More control on egress
-
I would like to have more "grip" on what goes out my private networks to the internet.
I can think of 2 approaches:
- As everything is blocked by default, I could start with a few protocols/ports like HTTP, HTTPS, POP, SMTP and IMAP and gradually add more. Major drawback: users will start complaining and I still don't really know what's using these ports.
- Start with Snort or Suricata as an IDS, not IPS.
Can anyone point me in the right direction?
Cheers, Qinn
-
Is this for a household or business? How many users? What is your goal for traffic control, i.e. why do you want to control what goes out?
-
Household, well not many users, but 55 nodes (tablets, desktops, laptop, IoTs, printers, etc.). Goal: controlling and maybe blocking what goes out.
-
IDS is not going to give you an idea of all traffic - only going to tell you traffic it thinks is bad.. I.e. what triggers via a signature, etc. Much of which will be false positives..
If you want to get an idea on what ports are used.. Just log your outbound default any any rule.. Send this to syslog for easy parsing, etc.
Just curious with so many different nodes - do you have these devices broken out into different vlans... For example you mention iot - do you have that isolated and locked down in any way?
What you're going to find is pretty much all traffic going to be http/https.. Unless you have a lot of console game play or something? Are you actually using pop/smtp? You use fat clients for email? I.e. like outlook or thunderbird or something?
Most of the traffic is prob going to be https traffic - so unless you plan on doing mitm on your own devices.. Other than say seeing that iot device phoned home via https to some amazon IP you're not going to get much info, etc.
You prob get a better idea of what your devices are doing by just logging the dns queries they do.. And how often they do the queries, etc. I would just log unbound, etc. But while it can log every query - not a really easy to see and understand interface to this log. Running say pi-hole as your network's dns, and then just having that forward to pfsense unbound will be an eye opener on where your clients are going.. And you can block ads and nonsense sites with it as a bonus ;) Tie that with your logging of outbound traffic for the different ports and yeah you will have a lot of info to work with on what you can stop, be it dns based or port based at the firewall, etc.
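The "log your outbound any/any rule and send it to syslog" approach above only answers the OP's question ("what's using these ports?") once someone parses the log. As an added example (not from this thread or from pfSense), here is a small parser that tallies permitted outbound flows by source host, protocol and destination port. The log lines are constructed, and the field offsets follow the pfSense filterlog CSV layout as assumed here; verify them against your own filter log before relying on the counts.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic). Layout assumed to be the
# pfSense filterlog CSV: rule fields, then IP header fields, then per-protocol fields.
FILTERLOG_LINES = """\
Jan 1 10:00:01 fw filterlog[123]: 5,,,1000000103,igb0,match,pass,out,4,0x0,,64,1,0,DF,6,tcp,60,192.168.20.15,93.184.216.34,51234,443,0,S,1,,65535,,mss
Jan 1 10:00:02 fw filterlog[123]: 5,,,1000000103,igb0,match,pass,out,4,0x0,,64,2,0,DF,6,tcp,60,192.168.20.15,93.184.216.34,51235,443,0,S,1,,65535,,mss
Jan 1 10:00:03 fw filterlog[123]: 5,,,1000000103,igb0,match,pass,out,4,0x0,,64,3,0,none,17,udp,76,192.168.30.7,198.51.100.9,40000,123,56
Jan 1 10:00:04 fw filterlog[123]: 5,,,1000000103,igb0,match,pass,out,4,0x0,,64,4,0,DF,6,tcp,60,192.168.30.7,203.0.113.5,40001,8883,0,S,1,,65535,,mss
Jan 1 10:00:05 fw filterlog[123]: 5,,,1000000103,igb0,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,203.0.113.5,192.168.30.7,8883,40001,0,S,1,,65535,,mss
"""

_PREFIX = re.compile(r"filterlog\[\d+\]:\s*")

def parse_filterlog(line):
    """Return (direction, action, src, proto, dport) for one line, or None if unparsable.
    Assumed offsets: common fields 0-8; IPv4 protocol name at 16, src at 18, ports at 20/21;
    IPv6 protocol name at 12, src at 15, ports at 17/18. ICMP etc. carry no port fields."""
    m = _PREFIX.search(line)
    if not m:
        return None
    f = line[m.end():].split(",")
    try:
        action, direction, ipver = f[6], f[7], f[8]
        if ipver == "4":
            proto, src, ports = f[16], f[18], f[20:22]
        elif ipver == "6":
            proto, src, ports = f[12], f[15], f[17:19]
        else:
            return None
        dport = int(ports[1]) if proto in ("tcp", "udp") and len(ports) == 2 else None
    except (IndexError, ValueError):
        return None
    return direction, action, src, proto, dport

def outbound_summary(lines):
    """Count permitted outbound flows keyed by (source host, protocol, destination port)."""
    counts = Counter()
    for line in lines.splitlines():
        rec = parse_filterlog(line)
        if rec and rec[0] == "out" and rec[1] == "pass":
            counts[rec[2:]] += 1   # inbound and blocked entries are skipped
    return counts

if __name__ == "__main__":
    for (src, proto, dport), n in outbound_summary(FILTERLOG_LINES).most_common():
        print(f"{src:<16} {proto:<5} {str(dport):<6} {n}")
```

The per-host view is what makes odd ports stand out (here the 192.168.30.7 node talking MQTT-over-TLS on 8883), which is the information needed before tightening the egress rule set.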
-
@johnpoz Hi John, first congrats on the Moderator status
@johnpoz said in More control on egress:
Just curious with so many different nodes - do you have these devices broken out into different vlans... For example you mention iot - do you have that isolated and locked down in any way?
Yes, these nodes are across 10 VLANs (to name but a few: IoT, Printers, Guests etc.). The reason is just as you mentioned, IoTs are locked down. Printers for instance are accessible from LAN, WLAN and Guest, and to let them be accessible for iOS I have Avahi enabled (Bonjour/Zeroconf proxy).
@johnpoz said in More control on egress:
What you're going to find is pretty much all traffic going to be http/https.. Unless you have a lot of console game play or something? Are you actually using pop/smtp? You use fat clients for email? I.e. like outlook or thunderbird or something?
Yes, pop/smtp is used, maybe soon IMAP.
@johnpoz said in More control on egress:
Most of the traffic is prob going to be https traffic - so unless you plan on doing mitm on your own devices.. Other than say seeing that iot device phoned home via https to some amazon IP you're not going to get much info, etc.
You are right, https will not be readable, and MiTM (man-in-the-middle) is not what I am planning on my own devices ;)