    Firewall rules for outgoing traffic

    IT Discussion
• JaredBusch

  Restricting outbound traffic is a stupid technical answer to a management problem.

  You will spend more time dealing with crap issues than you will ever gain as a benefit to doing something like this.

• JaredBusch

  Wait, I lied, I do block outbound TCP port 25. I don't need my public IP blacklisted.

• scottalanmiller (replying to 1337)

  @pete-s said in Firewall rules for outgoing traffic:

    What is best practice for SMB?

  SMB the protocol? Or SMB meaning small business?

• 1337 (replying to scottalanmiller)

  @scottalanmiller said in Firewall rules for outgoing traffic:

    @pete-s said in Firewall rules for outgoing traffic:

      What is best practice for SMB?

    SMB the protocol? Or SMB meaning small business?

  Small business. The enterprises I've seen have heavy restrictions on outbound traffic.

• pmoncho (replying to 1337)

  @pete-s said in Firewall rules for outgoing traffic:

    @scottalanmiller said in Firewall rules for outgoing traffic:

      @pete-s said in Firewall rules for outgoing traffic:

        What is best practice for SMB?

      SMB the protocol? Or SMB meaning small business?

    Small business. The enterprises I've seen have heavy restrictions on outbound traffic.

  I used to limit outbound traffic but, like @JaredBusch said, it became hard to manage with all the crap issues and the numerous small changes constantly. The outbound rules started to add up and after much deliberation, we decided to scrap it.

• scottalanmiller (replying to 1337)

  @pete-s said in Firewall rules for outgoing traffic:

    @scottalanmiller said in Firewall rules for outgoing traffic:

      @pete-s said in Firewall rules for outgoing traffic:

        What is best practice for SMB?

      SMB the protocol? Or SMB meaning small business?

    Small business. The enterprises I've seen have heavy restrictions on outbound traffic.

  Ah ha, that's not what we had all thought. So that changes our answers a bit.

• scottalanmiller

  I'm with the others, then. Blocking port 25 can be good. Beyond that, basically nothing should normally be blocked.

• Kelly

  Outside of port 25 it is a business decision, not a technical one. I worked at a company that was contractually required to whitelist outbound ports. Thankfully we didn't have requirements on which ones we had to whitelist (hooray for government contracting). So we did. We analyzed the outbound ports being used and opened them up (except for some really strange ones, where we talked to the originator first).

• Obsolesce (replying to 1337)

  @pete-s said in Firewall rules for outgoing traffic:

    Do you use a http proxy?

  I have two http/https proxies set up for special systems and PCs that need LAN access and very specific whitelisted domains on the internet... but all else is blocked.

• Mike Davis

  Outside of port 25, the only other time I have to do anything with outbound traffic is when I have load balancing across two ISPs enabled. Applications like voice and some secure sites that don't like the source address bouncing around require that.

• black3dynamite

  Block all DNS servers except for the one you provide via DHCP?

• PhlipElder

  Deny All by default.
  If on-premises Exchange server then SMTP 25 TLS 587 only from there.
  DNS UDP/TCP queries to the local DC(s) only.
  HTTP/HTTPS global allow.

  • Edge should support subnet/IP/Country and other forms of blacklist blocking.

  AD based Group permissions at the edge if required.
  WiFi/WAPs all on separate subnet and VLAN with DHCP handled by the controller or edge.

  We find out really quick if there are any vendors asking for alternate port access to their "services". One example is the copier provider's reports that need to be "filed" once a month at a client site. Kludge system using old tech.

  We had an absentminded owner click on a link with the baddie being blocked at the edge because it was trying to download via alternate port.

  Those are the basics. One can tailor to the client's specific needs.

• PhlipElder (replying to black3dynamite)

  @black3dynamite said in Firewall rules for outgoing traffic:

    Block all DNS servers except for the one you provide via DHCP?

  Correct.

  If a SPAMbot gets in and tries to run itself independent of the production network it can't.

• scottalanmiller (replying to black3dynamite)

  @black3dynamite said in Firewall rules for outgoing traffic:

    Block all DNS servers except for the one you provide via DHCP?

  Not necessarily via DHCP, but whatever ones you have approved. 1.1.1.1, 8.8.8.8, for example.

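Added example, not code from any poster in this thread: an nftables ruleset that implements the deny-all-by-default egress policy PhlipElder lays out above (SMTP only from the on-premises mail server, DNS out only from the domain controllers to approved resolvers as in the black3dynamite/scottalanmiller exchange, HTTP/HTTPS allowed, everything else logged and dropped). The interface names, subnet and host addresses are constructed placeholders; only 1.1.1.1 and 8.8.8.8 come from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Deny-by-default egress policy for a
# small-business edge. Interface names and addresses are constructed placeholders.
flush ruleset

define lan_if   = "eth0"                          # assumed internal interface
define wan_if   = "eth1"                          # assumed internet-facing interface
define lan_net  = 192.168.10.0/24                 # constructed LAN subnet
define mail_srv = 192.168.10.25                   # constructed on-premises Exchange host
define dc_dns   = { 192.168.10.5, 192.168.10.6 }  # constructed local DCs (internal resolvers)
define ext_dns  = { 1.1.1.1, 8.8.8.8 }            # approved upstream resolvers named in the thread

table inet egress {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows already permitted come back; new flows are decided below.
        ct state established,related accept
        ct state invalid drop

        # Only LAN -> WAN traffic is evaluated; any other forwarded direction
        # (e.g. unsolicited WAN -> LAN) falls through to the drop policy.
        iifname $lan_if oifname $wan_if jump lan_to_wan
    }

    chain lan_to_wan {
        # SMTP (25) and submission (587) only from the mail server, so a
        # compromised workstation cannot get the public IP blacklisted.
        ip saddr $mail_srv tcp dport { 25, 587 } accept

        # DNS leaves the network only from the DCs and only to approved
        # resolvers; a client resolving elsewhere (or a bot with its own
        # resolver list) is dropped and logged.
        ip saddr $dc_dns ip daddr $ext_dns udp dport 53 accept
        ip saddr $dc_dns ip daddr $ext_dns tcp dport 53 accept

        # Web traffic allowed globally for the LAN.
        ip saddr $lan_net tcp dport { 80, 443 } accept

        # Everything else: log it so vendor "alternate port" requests and
        # blocked downloads show up in the kernel log, then drop.
        log prefix "egress-drop: " counter drop
    }
}
```

Load it with `nft -f` and review `journalctl -k | grep egress-drop` (or `dmesg`) for a while; the drop log is where the vendor "alternate port" requests and the blocked downloads described above become visible before you decide whether to add a rule.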