New Home User - Couple of Questions

Good Morning. I recently purchased the HomePro license and installed it on a dedicated server. As expected, I have a few questions about a few of the features in Untangle. For context, my previous firewall was PfSense, so I have a lot of unlearning to do. I am running the default configuration at the moment with no firewall rules. On to the questions:

1. I used a web service to scan my WAN interface and noticed that ports 21,23, and 80 are open. Are these necessary for Command Center access? I was very surprised to see those particular ports open. With PfSense, no ports are open on the WAN by default. Are they a false positive? If so, what would be the best report to verify?

2. I know outbound traffic is open by default. Are there any best practices documents for locking this down a bit more? It feels risky to allow non-Web ports access to the world, particularly SMB ports such as 139 and 445. I am sure this is my "old school" firewall thinking at work here, but it still bothers me. :) How do others approach this "issue"? I fully realize the vast majority of threats ride https and create "reverse tunnels" to provide access and C&C. It just seems like leaving all these other ports open outbound is not a best practice, even for a UTM. Maybe I am missing something with regard to the way Untangle works.

3. Does the Application Control module provide any tangible value for home users? I do not have any kids, so controlling common apps like TikTok, Facebook, Instagram, etc., is not much of a concern. I would mainly be interested in Application Control if it provides value for malware protection. If so, what are some of the more common malware "apps" that I should be blocking?

4. Is there a way to get visibility into traffic that is Filtered using the Network Filtering Rules, if I decide to create some? With no logging, it seems layer 2/3 filtering is going to be a challenge to troubleshoot. I have several internal networks and will likely need to implement some Network Filtering to properly isolate them.

My main reason for moving over to Untangle from PfSense is the visibility into web and data usage that it provides. I can say that even with my limited time using the platform, it has exceeded my expectations in that regard. My main challenge will be adjusting my thinking to align with UTM capabilities vs traditional firewalls. Right now, I have a very uneasy feeling with regard to my network security. :)

Thanks very much for reading my wall of text. I look forward to learning more about this powerful platform as I continue my journey.

Thanks,

David

Welcome to the forums.

1. Default, no WAN ports are open on Untangle NGFW. That sounds like you have some port forwards configured.
2. For a home network, leaving outbound open is fine. Web Filter and IPS will catch any rogue usage.
3. Best practices are a layered approach, Application Control can show unexpected apps running which can alert you to other issues.
4. Session Viewer has all the live sessions. In Reports, Network events will should historical traffic.

...to Untangle, and the forums!

Quote:

---

Originally Posted by delonm

3. Does the Application Control module provide any tangible value for home users?

---

My most common use is additional detail in reporting - what does the App think the traffic is?

One layer of rules it adds value is to HTTP: traffic
Attachment 10540

Note that the highlighted equation operator is "NOT equal". That one is hard to see.
in that rule 100005 I am making certain that the domain is resolved to that IP address, and blocking & reporting if not. I don't want that one being spoofed, since DoH resolution relies on it.

Quote:

---

Originally Posted by jcoffin

Welcome to the forums.

1. Default, no WAN ports are open on Untangle NGFW. That sounds like you have some port forwards configured.
2. For a home network, leaving outbound open is fine. Web Filter and IPS will catch any rogue usage.
3. Best practices are a layered approach, Application Control can show unexpected apps running which can alert you to other issues.
4. Session Viewer has all the live sessions. In Reports, Network events will should historical traffic.

---

Thanks for the timely response Jcoffin. I definitely do not have any port forwards enabled, unless there are some enabled as part of the default install. In fact, I would have to spend some time on the Wiki to figure out how to setup a port forward. I do wonder if my ISP is doing something strange with NAT as the address assigned to my WAN interface is not the same as is reported on the port scanning web site.

With regard to Web Filter and IPS, does Web Filter actually monitor non-HTTP/S traffic, or is that traffic entirely monitored by IPS? I assume that I should tune the IPS to block services such as SMB outbound, or does it do that by default? Still seems strange to not have defined Firewall block rules for those ports. :)

I will play around with Application Control and configure some alerting to see if the extra visibility is worth the effort. I will also take a look at the defined applications that are rated as higher risk and do some selective blocking.

Thanks for the info on Session Viewer. I will do some testing with Filter Rules and Session view to get a feel for how they are reported before I go crazy implementing layer 2/3 rules.

One additional question: I know that existing sessions are not blocked when new rules are added to the Firewall Application. Is there a setting that will terminate all existing sessions when a new rule is added?

Thanks again,

David

Quote:

---

4. Is there a way to get visibility into traffic that is Filtered using the Network Filtering Rules, if I decide to create some?

---

yes, but it is advanced, read the warning. And a rule for use of "Log Blocked Sessions" is: don't get freaked out by everything that is blocked on the wild and woolly web. These will also require the use of more resources, which you have hinted are in abundance.

Attachment 10541

Quote:

---

Originally Posted by jcoffin

2. For a home network, leaving outbound open is fine. Web Filter and IPS will catch any rogue usage.

---

In this list, don't forget Shield!

And also, don't let any of my comments overshadow John's. :cool:
Mr. Coffin is authoritative!

Quote:

---

2. I know outbound traffic is open by default. Are there any best practices documents for locking this down a bit more?

---

As far as I know there are no NGFW best practices published, other than factory defaults and what is on the Wiki, and the videos. Do search around for videos, they are not obvious.

I have a pet peeve for home 'routers', and that is Internet noise pollution from random RFC-1918 IP addresses. The scenario is:

Code:

---

I am the network administrator at my mother-in-laws home.
I configure windows on my laptop to print on her printer at 192.168.1.11
Windows reaches out to that printer for status.
I take that laptop home to my 192.168.2.0/24 network.
Windows reaches out to that printer for status.

---

Where does that traffic then go? right out the default gateway to the Internet until it is caught somewhere as non-routable.

I strongly believe that as a good netizen, I am responsible for identifying it as non-routable in the first place, and not letting it leak out of my network.

*===*

Clearly, your concerns have even more gravity.
So, I have some rules for you. A few may be useful for your stated goals.
Disclaimers:
These are not sanctioned or approved by Untangle, and might-could really screw up some enterprise networks.
These rules are meant for a home network, but in my domain and with my experience.
I would not provide or suggest them as examples to a "New home user".
You will need to understand each rule before implementing it.
Some of them are ideas that are abandoned in place.
I documented them to the extent that it will jog my memory. Feel free to ask questions for the underlying reasoning.

Attachment 10542

Attachment 10544

Additional tips: Firewall App rules can only affect TCP & UDP traffic, despite all of the check box options.
Filter Rule blocks can be logged, but reporting will not show the applicable filter rule number, so troubleshooting those rules can still be fuzzy.
I push anything I can to the Firewall app, unless I don't want to see it in the reports (Like the RFC-1918 stuff).

my :twocents:

Does your Untangle have a public IP address on the WAN or is it NAT by the ISP modem. If there is no public IP on Untangle, then the scan results are of your ISP modem.

Quote:

---

Originally Posted by delonm

One additional question: I know that existing sessions are not blocked when new rules are added to the Firewall Application. Is there a setting that will terminate all existing sessions when a new rule is added?

---

No.
Unfortunately, you are going to have to get more physical. like unplug a patch cord, or reboot the box.

An SMB rule, as a freebie example:

Attachment 10545