Solved

firewall rules

Posted on 2014-12-24
155 Views
Last Modified: 2014-12-26
I have a question that is more of the operation of a firewall, not necessarily a problem with its operation.
I recently set up pfSense on an old PC and just got it working with the help of an Experts Exchange expert. Since then I've added more firewall rules and they are working fine, so I want to make sure I have the concept of what is happening correct.
When I make a rule, for the source interface, for port I use any. At first I thought the best security would be to specify a source port, but the source is a computer on my LAN, and, if I have this correct, a pc on my LAN would be using any random port it generates.
For example, on a computer on my LAN, when I click on a link on a webpage, http traffic is port 80, but the computer needs to keep track of several separate data sockets for port 80 because, let's say, on the website I'm on, there is a flash player video running, and I have a few tabs opened. So each of those tabs, and that flash video, all have a separate data socket to whichever web server serves those links. I picture it as: port 80 is a highway, and all the separate sockets are the lanes. These lanes would be assigned a random port number. Unlike a real highway, the data in the lane it is assigned to cannot change lanes. If you are a bit of data, and you have been assigned port 2356 on highway 80, you must stay in that lane, and that way the computer knows which link you belong to on a webpage. So because there are all these separate "lanes" on highway 80, and the port assignment for these lanes is random, on the firewall you can't specify a port on the outgoing traffic.
So does that sound like I have this concept correct? Anything I left out? Or even better, is there some trick on a firewall in which you can specify outgoing ports, which would be better security than allowing any port?
Question by:JeffBeall
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 40517264
There is no magic trick, for outbound initiated connections you can't specify source ports because they are random.

Why would you want to restrict which port numbers are used for outbound connections?
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 40518464
Because if a computer is infected with malware or a virus, it could try to send out information. So I want to block everything going out. However, since what is going out is random, you need to set outbound ports to any.
So I was hoping that maybe firewalls take this into account, and there would be a way to allow only traffic on port 80 for instance.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 40518557
O.K., you can. All you need to do is restrict the destination port to 80. The source port still needs to be ANY, because the source port is a random port. On a typical firewall rule there are 5 parameters required:

Protocol (TCP or UDP)
Source IP address
Source Port
Destination IP address
Destination Port

For traffic initiated from inside the firewall, such as when you are surfing the web, your IP address and port are the source and the website you are going to is the destination.

So for that type of traffic typically you would specify protocol TCP, source address of any, source port any, destination address any, and destination port 80. You would also typically have another rule with the destination port being 443.

As for malware/virus infection sending information out, well, if you allow outbound traffic to port 80/443 they are going to send information out anyway. This is why it is very important to have anti-virus software installed on all computers within your network.
0
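As an added illustration of the accepted answer (this is not pfSense code and not part of the thread), here is a small 5-tuple rule matcher in Python. It models the five parameters the answer lists, treats "any" as a wildcard, evaluates rules first-match-wins with a default block, and shows why the source port of a browser connection must be left as "any": each tab or socket in the asker's highway picture gets its own ephemeral source port, so a rule that pins the source port (port 2356 in the question) would block normal browsing. All addresses, ports and rules below are constructed sample values.

```python
"""Toy 5-tuple firewall rule matcher (constructed teaching example, not pfSense's pf engine).

Rule parameters, as in the accepted answer: protocol, source address,
source port, destination address, destination port.  ANY is a wildcard.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for any rule field


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp" or ANY
    src: Optional[str]     # source IP or ANY
    sport: Optional[int]   # source port or ANY
    dst: Optional[str]     # destination IP or ANY
    dport: Optional[int]   # destination port or ANY

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        """A field matches if the rule says ANY or the value is equal."""
        wanted = (self.proto, self.src, self.sport, self.dst, self.dport)
        actual = (proto, src, sport, dst, dport)
        return all(w is ANY or w == a for w, a in zip(wanted, actual))


# Constructed outbound ruleset from the answer: TCP to port 80 and 443,
# source port ANY, everything else falls through to the default block.
OUTBOUND_RULES: List[Rule] = [
    Rule("pass", "tcp", ANY, ANY, ANY, 80),
    Rule("pass", "tcp", ANY, ANY, ANY, 443),
]


def evaluate(rules: List[Rule], proto: str, src: str, sport: int,
             dst: str, dport: int, default: str = "block") -> str:
    """First matching rule decides; no match means the default action."""
    for rule in rules:
        if rule.matches(proto, src, sport, dst, dport):
            return rule.action
    return default


def ephemeral_port(rng=random) -> int:
    """The OS picks a random source port per connection (IANA dynamic range)."""
    return rng.randint(49152, 65535)


def simulate_browser(n_sockets: int, rng=random):
    """Each open tab/video socket to the same web server gets its own source
    port; with source port ANY in the rule, every one of them passes."""
    client, server = "192.168.1.10", "203.0.113.5"  # constructed LAN host and web server
    results = []
    for _ in range(n_sockets):
        sport = ephemeral_port(rng)
        results.append((sport, evaluate(OUTBOUND_RULES, "tcp", client, sport, server, 80)))
    return results


def pinned_source_port_result(fixed_sport: int = 2356, rng=random) -> str:
    """What happens if the rule pins the source port instead of the destination:
    the ephemeral port the OS chose almost never equals it, so browsing breaks."""
    pinned = [Rule("pass", "tcp", ANY, fixed_sport, ANY, 80)]
    return evaluate(pinned, "tcp", "192.168.1.10", ephemeral_port(rng), "203.0.113.5", 80)


if __name__ == "__main__":
    for sport, action in simulate_browser(4):
        print(f"tcp 192.168.1.10:{sport} -> 203.0.113.5:80  {action}")
    print("same host to port 25:", evaluate(OUTBOUND_RULES, "tcp", "192.168.1.10", 51000, "203.0.113.5", 25))
    print("rule pinning source port 2356:", pinned_source_port_result())
```

Note that `evaluate` sees only the 5-tuple, which is the point of the answer's last paragraph: a connection to port 80 or 443 passes whether a browser or malware opened it, so the destination-port restriction narrows the exposure but does not replace endpoint protection.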
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 40518730
There you go! That's what I was looking for.
Sorry, I have asked LOTS of questions, and from asking all those questions, I noticed that I have a knack for not explaining myself clearly. You would think I would have gotten better over time, but I still don't do a very good job of it.
Thank you for your help.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40518792
Trying to put what is in your mind down in writing is very difficult at best, and it is darn near impossible when you are trying to ask a question about something you're not 100% sure you understand.

Although your description of how TCP connections work was not 100% accurate, it was close enough that I assumed you knew you could restrict the destination/target port to 80 and that in addition to that you wanted to restrict the source/originating port, and I could not for the life of me figure out why you wanted to restrict both.

Typically you either restrict the destination port or the source port, but very, very seldom do you restrict both.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 40518908
I haven't set up a firewall before. Although I have been working with computers for a LONG time and have picked up a lot of things, I have fragmented knowledge. So even though I have done this for a long time, I got by without a full understanding of a lot of things like firewalls. So I set one up to learn, and I learned a few things like

"Typically you either restrict the destination port or the source port, but very, very seldom do you restrict both. "

That's a great one to know.
0
