What firewall rules should be used for a home based system [closed]

I'm just setting up a home wireless network with connection to the internet. The router has settings to configure the firewall rules.

Currently it's set to INBOUND ALL ANY and OUTBOUND ALL ANY.

What rules should I set (if any) to reduce the risk of compromises? The laptops connecting are Vista and XP. We only have simple browsing needs so can I just open up the following inbound ports?

80 HTTP
21 FTP
443 HTTPS

Is this enough for just normal web browsing? Should I set any outbound rules?

Not expecting to use POP or SMTP.


Solution 1:

You should allow NO inbound traffic. You should allow the outbound traffic for the protocols that you will be using. Your list is good, although you might want to add DNS, and also NTP if you want to sync time.

Be aware that (by definition) TCP/IP is bi-directional. The directionality referred to here is the direction in which the connection is initiated. Meaning, if you browse to www.serverfault.com, your PC will send HTTP traffic out to the IP address for serverfault.com. The firewall will recognize that a response is coming, and that response will be allowed back in to your PC. But that is referred to as "outbound" traffic, and you don't need to account for the response in most firewalls.

Suggestion: use Steve Gibson's Shields Up site to test what is allowed in on your firewall and for lots of info about what services are doing what.

Solution 2:

Lose the inbound allow any! The only reason to have that is for active FTP, but you can use passive instead. I personally allow any outbound.

If it's only simple browsing then you should be good with the ones you have. The only difference is when applets or plugins in web pages want to talk directly to their home servers over something other than HTTP/HTTPS.

Solution 3:

As squillman said, remove the inbound any immediately.

Assuming that the firewall is stateful, all you should need is 'allow any outbound'; return traffic should be allowed through as it will be matched to existing connections in the connection table.

Do you know the model of the router? It would be interesting to see what its default routing/NAT/port forwarding config is.
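To make the point in Solutions 1 and 3 concrete (outbound allow-list, inbound deny, replies matched on state rather than on a port rule), here is an added toy model of a stateful router firewall. It is example code, not the router's or any real firewall's implementation; the packet sequence, addresses and ports are constructed, and the outbound allow-list follows Solution 1 rather than Solution 2's "allow any outbound".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN, as seen by the router
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Outbound allow-list from Solution 1: web, FTP control channel, plus DNS and NTP.
OUTBOUND_ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 21), ("udp", 53), ("udp", 123)}

class StatefulFirewall:
    def __init__(self, inbound_any: bool):
        self.inbound_any = inbound_any   # True models the questioner's "INBOUND ALL ANY"
        self.connections = set()         # connection table: 5-tuples the LAN initiated

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            if (p.proto, p.dport) not in OUTBOUND_ALLOWED:
                return "DROP"
            # Record the flow so its replies can be matched on state, not on a port rule.
            self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound: the reverse 5-tuple of a flow the LAN opened is "return traffic" (Solution 3).
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.connections:
            return "ACCEPT(established)"
        # Anything else arriving from the Internet is unsolicited.
        return "ACCEPT" if self.inbound_any else "DROP"

def run(inbound_any: bool) -> list[str]:
    """Replay a constructed (hypothetical) packet sequence; return one verdict per packet."""
    fw = StatefulFirewall(inbound_any)
    lan, web, stranger, dns = "192.168.1.10", "203.0.113.5", "198.51.100.7", "192.168.1.1"
    packets = [
        Packet("out", "tcp", lan, 50000, web, 443),       # browser opens an HTTPS connection
        Packet("in",  "tcp", web, 443, lan, 50000),       # server's reply to that connection
        Packet("in",  "tcp", stranger, 40000, lan, 445),  # unsolicited inbound connection attempt
        Packet("out", "udp", lan, 51000, dns, 53),        # DNS lookup (allowed per Solution 1)
        Packet("in",  "udp", dns, 53, lan, 51000),        # DNS answer, matched on state
        Packet("out", "tcp", lan, 52000, web, 6667),      # plugin "phoning home" on another port
    ]
    return [fw.filter(p) for p in packets]
```

Comparing run(True) with run(False) shows that the only verdict that changes is for the unsolicited inbound packet: replies to LAN-initiated connections pass either way because they are matched in the connection table, which is why removing "INBOUND ALL ANY" costs nothing for ordinary browsing.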