Default set of Firewall rules to start with?


#1

Hi,

I have a couple of Peplink Balance one routers and want to increase the security.
Currently there are no firewall rules set and I have no clue what rules to set.

Is there a set of rules that I can download or a list with recommended rules to set?

Thanks in advance!

Rogier


#2

Hi Rogier, it is recommended to change your default inbound firewall rule to deny all. If you do have some inbound access that is needed then you can create allow rules above the default rule. Thanks.


#3

Hmm OK, that makes sense. I hope my clients won't have too much inconvenience.
Anything is better than no firewall, I guess…


#4

Tried that, almost everything stops working :frowning:
Started allowing SMTP / IMAP with the port numbers as used by the mail client. Still doesn't work.
Do I really have to do this the hard way?

Isn’t there a set of rules I can import to get a baseline?


#5

Hi,

There are no standard firewall rules that can be matched back to every production environment.

If you want to define the firewall rules, you have to list all the applications involved and understand the required ports.

For email application ports it can be SMTP, SMTPS, POP, POPS, IMAPS and others for custom email clients.

It is recommended that you get that information from the application vendors and allow the service ports accordingly.

Thank You


#6

Please have a look at this Apple KB Article https://support.apple.com/en-us/HT202944
Do I have to add all these rules manually into Outbound and Inbound rules?
How to interpret the given information from Apple to the Rules in Peplink?


#7

Hi Rogier,

As mentioned by Sit Loong, you need to have a clear understanding of the services used in your environment. Only then open the required ports in the Inbound and Outbound firewall rules accordingly. The KB from Apple just lists the ports required by their services. However, this doesn't reflect your environment.


#8

Thanks,
Any advice how to start?

I wish there was at least a setting for dummies with low / moderate / high firewall settings like you find on most consumer grade routers.
It would offer non networking experts the opportunity to do at least something rather than giving up and leaving the network wide open…


#9

Hi Rogier,

This has been recommended by Sit Loong here.

Have you worked with any local Peplink partner on this?


#10

The link to Sit Loong is referring back to this page…

No I don’t know a local partner. My supplier (3G Store) referred me to this forum.


#11

ScooterIT,

It looks like you haven’t recently contacted us for support since February. We provide all our Peplink support in house by phone and e-mail for our customers. I’ve got your order information and we’ll reach out to you directly.

Thanks!


#12

There are many of us who have not used routers with this type of depth and complexity but who are not complete noobs either.

I think it is a simple request to be able to view a sample set of complex firewall AND routing rules that we can look at and analyze to see how they work - and no doubt we could learn something - as opposed to saying "put one in when you find out you need it". That is a non-answer where nothing is learned, and not very helpful - imo.


#13

Indeed, it has been a while on my todo list.
I called a while ago asking about how to set the firewall and was told there was a list with settings. When I called back in February to get more details I did not get much of an answer.
Happy to see that Valery reached out to me earlier today.

I do understand that every environment is different, but there should be a tutorial of some form to get started.
For example, when I fill in the SMTP server with port number etc. to allow traffic to be sent out, I am still not able to send email to that server. Clearly I am missing something very basic.
It's frustrating that there is no help for solving basic problems like that.

Looking forward to your advice.

Rogier


#14

Thanks!

I love Peplink products for their excellent easy to understand UI.
Not a complete noob myself but getting stumped from the beginning with something basic and having to beg for advice is frustrating.


#15

Hello,

Thank you all for the informational feedback. If it hasn't been mentioned before, we do have a Knowledgebase that goes more in depth than the manual. For example, see the link below specifically for FW setup:

We will take this feedback into consideration moving forward on improving our KB regarding our various features.


#16

Why is it so hard to post a very complex set of firewall and outbound rules as a reference?

Agreed


#17

Frankly this is a very minimal explanation about setting firewall rules.
How about only allowing regular web traffic + Email via IMAP / SMTP with and without SSL to the most common email providers. Say Gmail and MS 365 Exchange. My understanding is that by not setting any firewall rules our doors are wide open…


#18

Hi,

A detailed guide on how to define the firewall rules can be found in the product user manual (pages 173-177).

You can download the user manual using the URL below:

If you go through the user interface for the firewall access rules, you will find that the UI is easy to understand and easy to use. There are only 3 types of firewall rules that you need to define:

1. Outbound Firewall Rules

This table displays all the configured outbound firewall rules and their details. Dragging a rule up/down changes its priority; a higher position signifies higher precedence.

For every new outbound IP session (i.e. sessions going to WAN side), rules will be matched from the top to bottom. The matching process stops when a rule is found to be matched.

If an outbound IP session does not match any of the rules listed, the Default rule will be applied.

2. Inbound Firewall Rules

This table displays all the configured inbound firewall rules and their details. Dragging a rule up/down changes its priority; a higher position signifies higher precedence.

For every new inbound IP session routed to a host on the LAN (i.e. sessions coming from WAN side), rules will be matched from the top to bottom. The matching process stops when a rule is found to be matched.

The inbound firewall rules only apply to the following types of traffic:

  • Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
  • Inbound traffic that is defined in Inbound Services
  • Inbound traffic that is defined in Inbound NAT Mappings

If an inbound IP session does not match any of the rules listed, the Default rule will be applied.

3. Internal Network Firewall Rules

This table displays all the configured internal network firewall rules and their details. Dragging a rule up/down changes its priority; a higher position signifies higher precedence.

For every new internal network IP session (i.e. sessions between LAN / VLAN / Static route networks / PepVPN networks / IPsec networks / L2TP with IPsec clients / PPTP clients), rules will be matched from top to bottom. The matching process stops when a rule is found to be matched.

If an internal network IP session does not match any of the rules listed, the Default rule will be applied.

Note: The device WebUI help menu actually explains the above types of rules and when you need to define each of them.

The complex part is actually not how to define the firewall rules; it is the IT knowledge of the applications running on the network. As explained earlier, you need to fully understand the required service ports for the application in order to allow the connections. There are millions of types of applications running on the internet, so there is no general guide for this. As mentioned, you should get that info from the application support.

Let’s further discuss the posted questions:
web traffic + Email via IMAP / SMTP with and without SSL to the most common email providers. Say Gmail and MS 365 Exchange.

  1. To allow Web Traffic:

Default Ports: DNS (UDP 53), HTTP (TCP 80), HTTPS (TCP 443)
Customized servers: other ports based on the servers
Firewall Rules Type: Outgoing firewall rules

  2. Email
    Gmail: https://support.google.com/mail/answer/78775?hl=en
    Office 365: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US
    Firewall Rules Type: Outgoing firewall rules

My understanding is that by not setting any firewall rules our doors are wide open…

This is not correct.

Outgoing firewall rules

  • This only controls LAN users' access to the internet (Not Applicable)

Inbound firewall rules
The inbound firewall rules only apply to the following types of traffic:

  • Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
  • Inbound traffic that is defined in Inbound Services
  • Inbound traffic that is defined in Inbound NAT Mappings
    Note: If you don't have the above defined, basically no inbound access is allowed.

InterVLANs
InterVLAN traffic and other (Not Applicable)

Thank You


#19

I still find it amazing that you are unwilling to show a complex set of rules for firewall and outgoing that one can read through to understand the capabilities - as well as those not thought of.

A picture is worth a thousand words.


#20

As sitloongs stated, the hard part is not setting up the firewall rule in the Peplink, it's finding out all the ports and protocols you'll need to allow out of or into the network. There is no one master list of rules that you can be referred to that says 'block x, allow x for gmail' or 'block x, allow x for VoIP.' Below is an example of how we can allow outbound VoIP traffic, but this won't apply to everybody since your provider may be different with different ports and destination servers. This rule essentially says any IP address on our network that is going to use port 5060 with a destination address of 8.23.x.x (ip removed by me) and port 5060, allow that traffic.


We had to reference our VoIP provider's documentation in order to get those values. Hopefully that helps!
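To make the matching behaviour described in #18 (rules evaluated top to bottom, first match wins, Default rule otherwise) concrete, here is an added simulator that is not Peplink's code or configuration format: it models an outbound table built from the ports named in #18 (DNS 53, HTTP 80, HTTPS 443) plus a VoIP rule in the style of #20, with a constructed placeholder provider network (192.0.2.0/24, TEST-NET-1) and a default of deny. The rule fields, the `decide` helper and the 10.0.0.25 LAN source address are assumptions for the example; it also lets you check what happens when a deny rule sits above or below an allow rule, which the thread only states in words.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed, simplified model of an access rule (added example, not Peplink's
# own schema): protocol, source/destination network and destination port.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port

@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    dst: str
    dport: int

def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def matches(rule: Rule, s: Session) -> bool:
    return (rule.proto in ("any", s.proto)
            and _in_net(s.src, rule.src)
            and _in_net(s.dst, rule.dst)
            and rule.dport in (None, s.dport))

def evaluate(rules: list[Rule], default: str, s: Session) -> tuple[str, str]:
    """Top-to-bottom, first match wins; the Default rule applies if none match."""
    for rule in rules:          # list order == position in the rule table
        if matches(rule, s):
            return rule.action, rule.name
    return default, "Default"

# Constructed outbound table: the ports named in the thread plus a VoIP rule
# to a placeholder provider network (TEST-NET-1, not a real provider).
OUTBOUND = [
    Rule("DNS",   "allow", "udp", "any", "any", 53),
    Rule("HTTP",  "allow", "tcp", "any", "any", 80),
    Rule("HTTPS", "allow", "tcp", "any", "any", 443),
    Rule("VoIP",  "allow", "udp", "any", "192.0.2.0/24", 5060),
]
OUTBOUND_DEFAULT = "deny"

def decide(proto: str, dst: str, dport: int, src: str = "10.0.0.25") -> str:
    return evaluate(OUTBOUND, OUTBOUND_DEFAULT, Session(proto, src, dst, dport))[0]
```

With this table an HTTPS session is allowed by the third rule, while SMTP on TCP 25 matches nothing and is dropped by the Default rule, which is the kind of gap worth checking when a mail client stops working after switching the default to deny.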