4. Egress filtering, but what with all the Google and Microsoft connections?

Egress filtering, but what with all the Google and Microsoft connections?


  • I'd like to start egress filtering. In Firewall => Rules => LAN I already created a few allow rules for http, https, dns. My default [LAN to any] [allow] is still active and logged for the moment. I'd like to disable this rule at the end. But now that I check the logs, I see that I have a lot of connections to Google, Microsoft and Apple from all the devices in my LAN. They all have a lot of different public IP ranges. How do you handle this?? I make use of Google Drive, Microsoft Onedrive, Microsoft Agenda Sync, etc. Is egress filtering still an option or is it a waste of time? I know I can make use of aliases, but even then…
    I see much traffic using ports 993 (tcp), 443 (udp), 123 (udp). But there is a lot more. I know what the ports are used for. The question is what will happen once I disable the allow all to the outside rule....
    A few questions about the ports I mentioned:
    993 => I thought you had to open this when you had a mail server on your LAN. That's not the case for me.
    443 => I made a rule over TCP for https, not UDP. I read that closing port 80 and 443 over UDP could resolve the DDOS issues.
    123 => NTP, I'll probably have to add this in my allow list.

    0
  • LAYER 8 Global Moderator

    resolve ddos issues???  What??

    if our seeing 80/443 traffic over UDP its QUIC traffic
    https://en.wikipedia.org/wiki/QUIC

    As to 993 that is imap over ssl, do you have a client that talks to a email server outside your network using imap then yeah that port will be open.

    0

  • Thank you for your reply. Maybe I didn't understood well what was meant (English not being my mother tongue) but about the ddos thing I read it here: http://pfsensesetup.com/egress-filtering-with-pfsense/. I'll take a look at the wiki page. 
    But in my case, does egress filtering seems to be overkill? What is your opinion about that? Do I close the door and let only going out the traffic that I want? And if so, how do I manage all these Google, Microsoft and Apple connections that pass today because of my allow any rule to the outside?
    And yes I use imap so I'll have to take care of that too.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy