Topic: Rookie firewall question (Read 2349 times)
DrGonzoNL (Newbie, Posts: 11, Karma: 0)
Rookie firewall question « on: May 02, 2020, 02:43:41 pm »
I have a rookie question about IP filtering using IP lists. When I follow the how-to for the Spamhaus drop list, I also have to make firewall rules on the WAN side. I am not intending to have open ports on the WAN side, maybe someday in the future but not for now. From what I understand, all incoming traffic will be blocked on the WAN side.
- If I add the rules on the WAN side it seems unnecessary, is that correct?
- If I add the rules to be future proof, would that impact performance? Does it impact RAM, for example?
Thanks for your help in advance!

Mitheor (Newbie, Posts: 36, Karma: 1)
Re: Rookie firewall question « Reply #1 on: May 02, 2020, 04:00:11 pm »
Hi,
could you please explain/link what rules we are talking about here?
Unless you have a service that will be listening in your OPNsense/LAN there is no need to create WAN.

DrGonzoNL (Newbie, Posts: 11, Karma: 0)
Re: Rookie firewall question « Reply #2 on: May 02, 2020, 04:07:58 pm »
Thanks for your reply, I have made aliases for several IP blocklists for extra security of my home network, following https://docs.opnsense.org/manual/how-tos/edrop.html. Some lists are Firehol3, Feodo, Spamhaus, Blocklist.de etc.
I have only added the rules to the LAN side, because I think the WAN side is not necessary. The link does let you also add the rules to the WAN side of the firewall, but that is completely closed anyway, so my guess is that would not be necessary.

Mitheor (Newbie, Posts: 36, Karma: 1)
Re: Rookie firewall question « Reply #3 on: May 02, 2020, 04:13:27 pm »
Ok, got it.
So, this is my opinion.
Outbound rules (LAN -> WAN) make sense because they protect your LAN devices from connecting to any of those "dangerous" IPs.
Inbound rules (WAN -> LAN) are not needed unless you have a service in your LAN listening (for example a webserver) and you want to protect it from being contacted by those IPs.
As you said, by default, any inbound traffic coming into your router will be dropped unless there is an existing session or an explicit rule allowing it.
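
The reasoning in Reply #3, as an added example that is not part of the original thread and is not OPNsense code: a simplified Python model of a stateful filter that compares verdicts with no blocklist rule, with the rule only on WAN, and with the rule only on LAN. The `Firewall` class, its parameters, the omission of NAT and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation-range prefixes stand in for blocklist entries.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def listed(ip):
    """True if ip falls inside any blocklist prefix."""
    return any(ipaddress.ip_address(ip) in net for net in BLOCKLIST)

class Firewall:
    """Hypothetical, simplified stateful filter (no NAT): LAN may connect out,
    WAN is default-deny except for optional open ports."""
    def __init__(self, block_on_lan=False, block_on_wan=False, wan_open_ports=()):
        self.block_on_lan = block_on_lan
        self.block_on_wan = block_on_wan
        self.wan_open_ports = set(wan_open_ports)
        self.states = set()  # (lan_ip, remote_ip, remote_port) of flows opened from LAN

    def lan_out(self, src, dst, dport):
        """New connection from a LAN host towards the internet."""
        if self.block_on_lan and listed(dst):
            return "block"               # blocklist rule on the LAN interface
        self.states.add((src, dst, dport))
        return "pass"

    def wan_in(self, src, sport, dst, dport):
        """Packet arriving on WAN; state matches are checked before any rule."""
        if (dst, src, sport) in self.states:
            return "pass"                # reply to a session a LAN host opened
        if self.block_on_wan and listed(src):
            return "block"               # blocklist rule on the WAN interface
        if dport in self.wan_open_ports:
            return "pass"                # explicit inbound rule, e.g. a web server
        return "block"                   # default deny

def demo():
    """Verdicts for (unsolicited inbound, LAN host dials listed IP, its reply)."""
    bad, host = "192.0.2.7", "192.168.1.10"
    configs = {"none": {}, "wan_only": {"block_on_wan": True},
               "lan_only": {"block_on_lan": True}}
    out = {}
    for name, kw in configs.items():
        fw = Firewall(**kw)
        out[name] = (fw.wan_in(bad, 4444, host, 22),
                     fw.lan_out(host, bad, 443),
                     fw.wan_in(bad, 443, host, 50000))
    return out

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9} {verdicts}")
```

With no open WAN ports, the "none" and "wan_only" rows are identical, and only the LAN-side rule stops a LAN host from reaching a listed address; the WAN rule starts to matter once `wan_open_ports` is non-empty.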

DrGonzoNL (Newbie, Posts: 11, Karma: 0)
Re: Rookie firewall question « Reply #4 on: May 02, 2020, 04:22:08 pm »
Thanks for verifying!

Mitheor (Newbie, Posts: 36, Karma: 1)
Re: Rookie firewall question « Reply #5 on: May 02, 2020, 04:22:49 pm »
You're welcome