  1. #1 Newbie (Join Date: Sep 2016, Posts: 10)

    Question block outbound traffic on most ports, pass only needed ones, asking for opinions

    Hi,
    What rules should I create so that I block all ports and pass only the needed ones? (Can you recommend which ports I should allow? The network is for business use only.)
    I was thinking of allowing these ports:
    e-mail: SSL/TLS (993,995,465) Non-SSL (143,110,25)
    web surf: 80,443
    dns:53
    Let me know of your opinion please.
    Thank you in advance!

  2. #2 Untangle Ninja Jim.Alles (Join Date: Jul 2008, Location: Central PA, Posts: 1,426)

    outbound or inbound?

    I block TCP/UDP 53 and use dnsmasq.

  3. #3 Newbie (Join Date: Sep 2016, Posts: 10)

    outbound

  4. #4 Newbie (Join Date: Sep 2016, Posts: 10)

    Any advice?

  5. #5 Untangle Ninja Jim.Alles (Join Date: Jul 2008, Location: Central PA, Posts: 1,426)

    The deadly silence IS the advice.

    What you want to do is unsupportable, in our opinion.
    You are asking for headaches, and if you don't already understand that for yourself...

    I can give you a list of IP addresses which I think are wise to block outbound, but maybe for a different reason than yours.

    What is your goal?

    .ja.

    Last edited by Jim.Alles; 03-13-2017 at 11:07 AM. Reason: popcorn!
    If you think I got Grumpy

  6. #6 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 21,637)

    Just make a firewall rule that says block, destination interface any-wan.

    Then start making the appropriate pass rules to make everything work. But Sky... where are your suggestions here?

    Nope, not going to get any, I'm going to get some popcorn and watch you learn the hard way why what you just asked is completely, utterly, and totally insane.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7 Master Untangler (Join Date: May 2010, Posts: 415)

    I wouldn't call it insane, but I definitely don't think he appreciates the implications of what he thinks he wants to do.

    But if you were going to do it, blocking all then allowing traffic type by type would be the right approach.


  8. #8 Newbie (Join Date: Sep 2016, Posts: 10)

    Quote Originally Posted by Jim.Alles View Post
    The deadly silence IS the advice.

    What you want to do is unsupportable, in our opinion.
    You are asking for headaches, and if you don't already understand that for yourself...

    I can give you a list of IP addresses which I think are wise to block outbound, but maybe for a different reason than yours.

    What is your goal?

    .ja.

    Hi,
    Basically, I am trying to control the network traffic and minimize insecurities. Some computer users sometimes download crap apps that can cause insecurities. (I tried to restrict usage by giving them limited accounts with no admin rights on their PCs, but that meant having an IT person to assist them for many reasons.) You have no idea what people do while they are at work... It's ridiculous; I had people ask me to unblock Facebook because they use it for inspiration in their work...
    I know friends who work at multinational companies, and on their business network they don't have CD-ROMs, USB ports are inactive, and there are many network restrictions besides, with outbound ports blocked.
    I asked in case you guys have done it before and could suggest something to me.
    Now, as I read, I see I clearly made an "insane" thread. LMAO
    If you have a blacklist of IPs you would recommend, I really would appreciate it.
    Has nobody tried this before?

    Thank you all for your replies. Even if it isn't the response i was expecting I am glad to receive your honest opinions.

  9. #9 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 21,637)

    I have tried this before; what you're asking completely misses the point of a UTM.

    You have a web filter, you have an application control module, you use those things to dynamically block significant threats. Most of the internet lives on HTTP 443, so even if you decided to do all those port blocks you're not doing anything.

    None of this has anything to do with NAC, which is what you use to control what switch ports are active and when. Nor does it have anything to do with locking down USB usage.

  10. #10 Master Untangler (Join Date: Oct 2014, Location: Norway, Posts: 121)

    I have to agree with sky-knight here. Web filter and application control are the way to control traffic. I only block certain ports on my Untangle that I know never need any internet access at all.
    I also blocked the DNS port and made a DNS pass rule for the Google DNS servers only. The other DNS requests will be from my gateway.
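The ruleset sky-knight outlines in #6 (one block rule to any-wan, then pass rules type by type) and the DNS-only-to-specific-resolvers rule in #10 both depend on first-match ordering. The following is an added example, not Untangle's own code or anything posted in the thread: a small first-match policy evaluator over a constructed ruleset, with sample flows chosen to show that the specific pass rules must sit above the catch-all block, and that an allowed port such as 443 passes whatever application is behind it, which is the point made in #9. The resolver IPs and destination address are constructed sample values.

```python
# Added example: first-match evaluator for a default-deny egress policy.
# Not Untangle's code; the ruleset and sample flows are constructed.
import ipaddress
from typing import NamedTuple, Optional, FrozenSet


class Rule(NamedTuple):
    action: str               # "pass" or "block"
    proto: Optional[str]      # "tcp", "udp", or None for any protocol
    dports: FrozenSet[int]    # destination ports; empty set means any port
    dst_net: Optional[str]    # destination CIDR; None means any destination
    comment: str


# Constructed ruleset mirroring the thread: DNS only to two named resolvers,
# web and mail by port, then a catch-all block toward the WAN side.
RULES = [
    Rule("pass", "udp", frozenset({53}), "8.8.8.8/32", "dns to resolver 1"),
    Rule("pass", "udp", frozenset({53}), "8.8.4.4/32", "dns to resolver 2"),
    Rule("pass", "tcp", frozenset({80, 443}), None, "web"),
    Rule("pass", "tcp", frozenset({25, 110, 143, 465, 993, 995}), None, "mail"),
    Rule("block", None, frozenset(), None, "default deny to any-wan"),
]


def evaluate(rules, proto, dst_ip, dport):
    """Return (action, comment) of the first rule matching the flow.

    A flow that matches no rule is treated as allowed, which is why the
    catch-all block rule is needed as the last entry.
    """
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.dst_net is not None and ip not in ipaddress.ip_network(r.dst_net):
            continue
        return r.action, r.comment
    return "pass", "no rule matched (implicit allow)"


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range; used here as a WAN host.
    for flow in [("udp", "8.8.8.8", 53), ("udp", "1.1.1.1", 53),
                 ("tcp", "203.0.113.5", 443), ("tcp", "203.0.113.5", 6881)]:
        print(flow, "->", evaluate(RULES, *flow))
    # Same rules with the block rule first: every flow is dropped.
    print("misordered:", evaluate(list(reversed(RULES)), "tcp", "203.0.113.5", 443))
```

The last line shows the ordering failure mode: with the block rule on top, the pass rules never match, so a web flow on 443 is dropped along with everything else.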
