Required 'Services' (outbound protocol/ports)

Up until now, I’ve been running my firewall rules with the services (ports) set to ‘Any’ but I’d like to configure it such that only the services that I define are allowed. I know this will likely break a lot of things and require troubleshooting from time to time but it’s also a learning experience for me while creating a more secure home network. Based on some research, these are the ports I think I would need for basic web browsing and email:

Basic Web Browsing (e.g. Safari, Chrome, Firefox)

  • HTTP – TCP:80
  • HTTPS – TCP:443
  • DNS – TCP/UDP: 53 

Basic Email Client (e.g. Apple Mail w/ iCloud & Gmail)

  • IMAP – TCP:143
  • IMAP(S) – TCP:993*
  • SMTP – TCP:25
  • SMTP(S) – TCP:587 (TLS)
  • SMTP(S) – TCP:465 (SSL)

* These services are not created by default in Sophos XG.

Note: Not all of these are required depending on your setup. For example, I don’t use any of the unsecured ports or SSL for SMTP, so I only needed TCP:993 and TCP:587.

Is there anything else I’m missing for web browsing and email? One thing I’m not sure about is if ICMP is required for these two tasks. I was having some issues accessing Gmail via my Apple Mail application and after adding the ICMP service to my firewall rule, it appeared to be working again but that might have just been coincidence. 

As for the rest of the devices on my network, I’ve had pretty good luck finding the ports they require outbound but there’s some devices like Ring that appear to use ports beyond what’s listed on their website, which is frustrating. There’s also one device that the manufacturer claims they can’t provide that information for security reasons. 

Is there any way to drop all active connections (similar to what you can do in pfSense or OPNsense)? The reason being that after I make a change to a firewall rule, my understanding is that the firewall changes won’t apply to an already established connection, so I have no way to really assess whether my changes are working as intended or not.

Is there a way to log only ports that are being blocked?

Any additional information or inputs would be much appreciated. One thing I did notice is the ‘Policy Test’ tool in Sophos XG appears to show the wrong firewall rule. For example, I enter ‘www.google.com’ for the URL and set the ‘Source IP’ address to my Macbook Air. When I click ‘Test’, the results show up as expected except for the ‘Firewall Rule’ which is showing my last firewall rule which is not what my Macbook Air is using. Every device I test using this ‘Policy Test’ shows the same firewall rule.

This thread was automatically locked due to age.
  • Hi shred,

    I took a different approach: the default XG rule works without a problem. I wait until an application doesn't work and then investigate it, but there are little gotchas, e.g. YouTube videos in Facebook from time to time just stop playing. I added some extra sites at one stage. Also, as someone else pointed out, ad blocking is fantastic until companies start using ad sites for valid web services. At the moment XG has some safe search stuff locked, but it will shortly (in XG terms, sometime in the next year or two) be breaking the link so that YouTube videos work correctly.

    I have been adding and removing rules as I learn more about the applications, on the basis that simpler rules are easier to follow logically.

    I would recommend you put your "block MS insecure ports" rule immediately above your "access any" rule. Remember that rule ordering can affect your XG performance, e.g. the more rules that need to be traversed before the correct rule is reached, the slower access is. In my case this is not an issue, as the internet links are sooo slow.

    Ian
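Added example, not code from the thread and not an XG configuration: a small first-match policy evaluator that models the two ideas discussed above, the original post's outbound service allow-list for web browsing and mail (DNS, HTTP/S, IMAPS, submission, ICMP) with a default deny that logs only what it drops, and Ian's point that a "block MS insecure ports" rule only has an effect if it sits above the permissive rule. The rule names, the Microsoft port list (135, 137-139, 445), the device addresses and the flow records are constructed assumptions for the demonstration. The drop log is also the practical answer to "which ports does a device like Ring actually need": anything a device hits that lands on the default-deny rule shows up there.

```python
"""Ordered, first-match outbound policy over constructed flow records.

Added example (hypothetical; not the Sophos XG rule engine or any XG API).
The MS insecure-port list, the allow-list and the sample flows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source host on the LAN
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for icmp, which has no port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "drop"
    protos: frozenset  # protocols the rule applies to
    ports: frozenset   # destination ports; empty set means "any port"


def rule(name, action, protos, ports=()):
    return Rule(name, action, frozenset(protos), frozenset(ports))


# A permissive "services: Any" rule like the one the poster is moving away from.
ALLOW_ANY = rule("allow-any", "allow", {"tcp", "udp", "icmp"})

# Ordered policy; the first rule that matches decides, as in XG / pf rule tables.
POLICY = [
    # Ian's suggestion: block the insecure Microsoft ports ABOVE the broad rules.
    rule("block-ms-insecure", "drop", {"tcp", "udp"}, {135, 137, 138, 139, 445}),
    # The poster's web + mail allow-list (only the ports they said they use).
    rule("dns", "allow", {"tcp", "udp"}, {53}),
    rule("web", "allow", {"tcp"}, {80, 443}),
    rule("mail", "allow", {"tcp"}, {993, 587}),
    rule("icmp", "allow", {"icmp"}),
    # Catch-all: everything not explicitly allowed is dropped (and logged below).
    rule("default-deny", "drop", {"tcp", "udp", "icmp"}),
]


def matches(r, f):
    return f.proto in r.protos and (not r.ports or f.dport in r.ports)


def evaluate(policy, f):
    """Return (action, rule_name) of the first matching rule."""
    for r in policy:
        if matches(r, f):
            return r.action, r.name
    raise ValueError(f"no rule matched {f}; the policy needs a catch-all rule")


def drop_log(policy, flows):
    """Log only dropped flows: {(src, proto, dport, rule_name): count}."""
    hits = defaultdict(int)
    for f in flows:
        action, name = evaluate(policy, f)
        if action == "drop":
            hits[(f.src, f.proto, f.dport, name)] += 1
    return dict(hits)


def unexplained_ports(log):
    """Per device, the (proto, port) pairs that hit default-deny, i.e. the
    candidates to research and add as services, not the deliberate blocks."""
    out = defaultdict(set)
    for (src, proto, dport, name) in log:
        if name == "default-deny":
            out[src].add((proto, dport))
    return {src: sorted(v) for src, v in out.items()}


# Constructed sample traffic: a laptop doing web + mail, an IoT device talking
# to its cloud on ports not in the allow-list, and a Windows host trying SMB.
SAMPLE_FLOWS = [
    Flow("10.0.0.10", "udp", 53), Flow("10.0.0.10", "tcp", 443),
    Flow("10.0.0.10", "tcp", 993), Flow("10.0.0.10", "tcp", 587),
    Flow("10.0.0.10", "icmp", 0),
    Flow("10.0.0.20", "tcp", 443), Flow("10.0.0.20", "tcp", 8883),
    Flow("10.0.0.20", "tcp", 8883), Flow("10.0.0.20", "udp", 123),
    Flow("10.0.0.30", "tcp", 445),
]

if __name__ == "__main__":
    log = drop_log(POLICY, SAMPLE_FLOWS)
    for key, n in sorted(log.items()):
        print(f"DROP {key[3]:18} {key[0]} {key[1]}/{key[2]} x{n}")
    print("ports to investigate:", unexplained_ports(log))
    # With the block rule below an "any" rule it never fires:
    print(evaluate([ALLOW_ANY] + POLICY, Flow("10.0.0.30", "tcp", 445)))
```

The last line of the `__main__` block is the ordering point: with `ALLOW_ANY` placed first, SMB to port 445 is allowed and the block rule is dead weight, whereas in `POLICY` it is dropped by `block-ms-insecure`. Note that this evaluator looks at each flow independently; a real stateful firewall keeps matching an already established session against the rule it was admitted under, which is why the poster cannot see a rule change take effect until the old connection is torn down.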