Post by cmutwiwa on Aug 3, 2015 16:01:59 GMT
Hi guys, I need to allow only the ports listed below plus others that my clients might need. I got this list from my ISP's residential router under firewall; if I enable the firewall only these ports are allowed through, and I've found out that it's helping me a lot with torrents, since when I enable the firewall no torrent client is able to download. However, I cannot customize these ports, and now clients are calling me complaining that they can't make WhatsApp calls and some cannot receive/send emails on Outlook. So I was thinking of disabling the firewall on the ISP's router and creating my custom firewall rules on SmallWall, since I will have much more control over that. My question is, when creating these rules, when do I choose "Destination" and when do I choose "Source"? Is this controlled by the protocol, for example TCP for "Source" and UDP for "Destination"?
Service             Start   End     Protocol
AIM/ICQ             5190    5190    TCP
DHCPv6              546     547     UDP
DNS TCP             53      53      TCP
DNS UDP             53      53      UDP
FTP-S               989     990     TCP
HTTP                80      80      TCP
HTTP ALT            8080    8080    TCP
HTTP-S              443     443     TCP
IMAP                143     143     TCP
IMAP-S              993     993     TCP
IPSec NAT-T         4500    4500    UDP
NTP                 123     123     UDP
POP3                110     110     TCP
POP3-S              995     995     TCP
RADIUS              1812    1812    TCP
RADIUS              1812    1812    UDP
SMTP                25      25      TCP
SSH                 22      22      TCP
SMTP-S              465     465     TCP
Steam               1725    1725    UDP
Steam Friends       1200    1200    UDP
Telnet-S            992     992     TCP
XBOX Live           3074    3074    TCP
XBOX Live           3074    3074    UDP
World of Warcraft   3724    3724    TCP
World of Warcraft   3724    3724    UDP
Yahoo Messenger     5050    5050    TCP
Regards.
Post by Lee Sharp on Aug 3, 2015 23:40:35 GMT
Good (and frequently misunderstood) question! Let's take a web page as an example... We all know that is port 80 or 443, but if you do a "netstat -a" while working you get stuff like this.
    tcp 0 0 dev01.no-ip.org:51755 sjd-rd12-3b.sjc.d:https ESTABLISHED
    tcp 0 0 dev01.no-ip.org:34243 dfw06s47-in-f202.1:http TIME_WAIT
    tcp 1 0 dev01.no-ip.org:34904 mistletoe.canonica:http CLOSE_WAIT
    tcp 1 0 dev01.no-ip.org:54819 barbadine.canonica:http CLOSE_WAIT
    tcp 0 0 dev01.no-ip.org:47483 ec2-54-88-80-143.c:http ESTABLISHED
    tcp 1 0 dev01.no-ip.org:49568 backoo.canonical.c:http CLOSE_WAIT
All of those 5-digit port numbers are the source ports, and the destination ports are 80 and 443.
Source ports are randomly chosen by the client, as a way for the server to communicate back. So on lines 3 and 4 up there I am checking Ubuntu updates on port 80, and they are sending the response back to me on ports 34904 and 54819.
Since source ports are randomly chosen by the client, you can not easily filter on those. (That said, there are ways, and it can be some fun additional security.)
So you would have a lot of lines allowing outbound on TCP/UDP source port ANY, destination port 53. At the end of all those "allows", you would have a "Deny ALL" to block everything else.
And you will miss stuff. For example, you are blocking SIP.
Post by cmutwiwa on Aug 4, 2015 6:02:48 GMT
So I should only customize "Destination port" and leave "Source port" at "ANY"? Would the attached example allow SIP?
Post by Lee Sharp on Aug 4, 2015 7:10:30 GMT
You got it. You can play a bit with the source IPs, but not source port unless you have some unusual control over your clients.
Post by cmutwiwa on Aug 4, 2015 7:21:57 GMT
Thanks Lee, will work on this and report results here.
Post by cmutwiwa on Aug 4, 2015 9:48:32 GMT
Am I on the right track here? (see attached) To block everything else, would it be wise to edit the first default rule to block and then move it to the bottom of the other rules? I'm also concerned about being locked out of the firewall...
Post by Lee Sharp on Aug 4, 2015 18:42:54 GMT
Several points...

About locking out... On System -> Advanced in the Miscellaneous section there is a check-box for "Disable webGUI anti-lockout rule." As long as you do not check that, you cannot be locked out.

Now as to the rules and rule order: the firewall goes to the first match, and uses it. So if you have "block everything" first, it will block everything and not see the rest. Since you have the default "allow everything" rule, it sees that and goes no further. Disable that rule (keeping in mind the anti-lockout above) and see what you have.

Also, under source you have * but you can make it LAN Net or a subnet if you wish. Keep your servers from using port 80 and 443 and you do not have to worry about Microsoft stealth upgrades.

The large block rule is last, or actually not needed, since if something is not allowed, it is blocked.
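An added illustration of the two points Lee makes above (source port ANY with a fixed destination port, and first-match rule order); this is example code written for this thread, not SmallWall's own rule engine. The ephemeral source-port range and the SIP port 5060 are assumptions, and the rule list is a subset of cmutwiwa's port table.

```python
# Added example: minimal first-match rule evaluator modelled on how a
# pf-style LAN rule set is walked top to bottom. Not SmallWall code.
import random
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp" or "any"
    src_port: Optional[int]   # None means ANY
    dst_port: Optional[int]   # None means ANY

def first_match(rules: List[Rule], proto: str, src_port: int, dst_port: int) -> str:
    """Return the action of the first matching rule; if nothing matches,
    fall back to the implicit default of blocking (Lee's last point)."""
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.src_port is not None and r.src_port != src_port:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "block"

def client_port() -> int:
    """Clients pick a random ephemeral source port (the 5-digit ports in
    Lee's netstat output). Range is an assumption (Linux default)."""
    return random.randint(32768, 60999)

def check(rules: List[Rule], proto: str, dst_port: int) -> str:
    """Evaluate one outbound connection with a randomly chosen source port."""
    return first_match(rules, proto, client_port(), dst_port)

# Rules built the way Lee describes: source port ANY, destination port fixed,
# explicit "Deny ALL" at the bottom. Subset of the thread's port table.
ALLOW_LIST = [
    Rule("pass", "udp", None, 53),     # DNS
    Rule("pass", "tcp", None, 53),
    Rule("pass", "tcp", None, 80),     # HTTP
    Rule("pass", "tcp", None, 443),    # HTTP-S
    Rule("pass", "tcp", None, 993),    # IMAP-S
    Rule("block", "any", None, None),  # Deny ALL
]

# Same rules with "Deny ALL" moved to the top: it matches first, so nothing passes.
BLOCK_FIRST = [ALLOW_LIST[-1]] + ALLOW_LIST[:-1]

# A rule that pins the *source* port to 80 never matches a browser's random port.
WRONG_SOURCE = [Rule("pass", "tcp", 80, None)]
```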
Post by cmutwiwa on Aug 5, 2015 5:30:01 GMT
I moved the "Deny All" rule to the bottom and created another rule before that to "Allow All" on a specific IP address as shown in the attachment; I have control over that particular host so I don't have to worry. Thanks Lee, I've tested my configuration and it's working as desired, but since I did this last evening when most of my clients were not online (99% of my clients are office people), I guess today they are going to put it to the test. Will report back.
Post by Lee Sharp on Aug 5, 2015 7:20:25 GMT
You should be good, but you should also be in the office early.
Post by cmutwiwa on Aug 5, 2015 10:20:34 GMT
It's 13:18, all my clients have been online since 9am, no complaints; in fact those who had Outlook Express and WhatsApp calls not working have confirmed that they are working now. I'm going to watch it for another couple of days tho'.
Thanks for the guide Lee.
Post by Lee Sharp on Aug 6, 2015 15:28:12 GMT
Glad we could get it working! And I like your list of ports!
Post by cmutwiwa on Aug 12, 2015 7:33:12 GMT
Yeah, almost a week now and everything is smooth, the link has really improved. Happy I've managed to deal with torrents (at least for now) before someone finds a way around it. I'm aware of one client who is already using IDM on port 80 to download torrents, but so far it's not a problem...
Post by Lee Sharp on Aug 13, 2015 4:23:59 GMT
Look at the firewall state table. Anyone doing torrents will have a lot of connections on odd ports. Just go walk over to them and ask what they are doing. That should scare them straight.
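Lee's state-table heuristic as an added example (written for this thread, not a SmallWall feature): count, per LAN host, how many distinct remote peers it talks to on ports outside the allowed list. The state-table line layout and the sample lines are constructed, and "odd port" is taken to mean any destination port not in cmutwiwa's allow list.

```python
# Added example: flag LAN hosts with many peers on non-allowed ports,
# using constructed state-table lines in a "src -> dst" layout.
import re
from typing import Dict, List

# Constructed sample (not real data); addresses are documentation ranges.
STATE_LINES = """\
LAN tcp 192.168.1.23:51755 -> 203.0.113.5:443 ESTABLISHED:ESTABLISHED
LAN tcp 192.168.1.23:51802 -> 203.0.113.9:80 ESTABLISHED:ESTABLISHED
LAN udp 192.168.1.23:53100 -> 192.168.1.1:53 MULTIPLE:MULTIPLE
LAN tcp 192.168.1.40:40011 -> 198.51.100.2:6881 ESTABLISHED:ESTABLISHED
LAN tcp 192.168.1.40:40012 -> 198.51.100.3:51413 ESTABLISHED:ESTABLISHED
LAN udp 192.168.1.40:40013 -> 198.51.100.4:6889 MULTIPLE:MULTIPLE
LAN tcp 192.168.1.40:40014 -> 198.51.100.5:23456 ESTABLISHED:ESTABLISHED
LAN udp 192.168.1.40:40015 -> 198.51.100.6:6881 MULTIPLE:MULTIPLE
"""

# Destination ports from the thread's allow list that a normal office host uses.
ALLOWED_DST = {25, 53, 80, 110, 143, 443, 465, 993, 995}

STATE_RE = re.compile(r"\S+\s+(tcp|udp)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")

def odd_port_peers(text: str, allowed=ALLOWED_DST) -> Dict[str, int]:
    """Map LAN host -> number of distinct (peer, port) pairs on non-allowed ports."""
    peers: Dict[str, set] = {}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # skip header or malformed lines
        src_ip, dst_ip, dst_port = m.group(2), m.group(4), int(m.group(5))
        if dst_port in allowed:
            continue
        peers.setdefault(src_ip, set()).add((dst_ip, dst_port))
    return {host: len(p) for host, p in peers.items()}

def suspects(text: str, threshold: int = 3) -> List[str]:
    """Hosts with more odd-port peers than the threshold: the ones to go talk to."""
    return sorted(h for h, n in odd_port_peers(text).items() if n > threshold)
```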