MHRSFI, posted June 24:

When I enable learning mode in the firewall, it primarily adds a rule with the application selected and often sets other parameters to "any". Occasionally, it will select a specific destination port if it's a single port rather than multiple ports. This raises the question: why doesn't the firewall also select the source IP to minimize the attack surface? For instance, if only one IP address is meant to connect to RDP on a server, why doesn't the firewall restrict the rule to only allow that specific IP? This approach would significantly enhance security by limiting access to only known and trusted IP addresses.
Marcos (Administrator), posted June 24:

I reckon that holds true only for outbound communication. Otherwise the firewall would have to create as many rules as the IP addresses of domains that the user connects to when browsing the Internet, which would be a mess with a negative effect on performance too.
MHRSFI (author), posted June 24:

> 1 hour ago, Marcos said: I reckon that holds true only for outbound communication. Otherwise the firewall would have to create as many rules as the IP addresses of domains that the user connects to when browsing the Internet, which would be a mess with a negative effect on performance too.

For inbound connections, specifying source IPs can significantly reduce the attack surface without the same performance concerns. For example, if only one IP address needs to connect to RDP on a server, the firewall should ideally restrict the rule to only allow that IP. This practice enhances security by ensuring only authorized sources can initiate connections to critical services.
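To make both sides of the exchange concrete, here is an added toy model of a learning-mode firewall (my own example, not ESET's rule format or code): it generates allow rules from observed connections, optionally pinning the peer address per direction, and shows that pinning inbound peers blocks RDP from an unexpected host with no rule growth, while pinning outbound peers produces one rule per destination IP. Application names, ports and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed rule model: app + direction + local port + remote CIDR.
@dataclass(frozen=True)
class Rule:
    app: str
    direction: str            # "in" or "out"
    port: Optional[int]       # None means "any port"
    remote: str               # CIDR; "0.0.0.0/0" means "any remote address"

    def matches(self, app, direction, port, remote_ip):
        return (self.app == app and self.direction == direction
                and self.port in (None, port)
                and ip_address(remote_ip) in ip_network(self.remote))

def learn_rules(observed, pin_remote_for=()):
    """Build allow rules from observed (app, direction, port, remote_ip)
    tuples the way a learning mode would. Directions listed in
    pin_remote_for get one rule per peer address; all other directions
    get a single 'any remote' rule per app/port."""
    rules = set()
    for app, direction, port, remote_ip in observed:
        remote = f"{remote_ip}/32" if direction in pin_remote_for else "0.0.0.0/0"
        rules.add(Rule(app, direction, port, remote))
    return rules

def allowed(rules, app, direction, port, remote_ip):
    """First-match semantics are irrelevant here: any matching allow passes."""
    return any(r.matches(app, direction, port, remote_ip) for r in rules)

# Constructed traffic sample: one admin host reaching RDP, plus a browser
# talking to 40 distinct HTTPS endpoints.
OBSERVED = [("TermService", "in", 3389, "192.0.2.10")] + [
    ("browser.exe", "out", 443, f"203.0.113.{i}") for i in range(1, 41)
]

if __name__ == "__main__":
    broad = learn_rules(OBSERVED)                        # today's behaviour
    strict = learn_rules(OBSERVED, pin_remote_for=("in",))
    both = learn_rules(OBSERVED, pin_remote_for=("in", "out"))
    for name, rules in (("broad", broad), ("inbound pinned", strict)):
        print(f"{name}: {len(rules)} rules, RDP from unexpected host allowed:",
              allowed(rules, "TermService", "in", 3389, "198.51.100.7"))
    print(f"inbound+outbound pinned: {len(both)} rules")
```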