Hi!
Just wondering whether it makes any sense to use IP Block Lists on a WAN interface that has no open ports at all?
What’s your opinion?
The IP Address Blocklists block both incoming and outgoing. So it might still be worth having enabled.
You should look at which sort of IP Blocklist makes sense for outgoing protection for your specific network, depending on its critical aspects. Then you can turn on those IP Blocklists and see what sort of outgoing hit rate you get from the IP Blocklists Logs and, based on that, decide whether to keep using the blocklist or not for your particular network circumstances.
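One way to put a number on the "outgoing hit rate" step described above before deciding whether a list stays enabled, as an added example that is not part of the original thread and does not use IPFire's own log format: it parses candidate feeds in the common one-entry-per-line text format (comments and bare addresses allowed), matches every observed outbound flow against each list, and reports hits, hit rate and which LAN hosts produced them. The feed names, ranges (RFC 5737 / RFC 3849 documentation addresses) and flow records are constructed for the example.

```python
"""Estimate the outgoing hit rate of candidate IP blocklists against observed
outbound flows.

Everything below (list names, ranges, flows) is constructed for this example
using documentation address space; it is not a real feed or real traffic.
"""
import ipaddress
from collections import Counter

# Constructed blocklist feeds in the usual text format: one IP or CIDR per
# line, blank lines and '#' comments allowed.
FEEDS = {
    "botnet_c2": """
        # C2 servers (constructed)
        203.0.113.0/24
        198.51.100.7          # bare address, treated as a single host
        2001:db8:bad::/48
    """,
    "ad_trackers": """
        192.0.2.0/25
    """,
}

# Constructed outbound flow records: (LAN source, destination, dst port).
OUTBOUND_FLOWS = [
    ("10.0.1.20", "203.0.113.45", 443),
    ("10.0.1.20", "192.0.2.200", 443),
    ("10.0.1.31", "198.51.100.7", 6667),
    ("10.0.1.31", "192.0.2.10", 80),
    ("10.0.1.42", "192.0.2.77", 443),
    ("10.0.1.42", "203.0.113.8", 8080),
    ("2001:db8:1::50", "2001:db8:bad::1", 443),
    ("10.0.1.60", "192.0.2.150", 123),
]


def parse_feed(text):
    """Parse a feed into ip_network objects, ignoring blank lines and comments.
    Bare addresses become /32 or /128 networks; malformed lines are skipped
    so one bad entry does not discard the whole list."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def matching_lists(dst, compiled):
    """Return the names of every list containing dst. ipaddress returns False
    for a v4 address tested against a v6 network (and vice versa), so mixed
    feeds are safe to check."""
    addr = ipaddress.ip_address(dst)
    return [name for name, nets in compiled.items()
            if any(addr in net for net in nets)]


def hit_report(flows, feeds):
    """Per list: hit count, share of all outbound flows, and the LAN hosts
    that produced the hits (the hosts are what you would investigate)."""
    compiled = {name: parse_feed(text) for name, text in feeds.items()}
    hits, hosts = Counter(), {}
    for src, dst, _port in flows:
        for name in matching_lists(dst, compiled):
            hits[name] += 1
            hosts.setdefault(name, set()).add(src)
    total = len(flows) or 1
    return {
        name: {"hits": hits[name],
               "rate": hits[name] / total,
               "hosts": sorted(hosts.get(name, ()))}
        for name in feeds
    }


if __name__ == "__main__":
    for name, r in hit_report(OUTBOUND_FLOWS, FEEDS).items():
        print(f"{name:12s} hits={r['hits']} rate={r['rate']:.0%} hosts={r['hosts']}")
```

A list that fires often but only from one or two internal hosts points at those hosts; a list that never fires on your traffic is costing you lookups for nothing and can be dropped.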
But such a config will only protect malware-infected internal clients from connecting to bot hosts. It will not strengthen the WAN interface (and so the LAN) against incoming threats.
That is correct.
But it would… at least let you know you had bots attempting to communicate.
Moreover, if you have a lot of IoT devices on the green, blue, orange, etc. rails, you will see what they are actually using/communicating on, no?
Yes, you may try to find a list covering servers for little stuff like WiFi plugs or lamps.
Sounds like a job for Wireshark or tcpdump?
I just add a firewall rule blocking the server access. The drawback is that it will also block NTP queries and updates, but you can always add a rule to allow red to access a public time server (if needed). Then authorise only known IP addresses that would connect by VPN or IPsec.