
Firewall rules, how do you do yours..

Good morning all,

Out of interest, how do people form their rules on the XG V18 firewall within a home environment? I'm currently doing a device / vendor type mapping using MAC lists. So Ring cameras are within a MAC list and then I've got a rule just for the Ring devices and required ports. I did consider separating rules into separate ports, but rule bloat potentially. We'll see...

Same for Nest, same for kitchen appliances etc.

The machine I have for XG Home is a Dell R220, so plenty of grunt as I've only got an ADSL 70/20 connection.

Currently circa 25 devices on the network, but will grow significantly if I can find wireless light switches rather than the bulb route etc. Yes more risk, but the rules will be nailed in a way that they can talk on non-required ports.

IOT VLAN can only talk out to the WAN, not cross subnets/VLAN etc.

Sticky MAC is also on some of the switch ports re wired devices.

OTT for home, but then why not. Not something I'd deploy to my parents TBH, I'm probably going to put my spare Untangle device in for their connection mainly for the web filtering etc.

Cheers,

Mike
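A small first-match model of the rule scheme described above (MAC-list device groups, only the required ports, IoT VLAN allowed out to the WAN but not across VLANs), added here as an illustration and not Sophos XG configuration or the poster's own rules; the MAC addresses, subnets and per-vendor port list are constructed placeholders. Each decision returns the name of the rule that fired, which is the "individual rules are easier to debug" point in practice.

```python
from ipaddress import ip_address, ip_network
from typing import Callable, NamedTuple

# Constructed sample data: device groups expressed as MAC lists, as in the post.
MAC_LISTS = {
    "ring": {"d0:00:00:00:00:01", "d0:00:00:00:00:02"},
    "nest": {"18:00:00:00:00:0a"},
}
# Placeholder "required ports" per vendor group (proto, dport); not real vendor requirements.
REQUIRED_PORTS = {
    "ring": {("tcp", 443), ("udp", 123)},
    "nest": {("tcp", 443), ("tcp", 5228)},
}
IOT_VLAN = ip_network("192.168.20.0/24")  # assumed IoT VLAN addressing


class Flow(NamedTuple):
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def is_wan(ip: str) -> bool:
    # Anything outside RFC 1918 space counts as "out to the WAN" for this model.
    return not ip_address(ip).is_private


def vendor_rule(group: str) -> Callable[[Flow], bool]:
    # One rule per MAC list: matching device, WAN destination, listed port only.
    return lambda f: (f.src_mac in MAC_LISTS[group]
                      and is_wan(f.dst_ip)
                      and (f.proto, f.dport) in REQUIRED_PORTS[group])


# Ordered rule table: first match wins. The cross-VLAN drop sits above the
# vendor allows so an IoT device can never reach another subnet.
RULES = [
    ("IoT no cross-VLAN", lambda f: ip_address(f.src_ip) in IOT_VLAN and not is_wan(f.dst_ip), "DROP"),
    ("Ring egress", vendor_rule("ring"), "ACCEPT"),
    ("Nest egress", vendor_rule("nest"), "ACCEPT"),
    ("default deny", lambda f: True, "DROP"),
]


def evaluate(flow: Flow) -> tuple:
    """Return (rule name, action) for the first matching rule."""
    for name, match, action in RULES:
        if match(flow):
            return name, action
    raise AssertionError("unreachable: default deny always matches")
```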



  • Hi Mike,

    I will start the ball rolling for you. My client count is a bit high because I have IP4 and IPv6 and the XG currently cannot handle the same device with two IP addresses.

    I like to experiment with rules and policies so my counts might be a bit higher than a typical home user.

    I have 3 LAN networks on 3 separate interfaces

    1/. IoT with separate AP

    2/. VoIP using a VLAN

    3/. a general device network.

     

    The IoT has a firewall rule for the weird ones that must connect to the internet server to provide access and most of them have extra port requirements. Also covers printers, TV, Foxtel and media player.

    Some use the web proxy without issues others require exceptions or use the SSL/TLS.

    VoIP, two phones to different phone companies, a generic rule covering both with specific FQDN to the phone company servers.

    The general access has

    1/. a rule with specific clients to cover mail scanning

    2/. a rule that again covers specific clients for HTTPS scanning

    3/. a general rule allowing access to the IoT servers

    4/. a rule for iPhones and iPad because I cannot get them to work with the HTTPS scanning, some applications are just plain grumpy.

     

    Then there are rules

    1/. for NTP

    2/. redirect dud DNS queries

    3/. inter LAN access to support IoT devices but only from specific devices.

    Finally there are a limited number of IPv6 rules because XG IPv6 does not provide the same level of firewall support as IP4.

    I find debugging device access is easier with individual rules.

    Ian

  • All makes sense and agree re easier troubleshooting with individual rules.

    Still not sure whether to use web content policies, IPS etc. for Samsung TVs etc. They're locked to the required ports and such. I originally had the content filtering categories set the same across the network segments, no porn etc. However as I'm doing MAC list based rules, now thinking of turning off web filtering on the various IOT/AV devices, but leaving it on for the end user devices etc.

    I did consider doing a global NTP rule, but decided for the moment I'm sticking with per device requirement etc.

  • Hi Mike,

    if you do any web surfing from your AV devices I would suggest you will need web policies to scan the URLs and IPS because some sites send junk. One of the TVs was always being attacked, not sure why?

    IoT devices need the most protection because they have very poor security and in a lot of cases use the suppliers' servers which are located throughout the world and are susceptible to being hacked.

    Just my thoughts.

    Ian