thought I'd included a link for the docs. :( I must say the documentation is moving along quite well and is extremely easy to read and understand. :) Now if only I could sort out my VLAN problem but that's for another thread.