this post was submitted on 13 Oct 2023

homelab

I have a few VLANs, and in each one I basically have it organized like this:

  • Determine whether or not that device will need internet access, and if so add it to an alias that will give it ports 80, 443 and 123 and whatever else may be needed for WAN on that VLAN (for example, ports to connect to Blizzard, Steam, etc.).
  • Some devices (like my Home Assistant server) will get access to specific ports for MQTT, to talk to my LG TV, etc.

Is that best practices, or is it better to basically have each device listed with the specific ports they will need? The only problem I can see with the way I have it now is that some devices that get glommed into the WAN alias will also get access to ports they do not need. E.g. a phone that is in the WAN alias may also get access to Blizzard, Steam ports, etc.

Pic

4 comments
[–] oleorun@real.lemmy.fan 3 points 2 years ago (1 children)

Create service groups and host groups, then assign the appropriate host groups the proper service(s).

So if you have a web server only, it gets the webserver host group containing http and https tcp ports.

But if you have an application that uses web ports plus another port, just add the appropriate service group.

Essentially, think additive permissions: start restrictive, then add ports/service groups as necessary.

I hope that makes sense.
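The host-group / service-group approach described in this comment, as an added worked example that is not from the original thread or from any firewall's own tooling: it models the aliases as groups, expands a policy into each host's effective allow-list, audits that against what each host actually needs (so the "phone also gets Steam ports" problem from the post shows up as excess), and renders the result as nftables-style rules that reference the groups as named sets. Group names, IP addresses, the MQTT broker address and the game ports are constructed placeholders; only 80, 443, 123 (from the post) and 1883 (the standard MQTT port) are real service ports.

```python
"""Firewall aliases as host groups and service groups: expand a policy into
each host's effective allow-list, audit it against what each host actually
needs, and render it as nftables-style rules. All sample data is constructed
for this example (placeholder IPs, group names and game ports)."""
from collections import defaultdict

WAN = "wan"  # stands for "any internet address" as a destination

# Service groups: alias name -> set of (proto, port).
# The "games" ports are placeholders, not a real vendor port list.
SERVICE_GROUPS = {
    "web":   {("tcp", 80), ("tcp", 443)},
    "ntp":   {("udp", 123)},
    "games": {("tcp", 27015), ("udp", 27015)},
    "mqtt":  {("tcp", 1883)},
}

# Host groups: alias name -> set of hosts in the VLAN (constructed addresses).
HOST_GROUPS = {
    "internet": {"192.168.20.11", "192.168.20.12"},  # the old catch-all alias
    "phones":   {"192.168.20.11"},
    "gaming":   {"192.168.20.12"},
    "hass":     {"192.168.20.13"},
}

# Ground truth: what each host must be able to reach, as (proto, port, dst).
NEEDS = {
    "192.168.20.11": {("tcp", 80, WAN), ("tcp", 443, WAN), ("udp", 123, WAN)},
    "192.168.20.12": {("tcp", 80, WAN), ("tcp", 443, WAN), ("udp", 123, WAN),
                      ("tcp", 27015, WAN), ("udp", 27015, WAN)},
    "192.168.20.13": {("tcp", 80, WAN), ("tcp", 443, WAN),
                      ("tcp", 1883, "192.168.30.5")},  # MQTT broker, other VLAN
}

# A policy is a list of (host_group, service_group, destination) grants.
# "Before": one alias for everything that needs internet, holding every WAN port.
BEFORE = [("internet", "web", WAN), ("internet", "ntp", WAN), ("internet", "games", WAN)]

# "After": start restrictive, add service groups per host group as needed.
AFTER = [
    ("phones", "web", WAN), ("phones", "ntp", WAN),
    ("gaming", "web", WAN), ("gaming", "ntp", WAN), ("gaming", "games", WAN),
    ("hass",   "web", WAN), ("hass", "mqtt", "192.168.30.5"),
]


def effective_grants(policy, host_groups=HOST_GROUPS, service_groups=SERVICE_GROUPS):
    """Expand a policy into {host: {(proto, port, dst)}}."""
    grants = defaultdict(set)
    for hg, sg, dst in policy:
        for host in host_groups[hg]:
            for proto, port in service_groups[sg]:
                grants[host].add((proto, port, dst))
    return dict(grants)


def audit(policy, needs):
    """Return (excess, missing): grants a host holds but does not need, and
    needs the policy fails to grant. Hosts with no discrepancy are omitted,
    so a least-privilege policy audits to ({}, {})."""
    have = effective_grants(policy)
    hosts = set(have) | set(needs)
    excess = {h: have.get(h, set()) - needs.get(h, set()) for h in hosts}
    missing = {h: needs.get(h, set()) - have.get(h, set()) for h in hosts}
    return ({h: g for h, g in excess.items() if g},
            {h: g for h, g in missing.items() if g})


def render_nft(policy, service_groups=SERVICE_GROUPS):
    """Render grants as nftables-style rules that reference the aliases as
    named sets (@group), one rule per protocol. The chain these go into
    should have a drop policy so anything not granted here is denied."""
    lines = []
    for hg, sg, dst in policy:
        by_proto = defaultdict(list)
        for proto, port in sorted(service_groups[sg]):
            by_proto[proto].append(port)
        daddr = "" if dst == WAN else f"ip daddr {dst} "
        for proto, ports in by_proto.items():
            portlist = ", ".join(str(p) for p in ports)
            lines.append(f"ip saddr @{hg} {daddr}{proto} dport {{ {portlist} }} accept")
    return lines


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        excess, missing = audit(policy, NEEDS)
        print(f"{name}: excess={excess} missing={missing}")
    print("\n".join(render_nft(AFTER)))
```

Running it shows the "before" policy granting the phone the game ports it does not need and granting the Home Assistant host nothing at all, while the "after" policy audits clean. The NEEDS table is the part worth maintaining by hand: once you know what each host must reach, any alias change can be re-audited mechanically instead of by eyeballing the ruleset.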

[–] root@lemmy.world 2 points 2 years ago* (last edited 2 years ago) (1 children)

That does make sense, thank you. I kind of have that started in a way; for example, I have port aliases for games grouped in one alias, I have ports for crypto mining in an alias, etc. Now I guess I just need to break up the hosts more and give them the necessary (and minimum amount of) permissions.

Edit: @oleorun@real.lemmy.fan made some changes to my Smart VLAN. Does this look a bit like what you mean?

[–] oleorun@real.lemmy.fan 2 points 2 years ago (1 children)

My man, that ruleset looks beautiful.

[–] root@lemmy.world 1 points 2 years ago