Netgate Discussion Forum
    Analysis of most common used outgoing ports from LAN to Internet

    General pfSense Questions
    6 Posts, 5 Posters, 543 Views
    AMizil

      Hello,

      I would like to do an analysis of the most commonly used outgoing ports from LAN to the Internet over a one-month period, in order to restrict outbound access to only the ports used for business needs.

      Currently using pfSense v2.3.4, FW rule on LAN: LAN to *. All the corporate laptops/desktops are using the LAN interface; for private mobile phones there is a separate Guest WIFI interface.

      On the Guest WIFI interface I have restricted outgoing access to only the commonly used ports: 80, 443, 587, 465, 110, 995, 25.

      What solution do you recommend ?

      Thanks,
      Adrian

      johnpoz (LAYER 8 Global Moderator)

        Log the allow rule on LAN and keep an eye on the log for what ports are used. Probably best to send the logs to a syslog server to make it easier to parse, to maintain history for a whole month, etc.

        Don't you know what applications your business uses? The other option is to just allow the ports you know for sure will be needed (80/443 for sure), then log your block rule and any complaints about specific applications not working, and open them if they fall into business need.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        AMizil
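        The "log the allow rule, ship it to syslog, then count the ports" approach above can be scripted. The following is an added example (not code from the thread or from pfSense) that parses pfSense 2.2+ filterlog lines as received by a syslog server and tallies destination port usage for new outbound flows on the LAN interface. The CSV field order is assumed from the pfSense filter log format documentation (rule-number, sub-rule-number, anchor, tracker, real-interface, reason, action, direction, ip-version, the version-specific header fields, then length, source, destination, and for TCP/UDP source-port, destination-port, data-length, tcp-flags); the interface name `igb1` and the sample log lines are constructed for the example.

```python
"""Tally outbound destination ports from pfSense filterlog syslog lines (added example)."""
import ipaddress
import re
from collections import Counter

# Match the CSV payload after "filterlog:" (or "filterlog[pid]:") in a syslog line.
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>\S.*)$")


def parse_filterlog(line):
    """Parse one pfSense 2.2+ filterlog line; return a dict, or None if not TCP/UDP.

    Assumed field order (per the pfSense filter-log format): rule-number,
    sub-rule-number, anchor, tracker, real-interface, reason, action, direction,
    ip-version, then the IP-version-specific header fields, then length,
    source-address, destination-address, and for TCP/UDP source-port,
    destination-port, data-length (TCP adds tcp-flags next).
    """
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7]}
    if f[8] == "4":
        # IPv4 header fields: tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text
        if len(f) < 20:
            return None
        proto, base = f[16].lower(), 17
    elif f[8] == "6":
        # IPv6 header fields: class, flow-label, hop-limit, protocol-text, protocol-id
        if len(f) < 17:
            return None
        proto, base = f[12].lower(), 14
    else:
        return None
    rec.update(proto=proto, src=f[base + 1], dst=f[base + 2])
    if proto not in ("tcp", "udp") or len(f) < base + 5:
        return None  # ICMP and friends carry no ports
    rec["sport"], rec["dport"] = int(f[base + 3]), int(f[base + 4])
    rec["tcpflags"] = f[base + 6] if proto == "tcp" and len(f) > base + 6 else ""
    return rec


def tally_outbound_ports(lines, iface="igb1", action="pass"):
    """Count (proto, dport) for new outbound flows passed *in* on the LAN interface.

    Skips private destinations (LAN-to-LAN traffic) and, for TCP, anything that
    is not a bare SYN, so mid-flow packets in a log do not inflate the count.
    """
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["iface"] != iface or rec["action"] != action or rec["dir"] != "in":
            continue
        if ipaddress.ip_address(rec["dst"]).is_private:
            continue
        if rec["proto"] == "tcp" and not ("S" in rec["tcpflags"] and "A" not in rec["tcpflags"]):
            continue
        counts[(rec["proto"], rec["dport"])] += 1
    return counts


def summarize(lines, top=10):
    """Return [(proto, port, count)] sorted by count, most used first."""
    return [(p, d, n) for (p, d), n in tally_outbound_ports(lines).most_common(top)]


# Constructed sample syslog lines in the pfSense filterlog format (not real traffic).
# Lines 5-8 are deliberately excluded by the tally: LAN-to-LAN, ICMP, a WAN block, and
# an IPv6 flow that is counted under its port like the IPv4 ones.
SAMPLE_LOG = """\
Jun 19 14:11:37 pfsense filterlog: 5,16777216,,1000000103,igb1,match,pass,in,4,0x0,,64,7631,0,DF,6,tcp,60,192.168.1.100,93.184.216.34,48752,443,0,S,2456565658,,29200,,mss;sackOK;TS;nop;wscale
Jun 19 14:11:38 pfsense filterlog: 5,16777216,,1000000103,igb1,match,pass,in,4,0x0,,64,7632,0,DF,6,tcp,60,192.168.1.100,93.184.216.34,48753,443,0,S,2456565659,,29200,,mss;sackOK;TS;nop;wscale
Jun 19 14:11:39 pfsense filterlog: 5,16777216,,1000000103,igb1,match,pass,in,4,0x0,,64,7633,0,DF,6,tcp,60,192.168.1.101,74.125.133.108,51000,587,0,S,1,,29200,,mss
Jun 19 14:11:40 pfsense filterlog: 5,16777216,,1000000103,igb1,match,pass,in,4,0x0,,64,7634,0,none,17,udp,76,192.168.1.101,8.8.8.8,53211,53,56
Jun 19 14:11:41 pfsense filterlog: 5,16777216,,1000000103,igb1,match,pass,in,4,0x0,,64,7635,0,DF,6,tcp,60,192.168.1.102,192.168.1.10,45000,445,0,S,2,,29200,,mss
Jun 19 14:11:42 pfsense filterlog: 5,16777216,,1000000103,igb1,match,pass,in,4,0x0,,64,7636,0,none,1,icmp,84,192.168.1.102,8.8.8.8,request,1234,5678
Jun 19 14:11:43 pfsense filterlog: 9,16777216,,1000000104,igb0,match,block,in,4,0x0,,51,1,0,none,6,tcp,40,203.0.113.7,198.51.100.2,44444,22,0,S,3,,1024,,
Jun 19 14:11:44 pfsense filterlog: 5,16777216,,1000000103,igb1,match,pass,in,6,0x00,0,64,tcp,6,40,2001:db8::10,2606:4700::1,40000,443,0,S,4,,28800,,mss
"""

if __name__ == "__main__":
    for proto, port, n in summarize(SAMPLE_LOG.splitlines()):
        print(f"{proto}/{port}\t{n}")
```

        Feed it a month of collected lines (`summarize(open("filter.log"))`) and the output is the ranked port list the original post asks for; the ports that appear are candidates for the alias, and anything that appears once from a single host is worth a look before it is allowed.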

          @johnpoz:

          Log the allow rule on LAN and keep an eye on the log for what ports are used. Probably best to send the logs to a syslog server to make it easier to parse, to maintain history for a whole month, etc.

          Thanks for reminding me about logs … I have recently changed from standard syslog to Splunk Light (free), but when you need it most: "Your Splunk Light license expired or you have exceeded your license limit too many times". After the trial period expires you have to somehow manually change to free, otherwise ...

          I will also check the logging of the packets on LAN rule.

          @johnpoz:

          Don't you know what applications your business uses? The other option is to just allow the ports you know for sure will be needed (80/443 for sure), then log your block rule and any complaints about specific applications not working, and open them if they fall into business need.

          Yes, I do, but I would like to see what other non-standard ports are being used. Too much effort for nothing. Going with the standard ports 80/443 and Gmail SMTP/IMAP secure, and that's a good starting point using "aliases".

          Best regards,
          Adrian

          Nullity

            It's probably overkill but there are some good netflow analyzers like FlowViewer.

            Please correct any obvious misinformation in my posts.
            -Not a professional; an arrogant ignoramus.

            Derelict (LAYER 8 Netgate)

              80,443, 587, 465, 110, 995, 25.

              I wouldn't allow 25.
              I would add 143 and 993.
              That would be email, web, and whatever else is configured to use those ports.

              Why do you care what ports your guests connect to, with the possible exception of 25?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              biggsy

                @AMizil:

                "Your Splunk Light license expired or you have exceeded your license limit too many times". After the trial period expires you have to somehow manually change to free, otherwise …

                Go to Settings > Licensing > Change license group.  This does limit you to sending less than 500 MB/day of logs to Splunk though.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.