Allow any to WAN rule, what protocols and why?

Started by senser, August 06, 2020, 08:37:04 AM

Generally you would only need to allow TCP/UDP to any on WAN for a home router, I guess... but the default is to allow all protocols. The list of those protocols is long; many of them I have no clue about. Wouldn't it be better for me to allow TCP/UDP only? Thanks.

What I think you are referring to is whitelisting only what you need, and everything else is blacklisted?

I just did this, since that is how I like it. I made a bunch of mistakes on the way, so I say this: Are you sure you need to?

If you are only running the most normal vanilla stuff, you need to allow ports:
80 - HTTP
443 - HTTPS
53 - DNS or 853 for DNS-over-TLS (Unbound Plus)

Maybe:
123 - NTP

That's about it. But are you sure you want to walk down this very narrow road?

Yes, I wonder if I should be more strict and allow only TCP/UDP to Any on WAN instead of all protocols, or if that is a bad idea.

I don't want to allow only certain ports, that is too tedious. :)

I do not see the point in only allowing UDP/TCP ports - not worth it at all.

As I wrote, I have done a lot to get into a "whitelist" kind of installation, and man, it is still giving me problems (with MultiWAN for the moment; everything else seems to work). So I say this: Don't do it.

As long as you don't understand what you are doing: Don't do it. ;-)

That said: for normal browsing port 80/443 and TCP(/UDP) (plus DNS via OPNsense port 53) is enough. But only you know what all your clients need on your network.
Kind regards,
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
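To make the "whitelist only what you need" policy from the thread concrete, here is a small added example (not from the forum or from OPNsense itself) that simulates first-match rule evaluation over the ports listed above (80, 443, 53/853, 123) with a final block-all, next to the default allow-all, and checks both against a few constructed client flows. The flow list and rule encoding are my own assumptions.

```python
# Added example: simulate the outbound whitelist discussed in the thread
# and compare it with the default "allow all" rule. Not OPNsense code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp", or "any"
    dport: Optional[int]   # destination port, None = any port

    def matches(self, proto: str, dport: int) -> bool:
        proto_ok = self.proto == "any" or proto in self.proto.split("/")
        port_ok = self.dport is None or self.dport == dport
        return proto_ok and port_ok

# Whitelist from the thread: web, DNS (plain or DNS-over-TLS), NTP;
# a trailing block-all rule catches everything else.
WHITELIST = [
    Rule("pass", "tcp", 80),
    Rule("pass", "tcp", 443),
    Rule("pass", "tcp/udp", 53),
    Rule("pass", "tcp", 853),
    Rule("pass", "udp", 123),
    Rule("block", "any", None),
]

# The default outbound policy the original poster is comparing against.
ALLOW_ALL = [Rule("pass", "any", None)]

def evaluate(rules, proto: str, dport: int) -> str:
    """Return the action of the first matching rule (first-match, like an
    OPNsense rule with 'quick' set); implicit block if nothing matches."""
    for rule in rules:
        if rule.matches(proto, dport):
            return rule.action
    return "block"

# Constructed sample flows from a LAN client. The last three are the kind
# of traffic that silently breaks once only the listed ports are allowed.
SAMPLE_FLOWS = [
    ("tcp", 443), ("udp", 53), ("tcp", 853),
    ("tcp", 587),   # mail submission (SMTP)
    ("udp", 500),   # IKE for a VPN client
    ("icmp", 0),    # ping / path MTU discovery: no port, neither TCP nor UDP
]

def audit(rules, flows=SAMPLE_FLOWS) -> dict:
    """Map each (proto, port) flow to the action the rule set gives it."""
    return {flow: evaluate(rules, *flow) for flow in flows}
```

Running `audit(WHITELIST)` and `audit(ALLOW_ALL)` side by side shows exactly which client traffic the stricter policy drops, which is the inventory chemlud suggests doing before switching.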