@Antibiotic said in Port restriction rule!:
estrict ports to expose to world ( do not leave WAN )
There is a huge difference in expose to world, ie allow that unsolicited inbound to your wan from the internet, or forwarded inbound to something behind the internet, and allow a client outbound to the internet that wants to talk on those ports.
The checklist is worded horrible in making that distinction - and the references are from 2000,2001..
But you do you.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. Or of blocking doesn't really matter if you have no allow between them... Some of that stuff makes no sense to be honest... Block 80/443 except for external webservers.. Well no shit, where else would you be going to for webservers.. And your firewall wouldn't blocking traffic for stuff on your own network talking to each other.
That is a pretty dated horribly written guide from 2000, I wouldn't given it to much credence to be honest.. BGP.. What on your network would be talking outbound to the internet via BGP? They list ntp as port 37.. That is the old timeservice and hasn't been used in like forever. Then they also list NTP on 123..
Out of the box pfsense does not "expose" anything to the world - the wan is default deny and their are no rules.. Nothing is getting to pfsense or stuff behind it, unless pfsense or something behind it requested the conversation.
It says to block ping.. You want to block your clients from pinging something out on the internet? Mentions dns TCP, that is not only used for zone transfer, that is used when the response is too big for UDP as well.. They mention finger, you worried about blocking outbound to finger, what the maybe 2 servers still running that - if any ;)