Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Rookie firewall question
« previous
next »
Print
Pages: [
1
]
Author
Topic: Rookie firewall question (Read 2351 times)
DrGonzoNL
Newbie
Posts: 11
Karma: 0
Rookie firewall question
«
on:
May 02, 2020, 02:43:41 pm »
I have a rookie question about IP-Filtering using IP-lists. When I follow the how to for Spamhaus drop list, I also have to make Firewall rules on the WAN side. I am not intending to have open ports on the WAN side, maybe someday in the future but not for now. From what I understand all incoming traffic will be blocked on the WAN-side.
- If I add the rules on the wan side it seems unneccesary, is that correct?
- If I add the rules to be future proof, would that impact performance? Does it impact RAM per example?
Thanks for your help in advance!
Logged
Mitheor
Newbie
Posts: 36
Karma: 1
Re: Rookie firewall question
«
Reply #1 on:
May 02, 2020, 04:00:11 pm »
Hi,
could you please explain/link what rules are we talking about here?
Unless you have a service that will be listening in your OPNSense/LAN there is no need to create WAN.
Logged
DrGonzoNL
Newbie
Posts: 11
Karma: 0
Re: Rookie firewall question
«
Reply #2 on:
May 02, 2020, 04:07:58 pm »
Thanks for your reply, I have made aliases for several IP blocklists for extra security of my home network. Following
https://docs.opnsense.org/manual/how-tos/edrop.html
. Some list are Firehol3, Feodo, Spamhaus, BLocklist.de etc.
I have only added the rules to the LAN side, because I think the WAN side is not necessary. The link does let you also add the rules to the WAN side of the firewall but that is complete closed anyways, so my guess is that would not be necessary.
Logged
Mitheor
Newbie
Posts: 36
Karma: 1
Re: Rookie firewall question
«
Reply #3 on:
May 02, 2020, 04:13:27 pm »
Ok, got it.
So, this is my opinion.
Outbound rules (LAN -> WAN) make sense because they protect your lan devices from connecting to any of those "dangerous" IP.
Inbound rules (WAN -> LAN) are not needed unless you have a service in your lan listening (for example a webserver) and you wan´t to protect it from being contacted by those IPs.
As you said, by default, any inbound traffic coming into your router will be dropped unless there is an existing session or an explitit rule allowing it.
Logged
DrGonzoNL
Newbie
Posts: 11
Karma: 0
Re: Rookie firewall question
«
Reply #4 on:
May 02, 2020, 04:22:08 pm »
Thanks for verifying!
Logged
Mitheor
Newbie
Posts: 36
Karma: 1
Re: Rookie firewall question
«
Reply #5 on:
May 02, 2020, 04:22:49 pm »
You´re welcome
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Rookie firewall question