Egress filtering, but what with all the Google and Microsoft connections?
  • I'd like to start egress filtering. In Firewall => Rules => LAN I already created a few allow rules for http, https, dns. My default [LAN to any] [allow] is still active and logged for the moment. I'd like to disable this rule at the end. But now that I check the logs, I see that I have a lot of connections to Google, Microsoft and Apple from all the devices in my LAN. They all have a lot of different public IP ranges. How do you handle this?? I make use of Google Drive, Microsoft Onedrive, Microsoft Agenda Sync, etc. Is egress filtering still an option or is it a waste of time? I know I can make use of aliases, but even then…
    I see a lot of traffic using ports 993 (TCP), 443 (UDP), 123 (UDP). But there is a lot more. I know what the ports are used for. The question is what will happen once I disable the allow-all-to-the-outside rule...
    A few questions about the ports I mentioned:
    993 => I thought you had to open this when you had a mail server on your LAN. That's not the case for me.
    443 => I made a rule over TCP for HTTPS, not UDP. I read that closing ports 80 and 443 over UDP could resolve the DDoS issues.
    123 => NTP, I'll probably have to add this to my allow list.
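    The question above ("what will happen once I disable the allow-all rule") can be answered from the firewall log before the rule is removed: while the catch-all rule is still active and logged, every outbound flow it passed is recorded, so those records can be replayed against the explicit allow list to see what would start being blocked. The script below is an added example, not code from the post or from pfSense. It assumes the IPv4 CSV layout of pfSense's filterlog records (field order checked here, but verify it against your own /var/log/filter.log), a hypothetical allow list matching the rules mentioned in the post (HTTP, HTTPS, DNS over TCP), and constructed sample log lines with TEST-NET addresses standing in for cloud-provider ranges.

```python
"""Preview what an explicit egress allow list would block (added example).

Parses pfSense filterlog CSV records (as written to /var/log/filter.log),
keeps outbound IPv4 tcp/udp flows that the logged catch-all rule passed,
and reports the ones that match none of the explicit allow rules.
Assumption: field positions follow the pfSense 2.x IPv4 filterlog layout.
"""
import re
from collections import Counter

# Constructed sample lines (not real traffic). Destinations use TEST-NET-3
# addresses as placeholders for Google/Microsoft/Apple ranges.
SAMPLE_LOG = """\
Mar 20 10:00:01 pfSense filterlog: 4,,,1000000103,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,203.0.113.10,51234,443,0,S,1,,
Mar 20 10:00:02 pfSense filterlog: 4,,,1000000103,igb1,match,pass,out,4,0x0,,64,0,0,none,17,udp,1350,192.168.1.10,203.0.113.10,51235,443,1330
Mar 20 10:00:03 pfSense filterlog: 4,,,1000000103,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,203.0.113.20,51236,993,0,S,1,,
Mar 20 10:00:04 pfSense filterlog: 4,,,1000000103,igb1,match,pass,out,4,0x0,,64,0,0,none,17,udp,76,192.168.1.20,203.0.113.30,51237,123,56
Mar 20 10:00:05 pfSense filterlog: 4,,,1000000103,igb1,match,pass,out,4,0x0,,64,0,0,none,17,udp,64,192.168.1.30,203.0.113.40,51238,53,44
Mar 20 10:00:06 pfSense filterlog: 4,,,1000000103,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.30,203.0.113.50,51239,80,0,S,1,,
"""

# Hypothetical explicit egress rules: (protocol, destination port).
ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)}

# syslog prefix may include a pid, e.g. "filterlog[12345]:"
FILTERLOG = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")


def parse_line(line):
    """Return (direction, proto, src, dst, dport) for an IPv4 tcp/udp record, else None.

    Assumed field positions: f[7] direction, f[8] IP version, f[16] protocol
    name, f[18] source IP, f[19] destination IP, f[21] destination port.
    """
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return f[7], f[16], f[18], f[19], int(f[21])


def would_be_blocked(log_text, allow=ALLOW):
    """Outbound flows that the catch-all rule passed but the allow list would not.

    Returns (flows, by_port, by_dest): the raw list of (proto, dport, src, dst)
    tuples plus counters keyed by (proto, dport) and by destination IP, so the
    report shows both which rules are missing and which hosts are involved.
    """
    flows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction, proto, src, dst, dport = rec
        if direction != "out":
            continue  # only egress is being evaluated here
        if (proto, dport) not in allow:
            flows.append((proto, dport, src, dst))
    by_port = Counter((p, d) for p, d, _, _ in flows)
    by_dest = Counter(dst for _, _, _, dst in flows)
    return flows, by_port, by_dest


if __name__ == "__main__":
    flows, by_port, by_dest = would_be_blocked(SAMPLE_LOG)
    print("Flows that would be blocked once the allow-all rule is disabled:")
    for (proto, port), n in by_port.most_common():
        print(f"  {proto}/{port}: {n} flow(s)")
    print("Destinations affected:", dict(by_dest))
```

On the constructed sample the report lists udp/443 (the QUIC traffic), tcp/993 (IMAP over SSL) and udp/123 (NTP): exactly the three ports the post asks about. Running the same script over a real filter.log for a few days gives the list of allow rules (or aliases) that still need to exist before the catch-all rule is turned off; anything that shows up and is not wanted is a candidate for staying blocked.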


  • LAYER 8 Global Moderator

    Resolve DDoS issues??? What??

    If you're seeing 80/443 traffic over UDP, it's QUIC traffic:
    https://en.wikipedia.org/wiki/QUIC

    As to 993, that is IMAP over SSL. If you have a client that talks to an email server outside your network using IMAP, then yeah, that port will be open.



  • Thank you for your reply. Maybe I didn't understand well what was meant (English not being my mother tongue), but about the DDoS thing I read it here: http://pfsensesetup.com/egress-filtering-with-pfsense/. I'll take a look at the wiki page.
    But in my case, does egress filtering seem to be overkill? What is your opinion about that? Do I close the door and only let out the traffic that I want? And if so, how do I manage all these Google, Microsoft and Apple connections that pass today because of my allow-any rule to the outside?
    And yes, I use IMAP, so I'll have to take care of that too.