How do I block all traffic by default (Block all except what I explicitly allow)?

  • I want all ports for outgoing/incoming traffic to be blocked unless they are from a local source (e.g. source is 192.168.1.*) unless I explicitly open the port (in case I want to set up OpenVPN or some such later on) and for local traffic I only want the ports which are required by samba, ssh and the web ui to be open.


    How would I do this?

  • I basically got this far by myself:



    Allows me to block all non-local traffic, allowing 127.0.0.1 seemed to be essential for SAMBA if I recall correctly, source is just 192.168.1.1-192.168.1.254. And everything that doesn't fit this bill (i.e. local network or localhost) will be dropped.


    I didn't figure out how to block everything and only allow specific ports through though. But this at least covers my basics except I'd like only one IP address to be able to access SSH and the Web UI, and all the others to only be able to access samba shares, anyone?

• Official post

In the output chain you need to accept destination 192.168.x, not source. The rule will not match and reach the end. All requests from LAN clients will be accepted, but then the firewall will block the response, basically useless.


You should at least permit access to update servers. I've always found that blocking the output chain is somehow complicated and difficult to maintain, but it's up to you. If you want more info about iptables and netfilter, this is the page that I frequently visit to find documentation.


    https://www.frozentux.net/ipta…al/iptables-tutorial.html

• In the output chain you need to accept destination 192.168.x, not source. The rule will not match and reach the end. All requests from LAN clients will be accepted, but then the firewall will block the response, basically useless.


    You should at least permit…


    Do you actually need outgoing packets open for incoming ones? I mean I know the reverse isn't true (i.e. you can browse the web just fine with only outgoing ports opening incoming ports only for server hosting and the like). I don't know very much about firewalls though.


    I think I agree with you though, so this is what I do now.



    But why would this not work?

  • NVM I figured it out, it was what you said about input ports needing to be destination ports not source ports (also the edit system doesn't work, says I don't have permission...?) thanks!

  • Ah, makes sense now thanks subzero79! this was actually all stuff I'd known in the past but forgot because I wasn't very actively configuring firewalls all the time heh, great reminder.


    You might find these helpful...


Firewall (http://forums.openmediavault.org/index.php/Thread/6507-Firewall/)


    Yes, thanks, although I wonder why you don't update the image links in your original post now that you've uploaded them. Edit system broken for you too? You're a mod right you can work around it... right?

  • Hehe, basic.


Anyhow, I'm still stuck I guess. While I have sort of figured out the basics of how to use the firewall, I cannot figure out how to close off all non-local traffic for all ports except that which is required for updating. Although when it comes down to it, why should I update to begin with? I probably won't need security patches since this is a local server anyway. I'll need security for my VPN though, but it seems like the router has that all covered (damn, ASUS routers are nice; never had such a smooth experience with any router, I got it the other day because I need a gigabit router for a satisfying smb experience).


But it would still be nice to know how. I thought I'd just need to allow port 80 (tcp) and 53 (udp) in/out for it, but apt-get update doesn't work unless I open all ports on TCP and UDP, and I can't pinpoint which of the needed ports are blocked.
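A default-deny ruleset for the setup discussed in this thread, as an added example that is not from the thread or from OpenMediaVault; it assumes the LAN is 192.168.1.0/24, the admin host is 192.168.1.10, and the web UI listens on TCP 80. It matches the destination in OUTPUT (the point subzero79 made), lets replies to accepted connections back out, and logs drops so the ports apt needs can be pinpointed from the kernel log instead of guessed.

```shell
#!/bin/sh
# Constructed example: default-deny iptables policy for a LAN-only server.
# Assumptions (not from the thread): LAN 192.168.1.0/24, admin host
# 192.168.1.10, web UI on TCP 80. Set IPT=echo to print rules instead
# of loading them; run with APPLY=1 as root to load them.
IPT="${IPT:-iptables}"
LAN="192.168.1.0/24"
ADMIN="192.168.1.10"

apply_rules() {
  $IPT -F; $IPT -X
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
  # Loopback: Samba and local services talk to 127.0.0.1
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # Replies to connections already accepted. This is what makes an
  # OUTPUT DROP policy usable: responses to LAN clients match here.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SSH and web UI only from the single admin host
  $IPT -A INPUT -s "$ADMIN" -p tcp --dport 22 -j ACCEPT
  $IPT -A INPUT -s "$ADMIN" -p tcp --dport 80 -j ACCEPT
  # Samba from the whole LAN (NetBIOS 137/138 udp, 139/445 tcp)
  $IPT -A INPUT -s "$LAN" -p udp -m multiport --dports 137,138 -j ACCEPT
  $IPT -A INPUT -s "$LAN" -p tcp -m multiport --dports 139,445 -j ACCEPT
  # New outbound connections to the LAN: match DESTINATION, not source
  $IPT -A OUTPUT -d "$LAN" -j ACCEPT
  # apt updates: DNS (udp and tcp) plus HTTP/HTTPS to the mirrors
  $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
  # Log (rate-limited) whatever falls through to the DROP policy, so a
  # blocked port shows up in the kernel log with its address and port
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
  $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
fi
```

After loading, `dmesg | grep FW-OUT-DROP` while running `apt-get update` shows exactly which destination and port the policy is blocking.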
