Other Firewall usage advice

I have a home network and use a pfSense rig behind my cable modem.
I like pfSense but I wonder what should my firewall policy be on downstream machines?
I have lots of FreeBSD Arm devices all networked, none publicly available. I use no open ports on pfSense except default.

Should I run a software firewall on every device behind pfSense?

What are FreeBSD best practices for machines? Firewall everything? Even my Pi?
 
The general idea of deploying a central firewall is to eliminate the need to use a firewall on each host.
 
I run a firewall on all my FreeBSD servers, and like you I also use pfsense behind my modem. Unless you're adding or changing network services all the time the added maintenance is pretty trivial IMO.
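What a minimal host-based ruleset of the kind described in the post above can look like on a FreeBSD box behind pfSense (an added example in pf syntax, not gkontos's own ruleset; the interface name, the LAN prefix and the SSH port are assumptions):

```pf
# /etc/pf.conf on a FreeBSD host sitting behind the perimeter firewall.
# Added example, not the poster's configuration. Interface name and
# LAN prefix are assumptions; adjust them to the host.
ext_if = "ue0"                 # assumed NIC name on an Arm board
lan    = "192.168.1.0/24"      # assumed trusted LAN prefix

# Addresses caught by the SSH rate limit below; persists across reloads.
table <bruteforce> persist

set skip on lo0                # never filter loopback
set block-policy drop          # silently drop, do not answer with RST/ICMP

# Default deny in both directions; blocked inbound packets are logged to pflog0.
block log all

# Outbound: the host may initiate anything; state entries admit the replies.
pass out quick on $ext_if inet proto { tcp udp icmp } from ($ext_if) keep state

# Anything that tripped the rate limit is dropped before the pass rule is seen.
block in quick on $ext_if from <bruteforce>

# Inbound: only SSH from the LAN, limited to 5 new connections per 30 s
# per source; offenders land in <bruteforce> and lose existing states.
pass in quick on $ext_if inet proto tcp from $lan to ($ext_if) port 22 \
    flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Answer pings from the LAN so the box stays reachable for diagnostics.
pass in quick on $ext_if inet proto icmp from $lan to ($ext_if) icmp-type echoreq
```

Enable it with `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf, and check the syntax before loading with `pfctl -nf /etc/pf.conf`. Because everything not explicitly passed is blocked, the maintenance cost is exactly what the post says: one new `pass in` line whenever a new service is added.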
 
I basically agree with gkontos.

There is an old thread about firewall deployment policies in a network: Firewall usefullness in pure *nix network

At that time, I said (user rolfheinrich):
...
At the bottom-line:
You need a firewall and/or NAT at the frontier of a trusted to an untrusted network zone, for most of us this is usually the LAN/WAN boundary, and you need it exactly there regardless of what OS is in charge at that point. Firewall adjustment on clients within trusted networks is not necessary, not even for Windows clients. If admins are leaving firewalls activated on clients in their own trusted LANs, then this shows only that they aren't completely trusting their own act.

In order to support this point of view I place here a link to a picture in Apple's online documentation "Security Overview". For me the basic keyword here is "Boundary of Trust"

https://developer.apple.com/library...erview/Art/security_overview_intro_art_2x.png

If we replace in that picture "... App ..." with " ... Network ..." and "trusted data" with "trusted environment" then IMHO, this illustrates perfectly where the firewall has to be placed. At the red line of course, at the "Boundary of Trust".
 
Before posting I had read this document regarding PLC systems.
I was trying to get a general feel for people's opinion on the topic.
https://energy.gov/sites/prod/files/Good Practices Guide for Firewall Deployment.pdf

The general practice is to use an Internet based firewall with 2 zones, 1 for outside and 1 for inside. However, there are some exceptions to that rule. Assuming that you want to enforce a different level of security, you can add more zones to your firewall. For example, you may need to expose a device to the Internet because you are running a service there such as a webserver, etc. In that case, you would create a different zone for that device, usually called DMZ, where you can apply different security policies. Also, you might be hosting a sensitive service like an ERP in your inside environment. You could also create a different inside zone for that.

Larger organisations tend to split their zones into different firewalls. A bank for example, will have 1 Internet based firewall where it can use a few interfaces connected to their VPN concentrators, DMZ reverse proxies, etc. They would also need to use a distribution firewall, that would host sensitive services into different zones again, DB, APP, WEB, etc. And finally they would use perimeter firewalls, for internal users. The main reasons that they split FW are, use of different vendors and better capacity planning.

In any case, a host based firewall is your last resort. You don't want to put the extra burden of stateful inspection to each host.
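The outside/inside/DMZ layout described in the post above, written out as a three-interface pf ruleset for a FreeBSD router (an added example in plain pf syntax, which pfSense builds on, not the poster's configuration and not the rules pfSense generates from its GUI; interface names, prefixes and the web server address are assumptions):

```pf
# Three-zone perimeter ruleset: WAN (untrusted), LAN (trusted), DMZ (exposed).
# Added example, not the poster's configuration. Interface names and
# addresses are assumptions.
wan_if  = "igb0"
lan_if  = "igb1"             # inside zone: trusted clients
dmz_if  = "igb2"             # exposed zone: the public web server lives here
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"

set skip on lo0
set block-policy drop
scrub in all                 # reassemble fragments before any filtering

# NAT: both inside zones reach the Internet through the WAN address.
nat on $wan_if from { $lan_net $dmz_net } to any -> ($wan_if)

# Port-forward HTTP/HTTPS from the Internet to the DMZ web server only;
# nothing is ever forwarded into the trusted LAN.
rdr on $wan_if inet proto tcp to ($wan_if) port { 80 443 } -> $web_srv

# Default deny on every interface; matches are logged to pflog0.
block log all

# WAN: only the redirected web traffic is accepted; state handles the replies.
pass in on $wan_if inet proto tcp to $web_srv port { 80 443 } flags S/SA keep state

# LAN (trusted): clients may go anywhere, including managing the DMZ host.
pass in on $lan_if from $lan_net to any keep state

# DMZ (exposed): the web server may reach the Internet (updates, DNS) but
# must never initiate connections into the trusted LAN. The quick block
# wins over the pass rule that follows it.
block in log quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any keep state

# The router itself may send traffic out on all interfaces.
pass out keep state
```

The point of the separate DMZ zone is the single `block in quick` line: if the web server is compromised, the attacker's position is a zone that is explicitly denied any path into the trusted LAN, which is the policy difference a second zone buys you. Validate with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to see what the DMZ-to-LAN block rule catches.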
 