Port Aliases

chris-1028

I have some port Aliases:

DefaultPorts
22 SSH
80 HTTP
443 HTTPS
465 SMTPS (Required)
587 SMTPS
993 IMAPS
995 POPS
8080 HTTP
49152:65535 IANA Ephemeral

FacetimePorts
80 TCP
443 TCP
3478:3497 UDP
5223 TCP
16384:16387 UDP
16393:16402 UDP

iMessagePorts
80 TCP
443 TCP
5223 TCP

WhatsappPorts
3478 UDP
4244 TCP
5222 TCP
5223 TCP
5228 TCP
5242 TCP
45395 UDP
50318 TCP/UDP
59230 TCP/UDP

QUESTION1:
As you can readily see, several ports are common to more than one Alias (80, 443, 5223, 50318, 59230 in this example).
Am I creating an issue for myself with an Alias-of Aliases as below ?

AllowedPorts
DefaultPorts …Alias
iMessagePorts …Alias
WhatsappPorts …Alias
FacetimePorts …Alias

QUESTION2:
Protocols are not part of the Alias.
Is it insanely obsessive to subset AllowedPorts into AllowedPortsTCP, AllowedPortsUDP, AllowedPortsTCPUDP so only the appropriate protocol is allowed in a Firewall Rule (— it would be only a few milliseconds to split this way in a database, and only needs three separate firewall rules) ?

Chris

akuma1x

What are we making all these port aliases for? If you've got a single allow any to any rule on the subnet/network you have these devices on, everything will just work.

Are you doing this for inside machines or mobile devices to get traffic in from, or out to, the internet? If so, it's not necessary. If you've got internal SERVERS that need these ports, then you do need to set all this up.

So... what are you wanting to do?

Jeff

chris-1028

@akuma1x
A fair question.

My current ageing firewall is more or less the any-any approach you speak of.

For my new pfSense box, I want to implement egress filtering: allowing out the smallest set possible of ports & protocols that enable users to do legitimate stuff.

Some background reading on the topic:
https://www.sans.org/reading-room/whitepapers/firewalls/egress-filtering-faq-1059
You will also find some discussion in the pfSense book p164 et seq.

Ideally I would like to use the obsessive approach suggested in my question2 — just needs a little database tool to generate the aliases as applications become allowed/disallowed.

Chris

johnpoz

@chris-1028 said in Port Aliases:

allowing out the smallest set possible of ports & protocols that enable users to do legitimate stuff.

What users? Is this a place of business or your home? What "users" are you wanting to limit? Are these strangers on your wifi? Or users with devices you control? Are they BYOD at your place of business/school/etc?

chris-1028

@johnpoz
Thanks for your response.

I will answer your question(s), but first an observation: a domestic network or a MegaCorp network are both exposed to essentially the same risks.

<asides>
*You might argue that MegaCorp has more to lose, but I would counter with: precisely because domestic users have less to lose, they don’t want to lose it. MegaCorp might shrug off a few lost millions …domestic users?

Does filtering egress solve all known problems? Certainly not! Once I allow even humble outgoing HTTP, the smart-UnGodly can attack. But since I CAN filter egress, it seems obvious to me that I should. My front-door will cede to a few dozen blows from a sledgehammer or (maybe) a very skilled lock pick — it still seems obvious to me that I should lock my front-door.

Is filtering egress possible without upsetting users: at MegaCorp yes — they probably have an acceptable use policy — users (by contract) must not get upset
when they drift outside the policy.
And in a domestic network? Also yes: log all blocks and adjust the FW rules to pass whatever seems legitimate after discussion. After a brief settling-in period, all is resolved.*
</asides>

The current discussion concerns a domestic (home) network with pfSense being a candidate to replace a UTM/USG “borrowed” from a corporate network: the (quite old) UTM/USG is simply too slow for my current domestic connection.

This pfSense box will handle 4 of my 7 domestic nets: IoT; Admin; Guest; and Private VLANs.
pfSense has no “LAN” & no any - any default pass rule (thank God).

any - any is beyond absurd for IoT !

any - any is equally absurd for Admin (FaceBook or WhatsApp on an Admin machine …haha). HTTPS, ICMP echo request, and SSH seems enough to start with, but this might expand a port or two, maybe for Christmas.

I want Guest brutally isolated: internet any (including external DNS); strictly nothing else. Guest machines are not my machines, and as long as they don’t hassle my machines they can do what they want to themselves (this might tighten a little over time if any bad stuff happens).

And that leaves Private: there are 9 computers (soon 10). I’m open to discussion with the users about opening access to anything that seems legitimate. I have a lot of historical FW logs in a db so I know the stuff my users have been doing in the past and will allow anything I deem reasonable to pass.

BL;DR: this is my network: users will live with my rules or seek my agreement to modifications of my rules …or use their phones as hotspots.

.Chris

johnpoz

@chris-1028 said in Port Aliases:

a domestic network or a MegaCorp network are both exposed to essentially the same risks.

No not even close sorry!!!

And are managed completely different.. Out of the gate.. And comes down to as well who controls the devices that connect to a corp network.

For starters in a corp - none of those ports you list would even be allowed out in the first place. And more than likely all or 99.9 of all access other than 1 one offs with tons of paper work to allow would be forced out a proxy anyway.

I would be more than happy to debate corp or domestic with you - but if you think it makes sense to spend time on such nonsense in a home setup.. Have fun! Your wasting your time! Your time should be directed at what exe the devices can execute before you worry about what ports they can talk outbound on.. And where they can get such exe in the first place.

Isolation of iot sure - agree, trying to limit it what it can do.. kind of pointless.. Pretty much anything it does is going to be over 80/443 that is a given anyway. Where it does that is the going to be more of concern as to what port it needs. Name some IOT devices that needs anything other than say icmp or 80/443? I have plenty of iot devices in my home - none of them talk on anything other than those ports. Well then need dns - but that is only required local.

I isolate all my iot devices, and log everything they do outbound - they never try and talk outbound on anything other than icmp/80/443..