Netgate Discussion Forum
    Block outgoing network

Firewalling
13 Posts 5 Posters 2.7k Views
• Jamerson

Hi guys,
I've been thinking of blocking all outgoing traffic, so that in case of an infection the infected machine is limited in connecting back to its server.
I want to allow the following ports:
HTTP - TCP:80
HTTPS - TCP:443
POP3 - TCP:110 (secure POP is typically TCP:995)
IMAP4 - TCP:143 (secure IMAP is typically TCP:993)
SMTP - TCP:25
DNS - UDP:53 (external lookups)

In the meantime all the outgoing ports are open.

All my machines send email using one server (an Exchange server).
Can somebody please explain how to configure this in a better way?

Thank you.

• Mr. Jingles

        Praise The Lords, and look what they gave so generously to us  ;D

        https://forum.pfsense.org/index.php?topic=78062.0

6 and a half billion people know that they are stupid, aggressive, lower life forms.

• Jamerson

@Hollander:

We must be lucky :)
I've added those ports to the outgoing rules as pass.

Please share your thoughts!

I also have one computer that is constantly downloading using torrents.
How do I allow just this computer to use torrents? With NAT?
Automatic NAT is already on, but the torrent client can't connect.
uTorrent is using port 60645, so port 60645 is allowed from NAT to Any.
The WAN firewall also allows port 60645 (the rule was created automatically after I created the LAN one).
Port 60645 is allowed as UDP/TCP.
What am I missing?

Thank you.

Attachments: Firewall Rules.jpg, NAT.jpg, WN.jpg

• johnpoz (LAYER 8 Global Moderator)

            "in case of infection"

            HTTP - TCP:80
            HTTPS- TCP:443

You do understand your logic is completely, utterly flawed..  Let's see, if I was going to infect someone and then phone home -- hmmm, what port should I use, some random out-of-the-blue port that pretty much 90% of work networks block, or should I use a standard port that is 99% of the time allowed.. ;)

Blocking ports because you want to control what ports leave your network is enough reason; thinking you're going to stop an infection -- not so much..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

• Jamerson

@johnpoz:

This is the reason why I love you, johnpoz :)
I just want to control the ports that are leaving my network.

About security:
all my WAN ports are blocked. Is this enough to reduce the number of attacks? Should I create some extra rules?

• johnpoz (LAYER 8 Global Moderator)

What rules would you create, since as you stated all unsolicited inbound traffic is already blocked?

You do understand blocking all but those standard ports you listed is going to break stuff ;)  So be prepared for stuff not working out of the box and you having to open stuff up. Games, applications, etc..

Why do you have those email ports open if you send and receive mail using an Exchange server?  Only the Exchange server would need outbound SMTP and inbound, etc.  Not sure what you're using POP or IMAP for?


• Jamerson

@johnpoz:

I have other email accounts I am using (private ones) that use POP and SMTP.
I've noticed things stop working after I blocked all outgoing ports and opened only those ones.

One of the issues is uTorrent, and I can't connect to the outside using OpenVPN even though I already opened the ports that OpenVPN uses on the outgoing side.

If I have only one machine that I use to connect from to the outside on random ports between 22000 and 33000,
should I NAT the outgoing ports to this machine, after opening them on the outgoing side?

Thank you.

• johnpoz (LAYER 8 Global Moderator)

You can allow only its IP out on whatever ports you want to allow traffic on. Out of the box all local IPs would be NATed to your public IP; there would be no reason to make special NAT rules.

And to be honest, there is little reason to block these outgoing ports in a home setup.  As I stated, if you do infect one of your machines it's most likely going to go out a standard port you have open for internet: 80, 443, etc.

While control of the outbound traffic makes sense in a business location, because you don't want every Tom, Dick and Harry user running whatever they want to run, etc., quite often in a business setup the only things that are allowed outbound traffic would be your proxy and, say, your DNS server and email server.  Normal clients don't have direct outbound access in most company networks.


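The per-host egress policy described in the post above (web for everyone, SMTP only from the Exchange server, one host with unrestricted outbound ports, everything else logged and dropped), written out as a pf ruleset. pfSense builds its LAN rules on pf, but this is an added example, not the original poster's configuration and not rules generated by pfSense; the interface names, the 192.168.1.0/24 network and the addresses of the Exchange and torrent hosts are assumed for illustration.

```pf
# Added example: LAN egress policy in pf syntax (the packet filter underneath pfSense).
# Interface names and addresses below are assumed for illustration.
ext_if   = "em0"               # WAN
lan_if   = "em1"               # LAN
lan_net  = "192.168.1.0/24"
exchange = "192.168.1.10"      # the only host that should deliver SMTP to the internet
torrent  = "192.168.1.50"      # the one host that needs arbitrary outbound ports

# Outbound NAT: every LAN host is translated to the WAN address, so no per-host NAT rule is needed.
# (pf requires translation rules to come before filter rules.)
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny in every direction; log hits so the applications that break can be found and opened one by one.
block log all

# Clients resolve through the firewall's own resolver rather than arbitrary external DNS servers.
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to $lan_if port 53

# Web: allowed for everyone (and, as noted above, the channel malware is most likely to use anyway).
pass in quick on $lan_if inet proto tcp from $lan_net to any port { 80 443 }

# Mail: only the Exchange server may deliver on 25; clients with private mailboxes get the
# submission and mailbox-access ports, the TLS variants included.
pass in quick on $lan_if inet proto tcp from $exchange to any port 25
pass in quick on $lan_if inet proto tcp from $lan_net to any port { 587 110 995 143 993 }

# OpenVPN to an outside server: 1194 is the protocol default; a remote on another port needs that port here.
pass in quick on $lan_if inet proto udp from $lan_net to any port 1194

# The torrent box connects to whatever port each remote peer listens on, so it gets unrestricted egress.
pass in quick on $lan_if inet proto { tcp udp } from $torrent to any

# Everything else from the LAN is dropped and logged (explicit, although "block log all" already covers it).
block in log quick on $lan_if inet from $lan_net to any

# Let the translated LAN sessions (and the firewall's own traffic) leave the WAN.
pass out quick on $ext_if inet all
```

`pfctl -nf <file>` parses the ruleset without loading it, which is the cheap check to run before pushing a deny-by-default policy to a box you administer remotely. In the pfSense GUI the same policy is the ordered list under Firewall > Rules > LAN, evaluated first match, which is what the `quick` keyword expresses here.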
• Jamerson

@johnpoz:

johnpoz, thank you man for your answer.
I am willing to train on blocking and monitoring those ports so I can configure this in production soon.

I have a machine using uTorrent on port 65777, so I allowed port 65777 TCP+UDP from the LAN to Any. However, uTorrent doesn't start seeding; everything is blocked.
I want to monitor all the ports; this is the purpose behind this.

Is any other configuration needed to have uTorrent running?

• Harvy66

Just a minor point: 65,535 is the maximum port number. 65,777 seems a bit high for a 16-bit value.

• Jamerson

@Harvy66:

Thank you for your answer.
I've changed the port to 60645, which is OK for a 16-bit value,
and allowed the port on the outgoing traffic
from the LAN address (the server address) to any, TCP+UDP.

Still the client can't connect!

Thank you.

• Derelict (LAYER 8 Netgate)

                            If you want outside torrent clients to be able to connect to your inside torrent on 60645 you need an inbound rule on WAN and a NAT port forward.

                            The outbound torrent sessions will be going out to whatever port the remote is listening on, which filtering outbound ports like this will, in all likelihood, break.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

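The two pieces the answer above asks for, the port forward and the matching WAN rule, in pf syntax, plus the egress rule that lets the same host reach remote peers on arbitrary ports. This is an added example, not the poster's configuration or pfSense output; the interface names and the torrent host's address are assumed, the port 60645 is the one from the thread.

```pf
# Added example: inbound port forward for an inside torrent client on 60645.
# Interface names and the inside host address are assumed for illustration.
ext_if  = "em0"                # WAN
lan_if  = "em1"                # LAN
torrent = "192.168.1.50"
tport   = "60645"

# Translation runs before filtering: TCP and UDP arriving on the WAN address for 60645
# are redirected to the inside host (the pfSense Firewall > NAT > Port Forward entry).
rdr on $ext_if inet proto { tcp udp } from any to ($ext_if) port $tport -> $torrent port $tport

block log all

# The WAN filter rule sees the packet after rdr, so it must match the inside host as
# destination, not the WAN address (the "associated filter rule" pfSense offers for a forward).
# The source is left as "any": remote peers can come from anywhere.
pass in quick on $ext_if inet proto { tcp udp } from any to $torrent port $tport

# Outbound peer sessions go to whatever port each remote peer listens on. A LAN rule that only
# allows destination port 60645 would block them, which is why the host needs open egress.
pass in quick on $lan_if inet proto { tcp udp } from $torrent to any
pass out quick on $ext_if inet all
```

Once loaded, `pfctl -ss | grep 60645` lists the states for the forward; an inbound state whose destination is the inside host confirms that the redirect and the WAN rule both matched, while an empty result with a WAN rule present usually means the rule was written against the WAN address instead of the translated one.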
• Jamerson

@Derelict:

Thank you, sir!
It works!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.