#1 (permalink)
Untangler
Join Date: May 2009
Location: Mexico City
Posts: 84
Hi there, I just made a simple Firewall Rules set for Block Mode, Untangle 7.0
Pass:
0020 - FTP
0021 - FTP
0022 - SSH
0023 - Telnet
0053 - DNS
0080 - HTTP
0025 - SMTP
0026 - SMTP
0143 - IMAP
0443 - HTTPS
0110 - POP3
1863 - MSNP
From any source, any port, Internal Interface to External Interface. Block Mode. It seems to be working great, but it would be helpful if blocked connections were logged. Is this possible?
#2 (permalink)
Create a block rule at the bottom.
That says Block and Log, then any source, any port, from internal to external. As FW rules are read in order, all traffic that does not match your other rules will use this (and then be logged).
__________________
"Of all the things I've lost, I miss my mind the most" Untangle Reseller (Sweden) WebFooL@fakenews.se http://fakenews.se/ Need space to Upload content for your forum post?
#5 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 7
Posts: 9,951
I hope your DNS rule is UDP only? And drop that bloody TCP 20 rule for "FTP" it isn't needed... ever.
Sorry, that's a pet peeve of mine... TCP 20 is only used in very rare cases by an FTP SERVER establishing an Active mode data transfer.
__________________
Intouch Technology Rob Sandling, BS:SWE, MCP Office: 480-272-9889 rob@intouchtechllc.com
#6 (permalink)

#7 (permalink)
Untangler
Join Date: Oct 2009
Location: UK
Posts: 37
UDP only? I have it set similar to WebFool's example, ie:
Enable Rule: Yes
Description: Allow DNS 53
Action: Pass
Log: Up to you
Rule Traffic Type: TCP AND UDP
Source Interface: Internal
Destination Interface: External
Source Address: any
Destination Address: any
Source Port: any
Destination Port: 53
Why do you say UDP only? (I'm in mega learning mode so sorry if it's a silly question).
#8 (permalink)
Join Date: Jul 2008
Standard dns queries are UDP (ie from host to server). It's only server to server zone transfers that use TCP.
I don't think it's that big a deal though.
__________________
m. Big Frickin Disclaimer: While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions. It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
#9 (permalink)
Join Date: Apr 2008
I've seen several trojans over the last year take advantage of destination TCP 53 because most people miss that little detail in their firewalls.
I don't believe in block all approaches anyway, but if you're going to walk down that path you may as well do the research to make perfect rules. Most of those protocols listed are TCP only, excepting DNS, and SMTP doesn't do jack with port 26... so I don't know where that came from.
__________________
Intouch Technology Rob Sandling, BS:SWE, MCP Office: 480-272-9889 rob@intouchtechllc.com
#10 (permalink)
Untangler
Join Date: Oct 2009
Location: UK
Posts: 37
Well I have:
Allow SMTP 995 TCP & UDP
Allow POP 465 TCP & UDP
Allow HTTPS 443 TCP & UDP
Allow DNS 53 UDP Only
Allow HTTP 80 TCP & UDP
Block everything else
All are:
Source Interface: Internal
Destination Interface: External
Source Address: any
Destination Address: any
Source Port: any
Destination Port: <whatever port number mentioned above>
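An added example, not code from Untangle or from anyone in this thread, that models the ordered first-match evaluation the replies rely on: the rule list from post #10 (with that post's own labels and the UDP-only DNS rule from post #8) followed by the "block everything else, log" rule from post #2. The point it makes visible is that traffic dropped by the implicit default in Block Mode produces no log entry, while the same traffic caught by an explicit bottom block rule does; a TCP/53 or TCP/26 connection (the cases post #9 raises) lands in that catch-all. The `Rule`/`Connection` classes, the `default_action` parameter and the log-line format are assumptions of this example and do not reproduce Untangle's own evaluation or event log.

```python
"""First-match firewall rule evaluation with a final block-and-log rule.

Added example; rules and sample connections are constructed from the
thread, not taken from an Untangle configuration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    description: str
    action: str                  # "pass" or "block"
    protocols: FrozenSet[str]    # any subset of {"tcp", "udp"}
    dst_port: Optional[int]      # None matches any destination port
    log: bool = False            # whether a match writes a log line


@dataclass(frozen=True)
class Connection:
    protocol: str
    dst_port: int
    src_interface: str = "internal"
    dst_interface: str = "external"


TCP_UDP = frozenset({"tcp", "udp"})
UDP_ONLY = frozenset({"udp"})

# Rule order matters: the first rule that matches decides the verdict.
# Labels are post #10's own; the last rule is post #2's block-and-log rule.
RULES: List[Rule] = [
    Rule("Allow SMTP 995", "pass", TCP_UDP, 995),
    Rule("Allow POP 465", "pass", TCP_UDP, 465),
    Rule("Allow HTTPS 443", "pass", TCP_UDP, 443),
    Rule("Allow DNS 53", "pass", UDP_ONLY, 53),      # UDP only, per post #8
    Rule("Allow HTTP 80", "pass", TCP_UDP, 80),
    Rule("Block everything else", "block", TCP_UDP, None, log=True),
]


def matches(rule: Rule, conn: Connection) -> bool:
    """All rules in the thread are internal -> external, any address/source port."""
    if conn.src_interface != "internal" or conn.dst_interface != "external":
        return False
    if conn.protocol not in rule.protocols:
        return False
    return rule.dst_port is None or rule.dst_port == conn.dst_port


def evaluate(conn: Connection, rules: List[Rule] = RULES,
             default_action: str = "block") -> Tuple[str, str, bool]:
    """Return (action, matched rule description, logged).

    default_action is an assumption standing in for the app's mode: "block"
    for Block Mode. The implicit default never logs, which is the gap the
    explicit bottom rule closes.
    """
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.description, rule.log
    return default_action, "implicit default (no rule matched)", False


def log_lines(conns: List[Connection], rules: List[Rule] = RULES) -> List[str]:
    """Constructed log format: one line per connection that hit a logging rule."""
    lines = []
    for c in conns:
        action, desc, logged = evaluate(c, rules)
        if logged:
            lines.append(f"{action.upper()} {c.protocol}/{c.dst_port} "
                         f"{c.src_interface}->{c.dst_interface} rule={desc!r}")
    return lines


# Constructed sample connections: normal DNS, DNS over TCP, the stray port 26
# from post #1, HTTPS, and the TCP 20 rule post #5 says is unnecessary.
SAMPLE: List[Connection] = [
    Connection("udp", 53),
    Connection("tcp", 53),
    Connection("tcp", 26),
    Connection("tcp", 443),
    Connection("tcp", 20),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.protocol}/{c.dst_port}: {evaluate(c)}")
    print("With the bottom block-and-log rule:", log_lines(SAMPLE))
    print("Without it (implicit default only):", log_lines(SAMPLE, RULES[:-1]))
```

Running it shows three logged blocks (tcp/53, tcp/26, tcp/20) with the full rule set and an empty log when the final rule is dropped, even though the same connections are still blocked by the mode's default.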