Allowing all network addresses to communicate over any port outbound

The Lurker

I have been playing around with Sophos UTM for about 6 months now and I think I have pretty much nailed down how to administer it for our needs. But there are a few things I still have questions about, none affect network users day to day directly but I wonder about the imperceptible impacts.

One thing that pops out at me constantly is the sheer volume of dropped packets originating from internal traffic. Currently I only allow devices on the network to communicate over certain ports, as created upon initial install, and then I added a few more for things like Steam, TeamViewer, NTP, FaceTime and etc. But the number of packets being dropped is still tremendous. Sometimes in the 20k range on a particularly busy day spread out over multiple hosts. As I said, it doesn't affect usability but I still wonder about the impact. For example, Google Home will not stop trying to hit the Google DNS server.

This morning, as an experiment, I allowed all network addresses access to all ports to the internet to see what happens to the packet drops.

My questions are: 1. Is this OK? 2. What do you do with your outbound traffic?
 
Hey, The Lurker -

What you are trying to do is actually a good thing, but there can be some difficulties with this.

Generally speaking, blocking all outbound traffic is a secure method. However, you have to make sure you aren't creating your allow rules based on the <source port>. You will need to do it based on the destination port. The reason for this is that client machines use random ports as a source for new sessions, then by use of NAT/PAT, traffic can "find its way back".

The big question is - do you care about this much security on your home network? You could create deny rules for DNS traffic unless its destination IP is not whatever DNS server you prefer, or if you have a local DNS server - only permit outbound DNS from that IP address. There are lots of ways to do this, but it is very important that you aren't allowing/blocking traffic based on source port. I hope this makes sense.
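To make the source-port versus destination-port point concrete, here is a small rule evaluator (added example, not from the thread or from Sophos UTM; the addresses and flows are constructed). It shows that an allow rule keyed on source port 53 misses a client's DNS query, which leaves from an ephemeral port, while matching unrelated traffic that merely happens to use 53 as its source, and that the "only permit outbound DNS from the local resolver" rule works when keyed on destination port plus source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "drop"
    src_net: str = "0.0.0.0/0"      # source address restriction
    src_port: Optional[int] = None  # keying on this is the mistake discussed above
    dst_port: Optional[int] = None  # keying on this is the correct approach
    proto: Optional[str] = None


def first_match(rules, flow, default="drop"):
    """First matching rule wins; unmatched traffic hits the default-drop policy."""
    for r in rules:
        if ip_address(flow.src_ip) not in ip_network(r.src_net):
            continue
        if r.src_port is not None and flow.src_port != r.src_port:
            continue
        if r.dst_port is not None and flow.dst_port != r.dst_port:
            continue
        if r.proto is not None and flow.proto != r.proto:
            continue
        return r.action
    return default


# Constructed flows: a client's DNS query (ephemeral source port), the local
# resolver's DNS query, and an unrelated flow that happens to use 53 as source.
CLIENT_DNS = Flow("192.168.1.20", 51234, "8.8.8.8", 53)
RESOLVER_DNS = Flow("192.168.1.2", 40001, "9.9.9.9", 53)
ODD_FLOW = Flow("192.168.1.20", 53, "203.0.113.9", 4444)

# Wrong: "allow DNS" written against the source port.
WRONG_RULES = [Rule("allow", src_port=53, proto="udp")]
# Right: destination port 53, and only from the local resolver's address.
RIGHT_RULES = [Rule("allow", src_net="192.168.1.2/32", dst_port=53, proto="udp")]
```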
 
Best firewall practices are that the default rule is block everything. Then create rules for needed traffic. Sounds like you were doing this to start with.

The sad thing is that most websites and software are still created like we were living in the early 1990s when the Internet was still fairly safe. Games are some of the worst offenders. The ports and IP addresses for game traffic often seem like a state secret. The IOT is going to be a security nightmare as most devices will assume an open unsecured home network.

Malicious scripts from websites account for some blocked traffic.

And yes, your default block everything rule will accumulate a lot of blocked traffic. Be sure to enable logging on the default rules. If everything you need to work is working, then don't worry about the blocked traffic. Probably something trying to return telemetry data to spy central.
 

I think I need a bit more clarification on allowing/blocking traffic based on destination port. But this is what I have and had.

The firewall right now is simple. The source is "internal network", Service is "Any" and destination is "Any".

Before my experiment, I had individual rules with source "internal network" and destination "any". But the services would be unique. Steam, Web Surfing, Facetime, Teamviewer, NTP, Skype and DNS.

Looking into the config of the service, I always have a specific destination port and 1:65536 source port.

As far as security, I consider myself an advanced home user. I don't really have any reason to block outbound traffic aside from reducing the bandwidth footprint and the likelihood of spam and viruses getting through.

Is it possible you're blocking broadcast traffic?
I had to google that, but the answer is no because I can see the destination IP is the WAN.
 
Log blocked packets, dump log, do some sorting/statistics, and start investigating.

Top blocked packets by dest port, dest ip, src ip, etc. Is it a few internal systems causing a lot of this traffic, or maybe a few destinations to the same port (some service you haven't thought of). Find individual systems and start looking at the corresponding traffic, which processes are building the connections, dump DNS queries, etc.

Need some metrics then you can start finding the cause.
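The triage described above, as an added example that is not from the thread: parse a dump of drop-log lines, rank drops by destination port, destination IP and source IP, then pull out everything a single host was blocked on. The log format and addresses are constructed for the example and are not real Sophos UTM output.

```python
import re
from collections import Counter

# Constructed drop log (key=value fields); one "allow" line is included to show it is skipped.
LOG = """\
2017-02-14 22:01:03 drop srcip=192.168.1.31 dstip=198.51.100.7 proto=17 srcport=44100 dstport=4886
2017-02-14 22:01:03 drop srcip=192.168.1.31 dstip=198.51.100.7 proto=17 srcport=44100 dstport=4886
2017-02-14 22:01:03 drop srcip=192.168.1.31 dstip=198.51.100.7 proto=17 srcport=44100 dstport=4886
2017-02-14 22:01:04 drop srcip=192.168.1.31 dstip=198.51.100.7 proto=17 srcport=44100 dstport=4886
2017-02-14 22:01:05 drop srcip=192.168.1.20 dstip=8.8.8.8 proto=17 srcport=51234 dstport=53
2017-02-14 22:01:09 drop srcip=192.168.1.20 dstip=8.8.8.8 proto=17 srcport=51240 dstport=53
2017-02-14 22:01:10 allow srcip=192.168.1.20 dstip=203.0.113.5 proto=6 srcport=50022 dstport=443
2017-02-14 22:01:12 drop srcip=192.168.1.40 dstip=203.0.113.5 proto=6 srcport=50023 dstport=443
"""

FIELDS = re.compile(r"srcip=(\S+) dstip=(\S+) proto=(\d+) srcport=(\d+) dstport=(\d+)")


def parse_drops(text):
    """Yield one dict per dropped packet; allow lines and unparseable lines are ignored."""
    for line in text.splitlines():
        if " drop " not in line:
            continue
        m = FIELDS.search(line)
        if m:
            yield {"src": m[1], "dst": m[2], "proto": int(m[3]),
                   "sport": int(m[4]), "dport": int(m[5])}


def top(drops, key, n=3):
    """Most common values of key(drop), e.g. destination port, as (value, count) pairs."""
    return Counter(key(d) for d in drops).most_common(n)


def summarize(text):
    drops = list(parse_drops(text))
    return {
        "total": len(drops),
        "by_dst_port": top(drops, lambda d: (d["proto"], d["dport"])),
        "by_dst_ip": top(drops, lambda d: d["dst"]),
        "by_src_ip": top(drops, lambda d: d["src"]),
    }


def drops_for_host(text, src_ip):
    """Distinct (dst ip, proto, dst port) tuples one internal host was blocked on."""
    return sorted({(d["dst"], d["proto"], d["dport"])
                   for d in parse_drops(text) if d["src"] == src_ip})
```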
 
As I understand it, in Sophos other than the location/country blocking, the firewall is mostly a suggestion that's largely ignored. Most of the traffic blocking is done through the filters, and this is evidenced by Sophos routing between subnets within a network even though there are explicit rules denying this behavior in the firewall. There are a couple of threads on the Sophos forum about it, and the answer is to use regex statements in the web filter (?) to deny the traffic. Sophos' behavior has to do with the order of operations on the system, and the firewall is processed last (other than country blocking). So, basically if the web filter allows the traffic, then even if the firewall has a deny rule it will still allow it to pass.

What I've done in the past with networks I am OK keeping fairly open but still want some semblance of security is to allow all outbound ports, except a list I've generated of ports I don't want leaving (email, DNS, file sharing, etc). Or, I've done fairly strict rules, then when I want to play an online game or something have a disabled rule that allows all and I enable it while playing and disable when I'm done.

Sophos can be a pain to troubleshoot sometimes, because there are so many places something can be blocked that it's hard finding which log to watch. I've had 8 log windows open testing traffic, having traffic not moving through the UTM, and nothing is showing up on the logs.

I haven't run Sophos UTM in almost a year now though, so some things could have changed.
 
OK. So allowing all ports outbound has definitely cut down on the dropped packets. 20k per day to 6k. That's huge. The largest number right now that makes up half the dropped packets is my Axon 7 over UDP/4886. I have been trying to figure out the cause of what on the phone is using that port, but have had no luck. Does anyone have any suggestions?
 
Do you happen to use Firefox on your Android? https://bugzilla.mozilla.org/show_bug.cgi?id=888268

YES!!!!

This is exactly what I have going on.

Specifically:
If you're on wifi and an IPv4 DHCP network we will send 0 length UDP packets at port 4886 of your gateway at the default rate of 60hz for 400ms from the start of the transaction in an attempt to improve RTT during the critical early phases. I call this "tickle time".

Guess it's not really a problem. But I wonder why only Firefox has this.

Thank you for finding this, you have no idea how long I have been searching for "Android and port 4886" and getting absolutely nothing. I was beginning to suspect Chinese backdoor spy software.

Obviously, now that I allowed all ports to communicate the packet drops stopped. But it's good to know the culprit is benign.
 
You are welcome. This is why a lot of people don't bother blocking all outbound traffic, and then end up playing the reactive game with security threats - which is not something I advocate.

Anything left outstanding on this?
 

Nothing hugely offensive. I think most of the stuff is related to country blocking. Packets off the HTPC seem to be Torrent related, probably ports trying to reach countries I'm blocking. But more importantly the volume has gone down significantly.

 