 From:  "Charles Goldsmith" <wokka at justfamily dot org>
 To:  Gazza <gazzazdaman at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Block all outgoing traffic, only allow certain
 Date:  Wed, 20 Jun 2007 11:48:31 -0500
I haven't done this on a M0n0 install, but I use it on Cisco PIXes at work.
The best way is to watch your logs, especially if you don't know what ports
an application needs.

Set up the deny-all outbound rule, open up your web and mail, and lock down
destination addresses if possible on the mail; allowing as little as needed
is always a good rule of thumb.

While watching the logs, try a Windows update, see what destination ports
are being denied and open them up.  You may be able to restrict the
destination address to some networks, but I wouldn't personally; you never know
when M$ will change things.

This applies to any application that doesn't work when you try it: watch the
logs and open up destination ports as needed.  Educate yourself on each
port; don't just blindly open them up.  Learn, Google, check your services
file.  Keep in mind that almost every application that needs internet access
could potentially use different ports.  Almost every game uses a different
port, and things like BitTorrent, AOL and antivirus will all be different.


On 6/20/07, Gazza <gazzazdaman at gmail dot com> wrote:
> Hi there
> I have reinstalled M0n0 after stuffing it up by messing around. I now have a
> default installation. I would like to block all outgoing traffic (on the
> card I assume), and only allow certain things.
> Would I change the default LAN rule that passes everything to block/reject
> and then create LAN rules for each port that I would like my LAN to allow
> out? I have tried doing this, but I'm getting pretty confused with the various
> options.
> Let's say for example I want ALL my PCs on my LAN to access ONLY the
> internet. I would create the rule as above and place it at the bottom of the
> list. Then, (and this is where I get confused) what must I do to allow what
> I want to achieve? Please, be very specific.
> I assume that I would apply the same rule for allowing email (port 25 and
> 110), https (port 443) for secure transfers like online banking, etc.
> Sorry, another question: how would this affect Windows automatic updates, as
> I don't know what port it uses?
> Appreciate the help
> Gareth
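The log-watching step the reply describes, as an added example that is not part of this thread or of m0n0wall itself: the script parses ipmon-style block entries (the exact log format is an assumption, and the sample lines are constructed), groups the dropped packets by destination port and host, and looks each port up in the services file so that a rule is only opened for a port you have identified.

```python
import re
import socket
from collections import defaultdict

# Constructed sample of ipmon-style log entries (format assumed, not taken
# from a real m0n0wall box): "b" marks a blocked packet, "p" a passed one.
SAMPLE_LOG = """\
20/06/2007 11:48:31.100001 sis0 @0:12 b 192.168.1.10,1034 -> 207.46.19.254,80 PR tcp len 20 48 -S OUT
20/06/2007 11:48:31.200002 sis0 @0:12 b 192.168.1.10,1035 -> 207.46.19.254,443 PR tcp len 20 48 -S OUT
20/06/2007 11:48:32.300003 sis0 @0:12 b 192.168.1.11,1036 -> 207.46.19.190,443 PR tcp len 20 48 -S OUT
20/06/2007 11:48:33.400004 sis0 @0:5 p 192.168.1.10,1037 -> 10.0.0.5,25 PR tcp len 20 48 -S OUT
20/06/2007 11:48:34.500005 sis0 @0:12 b 192.168.1.12,4000 -> 66.94.234.13,5190 PR tcp len 20 48 -S OUT
20/06/2007 11:48:35.600006 sis0 @0:12 b 192.168.1.12,1038 -> 192.168.1.1,53 PR udp len 20 60 OUT
"""

# date time iface @rule action src,sport -> dst,dport PR proto ...
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

def summarize_blocked(log_text):
    """Group blocked packets by (proto, dst port): hit count and destination hosts."""
    summary = defaultdict(lambda: {"hits": 0, "dests": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "b":
            continue          # unparsable line or a passed packet
        key = (m["proto"], int(m["dport"]))
        summary[key]["hits"] += 1
        summary[key]["dests"].add(m["dst"])
    return dict(summary)

def service_name(port, proto):
    """Look the port up in the system services file, as the reply recommends."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"      # not in /etc/services: research it before opening it

def report(log_text):
    """Rows of (proto, port, service, hits, sorted dest hosts), busiest first."""
    items = sorted(summarize_blocked(log_text).items(), key=lambda kv: -kv[1]["hits"])
    return [(p, port, service_name(port, p), i["hits"], sorted(i["dests"]))
            for (p, port), i in items]

if __name__ == "__main__":
    for proto, port, name, hits, dests in report(SAMPLE_LOG):
        print(f"{proto}/{port:<5} {name:<10} blocked {hits}x -> {', '.join(dests)}")
```

The destination-host column is what lets you decide whether an allow rule can be restricted to a few hosts or networks rather than "any", as the reply discusses for mail.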