Can a port be hard blocked?
-
After reading about the release of the NSA hacking tools (Eternalromance) here:
https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/
I tried to find if pfSense would hard block a port. The ports used by Eternalromance are TCP ports 445 and 139. I
figured if that hack/spyware got into your Windows machine, that pfSense would possibly allow it through since it
is coming from your system. I can't see how to hard block specific ports anywhere in pfSense or pfBlockerNG. Anyone
know if and how this could be done?Thanks
-
Hard block? You mean reject? Hard block is not a infosec term.. Between what and what exactly?
Pfsense has zero to do with traffic between devices on the same layer 2 network.. Pfsense is a layer 3 firewall / router. If you don't want network A talking to network B on port X then yes pfsense can prevent that. Be it "blocked" or actually rejected..
If you don't want machine A on your network talking to machine B put them on different networks and let pfsense firewall between them.. Use a software firewall on your machines, or use a switch that allows for ACLs or private vlans where device A can not talk to device B, etc.
-
Hard block? You mean reject? Hard block is not a infosec term.. Between what and what exactly?
Pfsense has zero to do with traffic between devices on the same layer 2 network.. Pfsense is a layer 3 firewall / router. If you don't want network A talking to network B on port X then yes pfsense can prevent that. Be it "blocked" or actually rejected..
If you don't want machine A on your network talking to machine B put them on different networks and let pfsense firewall between them.. Use a software firewall on your machines, or use a switch that allows for ACLs or private vlans where device A can not talk to device B, etc.
As you can see, I'm not an infosec guy. Yes, reject anything coming through psSense to/from TCP ports 445 and 139. There is only one computer connect to my controller to WAN.
-
Put a reject rule on all interfaces such as:
Reject IPv4 TCP source LAN net dest any port 139
Reject IPv4 TCP source LAN net dest any port 445Change the source network to the network on the specific interface.
Put those rules above the rule that poasses traffic to the internet.
-
Note that rejecting connections is a less secure than silently ignoring them with a drop rule because answering to connection attempts when you're not going to accept them can make you a target for DDoS attacks. All this depends on the use case though, if you have a large website that you're hosting with lots of other services exposed the reject policy is not any more dangerous because everyone already knows that your IP address will answer to connection attempts anyway.
-
I disagree with that "more secure" assertion when you are dealing with connections from the inside.
-
So you have 1 computer behind pfsense?? Why would you think you need to "hard block" 445 and 139??
-
So you have 1 computer behind pfsense?? Why would you think you need to "hard block" 445 and 139??
-
So you have 1 computer behind pfsense?? Why would you think you need to "hard block" 445 and 139??
To block "The ports used by Eternalromance".
-
I think that Derelict has what I was looking for. Thanks
-
And like you said your not in infosec, and clearly have no understanding of what eternalromance is or how it infects is even used. Blocking it on pfsense outbound has ZERO to do with your machine getting infected or being compromised with said tool.
Even if your isp allowed 139 and 445 over the public internet.. Many of them block this port.. The default wan rules are deny all. Have you forwarded 445 or 139 to your machine? You clearly have no other hostile machines on your network that could be attacking your machine.. And if you did blocking it on pfsense has ZERO to do with another machine on your network from attacking your machine.
Blocking it outbound would prevent your machine from using that tool outbound to infect/hack other machines ;) That is all that rule is going to do.. be it you just block or reject.. So I look to see if these ports can get to my public IP across the internet.. As you can see they are reported closed. Because I don't forward them ;) And 2nd they don't even get to me.. Look in the firewall rules - sniff on the wan interface while testing. Those packets do not get to me, and more than likely they can not get to you either. Because many isp block these ports across the public internet… And or the isp blocks it from being used on the networks they connect their clients too - because if they have stupid clients that plug their boxes directly in they don't want client A seeing client B's machine, etc.
Blocking 445 and 139 on your lan interface or wan is doing ZERO about this hack tool your so worried about. If the traffic got through from the public internet because you forwarded it let say.. Your block or reject rule would do nothing on the lan interface because you would be answering a stateful connection not creating a new connection outbound.
-
OK, thanks. I didn't know some of the things you discussed. I am using a VPN, but I am sure that they operate the same as my ISP. The current government spying on everyone is anathema to me, having come out of the Nazi German era. If it were up to governments, they would have all of us embrace Joseph Goebbels' statement that 'If you have nothing to hide, you have nothing to fear'. I also have wondered if agents illegally (the norm for law enforcement today) were to gain access to my computer when I was out, if they then might be able to plant Eternalromance or something like it on my machine. Since I have authored several encryption programs that make communications completely transparent and undetectable, I need to be especially careful.
-
You are one paranoid dude.
If a first world government agency wants to hack you, they most certainly will and there is not a thing you can do about it no matter what programs/firewalls/OS/tin foil lead lined helmet you use.
There's good news though! The government does not care what you are doing ;).
Rest easy sweet man, there are no "illegal agents" sneaking into your house to see what kind of crazy things you've been up to lately.
Or maybe they are, but if they are and you are asking questions here then you already lost :).pfSense is an outstanding firewall as long as you have realistic expectations. Protecting you from government level zero days (or anything government level that's targeted) is not realistic.
-
The tinfoil hat stuff drives me crazy.. As TS_b mentions.. If someone like the NSA wanted to spy on you.. Do you think they would have any qualm about just entering your house and putting whatever they needed to on your system? Did you check your house for bugs and cameras? ;)
A remote exploit tool like Eternalromance is sure and the F not going to come into play ;)
If your going to be paranoid about the black helicopter ninja's - at least get the software they would being using correct… All of those tools listed in the article are not keyloggers or spyware.. They are remote escalation type tools.. Which even that article you posted states "With the exception of Esteemaudit, the exploits should be blocked by most firewalls." The tool Esteemaudit has to do with remote desktop.. You sure and the hell are not forwarding remote desktop 3389 to your machine are you? So there you go that to is out too..
-
It is unfortunate that some always resort to labeling a cautious person as paranoid. My knowledge into the history and current methods of spying is far greater than yours, I can assure you. I am yet to be as knowledgeable as you when it comes to firewalls and the web, but much more knowledgeable and advanced when it comes to computer spyware and stealth communications.
-
Sure ok - if you think that guess its true ;)
So you think a tool on your machine that was designed to send data elsewhere would you ports 445 or 139? Why would it not just use standard web ports, 80, 443 etc.. and just hide in your normal surfing traffic.. Most likely going to some CDN that your machine normally talks to all the time.. Like windows update, or some server in the amazon CDN or the huge akamai cdn..
Sure and the F not going to use some port that is not use for normal internet traffic.. If so the people writing the code are pretty freaking stupid - or want to be caught or blocked..
-
If you want to get as much control as possible try approaching this from the other direction; remove the default allow rule and add back only rules for traffic you want to pass.
It's relatively common to see that for public wifi for example. Allow DNS to the firewall only, where you can filter it, and http/s. Reject, everything else.
Of course like a lot of things you reach a security vs convenience trade-off.
Steve
-
If you want to get as much control as possible try approaching this from the other direction; remove the default allow rule and add back only rules for traffic you want to pass.
It's relatively common to see that for public wifi for example. Allow DNS to the firewall only, where you can filter it, and http/s. Reject, everything else.
Of course like a lot of things you reach a security vs convenience trade-off.
Steve
This x100. It's best practice to start with default deny then allow only necessary traffic through any interface.
-
After reading about the release of the NSA hacking tools (Eternalromance) here:
https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/
And now you are afraid of them? They have other methods to get your data without using any kind of tools if they must do this!
I personally think that the new IPTVs are all together more sniffing and talking to others then the NSA will ever do!I tried to find if pfSense would hard block a port. The ports used by Eternalromance are TCP ports 445 and 139. I
figured if that hack/spyware got into your Windows machine, that pfSense would possibly allow it through since it
is coming from your system.An Application based firewall such the a Next Generation Firewalls (NG-Firewalls) or string DPI
I can't see how to hard block specific ports anywhere in pfSense or pfBlockerNG.
- strong DPI (firewall)
- Switch ACLs (switch)
- Firewall rules (firewall)
- GeoIP Blocking (firewall)
- HostIDS such OSSec (sensors & server)
- NetIDS such Snort or Suricata (firewall, or sensors & server)
-
