Yes, I thought of that and I should have mentioned it. One of the configs I
tried was to set the destination port on all to any. I still couldn't get
any traffic to flow out. Can't even surf the web much less send mail from
the server. Thanks very much for the replies, though. I am guessing that
there are people here who have been successful with outbound filtering then?
Here is the config with all destination ports set to any:
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>tcp</protocol>
  <source>
    <network>lan</network>
    <port>53</port>
  </source>
  <destination>
    <any/>
  </destination>
  <descr>DNS Out (Allowed)</descr>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>tcp</protocol>
  <source>
    <network>lan</network>
    <port>443</port>
  </source>
  <destination>
    <any/>
    <port>443</port>
  </destination>
  <descr>HTTPS Out (Allowed)</descr>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>tcp</protocol>
  <source>
    <network>lan</network>
    <port>21</port>
  </source>
  <destination>
    <any/>
    <port>21</port>
  </destination>
  <descr>FTP Out (Allowed)</descr>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>tcp</protocol>
  <source>
    <network>lan</network>
    <port>123</port>
  </source>
  <destination>
    <any/>
    <port>123</port>
  </destination>
  <descr>NIST Time Out (Allowed)</descr>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>tcp/udp</protocol>
  <source>
    <address>192.168.1.250</address>
    <port>25</port>
  </source>
  <destination>
    <any/>
  </destination>
  <descr>SMTP Server Only Out (allowed)</descr>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>tcp/udp</protocol>
  <source>
    <address>192.168.1.250</address>
    <port>110</port>
  </source>
  <destination>
    <any/>
  </destination>
  <descr>POP3 Server Only Out (Allowed)</descr>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>icmp</protocol>
  <source>
    <address>192.168.1.1</address>
  </source>
  <destination>
    <any/>
  </destination>
  <descr>ICMP Out from Gateway (allowed)</descr>
</rule>
<rule>
  <type>block</type>
  <interface>lan</interface>
  <source>
    <network>lan</network>
  </source>
  <destination>
    <any/>
  </destination>
  <disabled/>
  <descr>Default Out (Blocked) -- Must be last rule in list</descr>
</rule>
-----Original Message-----
From: James W. McKeand [mailto:james at mckeand dot biz]
Sent: Saturday, November 12, 2005 5:36 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Would like to filter outbound traffic for corporate security purposes but my rules don't seem to work
Jason Collins wrote:
> Glad to post the config -- I am assuming you want the rules and not
> the whole thing (it's rather large)? I figured out from the
> documentation and having used other firewalls the top to bottom
> filtering and in an effort to get it working, tried leaving out a deny
> rule altogether and it still wouldn't let anything through.
> Anyway, here's the rules config:
>
> <rule>
>   <type>pass</type>
>   <interface>lan</interface>
>   <protocol>tcp</protocol>
>   <source>
>     <network>lan</network>
>     <port>443</port>
>   </source>
>   <destination>
>     <any/>
>     <port>443</port>
>   </destination>
>   <descr>HTTPS Out (Allowed)</descr>
> </rule>
I snipped everything but this one to show your confusion. The source port
for traffic for most services is not the same as the destination port. The
web browser will choose a random port (I can't think w/o coffee - don't
remember the range) above 1024. The source port should be any.
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <protocol>tcp</protocol>
  <source>
    <network>lan</network>
    ***note => <port>any</port>
  </source>
  <destination>
    <any/>
    <port>443</port>
  </destination>
  <descr>HTTPS Out (Allowed)</descr>
</rule>
There are some services where the source port will be the same as the
destination port. I think DNS is one of these (note: still no coffee...
someone correct me please). My suggestion would be to make the source port
"any" just to be safe.
_________________________________
James W. McKeand
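The mismatch James points out can be checked mechanically. The script below is an added example, not code from this thread or from m0n0wall: it parses a rule list in the same XML shape as the configs above, flags pass rules whose <source> pins a port, and evaluates a packet top to bottom (first match wins) so the effect is visible. A browser connecting from an ephemeral source port (51234 here, a constructed value) finds no matching pass rule until the source port is unpinned. Address matching is deliberately left out; only protocol and ports are compared, which is enough to show the problem. The sample config embedded in the script is constructed from the thread's HTTPS and DNS rules.

```python
"""Lint m0n0wall-style <rule> XML for pinned source ports.

Added example; not m0n0wall code. Only protocol and port matching are modelled.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the thread's HTTPS and DNS rules (source port pinned to the
# service port) followed by a disabled default-block rule, as in the original post.
SAMPLE_RULES = """<filter>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <protocol>tcp</protocol>
    <source><network>lan</network><port>443</port></source>
    <destination><any/><port>443</port></destination>
    <descr>HTTPS Out (Allowed)</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <protocol>tcp</protocol>
    <source><network>lan</network><port>53</port></source>
    <destination><any/></destination>
    <descr>DNS Out (Allowed)</descr>
  </rule>
  <rule>
    <type>block</type>
    <interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
    <disabled/>
    <descr>Default Out (Blocked)</descr>
  </rule>
</filter>"""

EPHEMERAL_CLIENT_PORT = 51234  # constructed: a typical high client-side source port


def _port_matches(spec, port):
    """True if a <port> text ("443", "1024-65535", "any" or absent) covers `port`."""
    if spec is None or spec.strip().lower() == "any":
        return True
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def find_pinned_source_ports(xml_text):
    """Return (descr, source_port) for every pass rule whose <source> pins a port.

    Clients originate connections from an ephemeral port, so such a rule will
    almost never match outbound traffic; this is the mistake discussed in the thread.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass":
            continue
        src_port = rule.findtext("source/port")
        if src_port is None or src_port.strip().lower() == "any":
            continue
        findings.append((rule.findtext("descr"), src_port.strip()))
    return findings


def first_match(xml_text, proto, src_port, dst_port):
    """Top-to-bottom first-match evaluation; returns the matching rule's <descr>.

    Returns None when no enabled rule matches (the firewall's default deny).
    """
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        if rule.find("disabled") is not None:
            continue
        rule_proto = rule.findtext("protocol")
        # m0n0wall writes "tcp/udp" for rules covering both; no <protocol> means any
        if rule_proto is not None and proto not in rule_proto.split("/"):
            continue
        if not _port_matches(rule.findtext("source/port"), src_port):
            continue
        if not _port_matches(rule.findtext("destination/port"), dst_port):
            continue
        return rule.findtext("descr")
    return None


def unpin_source_ports(xml_text):
    """Return the config with <port> removed from every pass rule's <source>."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass":
            continue
        src = rule.find("source")
        port = src.find("port") if src is not None else None
        if port is not None:
            src.remove(port)  # absent <port> is the same as "any"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for descr, port in find_pinned_source_ports(SAMPLE_RULES):
        print(f"source port pinned to {port}: {descr}")
    print("before:", first_match(SAMPLE_RULES, "tcp", EPHEMERAL_CLIENT_PORT, 443))
    fixed = unpin_source_ports(SAMPLE_RULES)
    print("after: ", first_match(fixed, "tcp", EPHEMERAL_CLIENT_PORT, 443))
```

Run against the sample, the HTTPS attempt from port 51234 matches nothing before the fix and matches the HTTPS rule after it. Note that unpinning the DNS rule leaves it with destination "any" on every port, so in a real config the destination port should be set at the same time.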