Solved

firewall rules

Posted on 2014-12-24
Last Modified: 2014-12-26
I have a question that is more of the operation of a firewall, not necessarily a problem with its operation.
I recently set up pfSense on an old PC and just got it working with the help of an Experts Exchange expert. Since then I've added more firewall rules and they are working fine, so I want to make sure I have the concept of what is happening correct.
When I make a rule, for the source interface, for the port I use any. At first I thought the best security would be to specify a source port, but the source is a computer on my LAN, and, if I have this correct, a PC on my LAN would be using any random port it generates.
For example, on a computer on my LAN, when I click on a link on a webpage, HTTP traffic is port 80, but the computer needs to keep track of several separate data sockets for port 80 because, let's say, on the website I'm on there is a Flash player video running, and I have a few tabs open. So each of those tabs, and that Flash video, all have a separate data socket to whichever web server serves those links. I picture it as: port 80 is a highway, and all the separate sockets are the lanes. These lanes would be assigned a random port number. Unlike on a real highway, the data in the lane it is assigned cannot change lanes. If you are a bit of data and you have been assigned port 2356 on highway 80, you must stay in that lane, and that way the computer knows which link you belong to on a webpage. So because there are all these separate "lanes" on highway 80, and the port assignment for these lanes is random, on the firewall you can't specify a port on the outgoing traffic.
So does that sound like I have this concept correct? Anything I left out? Or even better, is there some trick on a firewall in which you can specify outgoing ports, which would be better security than allowing any port?
Question by: JeffBeall

6 Comments
 
Expert Comment by: giltjr (LVL 57), ID: 40517264
There is no magic trick; for outbound-initiated connections you can't specify source ports, because they are random.

Why would you want to restrict which port numbers are used for outbound connections?
Author Comment by: JeffBeall (LVL 1), ID: 40518464
Because if a computer is infected with malware or a virus, it could try to send out information. So I want to block everything going out. However, since what is going out is random, you need to set outbound ports to any.
So I was hoping that maybe firewalls take this into account, and there would be a way to allow only traffic on port 80 for instance.
Accepted Solution by: giltjr (LVL 57, earned 500 total points), ID: 40518557
O.K., you can. All you need to do is restrict the destination port to 80. The source port still needs to be ANY, because the source port is a random port. On a typical firewall rule there are 5 parameters required:

Protocol (TCP or UDP)
Source IP address
Source Port
Destination IP address
Destination Port

For traffic initiated from inside the firewall, such as when you are surfing the web, your IP address and port are the source and the website you are going to is the destination.

So for that type of traffic typically you would specify protocol TCP, source address of any, source port any, destination address any, and destination port 80.  You would also typically have another rule with the destination port being 443.

As for malware/virus infection sending information out, well if you allow outbound traffic to port 80/443 they are going to send information out anyway.  This is why it is very important to have anti-virus software installed on all computers within your network.
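To make the five-parameter rule above concrete, here is an added example (my own illustration, not pfSense code and not from anyone in this thread). It is a toy first-match rule evaluator over the 5-tuple giltjr lists, fed with connections whose source port is picked at random the way an operating system does. It contrasts a rule that mistakenly pins the source port to 80 with the ruleset from the accepted answer (source port any, destination port 80 or 443), and ends with giltjr's caveat: a beacon that talks HTTPS still passes. The LAN subnet 192.168.1.0/24, the ephemeral range 32768-60999 (the Linux default) and the destination addresses are assumptions made up for the example.

```python
"""Toy first-match firewall evaluator for the 5-tuple discussed above.

Added example, not pfSense's own code. Rule fields mirror the five
parameters from the accepted answer: protocol, source address, source
port, destination address, destination port. The LAN subnet, ephemeral
port range and destination addresses below are assumptions.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Tuple, Union

PortSpec = Union[str, int, Tuple[int, int]]  # "any", one port, or an inclusive range

LAN = "192.168.1.0/24"        # assumed LAN subnet
EPHEMERAL = (32768, 60999)    # assumed ephemeral source-port range (Linux default)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp" or "any"
    src_ip: str        # CIDR or "any"
    src_port: PortSpec
    dst_ip: str        # CIDR or "any"
    dst_port: PortSpec


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        lo, hi = spec
        return lo <= port <= hi
    return port == spec


def _ip_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when all five parameters accept the packet."""
    return (rule.proto in ("any", pkt.proto)
            and _ip_ok(rule.src_ip, pkt.src_ip)
            and _port_ok(rule.src_port, pkt.src_port)
            and _ip_ok(rule.dst_ip, pkt.dst_ip)
            and _port_ok(rule.dst_port, pkt.dst_port))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def new_connection(dst_ip: str, dst_port: int, proto: str = "tcp",
                   src_ip: str = "192.168.1.20", rng=random) -> Packet:
    """Model the OS choosing a random ephemeral source port for a new
    outbound connection; this is why the rule's source port must be any."""
    return Packet(proto, src_ip, rng.randint(*EPHEMERAL), dst_ip, dst_port)


# Mistaken ruleset: pins the *source* port to 80.
SRC_PORT_PINNED = [Rule("pass", "tcp", LAN, 80, "any", 80)]

# Ruleset from the accepted answer: source port any, destination port 80/443.
DST_PORT_RESTRICTED = [
    Rule("pass", "tcp", LAN, "any", "any", 80),
    Rule("pass", "tcp", LAN, "any", "any", 443),
    Rule("block", "any", "any", "any", "any", "any"),  # explicit catch-all
]


def allowed_fraction(rules, dst_port: int, trials: int = 1000, seed: int = 1) -> float:
    """Fraction of freshly opened connections to dst_port that the ruleset passes."""
    rng = random.Random(seed)
    passed = sum(evaluate(rules, new_connection("93.184.216.34", dst_port, rng=rng)) == "pass"
                 for _ in range(trials))
    return passed / trials


if __name__ == "__main__":
    print("source port pinned to 80, web traffic passed:", allowed_fraction(SRC_PORT_PINNED, 80))
    print("dst port 80/443 only, web traffic passed:", allowed_fraction(DST_PORT_RESTRICTED, 80))
    print("dst port 80/443 only, outbound SMTP (25) passed:", allowed_fraction(DST_PORT_RESTRICTED, 25))
    # The caveat from the accepted answer: a beacon speaking HTTPS still gets out.
    beacon = new_connection("198.51.100.7", 443)
    print("malware beaconing to 198.51.100.7:443:", evaluate(DST_PORT_RESTRICTED, beacon))
```

Running it shows the source-port-pinned rule passing none of the web connections (the ephemeral port is never 80), the destination-port ruleset passing all of them while blocking port 25, and the constructed beacon to port 443 passing, which is exactly why the answer says the firewall alone does not stop an infected host from sending data out.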
 
Author Closing Comment by: JeffBeall (LVL 1), ID: 40518730
there you go! that's what I was looking for.
Sorry, I have asked LOTS of questions, and from asking all those questions, I noticed that I have a knack for not explaining myself clearly. You would think I would have gotten better over time, but I still don't do a very good job of it.
Thank you for your help.
Expert Comment by: giltjr (LVL 57), ID: 40518792
Trying to put what is in your mind down in writing is very difficult at best, and it is darn near impossible when you are trying to ask a question about something you're not 100% sure you understand.

Although your description of how TCP connections work was not 100% accurate, it was close enough that I assumed you knew you could restrict the destination/target port to 80, and that in addition to that you wanted to restrict the source/originating port, and I could not for the life of me figure out why you wanted to restrict both.

Typically you either restrict the destination port or the source port, but very, very seldom do you restrict both.
Author Comment by: JeffBeall (LVL 1), ID: 40518908
I haven't set up a firewall before. Although I have been working with computers for a LONG time and have picked up a lot of things, I have fragmented knowledge. So even though I have done this for a long time, I got by without a full understanding of a lot of things, like firewalls. So I set one up to learn, and I learned a few things like

"Typically you either restrict the destination port or the source port, but very, very seldom do you restrict both. "

That's a great one to know.