Netgate Discussion Forum

    How to limit outbound network traffic but have internet on client side

    Firewalling
    6 Posts, 3 Posters, 1.1k Views
      sysmak

      Hi There,

      I want to have clients reach the internet, but not use service ports except for 53, 80 and 443.

      What I've tested so far is:
      Allow ANY ANY TCP(/UDP) and the clients have access to internet.

      Now I want to limit the service ports. So my configuration was as follows, but no internet for the clients.

      This configuration can be set in Firewall > Floating > Select all needed VLANS or Per VLAN

      ALLOW TCP/UDP ANY DNS (53) ANY DNS (53)
      ALLOW TCP ANY HTTP (80) ANY HTTP (80)
      ALLOW TCP ANY HTTPS (443) ANY HTTPS (443)
      ALLOW TCP/UDP ANY (1024-65535) ANY (1024-65535)

      But clients can't access the internet anymore.

      I'm not fond of letting services reach the internet if there is not an explicit request and if so, then only for a certain service such as FTP to be configured when needed.

      Do you have any clue what I'm missing here?

      Kind regards,

      Martijn

      • D
        doktornotor Banned

        The source ports are completely wrong.

        • S
          sysmak

          Care to elaborate?

          • D
            doktornotor Banned

            Simply do NOT specify any source ports.

            • S
              sysmak

              Hero!

              @doktornotor:

              Simply do NOT specify any source ports.

              You're absolutely correct.

              Do note: in my experience with the Motorola RFS4000, this works as stated in my initial question.
              Therefore I assumed it should work that way.

              Nevertheless, thank you very much.

              Firewall rules > Floating Select VLANS to access internet. Set:

              Select VLANS TCP * * * 80 * none
              Select VLANS TCP * * * 443 * none
              Select VLANS TCP/UDP * * * 53 * none
              Select VLANS TCP/UDP * * * 1024-65535 * none

              Thanks again!

              Kind regards
              Martijn

              • P
                phil.davis

                @sysmak:

                Select VLANS TCP/UDP * * * 1024-65535 * none


                I don't think you need or want that last rule. It will allow anything on the inside to communicate with any service that happens to be listening out on the internet on ports 1024-65535.
                There are known services in the 1024 to a few thousand range, and of course anyone could have their OpenVPN server or whatever listening on whatever port they liked.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

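To make the two points in this thread concrete (why pinning the source port to the service port blocks every client, and what the trailing 1024-65535 rule lets through), here is an added example that is not from the forum posts or from pfSense itself: a small pass/block evaluator over the original rule set, the corrected one, and the corrected set with the last rule dropped. The flows, port ranges and the first-match/default-deny model are assumptions made for illustration.

```python
# Added example: models only what the thread is about, protocol plus
# source/destination port matching for outbound flows. A client picks a
# random high (ephemeral) source port, so a rule with src_port == dst_port
# never matches a normal connection to port 80/443/53.
from dataclasses import dataclass
from typing import Optional

ANY = None  # pfSense "*"
TCP, UDP, TCPUDP = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"tcp", "udp"})

def p(lo: int, hi: Optional[int] = None) -> range:
    """Port or inclusive port range, e.g. p(53) or p(1024, 65535)."""
    return range(lo, (hi if hi is not None else lo) + 1)

@dataclass(frozen=True)
class Rule:
    proto: frozenset
    src_port: Optional[range]   # None means any source port
    dst_port: Optional[range]   # None means any destination port
    action: str = "pass"

def evaluate(rules, proto: str, src_port: int, dst_port: int) -> str:
    """Return the action of the first matching rule; no match is a block
    (assumed default-deny, which is how pfSense treats unmatched traffic).
    Every rule here is a pass rule, so ordering does not change the result."""
    for r in rules:
        if (proto in r.proto
                and (r.src_port is None or src_port in r.src_port)
                and (r.dst_port is None or dst_port in r.dst_port)):
            return r.action
    return "block"

# The poster's original set: source port pinned to the service port.
ORIGINAL = [Rule(TCPUDP, p(53), p(53)), Rule(TCP, p(80), p(80)),
            Rule(TCP, p(443), p(443)), Rule(TCPUDP, p(1024, 65535), p(1024, 65535))]
# The corrected set from the thread: source port "*".
CORRECTED = [Rule(TCP, ANY, p(80)), Rule(TCP, ANY, p(443)),
             Rule(TCPUDP, ANY, p(53)), Rule(TCPUDP, ANY, p(1024, 65535))]
# The same set without the high-port rule phil.davis questions.
TIGHTENED = CORRECTED[:3]

# Constructed sample flows: name -> (proto, client source port, destination port)
FLOWS = {"https": ("tcp", 51234, 443), "dns": ("udp", 40001, 53),
         "openvpn": ("udp", 43210, 1194), "ssh": ("tcp", 52000, 22)}

def results(rules) -> dict:
    """Evaluate every sample flow against one rule set."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("corrected", CORRECTED), ("tightened", TIGHTENED)):
        print(label, results(rules))
```

With the original set even HTTPS and DNS are blocked, while a UDP flow to port 1194 is allowed by the high-port rule; only the tightened set passes exactly 53, 80 and 443 and blocks the rest.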
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.