Understanding the egress traffic on my network



  • Hi,

    I'm trying to understand the traffic leaving my network. I don't much care about 80 and 443. However I want to find out what else is leaving and whether any of it I should be blocking.

    Many many years ago I would just turn on logging for outbound connections and then filter to exclude the destination ports 80 and 443. But back then I was using ISA/TMG.

    How do I achieve insight into my traffic using pfsense?

    Examples of things I might be interested in: Telnet, SSH, DNS to odd places. Specific hosts doing things unusual compared to all the others.

    Thanks in advance,

    Nick



  • Diagnostics->Packet Capture

    That's a great place to start.  Otherwise, if you have a switch that can do port mirroring, you can use Wireshark to capture packets on your internal network or that interface.



  • @NICKB:

    Hi,

    I'm trying to understand the traffic leaving my network. I don't much care about 80 and 443. However I want to find out what else is leaving and whether any of it I should be blocking.

    Many many years ago I would just turn on logging for outbound connections and then filter to exclude the destination ports 80 and 443. But back then I was using ISA/TMG.

    How do I achieve insight into my traffic using pfsense?

    Examples of things I might be interested in: Telnet, SSH, DNS to odd places. Specific hosts doing things unusual compared to all the others.

    Thanks in advance,

    Nick

    Well, if you are looking for an option to be alerted when users use Telnet, SSH, DNS or other unusual ports/protocols, you might want to look at an IDS: Snort or Suricata. W/o having to manually dissect pcap yourself, a few rules could alert you when unusual traffic goes out.

    F.



  • Thanks, that is something of a firehose. I was hoping to 'pre-filter' it by source/ip/port and destination/ip/port and maybe the time/date.

    Capturing the raw feed would measure in 100's of Gigs per work day. I'm not particularly proficient at Wireshark, can it be configured to only write out a minimal data set? And what sort of grunt is required to do the necessary realtime analysis on a saturated 100MBit/sec pipe?

    Regards
    Nick



  • @fsansfil:

    Well if you are looking for an option to be alerted when users use Telnet, SSH, DNS or other unusual ports/protocol, you might want to look at an IDS; Snort or Suricata. W/o having to manualy dissect pcap yourself, a few rules could alert you when unusual traffic goes out.

    It's more that I'm interested in parsing all non-HTTP/s traffic from non-servers and then taking a view on how to tighten things up. I'm not looking for something, I'm basically looking for everything!


  • LAYER 8 Global Moderator

    If you want a breakdown of protocols in use and from where to where, something like ntop or flows sent to a flow collector sounds more like what you're after.



  • "Examples of things I might be interested in: Telnet, SSH, DNS to odd places. Specific hosts doing things unusual compared to all the others."

    "Compared to all the others" starts to imply you need to capture everything, else how do you know it's unusual?  What about a rule that logs the first packet with proto !what you don't care about?  If the LAN side is supposed to be configured to known DNS servers, you could log DNS to !my desired servers, couldn't you?  That would be the equivalent of what you say in your second paragraph.

    Or write deny rules for things you don't want and then when folks complain you can ask them.



  • Like @mer says, you should be able to achieve this with rules on your LAN(s).
    To keep it simple and avoid having to think hard about !this and !that I would put some pass rules first for the traffic you already say you want to let through unchecked:

    Pass no logging source * destination * port 80 and 443
    Pass no logging source "internal DNS servers" destination * port 53

    Then:
    Pass with logging source * destination *

    and of course include block rules for anything you know you actually want to block from day 1.

    Then see what comes in the firewall log.
    Then add "pass no logging" rules for stuff you understand and want to let out. Add block rules for stuff you now understand and want to stop.
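
An added example, not code from this thread or from pfSense, that does in software what the rule ordering above does in the firewall and also answers the "unusual compared to all the others" question from the opening post: it parses pfSense filterlog lines, skips what the two "pass no logging" rules would have swallowed (web ports, and DNS from the expected resolvers), aggregates the rest per LAN host, and flags any service that exactly one host uses. The interface name em1, the resolver address 192.168.1.2 and every log line are constructed for the example; the field order follows pfSense's documented raw filterlog format. One caveat that matters for the "firehose" worry: a stateful pass rule logs only the packet that creates the state, so "pass with logging" costs one log line per new connection, not one per packet.

```python
"""Summarise pfSense filterlog lines: non-web egress per LAN host, plus per-host outliers.

Added example, not pfSense's own code. Field order follows the documented raw
filterlog format: common fields, then IPv4 or IPv6 fields, then TCP/UDP ports.
Interface names, resolver addresses and every log line below are constructed.
"""
import csv
import re
from collections import defaultdict

LAN_IF = "em1"                  # assumed: LAN interface carrying the "pass with logging" rule
INTERNAL_DNS = {"192.168.1.2"}  # assumed: resolvers allowed to speak DNS outbound
BORING_TCP = {80, 443}          # the "pass, no logging" web ports from the post

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id", "length", "src", "dst"]
LOG_RE = re.compile(r"filterlog\[\d+\]: (?P<body>.*)$")

# Constructed sample lines (syslog prefix, then the comma-separated filterlog body).
_P = "Mar  3 09:12:01 fw filterlog[81732]: "
SAMPLE_LOG = [
    _P + "9,,,1000000109,em1,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.1.20,203.0.113.5,49152,443,0,S,1,,65535,,mss",
    _P + "9,,,1000000109,em1,match,pass,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.1.20,203.0.113.6,49153,80,0,S,1,,65535,,mss",
    _P + "9,,,1000000109,em1,match,pass,in,4,0x0,,64,1003,0,none,17,udp,68,192.168.1.2,8.8.8.8,53012,53,48",
    _P + "9,,,1000000109,em1,match,pass,in,4,0x0,,64,1004,0,none,17,udp,68,192.168.1.20,198.51.100.9,53013,53,48",
    _P + "9,,,1000000109,em1,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.1.30,203.0.113.22,49154,22,0,S,1,,65535,,mss",
    _P + "9,,,1000000109,em1,match,pass,in,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.1.40,203.0.113.23,49155,23,0,S,1,,65535,,mss",
    _P + "9,,,1000000109,em1,match,pass,in,4,0x0,,64,1007,0,DF,6,tcp,60,192.168.1.20,203.0.113.22,49156,22,0,S,1,,65535,,mss",
    _P + "9,,,1000000109,em1,match,pass,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::20,2001:db8:1::5,49157,443,0,S,1,,65535,,mss",
    _P + "3,,,1000000103,em0,match,pass,out,4,0x0,,63,1008,0,DF,6,tcp,60,192.168.1.50,203.0.113.25,49158,25,0,S,1,,65535,,mss",
]


def parse_line(line):
    """Return a dict of named fields, or None for lines this parser does not handle."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = next(csv.reader([m.group("body")]))
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    layout = {"4": IPV4, "6": IPV6}.get(rec.get("ipver"))
    if layout is None or len(rest) < len(layout):
        return None
    rec.update(zip(layout, rest))
    rest = rest[len(layout):]
    # Only TCP and UDP carry ports; everything else (ICMP, ESP, ...) is reported as port 0.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    else:
        rec["sport"] = rec["dport"] = 0
    return rec


def is_interesting(rec):
    """Apply the post's rule order in software: drop what the no-log pass rules would swallow."""
    if rec["iface"] != LAN_IF or rec["direction"] != "in":
        return False                        # not a LAN host leaving the network
    if rec["proto"] == "tcp" and rec["dport"] in BORING_TCP:
        return False                        # web traffic, explicitly not wanted
    if rec["dport"] == 53 and rec["src"] in INTERNAL_DNS:
        return False                        # DNS from the resolvers we expect
    return True


def summarise(lines):
    """Map each LAN source to the (proto, dport) services it used and the peers it reached."""
    per_host = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec and is_interesting(rec):
            per_host[rec["src"]][(rec["proto"], rec["dport"])].add(rec["dst"])
    return per_host


def outliers(per_host):
    """Services used by exactly one host: 'unusual compared to all the others'."""
    users = defaultdict(set)
    for src, services in per_host.items():
        for svc in services:
            users[svc].add(src)
    return {svc: next(iter(hosts)) for svc, hosts in users.items() if len(hosts) == 1}


def report(per_host, flagged):
    """Render one line per (host, service); mark services nobody else on the LAN uses."""
    out = []
    for src in sorted(per_host):
        for (proto, dport), dsts in sorted(per_host[src].items()):
            tag = "  <-- only this host" if flagged.get((proto, dport)) == src else ""
            out.append(f"{src:16} {proto}/{dport:<5} -> {', '.join(sorted(dsts))}{tag}")
    return "\n".join(out)


SUMMARY = summarise(SAMPLE_LOG)
OUTLIERS = outliers(SUMMARY)

if __name__ == "__main__":
    print(report(SUMMARY, OUTLIERS))
```

To use it on a real box, replace SAMPLE_LOG with the lines of /var/log/filter.log (older pfSense releases keep it as a circular log read with clog) and set LAN_IF and INTERNAL_DNS to your own values. The is_interesting() function is the place to mirror each new "pass no logging" rule as you come to understand a flow, so the report keeps shrinking to only what you have not yet decided about.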

