I have a few VLANs, and in each one I basically have it organized like this:
- Determine whether or not that device will need internet access, and add to an alias if so that will give it port 80, 443 and 123 and whatever else may be needed for wan on that VLAN (for example, ports to connect to blizzard, steam, etc).
- Some devices (like my home assistant server) will get access to specific ports for MQTT, to talk to my LG TV, etc)
Is that best practices, or is it better to basically have each device listed with the specific ports they will need? The only problem I can see with they way I have it now is that some devices that get glommed into the wan alias will also get access to ports they do not need. Eg. A phone that is in the wan alias may also get access to blizzard, steam ports, etc.
Create service groups and host groups, then assign the appropriate host groups the proper service(s).
So if you have a web server only, it gets the webserver host group containing http and https tcp ports.
But if you have an application that uses web ports plus another port, just add the appropriate service group.
Essentially, think additive permissions: start restrictive, then add ports/service groups as necessary.
I hope that makes sense.
That does make sense, thank you. I kind of have that started in a way, for example I have port aliases for games grouped in one alias, I have ports for crypto mining into an alias, etc. Now I guess I just need to break up the hosts more and give them the necessary (and minimum amount of) permissions
Edit: @[email protected] made some changes to my Smart VLAN. Does this look a bit like what you mean?
My man, that ruleset looks beautiful.
Thank you!