Netgate Discussion Forum
    Netgate 2100 and any any rules questions

    Official Netgate® Hardware | 49 Posts, 4 Posters, 8.1k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @JonathanLee
      last edited by johnpoz

      @jonathanlee said in Netgate 2100 and any any rules questions:

      (NIST Special Publication 800-41r1).

      Dude that is funny.. I have been doing firewalls, most likely since before you were born ;) hehehe

      Really, before stateful firewalls, back in the day of just old packet filters... hehehehe But sure, ok, feel free to quote docs ;)

      I was just pointing out that pretty much every firewall on the market is default deny, no need to put in the rule. And from your rules there, all you're doing is hiding blocked traffic from your log for tcp and udp.. Since you're not logging that rule.. What about all the other protocols - that deny there at the end should be logging, and an any rule..

      Also, btw, NTP doesn't use TCP - so why have it allowed? ;)

      And there are many sites that can do QUIC, HTTP/3, which is over UDP.. Guess you want to block that traffic and not log it ;)

      From a security point of view, allowing those tunnel protocols for your XBOX -- horrible horrible idea.. Once you allow such a tunnel or vpn out like that - all of your firewall rules and blocking go out the window.. You're allowing anything on the lan net to do that, not just some specific xbox..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by stephenw10

        Realistically you cannot define the destination for a lot of those rules, it has to be 'any external IP'.

        But you can set that by defining an alias with your own local subnets in it and then using the inverse of that. Like:

        Screenshot from 2021-11-18 13-03-36.png

        and

        Screenshot from 2021-11-18 13-03-58.png

        Steve

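        As an added example (not the thread's own ruleset, and not taken from the screenshots), here is how the points raised so far look in the pf syntax that pfSense generates: stephenw10's inverted local-subnet alias as the destination, johnpoz's UDP-only NTP and UDP/443 for HTTP/3, and a final deny that actually logs. The interface name, addresses and the console port are assumptions.

```pf
# Constructed example of pfSense-style pf rules (not the thread's ruleset);
# interface name, addresses and the console port are assumptions.
lan_if  = "mvneta1"
lan_net = "192.168.1.0/24"

# Alias of local subnets; "! <local_nets>" stands in for "any external IP"
table <local_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Only the consoles get their service ports, not the whole LAN net
table <xbox_hosts> { 192.168.1.50, 192.168.1.51 }

# NTP is UDP/123 only; a TCP/123 allow rule would never match anything
pass in quick on $lan_if inet proto udp from $lan_net to ! <local_nets> port 123 keep state

# DNS to the firewall itself, so clients resolve the same way pfSense did
# when it built any FQDN-based aliases
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to ($lan_if) port 53 keep state

# Web: TCP 80/443 plus UDP/443, because HTTP/3 (QUIC) runs over UDP
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to ! <local_nets> port { 80 443 } keep state

# Console-specific port (assumed value) limited to the alias, not the LAN net
pass in quick on $lan_if inet proto udp from <xbox_hosts> to ! <local_nets> port 3074 keep state

# An unlogged tcp/udp block here would only hide those drops from the log:
# block in quick on $lan_if inet proto { tcp udp } all

# Explicit, logged deny for every protocol: the built-in default deny already
# drops the rest, so the value of this rule is the "log" keyword
block in log quick on $lan_if inet all
```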
        • JonathanLeeJ
          JonathanLee @johnpoz
          last edited by

          @johnpoz Thanks for the information on HTTPS/3; that is new to me. I was born years ago and have worked on IT equipment for over 15 combined years, all over the USA, all the way up to the internet backbone level. Like you, I have also worked on glorified packet filters back in the day, all Command Line Interface (CLI) based with no GUI.

          I did have logging turned on for this rule; however, if I am not looking at it I turn it off to reduce resource use.

          Over the years one can say we learned that all protocols and the rules that are in place for them need to follow some official government guidelines. Again, we all can agree with that, or why have protocols at all? What is a protocol but a set of rules?

          As for the new HTTPS/3: "This is new to me, thanks for sharing." Thank you for sharing. Why do you think this was made? Maybe because of new GDPR laws? Or something else?

          Companies have always created new cutting-edge protocols to make something work better or sometimes just to avoid detection. However, they should always train students on them before just using them or doing a blanket deployment.

          That is why data center compliance systems can and will continue to block them out when out of compliance. Rules that came out a couple of years ago like GDPR and the California privacy laws are never going away. They will continue to grow and expand for a safer internet. If protocols change to avoid detection or to avoid a system that can decrypt SSL over an enterprise network, one could say that it is no longer in "compliance" or following the official government guidelines. At that point more rules will be made and new fines put in place. "User Datagram Protocol" (UDP) does not have a three-way handshake, so it is harder to work with for Nmap scans and things like that, we know that, and harder to detect. Thanks again for the information, I will research this more.

          HTTPS/3 and its use over UDP is new to me. Thanks for sharing; this is why I went back to school. We have got to keep learning and updating our skill sets.

          Years ago it was only HTTP port 80 with 56k modems in the 90s. I remember my 8088 DOS 3.11 PC6300 system built by AT&T, all green monochrome text. Today I can download full files from my phone over an audio connection to my Apple IIc; it is amazing how fast it changed.

          Make sure to upvote

          • JonathanLeeJ
            JonathanLee @johnpoz
            last edited by

            @johnpoz, I had to set it to the specific IP address for the XBOX last week. I did not like the double rules; I wanted to be able to add 2 IP addresses to one rule for them, the Xbox 360 and the Xbox One private IP addresses only. Tunnels are an issue, yes.
            • JonathanLeeJ
              JonathanLee @johnpoz
              last edited by

              @johnpoz Thanks for pointing out the tunnel issue with the Xbox. I made an IP group.

              Xbox Group.JPG

              Al.JPG

              • JonathanLeeJ
                JonathanLee @stephenw10
                last edited by

                @stephenw10

                Thanks for the information

                Xboxgroup2.JPG

                • JonathanLeeJ
                  JonathanLee @JonathanLee
                  last edited by

                  @jonathanlee summ.JPG

                  It looks like NIST is already planning a course of action for HTTPS/3 QUIC over UDP.
                  • JonathanLeeJ
                    JonathanLee @stephenw10
                    last edited by

                    @stephenw10

                    Thank you, this is what I needed. I have my email running with specific USA-only IP addresses for Gmail now.

                    sbcglobal.net, which was passed to yahoo.com and after that currently comes from att.net through yahoo.com, is another quest.

                    Thank you.JPG

                    • JonathanLeeJ
                      JonathanLee @stephenw10
                      last edited by

                      @stephenw10

                      Thank you so much. I generated an alias with the correct IP addresses found with nslookup and it is now working. With all the FBI email issues in the news recently, I wanted to research a way to make a device only use an approved IP address for email on SMTP and IMAP. Your solution worked, thank you again.

                      yahoo issues.JPG

                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by stephenw10

                        You can also just enter the FQDNs in the alias and pfSense will resolve them periodically for you.

                        Where that will fall down is for something that can resolve to a large number of IPs like mail.google.com. The alias will only ever contain the IP it resolved to at the time pfSense generated the ruleset. Anything that doesn't use pfSense for DNS, like something hardcoded for 8.8.8.8 for example, might get a different IP and then be blocked.

                        https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#using-hostnames-in-aliases

                        Steve

                        • JonathanLeeJ
                          JonathanLee @stephenw10
                          last edited by

                          @stephenw10

                          Thanks to everyone that helped me on this.
                          I have updated the ACLs and it is working perfectly all day. I had to add the main and backups for each email type and it worked. I just did not want tunnels on my network, and wanted to make the rules more specific. Each day I am trying to make it more secure.

                          Thank you. This is solved.

                          Rules updated.JPG

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @JonathanLee
                            last edited by

                            @jonathanlee said in Netgate 2100 and any any rules questions:

                            Each day I am trying to make it more secure.

                            But not aware of anything going on that shouldn't - you're still not logging the deny you put in. So you're not going to log anything trying to be done on tcp/udp..

                            And your xbox(s) are still being allowed to tunnel out, and therefore bypass any firewall rules you might put in place - how is that secure?

                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              Mmm, moving consoles to a different interface would be more secure. Assuming traffic between the subnets is blocked.
                              Physically wiring that could be a problem.

                              Steve

                              • JonathanLeeJ
                                JonathanLee @stephenw10
                                last edited by JonathanLee

                                @stephenw10 if it's bridged to a wifi connection, can I do that with a VLAN still? I could make a different subnet; however, the wifi system handles the connections before the firewall. The way it is set up now, only the 2 consoles' IP addresses can use those ports, and nothing else. I need the Xboxes to run and they require those ports open. I want to do a VLAN; I should look into creating one and only adding the Xboxes.
                                • JonathanLeeJ
                                  JonathanLee @stephenw10
                                  last edited by JonathanLee

                                  @stephenw10 I used to have Ethernet-over-AC devices, but they made way too much noise for my shortwave radios that I get global news with, so I had to disconnect them.
                                  • JonathanLeeJ
                                    JonathanLee @johnpoz
                                    last edited by

                                    @johnpoz

                                    Just for you. This puppy has got a log.

                                    Screen Shot 2021-11-19 at 7.04.57 AM.png

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @JonathanLee
                                      last edited by

                                      @jonathanlee it logs default deny out of the box ;)

                                      Your default deny there on the bottom is pretty pointless.. Unless you wanted it on purpose not to log traffic that the default deny already does..

                                      But sure if you want a rule in the gui to "see" for your default deny, that is a better way to do it - any rule with logging.

                                      • stephenw10S
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        Do you have other things on WIFI?

                                        I would look at creating a separate SSID for the xboxes and connecting that with a VLAN if your access points support it.

                                        Steve

                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @stephenw10
                                          last edited by

                                          ^ exactly I would for sure segment such devices from the rest of my network. Especially if I was going to allow it to create a tunnel that bypasses all the firewall rules anyway to the public internet.

                                          • JonathanLeeJ
                                            JonathanLee @johnpoz
                                            last edited by

                                            @johnpoz Screen Shot 2021-11-19 at 8.00.11 AM.png
                                            Created a VLAN.
                                            Screen Shot 2021-11-19 at 7.59.40 AM.png
                                            But no traffic; I have statically assigned IP addresses for them.
                                            Screen Shot 2021-11-19 at 8.02.15 AM.png
