#11 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 14,698
And again, SMTP, POP3, HTTP, and HTTPS are TCP protocols; UDP isn't used and is more holes than you need.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#12 (permalink)
Master Untangler
Join Date: May 2009
Location: Mexico City
Posts: 121
I'm a little rusty with protocols, so I based my rules on:
http://en.wikipedia.org/wiki/List_of...P_port_numbers

Now I have (thanks to sky-knight and mrunkel):

Pass:
0021 - FTP (TCP & UDP)
0022 - SSH (TCP & UDP)
0023 - Telnet (TCP)
0053 - DNS (UDP)
0080 - HTTP (TCP)
0025 - SMTP (TCP)
0110 - POP3 (TCP)
0143 - IMAP (TCP & UDP)
0443 - HTTPS (TCP)
1863 - MSNP (TCP)

Block:
ANY - ANY (enabled when I need logs)

And I guess IMAP is also TCP only?

So, following the "only server-to-server communication needs TCP" idea for the DNS rule, that suggests that Untangle itself is not subject to Firewall rules... right? So for example, for external administration with HTTPS, I could block port 443 and still have access?

And another doubt: I have logs for port 8080, the Tomcat default HTTP port. Is this needed, or is it some frequent P2P port?

Note: I need port 26 for a hosted mail server solution that uses it (which I won't include here because it might be confusing to others). I also need a special rule from external to internal port 1433, for a stockware server that other networks use.

Last edited by mencargo; 10-11-2009 at 11:43 AM.
#13 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 14,698
TCP 8080 is commonly used for several web services and proxy services.

IMAP is TCP only as you've said, as are SSH and FTP. However, you may as well remove that FTP rule. FTP won't fly with just port 21, and unless you want to open all TCP ports >1024... pasv FTP won't be able to establish a data connection. Untangle has no FTP helper in the Firewall module, so the only secure way to enable FTP is with two rules: one to allow TCP 21, and another to allow TCP 1024-65535, and to "secure it" both rules are limited to the FTP server in question. Need proof? Go try to download an HP printer driver.

P.S. That wiki article is so wrong on so many levels... ICMP (Ping) operating on TCP/UDP port 8? WTF? ICMP is ANOTHER PROTOCOL, and technically it's port-less so it runs over port "0". But over the ICMP protocol, not TCP or UDP.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

Last edited by sky-knight; 10-11-2009 at 12:10 PM.
#15 (permalink)
Master Untangler
Join Date: May 2009
Location: Mexico City
Posts: 121
Quote:
But I saw netstat when pinging and couldn't figure it out, so I disabled the rule and it still works... I thought it worked with UDP in a mysterious way, ahaha. Thanks for the info.
#16 (permalink)
Master Untangler
Join Date: May 2009
Location: Mexico City
Posts: 121
I don't fully understand the DNS process.
If Untangle can communicate directly with the public DNS, in my case OpenDNS.com, do I need the DNS port available?

Last edited by mencargo; 10-11-2009 at 02:25 PM.
#17 (permalink)
Master Untangler
Join Date: May 2009
Location: Mexico City
Posts: 121
@sky-knight, I just discovered that SFTP and SCP don't need random TCP ports; I tested it with an SFTP client (Bitvise Tunnelier) and it seems to act only with ports 443 and 22, so that's a good solution for file transfer in block mode. And port 21 can go away... =)
#18 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 14,698
Yes, SCP and SFTP are much more advanced protocols that solve the file transfer issue more directly. However, you can't always get around the loss of FTP.

There are two paths to take to allow FTP. Trust the IP of the FTP server, and create the rules for each FTP server you need to access. Or trust a single client with blanket access to those ports at all times. An FTP proxy would be KILLER in the second application if deployed correctly.

As for DNS.... If my memory is working correctly, Untangle will prevent all outgoing access to UDP or TCP port 53 when the internal DNS service is enabled. However, if you have the DNS service enabled on the UT server... you don't NEED to enable clients to access DNS on the web at all. Untangle has a working caching server that isn't controllable with the firewall module. I'm glad you asked, because the reality is... you don't need that rule to pass port 53 at all; just configure UT to do the DNS work for you, and push the clients the UT internal IP for DNS resolution.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
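The following is an added example, not code from this thread and not Untangle's own Firewall module: a small first-match rule evaluator that reproduces the reasoning in posts #12, #13 and #18. It models rules the way the thread lays them out (pass rules first, then "Block: ANY - ANY"), and uses it to show why the pass list in #12 lets the FTP control connection through but not the passive data connection, how the two-rule fix from #13 (TCP 21 plus TCP 1024-65535, both limited to one FTP server, the "trust the IP of the FTP server" path from #18) repairs that without opening the high ports to every host, and why a TCP/UDP "port 8" rule copied from the wiki list can never match ICMP. The first-match semantics, the documentation-range addresses, and the data port 50000 are my assumptions, not facts about Untangle.

```python
"""Added example (not from the thread, not Untangle code): a first-match
firewall rule evaluator for checking the rule sets discussed in the thread.

Assumed model (my simplification, not Untangle's real implementation):
rules are evaluated top to bottom and the first match wins; a rule matches
on protocol, destination port range and, optionally, destination host;
ICMP is its own protocol and carries no port.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    protos: Tuple[str, ...] = ()             # ("tcp",), ("tcp", "udp"), ...; () means any
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range; None means any
    dst: Optional[str] = None                # destination host; None means any
    note: str = ""                           # label reported by evaluate()

    def matches(self, proto: str, dport: Optional[int], dst: Optional[str]) -> bool:
        if self.protos and proto not in self.protos:
            return False
        if self.ports is not None:
            # A port rule can never match ICMP: an ICMP echo has no port at all.
            if dport is None or not (self.ports[0] <= dport <= self.ports[1]):
                return False
        if self.dst is not None and self.dst != dst:
            return False
        return True


def evaluate(rules, proto, dport=None, dst=None):
    """Return (action, note) of the first rule that matches the flow."""
    for rule in rules:
        if rule.matches(proto, dport, dst):
            return rule.action, rule.note
    return "pass", "no rule matched (assumed implicit pass)"


def tcp(port, note):
    return Rule("pass", ("tcp",), (port, port), note=note)


# Pass list as posted in #12 (with the #13 correction that FTP, SSH and IMAP
# are TCP only), followed by the catch-all block rule.
POST12_RULES = [
    tcp(21, "FTP"), tcp(22, "SSH"), tcp(23, "Telnet"),
    Rule("pass", ("udp",), (53, 53), note="DNS"),
    tcp(25, "SMTP"), tcp(80, "HTTP"), tcp(110, "POP3"),
    tcp(143, "IMAP"), tcp(443, "HTTPS"), tcp(1863, "MSNP"),
    Rule("block", note="ANY - ANY"),
]

# Constructed sample addresses from the RFC 5737 documentation ranges, not real hosts.
FTP_SERVER = "203.0.113.10"
OTHER_HOST = "198.51.100.7"

# The two-rule approach from #13: TCP 21 plus TCP 1024-65535, both limited to
# the one trusted FTP server, placed ahead of the catch-all block.
FTP_FIX = [
    Rule("pass", ("tcp",), (21, 21), dst=FTP_SERVER, note="FTP control (trusted server)"),
    Rule("pass", ("tcp",), (1024, 65535), dst=FTP_SERVER, note="FTP pasv data (trusted server)"),
]
HARDENED_RULES = FTP_FIX + [r for r in POST12_RULES if r.note != "FTP"]


def passive_ftp_works(rules, server, data_port=50000):
    """Passive FTP needs the control connection to port 21 plus a second TCP
    connection to a server-chosen high port (data_port is a constructed
    example). The transfer only works if both connections are passed."""
    control, _ = evaluate(rules, "tcp", 21, server)
    data, _ = evaluate(rules, "tcp", data_port, server)
    return control == "pass" and data == "pass"


def icmp_hits(rules, host=OTHER_HOST):
    """Report which rule an ICMP echo ends up matching. TCP/UDP port rules,
    including a 'port 8' rule copied from the wiki list, never match it."""
    return evaluate(rules, "icmp", None, host)[1]


if __name__ == "__main__":
    print("HTTPS under #12 rules:", evaluate(POST12_RULES, "tcp", 443))
    print("pasv FTP under #12 rules:", passive_ftp_works(POST12_RULES, FTP_SERVER))
    print("pasv FTP under two-rule fix:", passive_ftp_works(HARDENED_RULES, FTP_SERVER))
    print("pasv FTP to another host:", passive_ftp_works(HARDENED_RULES, OTHER_HOST))
    wiki_icmp = [Rule("pass", ("tcp", "udp"), (8, 8), note="wiki 'ICMP port 8'")] + POST12_RULES
    print("ICMP with a TCP/UDP port-8 rule matches:", icmp_hits(wiki_icmp))
```

The order of the rule list is what makes the fix safe: the two host-limited FTP rules sit above the catch-all block, so a high-port connection to any other host still falls through to "ANY - ANY" and is blocked, which is the difference between this path and the "trust a single client with blanket access" path in #18.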