What firewall rules should be used for a home based system [closed]
I'm just setting up a home wireless network with connection to the internet. The router has settings to configure the firewall rules.
Currently it's set to INBOUND ALL ANY and OUTBOUND ALL ANY.
What rules should I set (if any) to reduce the risk of compromises? The laptops connecting are Vista and XP. We only have simple browsing needs so can I just open up the following inbound ports?
80 HTTP
21 FTP
443 HTTPS
Is this enough for just normal web browsing? Should I set any outbound rules?
Not expecting to use POP or SMTP
Solution 1:
You should allow NO inbound traffic. You should allow the outbound traffic for the protocols that you will be using. Your list is good, although you might want to add DNS and also NTP if you are want to sync time.
Be aware that (by definition) TCP/IP is bi-directional. The directionality referred to here is the direction in which the connection is initiated. Meaning .. if you browse to www.serverfault.com, your PC will send HTTP traffic out to the IP address for serverfault.com. The firewall will recognize that a response is coming, and that response will be allowed in back to your PC. But that is referred to as "outbound" traffic, and you don't need to account for the response in most firewalls.
Suggestion: use Steve Gibson's Shields Up site to test what is allowed in on your firewall and for lots of info about what services are doing what.
Solution 2:
Lose the inbound allow any! Only reason to have that is for active FTP but you can use passive instead. I personally allow any outbound.
If it's only simple browing then you should be good with the ones you have. The only difference is when applets or plugins in web pages want to talk directly to their home servers over something other than HTTP/HTTPS.
Solution 3:
As squillman said, remove the inbound any immediately.
Assuming that the firewall is stateful, all you should need is 'allow any outbound'; return traffic should be allowed through as they will be matched to existing connections in the connection table.
Do you know the model of the router? It would be interesting to see what its default routing/NAT/port forwarding config is.