 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] LAN rule suggestions
 Date:  Tue, 3 Apr 2007 20:37:26 -0400
On 4/3/07, Kurt Mahan <kmahan at xmission dot com> wrote:
> I'm looking for some advice/suggestions/pointers.
> Currently I'm running m0n0wall 1.23 on a WRAP 3 port board.  It works great!
> The DMZ is configured according to the faq article.  All my external facing
> services live in there.  No need to talk to the LAN.
> The default LAN setting is working but it allows everything to exit the
> firewall.  Several articles I've read suggest restricting outgoing packets
> from the LAN to prevent viruses and such from contacting their mothership.
> My LAN has a mix of Linux and Windows boxen.  Any suggestions/examples of
> LAN rulesets?  Any popular ports used by viruses to close?

You're looking at this the wrong way - default allow and block bad
stuff is bad.  The default LAN rule on m0n0wall is allow all, because
it's easier that way and that's the default behavior of most
firewalls. It's not a good idea though.

What you should do is figure out what you need and only permit that.
Default deny and allow only specifically what you require is always
the best thing for security, whether it's a firewall or anything else.
And be as specific and restrictive as possible. If you have an
internal mail server, only allow SMTP outbound from that mail server.
Stuff like that. Enabling logging to a syslog server, and temporarily
enabling logging on your LAN allow rule, may help you figure out
exactly what you need to permit. That'll generate a lot of log data
though, so it's probably not something you want to do long term.
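To turn that temporary logging into a candidate ruleset, here is an added example (it is not part of this thread and not m0n0wall's own code): a Python script that reads firewall log lines received by a syslog server, counts what each LAN host actually talked to, and prints one pass rule per (host, protocol, destination port), most-used first. The log lines in the script are constructed for the example and follow the general shape of ipfilter's ipmon output; that shape, the `ipmon[...]` syslog tag and the `sis0` interface name are assumptions, so adjust `LOG_RE` to match what your syslog server really receives.

```python
"""Summarize logged LAN allow-rule hits into a candidate per-host allow-list.

Added example for this thread; not m0n0wall's own code.  The sample log
lines are constructed and follow the general shape of ipfilter's ipmon
output as relayed over syslog; that format is an assumption, so adjust
LOG_RE to match what your syslog server actually receives.
"""
import re
from collections import Counter

# Constructed sample: a few seconds of "pass" hits from a logged LAN
# allow-all rule.  Off-LAN addresses are from documentation ranges.
SAMPLE_LOG = """\
Apr  3 20:31:02 m0n0wall ipmon[87]: 03/04/2007 20:31:02.101 sis0 @0:9 p 192.168.1.25,49152 -> 203.0.113.10,25 PR tcp len 20 60 -S IN
Apr  3 20:31:05 m0n0wall ipmon[87]: 03/04/2007 20:31:05.220 sis0 @0:9 p 192.168.1.25,49153 -> 203.0.113.10,25 PR tcp len 20 60 -S IN
Apr  3 20:31:07 m0n0wall ipmon[87]: 03/04/2007 20:31:07.300 sis0 @0:9 p 192.168.1.40,49200 -> 198.51.100.7,80 PR tcp len 20 60 -S IN
Apr  3 20:31:09 m0n0wall ipmon[87]: 03/04/2007 20:31:09.415 sis0 @0:9 p 192.168.1.40,49201 -> 198.51.100.7,443 PR tcp len 20 60 -S IN
Apr  3 20:31:12 m0n0wall ipmon[87]: 03/04/2007 20:31:12.500 sis0 @0:9 p 192.168.1.40,1025 -> 192.168.1.1,53 PR udp len 20 60 IN
Apr  3 20:31:15 m0n0wall ipmon[87]: 03/04/2007 20:31:15.610 sis0 @0:9 p 192.168.1.77,3333 -> 198.51.100.99,6667 PR tcp len 20 60 -S IN
Apr  3 20:31:18 m0n0wall ipmon[87]: 03/04/2007 20:31:18.650 sis0 @0:9 p 192.168.1.40 -> 198.51.100.7 PR icmp len 20 84 icmp 8/0 IN
Apr  3 20:31:20 m0n0wall ipmon[87]: 03/04/2007 20:31:20.700 sis0 @0:9 p 192.168.1.25,49154 -> 203.0.113.10,25 PR tcp len 20 60 -S IN
"""

# Fields pulled from an ipmon-style line: action (p = pass, b = block),
# source host/port, destination host/port and protocol.  ICMP lines carry
# no ports and are deliberately left unmatched (they are counted as skipped).
LOG_RE = re.compile(
    r"ipmon\[\d+\]: \S+ \S+ (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>[a-z]+)"
)


def parse_line(line):
    """Return the fields we care about, or None if the line does not look
    like a logged TCP/UDP packet."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def summarize(log_text):
    """Count passed packets by (source host, protocol, destination port).

    Returns (counter, skipped); skipped is the number of lines that did not
    parse (ICMP, unrelated syslog traffic, truncated lines).
    """
    hits = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["action"] != "p":      # only traffic the allow rule let through
            continue
        hits[(rec["src"], rec["proto"], rec["dport"])] += 1
    return hits, skipped


def propose_rules(hits, min_hits=1):
    """Turn the counts into per-host, per-port pass rules, most-used first.

    One rule per (host, proto, port) keeps the ruleset as specific as the
    reply recommends, e.g. SMTP only from the host that actually sends mail.
    """
    rules = []
    for (src, proto, dport), n in hits.most_common():
        if n < min_hits:
            continue
        rules.append({"src": src, "proto": proto, "dport": dport, "hits": n})
    return rules


def render(rules):
    """One text line per rule, in the order they would be entered (pass
    rules first; the default deny follows)."""
    return [
        f"pass {r['proto']} from {r['src']} to any port {r['dport']}  # {r['hits']} hit(s)"
        for r in rules
    ]


if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE_LOG)
    for line in render(propose_rules(hits)):
        print(line)
    print(f"# {skipped} line(s) not parsed (ICMP or non-packet lines)")
```

Read the output by hand before entering anything in the GUI: it is a list of what the LAN did while the allow-all rule was logged, not a list of what it should be allowed to do. In the constructed sample the IRC port (6667) from 192.168.1.77 shows up with the same weight as DNS and HTTP; surfacing that kind of entry so you can decide on it is the point of the exercise, and raising `min_hits` only hides it.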