Recommendations for sensible ruleset?

dal8moc · 24 May 2023 19:27

Hi all,
I finally changed all firewall defaults to blocked. It was an eye opening experience how many connections the devices in my net wanted. And while I did block quite a few I have trouble defining rules for allowing traffic.
For instance in the telefonica net the wifi calling apparently uses IPSEC to connect to the o2 net (AS6805). I don’t see a workable approach to include all ipv4 addresses in that asn in a firewall rule. Of course I could allow port 500 to all outgoing targets. But that seems too wide a rule. Am I missing something here? Or am I to paranoid?

hvacguy · 24 May 2023 19:50

You are much braver than I.
I have not changed my default to blocked.
In this post Jon uses ASN to make a firewall rule.

Your first option of opening port 500 to the users that need it.
I find nothing wrong with that.
You could limit it to 1 County within red.

dal8moc · 24 May 2023 20:28

Thank you for the linked thread. The solution Jon applied there seems perfect - if one could use the match-set feature in the rules part on the WUI. I don’t want to modify the iptables directly.

The problem I see with opening port 500 might be negligible. But consider voip. The german carrier Deutsche Telekom (AS3320) apparently expects udp ports 1025-65535 open for RTP streams. As my phones are calling from green - yes I know, they should be isolated at least by vlan - I’d need to open the whole house instead of a couple of windows (ports). And since I can’t really specify all ipv4 addresses in that block as separate rules I’d open it to red. That more or less defeats the point of a firewall in my opinion. I did change the source part to the telephone ip though but I’m not particularly happy with such a rule.

Same points could be made for apple, amazon aws (tuya), microsoft (teams!), google etc. Still I’m pretty happy with forward blocking. And I strongly recommend that setting after you got a feeling for ipfire. It seems daunting at first. But since you can switch that behaviour instantly you could start slowly and add rules as you go.

hvacguy · 24 May 2023 23:00

This was a educational one for me.
About service groups
That is the way to go if you need multiple ports
to leave your LAN.

dal8moc · 25 May 2023 05:26

Thanks again. I already use the groups for port groups. I was looking into building groups for ASNs but that is a somewhat futile attempt. Especially as I‘m not sure how often the IP ranges belonging to an ASN change. And knowing me I probably will forget to manually update the list.

Another hurdle is the way you build host/network groups. You have to setup the single hosts/networks first and build the group afterwards. It might be a valid way but its to cumbersome for me. I mark your answer as a solution though.

jon · 25 May 2023 16:13

See:

output looks like this:

[root@ipfireAPU ~] # ASN=1
[root@ipfireAPU ~] # location list-networks-by-as --format=ipset --family=ipv4 ${ASN} > "/etc/ipset/AS${ASN}.ipset"
[root@ipfireAPU ~] # cat /etc/ipset/AS${ASN}.ipset
create AS1v? hash:net family inet hashsize       64 maxelem 1048576 -exist
flush AS1v?
add AS1v? 45.176.150.0/23
add AS1v? 91.225.188.0/22
add AS1v? 140.106.216.0/24
add AS1v? 140.106.223.0/24
add AS1v? 155.133.112.0/21
add AS1v? 205.207.214.0/24
add AS1v? 212.94.84.0/22
[root@ipfireAPU ~] #