Locking down traffic out

I am trying to lock down traffic out as much as possible.
I am not too worried about disclosing my IP ranges, as they are both private and non-routable; I don't think they are any use to anyone without my public IP.
Here is my config and the reason I have allowed them.
1) Is there any way to limit BOOTP and DHCP to an interface rather than an IP, as the IP has not been assigned when I need them? Here is the rule I am using now.
2) Any suggestions as to what ports should be opened or closed that I might have missed?
3) What problems might I have made for myself with a config this tight?

In/Out  Proto  LAN/WAN  DestPort  Purpose
OUT     UDP    LAN/WAN  67        BOOTP (request)
IN      UDP    LAN/WAN  68        DHCP (ack)
OUT     UDP    LAN/WAN  53        DNS
OUT     TCP    LAN/WAN  80        HTTP
OUT     TCP    LAN/WAN  123       NTS (Network Time Server)
OUT     TCP    LAN/WAN  443       HTTPS
OUT     TCP    LAN/WAN  465       SMTP-SSL
OUT     TCP    LAN/WAN  995       POP3-SSL

The next 2 are covered in rules 3.0 and 3.1:
OUT     TCP    LAN      2967      Symantec Client Communication
OUT     TCP    LAN      38293     Symantec Client

  1. Locked down WAN Out for CFP.reg
    3.0. ALLOW IP OUT FROM IP [Any] TO IP IP Zone : [Lan] – XXX.XXX.XXX.0/XXX.XXX.XXX.255 WHERE IPPROTO IS [Any]
    3.1. ALLOW IP IN FROM IP IP Zone : [Lan] – XXX.XXX.XXX.0/XXX.XXX.XXX.255 TO IP [Any] WHERE IPPROTO IS [Any]
    3.2. ALLOW UDP OUT FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN[67,68,]
    3.3. ALLOW TCP or UDP OUT FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN[53,80,123,443,465,995,]
    3.4. ALLOW ICMP OUT FROM IP [Any] TO IP [Any] WHERE ICMP MESSAGE IS ECHO REQUEST
    3.5. ALLOW ICMP IN FROM IP [Any] TO IP [Any] WHERE ICMP MESSAGE IS FRAGMENTATION NEEDED
    3.6. ALLOW ICMP IN FROM IP [Any] TO IP [Any] WHERE ICMP MESSAGE IS TIME EXCEEDED
    3.7. ALLOW IP OUT FROM IP [Any] TO IP [Any] WHERE IPPROTO GRE
    3.8. BLOCK and LOG IP IN or OUT FROM IP [ANY] TO IP [ANY] WHERE IP PROTO IS [ANY]

Hi Opus Dei and welcome to the forums (:WAV)

  1. No, for the current version of CFP it cannot be done. You will have to wait for version 3 and see if it has such an option.

  2. It seems that you covered most of the ports. Probably you will not need other ports.

3.2 I don't think you need this. It is covered by the paired zone rules.

3.3 You can restrict this one like:
ALLOW TCP or UDP OUT FROM IP [Your Zone] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN[53,80,123,443,465,995,]

3.7 If you want to lock down your traffic to only the ports you mentioned above, you must delete this rule, since it overrides the settings of the above rules :wink:

Hope it helps :smiley:
Panagiotis

p.s. if you have more questions, feel free to ask.

O.D.

3 suggestions for you based on my own restricted rules:

3.2 should be Source Port 68, Destination Port 67, assuming your PC is only a DHCP client (requesting an IP assignment from a DHCP server).

3.3 You could break out port 53 into one or 2 separate UDP rule(s) and constrain the destination IPs to your DNS servers. The rest of this rule could then be a TCP-only rule.

3.3 If you want to support Macromedia Flash server requests, add port 1935 to the list.

AJB (a.k.a Birdman)
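As an added illustration (not code from this thread or from CFP itself), here is a small first-match rule evaluator in Python that models the tightened rule set Birdman suggests: 3.2 narrowed to source port 68 / destination port 67, 3.3 split into UDP 53 to specific DNS servers plus a TCP-only rule for the remaining ports, and 3.8 as the final block. The LAN range and the DNS server addresses are constructed placeholders, and the ICMP and GRE rules are left out for brevity.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass
class Packet:
    direction: str              # "OUT" or "IN"
    proto: str                  # "TCP", "UDP", "ICMP", "GRE", ...
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class Rule:
    action: str                           # "ALLOW" or "BLOCK"
    direction: Optional[str] = None       # None matches IN and OUT
    protos: Optional[Set[str]] = None     # None matches any IP protocol
    src_net: Optional[str] = None         # None matches any address
    dst_net: Optional[str] = None
    src_ports: Optional[Set[int]] = None  # None matches any port
    dst_ports: Optional[Set[int]] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and (self.protos is None or p.proto in self.protos)
                and (self.src_net is None or ip_address(p.src_ip) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(p.dst_ip) in ip_network(self.dst_net))
                and (self.src_ports is None or p.src_port in self.src_ports)
                and (self.dst_ports is None or p.dst_port in self.dst_ports))

LAN = "192.168.1.0/24"                          # constructed stand-in for XXX.XXX.XXX.0/255
DNS_SERVERS = ["203.0.113.53", "203.0.113.54"]  # constructed placeholder resolver addresses

# Tightened rule set; order matters because the first matching rule decides.
RULES = [
    Rule("ALLOW", "OUT", None, None, LAN),                                # 3.0 anything out to the LAN zone
    Rule("ALLOW", "IN", None, LAN, None),                                 # 3.1 anything in from the LAN zone
    Rule("ALLOW", "OUT", {"UDP"}, None, None, {68}, {67}),                # 3.2 DHCP client request only
    *[Rule("ALLOW", "OUT", {"UDP"}, None, s + "/32", None, {53}) for s in DNS_SERVERS],  # 3.3 UDP DNS to listed resolvers
    Rule("ALLOW", "OUT", {"TCP"}, None, None, None, {53, 80, 123, 443, 465, 995}),       # 3.3 TCP-only remainder
    Rule("BLOCK"),                                                        # 3.8 block everything else
]

def verdict(p: Packet, rules=RULES) -> str:
    """Return the action of the first rule that matches the packet (implicit block if none)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "BLOCK"
```

Note that the evaluator is stateless, so it says nothing about replies (e.g. the DHCP ack on port 68) that a stateful firewall would admit on its own.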

Thanks for the input, you have been a big help.

One question: exactly 3.0 & 3.1

No, I put that in because I get a DHCP address from the WAN and was having problems with losing my address; however, Birdman gave a good suggestion on tightening that up.

-------Off topic------
Any other good websites or info on LAN/WAN security would be appreciated, always looking to learn more.