Hi,
I have been trying to find something like a standard / best practices ruleset for a home router for quite some time, to no avail. Something like you'd expect to find on any standard home router you can buy off the shelf. "Specification":
- one WAN interface
- one LAN interface
- NAT for IPv4
- Gateway for IPv4
- All incoming stuff blocked from WAN
- All incoming stuff allowed from LAN (or maybe only allow certain services here... optional)
- All outgoing/forwarding stuff allowed
However then come the not so straightforward things:
- "Do the right thing" for IPv6 (I am new to IPv6 but finally want to tackle this... The full story is probably out of "pf" scope, but as far as "pf" is concerned, do "the right thing" to be a functional IPv6 firewall/gateway)
- All the fancy special rules you can read in live/production configs on home routers about bogon networks, about martians, about special rules for ICMP, ICMPv6, etc., etc. Prevent flooding attacks, detect attacks; no clue what actually is today's "standard best practice" to set up a standard home firewall/gateway without too many extravagances like subscribing to services that provide real-time information about botnet IPs or whatever you could imagine here
- Optionally: do also "the right thing" if I additionally got OpenVPN running to connect the router to the company network
Is there something like a project which compiles and keeps up to date such a standard configuration? Like the OPNsense project, but not as an appliance, just the pf/firewall config? It can't be that everyone hand-crafts his firewall for such a standard purpose on his own (and is his own source of error, in particular if he is a beginner in such things, rather than relying on a community-reviewed, proven ruleset).
Main interest is pf/FreeBSD, but I appreciate other pointers as well.
Thanks a lot in advance for any hints / pointers.
Best regards
Edvard
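A pf.conf starting point that implements the specification above (IPv4 NAT, default deny from WAN, LAN allowed, IPv6 routed with the ICMPv6 types it needs, bogon filtering, and the OpenVPN client case), written here as an added example rather than code from the original post or any project. Interface names, the LAN prefix and the company network are placeholder assumptions.

```pf
# Added example, not from the original post. Interface names and addresses
# are placeholders: em0 = WAN (DHCP/SLAAC), em1 = LAN, tun0 = OpenVPN client.
ext_if   = "em0"
int_if   = "em1"
vpn_if   = "tun0"
lan_net  = "192.168.1.0/24"           # IPv4 LAN (placeholder)
corp_net = "10.10.0.0/16"             # company network behind OpenVPN (placeholder)

# IPv4 bogons/martians that must never arrive as a source on the WAN side.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, \
    198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 }

# ICMPv6 a router must accept to stay functional (RFC 4890): errors, echo,
# and neighbor/router discovery.
icmp6_ok = "{ unreach, toobig, timex, paramprob, echoreq }"
nd_types = "{ routersol, routeradv, neighbrsol, neighbradv }"

set skip on lo0
set block-policy drop
scrub in all fragment reassemble      # normalize fragments before filtering

# IPv4 NAT: LAN hosts masquerade as the (dynamic) WAN address. IPv6 is routed.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

block log all                                   # default deny, both directions
block in quick on $ext_if inet from <martians>  # drop spoofed/bogon sources
antispoof quick for $int_if                     # LAN sources only via the LAN port

# DHCP (v4/v6) client replies to the WAN interface are not always matched by
# an existing state (broadcast/link-local destinations), so allow them here.
pass in on $ext_if inet  proto udp from any port 67 to any port 68
pass in on $ext_if inet6 proto udp from fe80::/10 port 547 to fe80::/10 port 546

# ICMP: ping from the WAN is stateful; ICMPv6 errors and ND are needed everywhere.
pass in on $ext_if inet proto icmp icmp-type echoreq
pass inet6 proto icmp6 icmp6-type $icmp6_ok
pass quick inet6 proto icmp6 icmp6-type $nd_types no state

# LAN -> router and LAN -> anywhere (forwarded, stateful). The LAN IPv6 prefix
# is delegated at runtime, so the inet6 rule is bound to the interface only.
pass in on $int_if inet  from $lan_net
pass in on $int_if inet6

# Router-originated and forwarded traffic leaving on the WAN or the VPN tunnel;
# nothing may enter from the tunnel side unless a LAN host started it.
pass out on $ext_if all
pass out on $vpn_if inet from $lan_net to $corp_net
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; blocked WAN traffic shows up via `tcpdump -n -e -ttt -i pflog0` because of `block log all`.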