Page 1 of 2
Results 1 to 10 of 16
  1. #1
    Newbie
    Join Date
    May 2020
    Posts
    4

    Firewall rule to allow specific ports to an FQDN

    I am trying a rule to allow traffic on specific ports to a specific FQDN. I've defined the ports, which allows the traffic to work, but when I tried to add the FQDN using the Host Hostname condition to make the rule as tight as possible, it does not work.

    I am able to create that kind of rule on my test Watchguard firewall and it works as expected.

    Pretty sure I'm doing it wrong in Untangle so any help to accomplish this would be appreciated.

    [Attachment: Capture.PNG]

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,660


    Untangle's firewall doesn't support this, and no firewall that does can call itself "secure".

    Also, the pass rule you have isn't required unless you've configured a block; Untangle's firewall doesn't block squat by default.

    So, did you make a block rule? I suspect you might be trying to solve a different problem, and you're grabbing the wrong tools here.

    Host Hostname should read "client hostname", what you'd need here is "server hostname" which would require a DNS lookup to process a firewall rule, and that takes too darned long and opens some very ugly doors.

    So again what are you trying to do?

    And welcome to the forums!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,177


    Yes, I second the welcome!

    I would like to request that in general, when you post a screenshot, please include the entire browser screen so we can tell where you are. (No problem w/ squeezing the window down a little from full screen to reduce the file size.)

    I am wondering if you are looking to do a 'port forward'?
    Last edited by Jim.Alles; 05-08-2020 at 06:54 PM.

  4. #4
    Newbie
    Join Date
    May 2020
    Posts
    4


    Thanks for the responses.

    It was interesting to see that Untangle blocked nothing by default. Big change from other firewalls I've worked with. The issue I am having is that I am unable to login using EA's Origin client nor could I access the Battlefield 4 servers. If I disable the Untangle's Firewall app, it works just fine. After googling this issue and searching the firewall logs, I found it was blocking a number of ports when my clients try to connect to EA's servers.

    After opening those ports, Origin was able to connect and BF4 multi-player worked as expected. I'm trying to tighten up the policies by only allowing traffic on those specific ports to *ea.com* and *origin.com* domains. Probably being a little anal with the rules but just want to know if it's possible.

    If there is a better way to do it, I'd appreciate being pointed in the right direction.
    Last edited by SirStiggie; 05-08-2020 at 07:40 PM.

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,177


    show us a screenshot of all of your [Firewall Rules], please

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,660


    The better way to do it is to stop blocking things with the firewall app. It's a useful troubleshooting and logging tool, but the idea that you should block all egress ports and pass only the "OK" stuff went out the door with the dodo.

    That's why we have Web Filter, Intrusion Prevention, and all the rest; they're vastly more intelligent than the Firewall.

    Besides, all the malware is on TCP 443 these days anyway, and if you try to control that thing you're going to be adding white lists until the end of time.
    Last edited by sky-knight; 05-08-2020 at 11:33 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Newbie
    Join Date
    May 2020
    Posts
    4


    [Attachment: Capture.PNG]

    Thanks for the replies. I've attached a screenshot of the firewall rules.

    @sky-knight I think I get what you're saying. I'm from the old school where we only allowed what we specifically wanted in and out and blocked everything else. Still have a lot to learn, and it doesn't help that firewall vendors all do things a little or a lot differently.

  8. #8
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,177


    Without picking that apart, (no promises) I would tend to suggest that most of the traffic in the top half of those rules be entirely bypassed from processing by NGFW (and that includes the Firewall App), for best user experience.

    I acknowledge that your goals may be different than mine, and that is valid.
    Last edited by Jim.Alles; 05-09-2020 at 04:46 AM.

  9. #9
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,177


    Quote Originally Posted by SirStiggie View Post
    I am trying a rule to allow traffic on specific ports to a specific FQDN. I've defined the ports, which allows the traffic to work, but when I tried to add the FQDN using the Host Hostname condition to make the rule as tight as possible, it does not work.
    Hostname is on an internal network client. This does not apply to URLs or external domains.
    https://wiki.untangle.com/index.php/Hosts

    [Attachment: hostname.png]
    Last edited by Jim.Alles; 05-09-2020 at 06:09 AM.

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,660


    Quote Originally Posted by SirStiggie View Post
    [Attachment: Capture.PNG]

    Thanks for the replies. I've attached a screenshot of the firewall rules.

    @sky-knight I think I get what you're saying. I'm from the old school where we only allowed what we specifically wanted in and out and blocked everything else. Still have a lot to learn, and it doesn't help that firewall vendors all do things a little or a lot differently.
    Yeah, and Untangle is a UTM not a firewall. There are many things that claim to be a UTM, but aren't. If you're from that old school, then you'll know your OSI model? Watchguard is a layer 2/3 device, that has some layer 7 features. Untangle is a layer 7 device, that has some layer 2/3 features.

    The way it works is utterly different. And today, on Untangle, the total lockdown module is Web Filter. With SSL Inspector installed and active... And backed up with Application Control, and Bandwidth Control.

    The free Untangle isn't bad, you can see the visibility it provides in Web Monitor's logs. And in there, you'll find your primary shield, the malware Sites category. Now Monitor can't block these, but Web Filter will. And that engine updates dynamically on the fly. So your systems once protected by Web Filter simply can't get to places where viruses propagate. Because again, most of this traffic goes over TCP 443, and since you have blanket TCP 443 and TCP 80 egress rules defined...

    Well you've already opened the flood gates, so all you're doing with this general block methodology is making more work for yourself. It's not providing you additional security. This is no gain, all loss. If you want to keep beating yourself up over it, you can keep at it... but know that you've just run face first into a massive fault. You have to use IP addresses in the rules, you cannot use DNS names, and the service you're trying to pass is delivered via CDN. Which means you'll never get a complete IP list, and in frustration you'll wind up using an IP range so wide you again may as well disable the block rule at the bottom.

    *Note* This post written by an IT Engineer that used to do exactly what you're doing... I get it, trust me I do. But, I've got years of beating my head against the wall... with the bald spots to prove it! Change course, before you meet the same fate!
    mikeyscott likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
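Added example (not Untangle code and not anything the posters supplied): a toy first-match egress rule table in Python that works the way the replies above describe a packet-level firewall app working, matching only on protocol, destination port and destination address, with no hostname condition available at packet time. It shows the two consequences sky-knight describes for a CDN-delivered service: a pass rule built from the addresses a name resolved to once misses the edge address a later lookup hands out, and widening the rule to a whole range passes unrelated hosts in that range as well. Rule field names, the `.invalid` hostname, the "DNS snapshots" and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Toy first-match egress rule table (constructed example, not Untangle code).

A rule can test protocol, destination port and destination network, which is
all a packet carries; a hostname is not on the packet, so it cannot be a rule
condition without a lookup at processing time.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class Flow:
    proto: str       # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    proto: Optional[str] = None                   # None matches any protocol
    dst_ports: Optional[Set[int]] = None          # None matches any port
    dst_nets: Optional[List[IPv4Network]] = None  # None matches any address
    desc: str = ""


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every condition the rule sets must hold; unset conditions match anything."""
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dst_ports is not None and flow.dst_port not in rule.dst_ports:
        return False
    if rule.dst_nets is not None:
        ip = ip_address(flow.dst_ip)
        if not any(ip in net for net in rule.dst_nets):
            return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Top-to-bottom, first match wins; an empty table blocks nothing."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "pass"


# Constructed DNS answers for a CDN-fronted name, as seen on two separate
# lookups: the edge address handed out changes between them.
DNS_SNAPSHOTS: Dict[str, List[List[str]]] = {
    "example-cdn.invalid": [
        ["203.0.113.10", "203.0.113.11"],   # what the admin saw when writing the rule
        ["198.51.100.7"],                   # what a client is handed later
    ],
}


def allowlist_from_lookup(name: str, snapshot: int) -> List[IPv4Network]:
    """A rule table can only hold what the name resolved to at one moment."""
    return [ip_network(addr + "/32") for addr in DNS_SNAPSHOTS[name][snapshot]]


def rules_for(allow_nets: List[IPv4Network]) -> List[Rule]:
    """Pass TCP/443 to the listed networks, block all other egress."""
    return [
        Rule("pass", "tcp", {443}, allow_nets, "pass 443 to the resolved addresses"),
        Rule("block", desc="block all other egress"),
    ]


def verdicts(rules: List[Rule], addrs: List[str], port: int = 443) -> Dict[str, str]:
    return {a: evaluate(rules, Flow("tcp", a, port)) for a in addrs}


def demo() -> Dict[str, Dict[str, str]]:
    name = "example-cdn.invalid"
    rules = rules_for(allowlist_from_lookup(name, 0))
    first = verdicts(rules, DNS_SNAPSHOTS[name][0])    # all pass
    later = verdicts(rules, DNS_SNAPSHOTS[name][1])    # blocked: address not in the list
    # The usual "fix": widen the rule to whole /24s. Now an unrelated host in
    # the same range (198.51.100.200, constructed) passes too.
    wide = rules_for([ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")])
    widened = verdicts(wide, DNS_SNAPSHOTS[name][1] + ["198.51.100.200"])
    return {"first": first, "later": later, "widened": widened}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Running the block prints three stages: the addresses captured at rule-writing time pass, the address from the later lookup is blocked by the catch-all, and the widened /24 rule passes both the CDN edge and the unrelated host in that range. The evaluator itself is plain first-match over packet fields, which is why a "server hostname" condition cannot be expressed in it without resolving the name during rule processing.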
