Re: Basic / Best Practice FW Configuration




I’m totally new to ZeroShell and have managed to get myself very confused with the basic firewall configuration.

I have a very simple setup, i.e. ETH0 is my LAN and ETH01/ppp0 is my PPPOE ASDL connection (with NAT enabled).

I was using pfsense prior to ZeroShell and with that system the basic/default firewall configuration is very simple with all defaalt rules available to see via the GUI. That system, by default, allows any traffic from the LAN to the Internet and disallows any unsolicited traffic from the Internet to the LAN.

Now with ZeroShell things don’t seem to be as simple (to me).

From the reading I have done, I see there are 3 default chains, this is my understanding of them:

– Input: Traffic ingressing to ZeroShell and terminating there
– Output: Traffic originating from ZeroShell
– Forward: Traffic traversing ZeroShell (in either direction)

The 1st thing that is confusing me is that when looking via the GUI these chains seem to be blank but when I click on view for each of the chains I see that they are not (as follows):

Chain INPUT (policy ACCEPT 79 packets, 6162 bytes)
pkts bytes target prot opt in out source destination
223 22665 SYS_INPUT all -- * *
0 0 SYS_HTTPS tcp -- * * tcp dpt:80
144 16503 SYS_HTTPS tcp -- * * tcp dpt:443
0 0 SYS_SSH tcp -- * * tcp dpt:22

Chain OUTPUT (policy ACCEPT 13323 packets, 3730K bytes)
pkts bytes target prot opt in out source destination
27629 4775K SYS_OUTPUT all -- * *

Chain FORWARD (policy ACCEPT 12090 packets, 6477K bytes)
pkts bytes target prot opt in out source destination

Also I want to understand the best-practice configuration to secure my simple setup to protect it from the Internet.

I can see from the Input chain that http/https/ssh seem to be allowed. I did try adding a rule to block https but it appears at the bottom of the list and has no effect.

With regard to protecting my equipment on my LAN (rather than ZeroShell itself) what’s the best practice? Do I need to do anything since I’m running NAT, i.e. does that itself protect my LAN from unsolicited attack?

Many thanks,