 
 From:  "Jason Collins" <jason at mammothcomputers dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Would like to filter outbound traffic for corporate security purposes but my rules don't seem to work
 Date:  Sat, 12 Nov 2005 05:48:44 -0600
Yes, I thought of that and I should have mentioned it.  One of the configs I
tried was to set the destination port on all to any.  I still couldn't get
any traffic to flow out.  Can't even surf the web much less send mail from
the server.  Thanks very much for the replies, though.  I am guessing that
there are people here who have been successful with outbound filtering then?
Here is the config with all destination ports set to any:

        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <protocol>tcp</protocol>
            <source>
                <network>lan</network>
                <port>53</port>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>DNS Out (Allowed)</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <protocol>tcp</protocol>
            <source>
                <network>lan</network>
                <port>443</port>
            </source>
            <destination>
                <any/>
                <port>443</port>
            </destination>
            <descr>HTTPS Out (Allowed)</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <protocol>tcp</protocol>
            <source>
                <network>lan</network>
                <port>21</port>
            </source>
            <destination>
                <any/>
                <port>21</port>
            </destination>
            <descr>FTP Out (Allowed)</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <protocol>tcp</protocol>
            <source>
                <network>lan</network>
                <port>123</port>
            </source>
            <destination>
                <any/>
                <port>123</port>
            </destination>
            <descr>NIST Time Out (Allowed)</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <protocol>tcp/udp</protocol>
            <source>
                <address>192.168.1.250</address>
                <port>25</port>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>SMTP Server Only Out (allowed)</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <protocol>tcp/udp</protocol>
            <source>
                <address>192.168.1.250</address>
                <port>110</port>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>POP3 Server Only Out (Allowed)</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <protocol>icmp</protocol>
            <source>
                <address>192.168.1.1</address>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>ICMP Out from Gateway (allowed)</descr>
        </rule>
        <rule>
            <type>block</type>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
            <disabled/>
            <descr>Default Out (Blocked) -- Must be last rule in list</descr>
        </rule>

-----Original Message-----
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Saturday, November 12, 2005 5:36 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Would like to filter outbound traffic for corporate security purposes but my rules don't seem to work

Jason Collins wrote:
>   Glad to post the config -- I am assuming you want the rules and not 
> the whole thing (it's rather large)?  I figured out from the 
> documentation and having used other firewalls the top to bottom 
> filtering and in an effort to get it working, tried leaving out a deny 
> rule altogether and it still wouldn't let anything through.
> Anyway, here's the rules config: 
> 
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <network>lan</network>
>                 <port>443</port>
>             </source>
>             <destination>
>                 <any/>
>                 <port>443</port>
>             </destination>
>             <descr>HTTPS Out (Allowed)</descr>
>         </rule>

I snipped everything but this one to show your confusion. The source port
for traffic for most services is not the same as the destination port. The
web browser will choose a random port (I can't think w/o coffee
- don't remember the range) above 1024. The source port should be any.

         <rule>
             <type>pass</type>
             <interface>lan</interface>
             <protocol>tcp</protocol>
             <source>
                 <network>lan</network>
***note =>       <port>any</port>
             </source>
             <destination>
                 <any/>
                 <port>443</port>
             </destination>
             <descr>HTTPS Out (Allowed)</descr>
         </rule>

There are some services for which the source port will be the same as the
destination port. I think DNS is one of these (note, still no coffee...
someone correct me please); my suggestion would be to make the source port
"any" just to be safe.

_________________________________
James W. McKeand


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
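The source-port mistake discussed in this thread is easy to reproduce with a small first-match rule evaluator over m0n0wall-style `<rule>` elements. The following is an added example written for this archive page; it is not code from the thread or from the m0n0wall project. It assumes a LAN subnet of 192.168.1.0/24 (the thread shows 192.168.1.x hosts but never states the mask), ignores the `<interface>` element because every sample flow enters on the LAN, treats a missing `<port>` or `<port>any</port>` as "any port", and applies an implicit default deny when no rule matches. The flows and rule sets are constructed for the example. It shows that a browser connecting from an ephemeral source port never matches a rule whose source port is pinned to 443, so the catch-all block rule (or the implicit deny) wins, while the corrected rule with source port "any" passes the same flow and still blocks other destination ports.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: LAN interface subnet (not stated in the thread).
LAN_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for protocols without ports (icmp)
    dst: str
    dport: Optional[int]


def _port_matches(spec: Optional[str], port: Optional[int]) -> bool:
    """No <port> element (or 'any') matches every port; 'N' or 'N-M' otherwise."""
    if spec is None or spec.strip().lower() == "any":
        return True
    if port is None:
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _endpoint_matches(elem: ET.Element, addr: str, port: Optional[int]) -> bool:
    """Match a <source>/<destination> element: <any/>, <network>lan</network> or <address>."""
    if elem.find("any") is None:
        if elem.findtext("network") == "lan" and ip_address(addr) not in LAN_NET:
            return False
        host = elem.findtext("address")
        if host is not None and ip_address(addr) != ip_address(host):
            return False
    return _port_matches(elem.findtext("port"), port)


def evaluate(rules_xml: str, flow: Flow) -> str:
    """Top-to-bottom, first match wins; implicit deny when nothing matches."""
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.find("disabled") is not None:
            continue                      # m0n0wall skips disabled rules
        proto = rule.findtext("protocol", "any")
        if proto != "any" and flow.proto not in proto.split("/"):
            continue                      # "tcp/udp" matches either protocol
        if not _endpoint_matches(rule.find("source"), flow.src, flow.sport):
            continue
        if not _endpoint_matches(rule.find("destination"), flow.dst, flow.dport):
            continue
        return f"{rule.findtext('type')}: {rule.findtext('descr')}"
    return "block: implicit default deny (no rule matched)"


# Constructed rule set mirroring the thread's mistake: source port pinned to 443.
ORIGINAL_RULES = """<filter>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network><port>443</port></source>
    <destination><any/><port>443</port></destination>
    <descr>HTTPS Out (Allowed)</descr></rule>
  <rule><type>block</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default Out (Blocked)</descr></rule>
</filter>"""

# Same rules with the fix from the reply: source port left as "any" (element omitted).
FIXED_RULES = ORIGINAL_RULES.replace("<network>lan</network><port>443</port>",
                                     "<network>lan</network>")

# Constructed flows: a browser uses a random high source port, not 443.
BROWSER_FLOW = Flow("tcp", "192.168.1.20", 51234, "203.0.113.10", 443)
HTTP_FLOW = Flow("tcp", "192.168.1.20", 51235, "203.0.113.10", 80)


def compare() -> dict:
    """Outcome of the same browser flow under the broken and the corrected rule set."""
    return {
        "original": evaluate(ORIGINAL_RULES, BROWSER_FLOW),
        "fixed": evaluate(FIXED_RULES, BROWSER_FLOW),
        "fixed_http": evaluate(FIXED_RULES, HTTP_FLOW),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:12s} {verdict}")
```

Running it shows the pinned-source-port rule blocking the browser under the original set, the corrected set passing it, and plain HTTP still blocked by the catch-all rule, which is the behaviour the thread is after: allow by destination service, never by the client's source port.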