Sigh, okay I am trying XG again...

I have it installed, and I *think* I have some things configured correctly.  I have been running this only a couple of days, and that is longer than any time before.  ;)  So, there is some hope still of me keeping this (long time UTM user - old dog, new tricks issues).

I do have some questions and concerns about XG:

- Why are we not allowed to edit the Exceptions lists that are built-in?  Microsoft Updates are disabled by default in exceptions, and Office Updates are being blocked by default.  That's a bit concerning to me.

- Rules and Policies are still an absolute mess to me, but the Assistant does help a little bit (a lot) with this.  Thank you for that tool built-in.

- I do a lot of gaming and I am used to having to open ports to make things work.  I have yet to open a gaming port after being on XG - how is that possible?  And, adding a custom port to open (HomeAssistant) was painful to get right.  Does XG 'just know' what to block here?  This is my big concern with this: A rogue PC/device/etc on the local LAN transmitting out to a site.  It seems pretty solid for anything incoming, but outgoing I question.  Perhaps I don't understand the behavior of XG in how it handles outbound traffic, but at first look it feels like everything is open and you have to close everything up, completely contradictory to what it's always been.

- I have an extremely large list of web ad URLs.  It appears that the only thing I can use to add this for filtering is creating categories and applying them to be blocked in my policy.  The issue I have with this is that I am only allowed 2,000 entries per category, so this isn't an effective method of blocking ads.  I had to create seven categories and add them to a policy to filter out some ads (aside from any other filtering going on).  I could have just set this up completely wrong, but was the only thing I saw where I could import text files.

- Is there going to be any kind of allowed modification to change the display, such as the connection list?  I have a 4k monitor with a 3840 resolution.  I have to scroll through everything to be able to see it all, even with this large a resolution, because these lists don't adapt to screen sizes.

I have more, but I can make another post or reply later on.  I'm sure   will hate me being here (ha!) as I am pretty critical of this software and keeping them on their toes.  I really do want to like it and use it but I have no time for boxing matches with software, and if it's not for me then so be it.  I'll give it a fair try this time (I've only been able to stomach this software in the past for only about four hours before I went back to UTM).



  • Perhaps I don't understand the behavior of XG in how it handles outbound traffic, but at first look it feels like everything is open and you have to close everything up, completely contradictory to what it's always been.

    The XG has a default allow firewall rule from LAN, any host, to WAN. I think that is pretty similar to the default UTM allow rule of Internal --> ANY service --> External, but you are right in that it will allow everything outbound. You should delete that rule and only allow the essential services to get you started, like HTTPS/HTTP/NTP/DNS/Up2Date outgoing, and then add rules for any other outgoing services you need.

    It seems like a pain trying to add all those web ad URLs. I looked into AdGuard home DNS which links your devices to ad guard's cloud DNS service to let you choose adblocking lists just like the browser add-ons, but it's all done from their DNS servers. That way you'll not have to worry about importing all those lists.

  • The XG has a default allow firewall rule from Lan, any host, to WAN.

    Yes I see that now as I was reading the replies - thanks for that.

    The XG allows the ports you have enabled in your rules, then opens other ports as requested by the connection; this is a function of stateful-inspection firewall design, and those ports are closed at the end of the connection.

    Good to know, and as Alan pointed out I have an edit to make. ;) As for the Office updates, I planned on just cloning and modifying my own to fit; I was really just curious why none of the ones built into the installation were accessible to edit.

    No firewall will stop a rogue device from transmitting to the internet, but how much and where it connects to are dependent on how tight your firewall rules are.

    My big concern here is really about my cameras - most want to make that connection to the outside for whatever reason and do their thing.  I don't like that, and I shut them down with rules. That's about the only rogue device I anticipate on my network, as we are pretty aware what happens here.  You never know what will happen though and I again defer to Alan's (now obvious mention) rule modifications.

    Thanks all. :)

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • I have country blocks at the top of my rule lists, only works for outgoing on most sites. My cameras are only allowed to talk to the camera companies cloud server using specific ports.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Does this look correct to block outbound traffic to certain countries?  I want to make sure I understand the Rule structure correctly:


  • I wonder if you could create a null IP address outside of the DHCP range, and point your camera's settings to use this "blackhole" in a destination NAT rule.

    The other option is a firewall rule blocking the camera from connecting outbound which would work as usual.

  • Your country blocking rule looks good; it needs to be in position 1.


  • Yeah I thought about that, and they oddly enough use a 169.x address when they transmit.  They don't use my assigned IP, which irks me, but the 9999 port they use gets them every time.


  • Yep, got it there now.  Thanks.


  • Isn't that 169.x address assigned to a device when it can't find the default gateway?

    I meant... 169.254.X.X means a device cannot obtain an IP address from a DHCP server, and this address cannot reach the internet.

    This is an APIPA address www.lifewire.com/automatic-private-internet-protocol-addressing-816437

  • Yeah, and yet they still would try when I had UTM running.  You could see the traffic going to some IP in China.  I think UTM was picking that IP up, while they were using their own IP to transmit.  I leave off the gateway in the cameras, and I access my camera system via VPN if I am not at home.

    Edit:  My guess would be a built in P2P.  I had an older set of cameras that had that so hidden, I had to contact the seller to get the firmware update to make the P2P visible to users to turn it off.  I have changed cameras since to Reolink, but they could be just as shady with that stuff.


  • I see. Lucky your brand of camera does not automatically reboot and load Google's DNS servers (8.8.8.8) if it can't find the default gateway. These have hard-coded DNS. For that reason, I use a NAT rule which might be of use.

    (Camera's IP address) using (any service), going to (Google DNS)......change destination to (Blackhole)

    That way the camera, as it's normally configured, can still connect to the internet to do NTP. Pi-hole blacklists the camera's cloud service, and if the camera reboots for any reason, all DNS queries to Google are sent to the blackhole. I could just as well create a NAT rule directing all DNS from the camera to the Pi-hole, which always blocks the cloud service, but it requires a source NAT rule too, which causes issues.
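A small model of the two mechanisms this thread keeps coming back to: first-match evaluation of the LAN-to-WAN rule table (the shipped default-allow rule versus a tightened allowlist with the country block in position 1) and a destination NAT rule that sends a camera's hard-coded Google DNS queries to a blackhole before the rule table is consulted. This is an added example, not Sophos code and not how the XG rule engine is implemented; the hosts, the 192.168.10.0/24 LAN, the blackhole address and the use of 203.0.113.0/24 as a stand-in for a country's prefixes are all constructed for the example.

```python
"""First-match rule evaluation for LAN-to-WAN traffic, modelled on the rules
discussed in this thread.  Added example: this is not Sophos code and not the
XG rule engine; hosts, networks and the "country" prefix are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def zone(ip: str) -> str:
    """Constructed zone model: RFC1918 space is LAN, everything else is WAN."""
    a = ip_address(ip)
    return "LAN" if any(a in n for n in RFC1918) else "WAN"


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "drop"
    src_zone: str = "LAN"
    dst_zone: str = "WAN"
    src_hosts: tuple = ()     # empty means any host in the zone
    dst_nets: tuple = ()      # empty means any network in the zone
    services: tuple = ()      # (proto, port) pairs; empty means any service

    def matches(self, c: Conn) -> bool:
        d = ip_address(c.dst)
        return (zone(c.src) == self.src_zone and zone(c.dst) == self.dst_zone
                and (not self.src_hosts or c.src in self.src_hosts)
                and (not self.dst_nets or any(d in ip_network(n) for n in self.dst_nets))
                and (not self.services or (c.proto, c.dport) in self.services))


@dataclass(frozen=True)
class Dnat:
    """Destination NAT: rewrite the destination before the rule table is consulted."""
    src_hosts: tuple
    dst_nets: tuple
    new_dst: str

    def apply(self, c: Conn) -> Conn:
        d = ip_address(c.dst)
        if c.src in self.src_hosts and any(d in ip_network(n) for n in self.dst_nets):
            return Conn(c.src, self.new_dst, c.proto, c.dport)
        return c


def decide(rules, c: Conn, dnat=()):
    """Return (action, matching rule name, final destination).  An unmatched
    connection falls through to the implicit drop at the bottom of the table."""
    for n in dnat:
        c = n.apply(c)
    for r in rules:
        if r.matches(c):
            return r.action, r.name, c.dst
    return "drop", "implicit default drop", c.dst


# --- constructed hosts and rule sets (not a real deployment) ------------------
PC, CAMERA, BLACKHOLE = "192.168.10.20", "192.168.10.50", "192.168.10.254"
COUNTRY_BLOCK = ("203.0.113.0/24",)   # TEST-NET-3 standing in for a country's prefixes
ESSENTIAL = (("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123))

DEFAULT_XG = [Rule("Default LAN to WAN", "allow")]            # the shipped default
TIGHTENED = [
    Rule("Block countries", "drop", dst_nets=COUNTRY_BLOCK),  # position 1
    Rule("Essential services", "allow", services=ESSENTIAL),
]
WRONG_ORDER = [TIGHTENED[1], TIGHTENED[0]]                    # country block after the allow
CAMERA_DNAT = [Dnat((CAMERA,), ("8.8.8.8/32", "8.8.4.4/32"), BLACKHOLE)]

SAMPLES = {
    "pc https": Conn(PC, "198.51.100.20", "tcp", 443),
    "camera p2p 9999": Conn(CAMERA, "203.0.113.9", "tcp", 9999),
    "camera cloud https": Conn(CAMERA, "203.0.113.9", "tcp", 443),
    "camera google dns": Conn(CAMERA, "8.8.8.8", "udp", 53),
}

if __name__ == "__main__":
    for label, c in SAMPLES.items():
        for name, rules in (("default", DEFAULT_XG), ("tightened", TIGHTENED), ("wrong order", WRONG_ORDER)):
            print(f"{label:20} {name:12} -> {decide(rules, c, CAMERA_DNAT)}")
```

Running it shows the three behaviours the replies describe: under the shipped rule everything outbound is allowed, including the camera's port 9999 traffic; under the tightened table the same connection is dropped by the country block, and a port-9999 connection to an unblocked address falls through to the implicit drop; with the country block moved below the allow rule, HTTPS to the blocked range is allowed, which is why that rule has to sit in position 1. The DNAT rule rewrites only the camera's queries to Google DNS, so the PC's DNS still goes out untouched.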

  • Luckily, I can set all of that (that I know of, lol) when I set up the cameras, even NTP.  I've set up a rule to drop that traffic and log it, so I can see if that works.  If there's nothing in the log by tomorrow, I'll know I set it up wrong or need a better solution.  ;)

    At the moment, because I changed my IP schema, I have to hunt down those IPs...  I put them here somewhere.


  • Reolink are a French company as far as I can tell, and mine have not tried talking to China. Russia, yes, but that is blocked as well.

    I use clientless users and static IP addresses. They pick up the address but do not provide their ID to the DHCP server.
