When it comes to firewalls, one has to understand how they function in order to build coherent rules for them. It really helps to understand the TCP/IP stack pretty thoroughly, and to understand at what level the rule/filter is enforced.
Sorry if this gets wordy.
For me the easiest way to do this is draw pictures with boxes and arrows.
A box for the firewall, a box for "my system"
Arrow into/out of the firewall to "the internet"
Arrow into/out of the firewall from/to "my system"
Arrows are the traffic
Start with "default deny": that means unless explicitly allowed, it will not happen.
pf is "Last match wins" (unless you use quick), so at the top you start with deny all.
Then you ask:
What do I need to allow, in what direction?
Default deny means inbound connections that originate from outside will be rejected
Inbound connections that are a response to OUTBOUND flows (flows that originate inside your network)
Now stand on your firewall and face your internal systems and ask yourself: What do I need to allow?
DNS, NTP, SSH (outbound), HTTP, HTTPS, email. Think about them all; think about TCP/UDP, IPv4, IPv6?
I don't recall exactly how many, but doing this a functional workstation "needed" 10 or 12 ports/services open in the firewall.
Toss in NAT and your ruleset isn't that big or complex.
This is only for allowing traffic out. Traffic inbound originating from outside is still blocked.
You're still standing on your firewall, now turn around and face the world. Ask "Do I need to allow anything originating from out there?" If no, you're done. If yes, you need to think about what and how to pass it through.
Anyway, I've never been fond of a GUI tool to provision my firewall. I understand the appeal, but prefer drawing pictures and using text editors.
With firewall rules, you should be able to pretend you're a packet of type ABC, walk the rules and get "allow/deny". If you can't walk your rules, it's likely too complicated.
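The "pretend you're a packet and walk the rules" exercise, as an added example that is not part of the original post and is not pf itself: a small Python model of pf's evaluation order (last matching rule wins, unless the matching rule is marked `quick`, which ends evaluation) together with stateful return traffic (a reply to a flow that started inside is passed by the state entry, not by any rule). The ruleset mirrors the post's shape, default deny at the top and a handful of outbound services below it; the rules, the hostnames, the addresses (from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and the deliberately misplaced `pass in` line at the bottom are all constructed for the example.

```python
"""Pretend to be a packet and walk a default-deny, pf-style ruleset.

Added illustration, not code from the original post and not pf itself.
It models two things the post relies on: pf's "last matching rule wins,
unless that rule is marked quick" evaluation order, and stateful return
traffic (a reply to a flow that started inside is passed by the state
entry, never by a rule).  Rules, hosts and ports below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# (proto, inside host, outside host, outside port) for flows that left the box
StateKey = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", as seen from the firewall
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False              # stop evaluating when this rule matches
    keep_state: bool = False         # remember outbound flows so replies pass
    text: str = ""                   # the equivalent pf.conf line, for the trace

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def pass_out(proto: str, port: int, name: str) -> Rule:
    """Outbound allow for one service, with state kept for the replies."""
    return Rule("pass", "out", proto, port, keep_state=True,
                text=f"pass out proto {proto} to port {port} keep state  # {name}")


# Constructed ruleset in the shape the post describes: deny everything at the
# top, then allow the handful of services a workstation needs outbound.
RULESET = [
    Rule("block", text="block all                             # default deny"),
    # quick: this match is final; a later "pass in" to 22 cannot override it
    Rule("block", "in", "tcp", 22, quick=True,
         text="block in quick proto tcp to port 22   # no ssh from outside"),
    pass_out("udp", 53, "DNS"),
    pass_out("udp", 123, "NTP"),
    pass_out("tcp", 22, "SSH"),
    pass_out("tcp", 80, "HTTP"),
    pass_out("tcp", 443, "HTTPS"),
    pass_out("tcp", 25, "SMTP"),
    # Deliberately misplaced rule: without the quick above, last-match-wins
    # would let this line open inbound ssh.
    Rule("pass", "in", "tcp", 22, text="pass in proto tcp to port 22          # mistake"),
]


def walk(pkt: Packet, rules, states: Set[StateKey]):
    """Return (verdict, trace); trace lists what matched, in evaluation order."""
    # Replies to flows that originated inside are passed by state first.
    if pkt.direction == "in" and (pkt.proto, pkt.dst, pkt.src, pkt.sport) in states:
        return "pass", ["matched existing state (reply to outbound flow)"]
    trace, winner = [], None
    for rule in rules:
        if not rule.matches(pkt):
            continue
        trace.append(rule.text)
        winner = rule   # last match wins ...
        if rule.quick:  # ... unless the match is quick, which ends evaluation
            trace.append("quick: evaluation stops here")
            break
    if winner is None:
        return "pass", ["no rule matched; pf passes by default"]
    if winner.action == "pass" and winner.keep_state and pkt.direction == "out":
        states.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))
    return winner.action, trace


if __name__ == "__main__":
    st: Set[StateKey] = set()
    inside, outside = "192.0.2.10", "198.51.100.5"  # constructed addresses
    for p in [
        Packet("out", "udp", inside, outside, 40000, 53),  # DNS query out
        Packet("in", "udp", outside, inside, 53, 40000),   # its reply
        Packet("in", "tcp", outside, inside, 5555, 80),    # unsolicited web
        Packet("in", "tcp", outside, inside, 5555, 22),    # inbound ssh
        Packet("out", "tcp", inside, outside, 40001, 23),  # telnet out
    ]:
        verdict, trace = walk(p, RULESET, st)
        print(f"{p.direction:3} {p.proto} :{p.dport:<4} -> {verdict:5} via {trace[-1]}")
```

Running the script walks five packets and prints which rule (or state entry) decided each one. Dropping the `quick` rule from the list and walking the inbound ssh packet again shows why the post puts `block all` first and warns about rulesets you cannot walk by hand: the misplaced `pass in` at the bottom then becomes the last match and wins.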