How to limit outbound network traffic but have internet on client side



  • Hi There,

    I want to have clients reach the internet, but not use service ports except for 53, 80 and 443.

    What I've tested so far is:
    Allow ANY ANY TCP(/UDP) and the clients have access to internet.

    Now I want to limit the service ports. So my configuration was as follows, but no internet for the clients.

    This configuration can be set in Firewall > Floating > Select all needed VLANS or Per VLAN

    ALLOW TCP/UDP ANY DNS (53) ANY DNS (53)
    ALLOW TCP ANY HTTP (80) ANY HTTP (80)
    ALLOW TCP ANY HTTPS (443) ANY HTTPS (443)
    ALLOW TCP/UDP ANY (1024-65535) ANY (1024-65535)

    But clients can't access the internet anymore.

    I'm not fond of letting services reach the internet unless there is an explicit request, and then only for a certain service, such as FTP, configured when needed.

    Do you have any clue what I'm missing here?

    Kind regards,

    Martijn


  • The source ports are completely wrong.



  • Care to elaborate?


  • Simply do NOT specify any source ports.



  • @doktornotor:

    Simply do NOT specify any source ports.

    You're absolutely correct.

    Do note: in my experience on the Motorola RFS4000 this works as stated in my initial question.
    Therefore I assumed it should work that way.

    Nevertheless, thank you very much.

    Firewall rules > Floating Select VLANS to access internet. Set:

    Select VLANS TCP * * * 80 * none
    Select VLANS TCP * * * 443 * none
    Select VLANS TCP/UDP * * * 53 * none
    Select VLANS TCP/UDP * * * 1024-65535 * none

    Thanks again!

    Kind regards
    Martijn



  • Select VLANS TCP/UDP * * * 1024-65535 * none

    I don't think you need or want that last rule. It will allow anything on the inside to communicate with any service that happens to be listening out on the internet on ports 1024-65535.
    There are known services in the 1024 to a few thousand range, and of course anyone could have their OpenVPN server or whatever listening on whatever port they liked.
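Why the first rule set blocks everything while the corrected one works, and why the last rule is wider than it looks, as an added example that is not code from the original thread or from pfSense. It is a toy first-match packet filter: a client's first packet is checked against the rule list top to bottom, the first matching rule decides, and no match means block (pfSense floating rules have extra semantics, such as the Quick option and last-match ordering, that are ignored here). The rule sets are transcribed from the posts above; the flows, including the source ports the client picks, are constructed for this example. Clients pick an ephemeral source port above 1024, never the service port, which is why rules that also pin the source port to 53/80/443 never match.

```python
"""Toy first-match outbound packet filter (added example, not pfSense code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # inclusive (lo, hi); None means "any port"


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp" or "tcp/udp"
    sport: PortRange   # source port range the rule requires (None = any)
    dport: PortRange   # destination port range the rule requires (None = any)


@dataclass(frozen=True)
class Flow:
    proto: str
    sport: int         # ephemeral port chosen by the client OS
    dport: int         # service port on the internet host


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _proto_matches(rule_proto: str, flow_proto: str) -> bool:
    return rule_proto == "tcp/udp" or rule_proto == flow_proto


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; nothing matching means the default block."""
    for r in rules:
        if (_proto_matches(r.proto, flow.proto)
                and _in_range(flow.sport, r.sport)
                and _in_range(flow.dport, r.dport)):
            return r.action
    return "block"


# Rule set from the first post: source port pinned to the same service port.
ORIGINAL = [
    Rule("pass", "tcp/udp", (53, 53), (53, 53)),
    Rule("pass", "tcp", (80, 80), (80, 80)),
    Rule("pass", "tcp", (443, 443), (443, 443)),
    Rule("pass", "tcp/udp", (1024, 65535), (1024, 65535)),
]

# Corrected rule set from the follow-up: no source ports at all.
CORRECTED = [
    Rule("pass", "tcp", None, (80, 80)),
    Rule("pass", "tcp", None, (443, 443)),
    Rule("pass", "tcp/udp", None, (53, 53)),
    Rule("pass", "tcp/udp", None, (1024, 65535)),
]

# Same, minus the broad 1024-65535 rule the last reply objects to.
STRICT = CORRECTED[:3]

# Constructed flows. Source ports are typical OS ephemeral ports, which is the
# whole point: a browser talking to port 443 does not send *from* port 443.
HTTPS = Flow("tcp", 49152, 443)     # normal web browsing
DNS = Flow("udp", 51234, 53)        # resolver lookup
OPENVPN = Flow("udp", 50000, 1194)  # some VPN server listening on 1194
FTP = Flow("tcp", 49000, 21)        # should stay blocked until explicitly allowed

FLOWS = {"https": HTTPS, "dns": DNS, "openvpn": OPENVPN, "ftp": FTP}


def compare() -> Dict[str, Dict[str, str]]:
    """Decision of each rule set for each constructed flow."""
    return {
        name: {fname: decide(rules, flow) for fname, flow in FLOWS.items()}
        for name, rules in (("original", ORIGINAL),
                            ("corrected", CORRECTED),
                            ("strict", STRICT))
    }


if __name__ == "__main__":
    for ruleset, results in compare().items():
        print(f"{ruleset:10s}", "  ".join(f"{k}={v}" for k, v in results.items()))
```

With the original rules the HTTPS and DNS flows fall through every rule and hit the default block (the source port 49152 is not 443, and 443 is not inside 1024-65535), so "no internet" is exactly what the filter does. The corrected set passes them, but its last rule also passes the constructed OpenVPN flow to port 1194; only the strict set limits clients to 53, 80 and 443 while still blocking FTP.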

