Netgate Discussion Forum

Outbound TCP and UDP suggestion for block list.

Category: Off-Topic & Non-Support Discussion
8 Posts 4 Posters 625 Views
mcury, Apr 3, 2025, 4:00 PM

    I'm creating an alias of ports, TCP and UDP, with all ports that should never go to the Internet.

    I'm doing this because I found one laptop trying to reach an IP that was on a blacklist, on UDP port 137.

    Some could say "allow just what you need"; this would be a good approach, but not for this network, which has a lot of apps that use high ports, and they are so random.

    TCP ports:
    20 FTP command control
    21 FTP transfer data
    22 TELNET
    23 SSH
    25 SMTP
    110 POP3
    135 MS RPC
    137 Name service
    138 Datagram distribution service
    139 Session service
    389 LDAP
    445 SMB
    8080 Alternative port for HTTP traffic
    3389 RDP

    UDP ports:
    69 Trivial File Transfer Protocol (TFTP) UDP
    135 MS RPC
    137 Name service
    138 Datagram distribution service
    514 SYSLOG
    389 LDAP
    3389 RDP

    Any thoughts about the list above, or any other suggestions?
    Thanks.

    dead on arrival, nowhere to be found.

Bob.Dig, replying to @mcury, Apr 3, 2025, 7:55 PM

      @mcury said in Outbound TCP and UDP suggestion for block list.:

      8080 Alternative port for HTTP traffic

      If you allow the web ports, you could allow this one too. I think speedtest.net will not run without this port, if I remember correctly.

tinfoilmatt, replying to @mcury, Apr 3, 2025, 7:58 PM

        @mcury Helpful documentation on the subject of egress/outbound filtering.

johnpoz (Global Moderator), replying to @mcury, Apr 3, 2025, 9:41 PM (edited 9:42 PM)

          @mcury said in Outbound TCP and UDP suggestion for block list.:

          Any thoughts about the list above

          you have your telnet and ssh reversed ;)

          Many of those ports don't work across the public internet anyway: 135-139 are blocked by many an ISP, and 445 almost everywhere. My ISP doesn't allow 25 outbound, as another example.

          I ssh to stuff on the internet all the time, sure not going to block that.. And yeah ftp now and then..

          You might be better off just logging the traffic for a bit to see if you're using any of it, but nothing wrong with blocking unwanted ports. I personally don't do it, but hey, more power to ya.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

mcury, replying to @johnpoz, Apr 3, 2025, 10:09 PM (edited 10:20 PM)

            Nice, lots of good stuff here, thanks !!

            @johnpoz the laptop I mentioned got some malware and I found some kind of DNS poisoning. I'm positively sure it isn't a misconfiguration or something else.
            ipconfig /displaydns and wireshark pointed that out.
            Weird thing is that hosts.txt was empty, still don't know where this thing came from.

            It was a Windows machine, so I ran the Windows Defender full scan and also the offline scan, database updated; nothing found.

            I'm now formatting and will perform a clean Windows installation.

            If it wasn't for my pfBlockerNG blocklist, it would probably reach some server on UDP 137 and consequently on TCP 445 (SMB).
            Also, it is not just the outbound connections from that same IP that I can see; I see unbound on port 80, surely being blocked by the firewall.

            After installation, I'll nuke Netbios from everything, it is not in use and I'll tune this outbound filter.. Here, we don't use FTP or SSH to the Internet, so that won't be a problem for us..

            Edit: I'm logging everything 😀

            @Bob-Dig said in Outbound TCP and UDP suggestion for block list.:

            If you allow the webports, you could allow this one too. I think speedtest.net will not run without this port if I remember correct.

            Oh, speed test I'll probably allow for one computer only, mine. 👍

            @tinfoilmatt said in Outbound TCP and UDP suggestion for block list.:

            Helpful documentation on the subject of egress/outbound filtering.

            Nice read!! So, what I'm doing is indeed a good practice.


johnpoz (Global Moderator), replying to @mcury, Apr 4, 2025, 12:38 AM

              @mcury said in Outbound TCP and UDP suggestion for block list.:

              what I'm doing is indeed a good practice.

              For an enterprise or workplace it is done all the time. In my home, on my secure network, it's a hassle for really zero benefit.

              The only rule I have blocking outbound is RFC1918, because I am a good netizen and there is zero point in throwing noise out on the net. My laptop loves to look for work IPs when it's disconnected from the VPN, and those RFC1918 addresses are not on my home network, so they would get routed out to the internet and go nowhere ;)

              Oh, and I block going to DoT and DoH IPs; I hate apps or devices that think it's ok for them to bypass my local filtering DNS.


tinfoilmatt, replying to @johnpoz, Apr 4, 2025, 1:44 PM

                @johnpoz said in Outbound TCP and UDP suggestion for block list.:

                Oh and I block going to dot and doh IPs - I hate apps that or devices that think its ok for them to bypass my local filtering dns.

                Hopefully you're forwarding to your stub resolver and otherwise filtering all outbound UDP/53 and TCP/853 to account for any external resolvers not on your blocklists. One can never know what apps/devices are hardcoded to do these days...

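The two pieces of advice above, johnpoz's "log the traffic for a bit and see what you are using" and tinfoilmatt's "allow 53 and 853 only to your own resolver", can be combined into a dry run before any rule is enabled. The script below is an added example for this thread, not code from the forum, from Netgate or from pfSense: it parses pfSense-style filter log lines, applies the port alias from the first post plus an RFC1918 rule and a DNS-bypass rule in pfSense's first-match order, and tallies which client would hit which rule. Everything it assumes is labelled: the filterlog CSV field layout is as I recall it from Netgate's filter log documentation (check the positions against a real line), the LAN interface is `igb1`, the firewall's Unbound is at 192.168.1.1, and the log lines are constructed, not captured.

```python
"""Dry run of a proposed pfSense egress policy against filter log lines.

Added example for the thread, not code from the forum, Netgate or pfSense.
It does what johnpoz suggested (log first, then see what you would break)
and folds in tinfoilmatt's point: client DNS on 53 and DoT on TCP 853 should
only be allowed to the firewall's own resolver. DoH rides on 443, so it needs
an IP list (pfBlockerNG in the thread), not a port rule, and is out of scope.

Assumptions (none come from the thread): lines follow the pfSense filterlog
CSV layout for IPv4 (..., protocol-id, protocol-name, length, src, dst,
src-port, dst-port, ...) as recalled from Netgate's docs; the LAN is igb1
and its rules see client traffic as direction "in"; Unbound listens on
192.168.1.1; the sample lines are constructed.
"""
import ipaddress
from collections import Counter

LAN_IF = "igb1"                                       # assumed LAN interface
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")  # assumed address of the firewall's Unbound
DNS_PORTS = {53, 853}                                 # plain DNS (udp/tcp) and DoT (tcp)
# Port alias from the first post (its 22/23 labels are swapped; pf matches the numbers).
BLOCK_TCP = {20, 21, 22, 23, 25, 110, 135, 137, 138, 139, 389, 445, 3389, 8080}
BLOCK_UDP = {69, 135, 137, 138, 389, 514, 3389}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines: 'pass' is what today's permissive ruleset did with each flow.
SAMPLE_LOG = """\
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,1,0,DF,17,udp,78,192.168.1.50,203.0.113.10,137,137,58
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,50123,445,0,S,1,,65535,,mss
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.51,198.51.100.5,50124,443,0,S,2,,65535,,mss
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,4,0,DF,17,udp,62,192.168.1.51,203.0.113.53,55000,53,42
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.52,203.0.113.54,55001,853,0,S,3,,65535,,mss
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,6,0,DF,17,udp,62,192.168.1.52,192.168.1.1,55002,53,42
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,7,0,DF,6,tcp,60,192.168.1.50,10.20.30.40,50125,8443,0,S,4,,65535,,mss
1000000101,,,1000000101,igb1,match,pass,in,4,0x0,,64,8,0,DF,6,tcp,60,192.168.1.53,198.51.100.9,50126,8080,0,S,5,,65535,,mss
"""


def parse_line(line):
    """Pull interface, direction, protocol, addresses and ports out of one IPv4 filterlog line."""
    f = line.strip().split(",")
    if len(f) < 9 or f[8] != "4":
        return None  # IPv6 or malformed: not handled here
    try:
        i = next(k for k, v in enumerate(f) if v in ("tcp", "udp"))
    except StopIteration:
        return None  # icmp etc.: no ports to evaluate
    # Assumed IPv4 layout after the protocol name: length, src, dst, src-port, dst-port
    return {"iface": f[4], "dir": f[7], "proto": f[i], "src": f[i + 2], "dst": f[i + 3],
            "sport": int(f[i + 4]), "dport": int(f[i + 5])}


def classify(flow):
    """Verdict of the proposed LAN ruleset for one client flow, evaluated in first-match order."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst == LOCAL_RESOLVER and flow["dport"] in DNS_PORTS:
        return "pass-local-dns"      # must sit above the block rules, or clients lose DNS
    if flow["dport"] in DNS_PORTS:
        return "block-dns-bypass"    # hardcoded external resolver or DoT server
    if any(dst in net for net in RFC1918):
        return "block-rfc1918-dst"   # private-range destination that would leak out the WAN
    if flow["proto"] == "tcp" and flow["dport"] in BLOCK_TCP:
        return "block-tcp-alias"
    if flow["proto"] == "udp" and flow["dport"] in BLOCK_UDP:
        return "block-udp-alias"
    return "pass"


def dry_run(log_text):
    """Count (client, verdict) pairs so you can see who would break before enabling the rules."""
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse_line(line)
        if not flow or flow["iface"] != LAN_IF or flow["dir"] != "in":
            continue  # only client traffic entering the LAN interface is subject to these rules
        hits[(flow["src"], classify(flow))] += 1
    return hits


def affected_hosts(hits):
    """Clients that would lose at least one logged flow under the proposed policy."""
    return sorted({host for (host, verdict) in hits if verdict.startswith("block-")})


if __name__ == "__main__":
    hits = dry_run(SAMPLE_LOG)
    for (host, verdict), n in sorted(hits.items()):
        print(f"{host:15} {verdict:20} {n}")
    print("hosts affected:", ", ".join(affected_hosts(hits)))
```

Run it against a few days of real `filter.log` (with the rule that currently passes the traffic set to log) instead of the constructed lines, and the `block-*` rows tell you which machines and ports the new alias would cut off; the `pass-local-dns` row is there to show why the allow-to-firewall rule has to be ordered above the RFC1918 block.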
mcury, replying to @tinfoilmatt, Apr 5, 2025, 2:14 PM

                  Now blocking DoH also.

                  [screenshot attached]


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.