Jump to content

Recommended Posts

Posted

When I enable learning mode in the firewall, it primarily adds a rule with the application selected and often sets other parameters to "any". Occasionally, it will select a specific destination port if it's a single port rather than multiple ports. This raises the question: why doesn't the firewall also select the source IP to minimize the attack surface?

For instance, if only one IP address is meant to connect to RDP on a server, why doesn't the firewall restrict the rule to only allow that specific IP? This approach would significantly enhance security by limiting access to only known and trusted IP addresses.

  • Administrators
Posted

I reckon that holds true only for outbound communication. Otherwise the firewall would have to create as many rules as the IP addresses of domains that the user connects to when browsing the Internet which would be a mess with a negative effect on performance too.

Posted
1 hour ago, Marcos said:

I reckon that holds true only for outbound communication. Otherwise the firewall would have to create as many rules as the IP addresses of domains that the user connects to when browsing the Internet which would be a mess with a negative effect on performance too.

For inbound connections, specifying source IPs can significantly reduce the attack surface without the same performance concerns. For example, if only one IP address needs to connect to RDP on a server, the firewall should ideally restrict the rule to only allow that IP. This practice enhances security by ensuring only authorized sources can initiate connections to critical services.

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...