
Question for the admins about port restrictions...

InlineFive

Diamond Member
I am considering having our firewall block all outgoing traffic except for a few designated ports. I don't have an IPS so this is my best bet at preventing people and programs from calling out. This network is about seven computers which are used for office productivity and email communication. The DSL connection is protected by a Sonicwall TZ-170.

So, is it a good idea? We have McAfee Virusscan Enterprise but in the interest of malware prevention I think it's not a terrible thing to do.

Second, what ports would you allow outbound access on? On the top of my mind is 20-21 (to our server only), 25 (to two SMTP servers only), 80, 110 (to two POP servers only) and 443.

Thanks!
 
We block traffic in and out both. It's more secure but it's also more to manage if you install new applications that need new ports opened.
Here are the access lists we use.

access-list outin permit icmp any any
access-list outin permit tcp any host X.X.X.2 eq 25
access-list outin permit tcp any host X.X.X.2 eq 80
access-list outin permit tcp any host X.X.X.2 eq 443
access-list outin permit tcp any host X.X.X.2 eq 110
access-list outin permit tcp any host X.X.X.2 eq 873
access-list outin permit tcp any host X.X.X.3 eq 1677
access-list outin permit tcp any host X.X.X.5 eq 80
access-list outin permit tcp any host X.X.X.5 eq 443
access-list outin permit tcp any host X.X.X.21 eq 80
access-list outin permit tcp any host X.X.X.21 eq 443
access-list outin permit tcp any host X.X.X.22 eq 80
access-list outin permit tcp any host X.X.X.22 eq 443
access-list outin permit tcp any host X.X.X.7 eq 5631
access-list outin permit udp any host X.X.X.7 eq 5632
access-list outin permit tcp any host X.X.X.7 eq 110
access-list outin permit tcp any host X.X.X.7 eq 6800
access-list outin permit tcp any host X.X.X.7 eq 6900
access-list outin permit tcp host X.X.X.10 any
access-list outin permit udp host X.X.X.10 any
access-list outin permit tcp host X.X.X.11 any
access-list outin permit udp host X.X.X.11 any
access-list outin permit tcp host X.X.X.30 any
access-list outin permit udp host X.X.X.30 any
access-list outin permit udp any any eq 4444
access-list outin permit tcp any any range 9874 9875
access-list outin permit tcp any any eq 9878
access-list outin permit tcp any any eq 4421
access-list outin permit tcp any any range 4429 4430
access-list outin permit udp any any eq 17071
access-list outin permit tcp any any eq 123
access-list outin permit tcp any any eq 3389
access-list outin deny ip any any

access-list inout permit icmp any any
access-list inout permit tcp any any eq 53
access-list inout permit tcp any any eq 554
access-list inout permit tcp any any eq 873
access-list inout permit tcp any any eq 7070
access-list inout permit ip any X.X.X.30 255.255.255.255
access-list inout permit ip host X.X.X.6 any
access-list inout permit ip host X.X.X.1 any
access-list inout permit ip X.X.X.0 255.255.255.0 any
access-list inout permit tcp any any eq 21
access-list inout permit ip host X.X.X.30 any
access-list inout permit udp any any eq 4444
access-list inout permit tcp any any range 9874 9875
access-list inout permit tcp any any eq 9878
access-list inout permit tcp any any eq 4421
access-list inout permit tcp any any range 4429 4430
access-list inout permit udp any any eq 17071
access-list inout permit tcp any any eq 123
access-list inout permit tcp any any eq 3389
access-list inout deny ip any any
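A small checker for ordered lists like the one above, added here as an example and not part of the original post. It parses PIX/ASA-style access-list lines, answers whether a given flow would be permitted (first match wins, implicit deny at the end), and flags rules that sit behind an earlier rule that already covers them, which is what happens when a permit gets appended after the list's deny ip any any. The sample list and its RFC 5737 addresses are constructed; only the `permit|deny PROTO SRC [eq|range] DST [eq|range]` subset of the syntax is handled.

```python
import ipaddress
# Constructed sample in the style of the list above (RFC 5737 addresses); the last rule
# comes after the catch-all deny, so it can never match.
SAMPLE_ACL = """
access-list outin permit tcp any host 192.0.2.2 eq 25
access-list outin permit tcp any any eq 443
access-list outin deny ip any any
access-list outin permit tcp any any eq 3389
"""

def _addr(t):  # consume 'any' | 'host A' | 'A MASK'; return (network, remaining tokens)
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def _ports(t):  # consume optional 'eq N' | 'range A B'; default is the whole port range
    if t and t[0] == "eq":
        return (int(t[1]), int(t[1])), t[2:]
    if t and t[0] == "range":
        return (int(t[1]), int(t[2])), t[3:]
    return (0, 65535), t

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [ports] DST [ports]' lines, in order."""
    rules = []
    for t in (ln.split() for ln in text.splitlines() if ln.startswith("access-list")):
        src, rest = _addr(t[4:])
        sports, rest = _ports(rest)
        dst, rest = _addr(rest)
        dports, _ = _ports(rest)
        rules.append({"action": t[2], "proto": t[3], "src": src, "sports": sports,
                      "dst": dst, "dports": dports})
    return rules

def _covers(outer, inner):  # every packet matching 'inner' also matches 'outer'
    return (outer["proto"] in ("ip", inner["proto"])
            and inner["src"].subnet_of(outer["src"]) and inner["dst"].subnet_of(outer["dst"])
            and all(outer[k][0] <= inner[k][0] <= inner[k][1] <= outer[k][1] for k in ("sports", "dports")))

def evaluate(rules, proto, src, dst, dport, sport=40000):  # first match wins; ('deny', None) = implicit deny
    # Express the single flow as a one-line rule so the same matcher can be reused.
    pkt = parse_acl(f"access-list flow permit {proto} host {src} eq {sport} host {dst} eq {dport}")[0]
    for i, r in enumerate(rules):
        if _covers(r, pkt):
            return r["action"], i
    return "deny", None

def shadowed(rules):  # indices of rules fully covered by an earlier rule: they can never be hit
    return [i for i, r in enumerate(rules) if any(_covers(e, r) for e in rules[:i])]
```

Running `shadowed(parse_acl(SAMPLE_ACL))` on the constructed list reports the trailing 3389 permit, and `evaluate` confirms that flow is caught by the deny rather than the permit.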

 
Yes, it is a good idea, and from what I understand, it's very common nowadays. We do it here. I have about 100 rules on our SonicWall for allowing various services out and various services in. It gets really complicated with the SSL tunnels we have set up with other organizations.
 