Thread: improve ruleset
Old 21st January 2010
jggimi

Wesley, that is a clear and easy to read set of rules; nice job!

The following are for consideration; they are just my suggestions:

  • I prefer block-policy return to block-policy drop. From my experience, such "stealth" settings do not hide your system from port scanning script kiddies very well, and cause delay to legitimate users who either select the wrong port or the right port when a service is down. And, in the same way, I permit ICMP traffic to flow both ways, not just outbound, as you have.
  • Syntax error?
Code:
pass in quick on { !$wifi, !dmz } proto tcp from $lan:network
pass in quick on { !$wifi, $dmz } proto udp from $lan:network
The first line has "!dmz" and the second line has "$dmz".
  • I do not allow unrestricted SMTP output, as you have for your LAN users. I only permit TCP traffic to destination port 25 with a limited number of valid MTAs. This is to prevent any platform on my networks from becoming an effective spam-spewing robot. They may still get p0wned, but they will not be able to simulate being their own MTA and spew spam randomly; any e-mail output must go through a valid MTA, where such things should be quickly noticed.

Last edited by jggimi; 21st January 2010 at 07:16 PM.
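The first and third suggestions above, written out as a pf.conf fragment. This is an added example, not a ruleset from the thread; the interface names, the macro names and the MTA addresses in the <mtas> table are placeholders.

```pf
# Added example (not from the thread): block-policy return, ICMP in both
# directions, and SMTP from the LAN restricted to known MTAs.
# Interface names and MTA addresses below are placeholders.
ext_if = "em0"
lan    = "em1"

# MTAs that LAN hosts are allowed to hand mail to (placeholder addresses)
table <mtas> const { 192.0.2.25, 192.0.2.26 }

# Send TCP RST / ICMP unreachable instead of silently dropping, so a
# wrong port or a down service fails fast for legitimate clients.
set block-policy return

# Default deny, logged
block log all

# ICMP echo in both directions, not only outbound
pass in  quick inet proto icmp icmp-type { echoreq, echorep }
pass out quick inet proto icmp icmp-type { echoreq, echorep }

# Weak setting (what the post objects to): any LAN host may speak SMTP anywhere
# pass in quick on $lan proto tcp from $lan:network to any port 25

# Corrected: SMTP only to the listed MTAs; anything else to port 25 is
# blocked and logged, which is where a spam-spewing host shows up.
pass  in quick on $lan proto tcp from $lan:network to <mtas> port 25
block in quick log on $lan proto tcp from $lan:network to any port 25

# Remaining LAN traffic out to the Internet
pass in  quick on $lan proto { tcp, udp } from $lan:network
pass out quick on $ext_if from $lan:network
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; with `quick`, the pass to <mtas> must come before the blanket port 25 block, as shown.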