[Solved] People tell me that blocking outgoing ports in a home network is overkill... Do you agree?

People in various forums tell me that for a home network blocking all incoming is more than enough and blocking outgoing ports doesn't serve any purpose. Blocking outgoing ports introduces unnecessary complications because then the user needs to know which app is using which port and then allow it in the firewall.

Do you agree? If yes, why? If not, why?
 
Do you agree? If yes, why? If not, why?
Neither. It depends on your threat model.

One typical reason for filtering outgoing traffic is preventing users in your internal network from building tunnels which would allow tunneled traffic to circumvent your firewall (e.g. simple SSH port forwarding, or some VPN). But then, just blocking ports won't be enough. It's quite common to use TCP/443 for anything like that because many firewalls just block ports. To really avoid that, you need DPI, you need a transparent proxy terminating TLS, and so on.

If you can trust the users in your local network, I don't see a reason for outbound filtering. But again, it depends on your threat model. E.g. if you expect some clueless user to get infected with spambot malware, block outgoing 25, 465, 587 to avoid your network becoming a source of spam...
 
Zirias
I am the only user in my home network so no trust issues here. I forgot to mention one point that I was told. Some suggested that blocking outgoing ports prevents malware calling home. Now even if that's true, the question is: is there even a single piece of malware that's capable of infecting a FreeBSD desktop?
 
I agree with Zirias on this.
Part of blocking outgoing is simply information security. There are some protocols that broadcast stuff: Windows machines are particularly chatty and may leak information about your machines/network. If you look at a typical broadband connection like Cable Modem, it's a shared pipe and you can see your neighbors if you wanted.

Another part of blocking outgoing is simply "network hygiene". Why send traffic out of your network that doesn't need to go out of it? Yes, in theory upstream devices like routers should be blocking things, but if you can do a little bit to lighten that load, why not? It also prevents your devices from being accused of being part of a DDoS or other bad things.

It's convenient and easy to say "block in on WAN unless it matches an outgoing connection, allow everything in on LAN to go out WAN". That is the default stance of 99% of consumer devices, simply because it gives a good bit of security against unsolicited inbound and makes it easy for home users to "just work" out of the box.
The strongest security stance for a firewall device starts out with "block in/out on all interfaces", and then you start specifically adding rules to allow desired traffic. That leads to this:

Blocking outgoing ports introduces unnecessary complications because then the user needs to know which app is using which port and then allow it in the firewall.
From a pure standpoint the statement is true, BUT it is your network and your devices, so if you want to exercise that level of control, no one can tell you "You're wrong" with a straight face. All it means is that if someone like, say, a spouse complains that "my application doesn't work", you need to stop what you are doing, investigate and add a few ports to the ruleset. Your call as to what is easier.

In the past I have done this on my home network, which has my machines (FreeBSDs, Linux for work) and my wife's/guests' mostly Windows or iPhones. Surprisingly few outbound things are actually needed for normal operation. If it was a dozen TCP and a handful of UDP ports, that was a lot. That included normal things like DNS, NTP, HTTP/HTTPS etc.
 
I agree with Zirias on this.
Part of blocking outgoing is simply information security. There are some protocols that broadcast stuff: Windows machines are particularly chatty and may leak information about your machines/network. If you look at a typical broadband connection like Cable Modem, it's a shared pipe and you can see your neighbors if you wanted.
Since you mention Windows machines I must mention I am not using FreeBSD as a router/firewall. The perimeter firewall (router) that I am using is ISP provided. There is 1 desktop running FreeBSD and 1 Android phone behind my router. No Windows or Mac client here. In my case my broadband connection is not shared. It's a VDSL connection, not cable broadband.

So PF in my case is acting as a host firewall not perimeter firewall. I mean PF is protecting only my FreeBSD box & not my Android phone.
 
Understood, but same principles apply I think. Some people think running a host firewall is overkill, but if a simple setup helps keep your device and network a little cleaner, why not? It's all about knowing YOUR network and devices.

Security always boils down to a choice:
Ease of use vs tighter security.

The front door to your house: if you install the most secure door with the most secure locking system then it is hard/almost impossible for someone to break in through it. If you get annoyed by having to unlock 3 deadbolts, retina scan plus finger print to unlock it after walking the dog, you may start leaving it unlocked. Ease of use vs tighter security.

A lot of networking professionals (security side of things) say you should start out with default deny on everything. Nothing in, nothing out by default. Then you start to allow things based on actual use/needs. You typically wind up with a smaller ruleset and known traffic so it's easier to see anomalies.
The opposite is to start out with default permit on everything, then you turn off things you don't need. But the turning off part is always overlooked.
 
Are we going to block so called ephemeral ports as well?
As source or destination? If you have a stateful firewall, the ephemeral port is typically the source, with the destination port being well-known. Think of doing DNS resolution. The dst port is 53, the source ephemeral, so the rule would be block from any to dst_port 53.
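The default-deny host firewall described in the posts above (nothing in, nothing out, then allow only the handful of outbound ports that real use requires, with stateful replies matched to the ephemeral source port) looks like this as a PF ruleset. This is an added example, not a configuration posted by anyone in the thread; it assumes a single FreeBSD desktop whose only interface is `em0`, that SSH is used as a client, and that the desktop gets its address from the interface itself (the `($ext_if)` form, so a DHCP-assigned address still works). Adjust the port macros to what your own pflog shows you actually need.

```pf
# Added example (not from the thread): host-firewall pf.conf for one FreeBSD
# desktop, default deny in both directions. Interface name "em0" is assumed.
ext_if = "em0"

# Outbound destination ports the thread names as normally required
# (DNS, HTTP/HTTPS, NTP) plus SSH as a client (assumption). Grow this list
# from what pflog shows being refused, not from guesswork.
tcp_out = "{ 22, 53, 80, 443 }"
udp_out = "{ 53, 123 }"

# Mail submission ports, blocked explicitly and logged so that an infected
# box cannot quietly become a spam source (Zirias's 25/465/587 point).
smtp_ports = "{ 25, 465, 587 }"

set skip on lo0
set block-policy drop

# Default stance: nothing in, nothing out. Both are logged so that
# "tcpdump -n -e -ttt -i pflog0" shows exactly what was refused, which is
# how you discover the few extra ports a new application really needs.
block in log all
block out log all

# Explicit, quick outbound SMTP block. Redundant under default deny, but it
# makes the intent visible in "pfctl -sr" and cannot be undone by a later
# broader pass rule.
block out log quick on $ext_if proto tcp from any to any port $smtp_ports

# Connections this host originates. "keep state" creates a state entry keyed
# on the ephemeral source port, so the replies come back without any
# inbound pass rule; "flags S/SA" only lets the initial SYN create state.
pass out on $ext_if proto tcp from ($ext_if) to any port $tcp_out flags S/SA keep state
pass out on $ext_if proto udp from ($ext_if) to any port $udp_out keep state

# Outbound ping; the echo reply is matched by state.
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state

# No unsolicited inbound is allowed at all: the host offers no services.
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and then watch `tcpdump -n -e -ttt -i pflog0` for a day of normal use: each logged outbound block is either an application you need (add its destination port to the relevant macro) or traffic you did not know your desktop was sending, which is precisely the anomaly visibility the "default deny" posts argue for. If the box relies on DHCP, confirm in pflog whether UDP 67/68 needs its own pass rules on your setup.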
 
I mean PF is protecting only my FreeBSD box & not my Android phone.
The free Android Tablet T-Mobile gave me is what I lock down.

Even though Google and I are now Besties, all my sins have been forgiven and my life a book opened and presented on bended knee in return for their Big Brotherly Benevolence, I don't want my new Boo phoning Hangzhou Alibaba Advertising Co. Ltd. behind my back.

I use an application based firewall that can restrict app traffic in various tablet states, but can also restrict IPv4 and IPv6 traffic through rules made from the log.

A feature you do not get in the free version, so you have to let it protect you as it sees fit.

However, the paid version was a low low $7.50 one-time payment and makes all the difference.

How can you afford not to buy it?

[attachment: NetGuard.png]

You can't.

 