Which firewalls are unnecessary?

The Omnia’s firewall has the following rules enabled by default:

I’d like to know which I can disable or remove and still allow my network to function.

The situation

  • My ISP offers a static IPv6 address at an extra cost; currently, I have a dynamically-assigned IPv4 address.
  • I have fewer than 10 network-aware devices that could be on my home network
  • Typical outbound usages: http/s, s/ftp, torrenting (udp), smtp/pop3/imap, exchange server access; openvpn client
  • Inbound usage: none currently, maybe OpenVPN server in the future

Questions:

  • Allow-MLD - is there a reason for multi-casting on a home network?
  • Do I need IPv6 on my home network?
  • Which rule allows devices on the home network to get an IP address? The Allow-DHCP-Renew seems like it’s for devices outside of my network.
  • What do the esp and udp rules do?
2 Likes

I simply disabled the last two of the rules you displayed, with no further effect.
The IPv6 rules can simply be disabled when you disable the use of IPv6 in general. I remember making use of a single rule somewhere that completely kills IPv6, but right now I can’t tell you where exactly.
But it would be nice if someone experienced could explain the reason for each rule. :relaxed:

I wanted to discuss this topic here (What is minimal/best secure firewall configuration) but it seems almost no one is into it. I personally have deleted all rules except Allow DHCP renew. I also don’t use IPv6 or any inbound services. Consequently all home devices [PC, tablet, mobile, IPTV box] work fine.

  • Allow DHCP Renew allows the router to receive updates of its WAN IP address, therefore it is good to have it allowed
  • Allow PING is better disabled, since then the router will not respond to ping requests from the Internet, which makes it kind of hidden from hacker scanners
1 Like
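To judge each default rule the way the post above does for Allow DHCP Renew, it helps to see per rule which address family it applies to and whether it admits WAN traffic into the router itself or forwards it into the LAN. The script below is an added example, not code from the thread or from Turris; it assumes the rule set is OpenWrt’s default /etc/config/firewall, and the embedded config text is constructed and abbreviated after those defaults.

```python
# Added example, not from this thread: parse a UCI firewall fragment and tag each
# rule by address family and by whether it admits traffic into the router itself
# or forwards it into a zone. SAMPLE_CONFIG is constructed, abbreviated after the
# OpenWrt/Turris default rules the question refers to (values contain no spaces).
SAMPLE_CONFIG = """
config rule
    option name Allow-DHCP-Renew
    option src wan
    option proto udp
    option dest_port 68
    option family ipv4
    option target ACCEPT
config rule
    option name Allow-MLD
    option src wan
    option proto icmp
    option src_ip fe80::/10
    list icmp_type '130/0'
    option family ipv6
    option target ACCEPT
config rule
    option name Allow-IPSec-ESP
    option src wan
    option dest lan
    option proto esp
    option target ACCEPT
"""

def parse_uci_rules(text):
    """One dict per 'config rule' section; 'list' entries collect into a list."""
    rules, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "config":          # new section; only 'rule' sections matter
            cur = {} if parts[1] == "rule" else None
            if cur is not None:
                rules.append(cur)
        elif cur is not None and parts[0] == "option":
            cur[parts[1]] = parts[2].strip("'\"")
        elif cur is not None and parts[0] == "list":
            cur.setdefault(parts[1], []).append(parts[2].strip("'\""))
    return rules

def classify(rules):
    """Map rule name -> (family, scope): no 'family' means the rule applies to both
    IPv4 and IPv6; no 'dest' means INPUT to the router, else FORWARD into 'dest'."""
    return {r["name"]: (r.get("family", "both"),
                        "forward->" + r["dest"] if "dest" in r else "router-input")
            for r in rules}
```

Run it against the real file with `parse_uci_rules(open("/etc/config/firewall").read())` on the router; rules tagged `ipv6` are the ones that become idle once IPv6 is switched off.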

But the appropriate RFC standard recommends responding to ping for all network devices :frowning:

With ping I expect you’ll harm yourself more than any (potential) attackers.

1 Like

Can you elaborate on this a little bit? I am interested :slight_smile:

Attackers don’t need to ping your machine. IIRC it’s also typical nowadays that they directly connect to the service they try to attack (e.g. SSH) without any port scanning or pinging, but I’m no expert on this.

Of course, you may also switch your diagnostic approaches away from ping and then you don’t need to care, but I personally find it useful in typical cases.

Sorry, but disabling PING doesn’t give you any additional security - what matters is whether you have open ports or not.
So the only reasonable thing to do to harden security is closing ports.

Here we are talking about ping replies on a WAN interface with a public IP address, i.e. towards the Internet. There is no need to block ping replies on a WAN interface with a private IP, on a LAN or in corporate networks.
On the WAN interface I haven’t seen any situation where a ping reply would be needed or useful as a diagnostic tool. Therefore disabling it does no harm.

On the other hand, it may harm your router in some [rare?] cases:

Yes, it is the first condition - to have all services disabled and all ports stealth [not only “closed”] on the WAN interface.
I use https://www.grc.com/x/ne.dll?bh0bkyd2 for detecting open/closed/stealth ports.