5 firewall rules I set up that instantly made my home network safer

1 month ago 3

Securing your home network is more critical than ever, as the Internet is a scary place full of terror, and automated tools have made the job of cybercriminals even easier. Setting up a powerful firewall like OPNsense will do most of the work for you, at least once you've set it up.

If you've set up a hardware firewall in your home lab, you're most of the way there. Except, in your home lab, the focus is on containment, keeping things in, so that they don't escape and ruin your home network. For the home network, the focus is on defense and stopping those things getting onto your network in the first place.

With powerful firewall options, including prebuilt devices like those from Firewalla or repurposed old PC hardware, your home network can be secured easily, and you'll learn useful skills. But before I dive into advanced configurations, I set up a handful of firewall rules that set the foundation for everything else.

Network cabinet

Related

5 Default Deny for all incoming traffic

If I'm not asking for it, it's not coming in

The first firewall rule I always set up is deceptively simple, but it sets up the structure for every other rule. That's a default of denying all incoming traffic. You might think that odd, but on a home network, there's no reason that unsolicited inbound connections should be allowed—none, at all.

Incoming connections because an application on a device on the home network has requested data from an external server is fine, mostly, as long as you trust the application or device. Treat internet data packets as information vampires—they don't come in unless explicitly asked.

Treat internet data packets as information vampires—they don't come in unless explicitly asked.

That means you'll end up with a hierarchy of firewall rules that looks similar to:

  • Anti-spoofing rules: The top level of rules filters all traffic but only lets through packets from legitimate sources.
  • User access rules: Now, you set up rules for what users can do, such as HTTP for web access, 443 for VPNs, and similar.
  • Management access rules: Rules for allowing admin tools and addresses to come next so only trusted sources can interact with the firewall's configuration and monitoring.
  • Service-specific denial rules: Blocking unnecessary or vulnerable services, and Geo-blocks, reducing noise and attack vectors.
  • Catch-all deny rule: Drops all traffic that doesn't match previous firewall rules that explicitly allow it through the firewall.

For example, with the Uncomplicated Firewall on Linux systems, you could start with:

# Example UFW configuration
ufw default reject incoming
ufw default allow outgoing
ufw default deny routed

This stops lazy or automated attacks trying to exploit open ports or services on your network. The smaller attack surface you create, the better. And don't forget to block both IPv4 and IPv6.

Network rack close in various switches and avr equipment

Related

5 advanced firewall rules to lock down your home lab

You don't want your home lab to bleed over into your home network.

4 DNS-based filtering

GeoIP blocking reduces the number of computers that could attack

Illustration depicting satellite network around Earth via Iridum Communications. Source: Iridium Communications Inc.

It's a fact of life that some countries are responsible for the majority of all hacks, ransomware attacks, phishing attempts, and other nefarious internet nasties. Enough so that several firewall options specifically exclude IP ranges from those countries from incoming connections to your network. Whether you run OPNsense, pfSense, or another firewall solution, setting up GeoIP blocking makes a lot of sense, and you'll want to block traffic coming in or out of your home network. That's because you never know if something malicious is already on your network, and you don't want ransomware or malware phoning home.

GeoIP blocking isn't perfect on its own, as attackers spoof IP addresses to look like they're coming from safer countries, but it's an easy win in a layered approach to security and works well to reduce the low-hanging fruit that many attackers will aim for.

For OPNsense or many other firewalls, you use the MaxMind GeoIP database to accomplish this. You'll need to register, and create a license key (that's free), and then add the following to the GeoIP settings field (found at Firewall > Aliases > GeoIP Settings on the OPNsense dashboard):

https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip

This downloads the list and allows you to deny any IP traffic from those regions.

 Windows 11 laptop showing settings pages for the Windows firewall

Related

How to set up and use the firewall on Windows 11

The Windows Firewall works well out of the box, but here's how you can set it up

3 Network segmentation

Stick your IoT devices on their own VLAN

Keeping your IoT (Internet of Things) devices on their own network segment is always a good idea. These low-power devices often lack the power or space to run security features your computer wouldn't go without, and you don't want them causing issues. Even if they're not a security worry (which they are), they often fill your network with broadcast, unicast, and multicast packets, which go to every device on your network, slowing everything down for everyone.

# Example rule structure:
LAN: Allow outgoing connections, block incoming connections from IoT VLAN
IoT: Allow outgoing to internet, block outgoing to LAN except for authorized services

Along with putting those IoT devices on their own VLAN, you might still want them to be able to connect to the internet for updates or cloud-based controls. If you're using Home Assistant to control your smart home, you might want to put that on the VLAN as well, and have another set of firewall rules for Home Assistant traffic that can go between the IoT VLAN and your home network.

Nanoleaf Essentials A19 | E26 Smart Bulb set to the color red

Related

Please stop exposing your IoT devices on the internet; your smart light might betray you

If you're not careful, your IoT devices could allow an attacker access to your home network.

2 Install Fail2Ban

Brute force attacks are a pain but they're easily warded off

Setting up a Fail2Ban container

All the clever firewall rules in the world won't stop an attacker from simply logging in via the management portal. You can make it much more difficult for that to happen, first by making sure that the management pages can't be reached outside your home network, but then you can add Fail2Ban to make sure.

This plugin for your firewall monitors the logs for critical services, and looks for unusual patterns that are outside the scope you set. Then, it bans any IP addresses that are behaving oddly. If you've ever been locked out of an online account for fat-fingering your password one too many times, you know how this plugin works. A good place to start is bans is 5 failed login attempts within 10 minutes occur, and then a duration of the ban for first offenders or if they come back.

Deploying a Vaultwarden LXC in Proxmox

Related

5 things you can do to protect your self-hosted password manager

Your private password repository needs to be protected at all costs!

1 Block unnecessary outgoing ports

Working from a position of least privilege is the way

firewalla app screenshots overlaid on the firewalla gold pro

When building a secure firewall, starting with a position of least trust is always best. Don't trust anything on your network, whether a device or a program, until you know it's relatively safe and needs to loosen the restrictions a little. Blocking outgoing ports by default is a good idea, reducing the number of ports a malicious device can use to phone home. But you'll need to balance this with the needs of your home network to talk to the internet, including opening the standard ports that plenty of computing devices rely on.

Some common ports include:

  • HTTP/HTTPS (ports 80 and 443): for web browsing
  • FTP (port 21): File Transfer Protocol for transferring files
  • SMTP (port 25): Simple Mail Transfer Protocol for outgoing email
  • SSH (port 22): Secure Shell for secure remote administration of devices
  • DNS (port 53): Domain Name System used for domain name resolution
  • DHCP (port 67): Dynamic Host Configuration Protocol for issuing IP addresses
  • NTP (port 123): Network Time Protocol
  • VoIP (port 56): Voice over Internet Protocol used for phone conversations

You'll need some of these to be unblocked, but a few are commonly used by compromised systems, like Port 25, which gets used to send spam, Port 53 to hijack your DNS records, and Port 445, which is the SMB (Server Message Block) port. Blocking these three will keep you, and other internet users, safer.

gl-inet-slat-ax1800-router-openwrt

Related

What is port forwarding? Why do I need to do it?

If you want to host applications on your home internet, you'll probably need to port forward. Here's what that means and why.

These settings are the foundation of any firewall I set up, but they're not an exhaustive list

Firewall rules are constantly changing and adjusting, to meet or beat the level of the attackers that are out there. These settings will make you safer, but they are by no means the only settings you should have on your firewall to protect your home network, and there are tons of additional security plugins to any comprehensive firewall to make your network more secure.

Read Entire Article