Lock Down Your Network Traffic - Block all outbound traffic except DNS and HTTP/S

  • Published on 5 Oct 2024
  • In this quick tutorial we will block all outbound ports from your network except DNS, HTTP and HTTPS!
    Want to join us in learning how to deploy network services like this? Put your name on the training list now: williehowe.com...
    Hire us! williehowe.com
    Amazon Affiliate Links for Ubiquiti Gear:
    UDM Pro Link: amzn.to/3LKaqBR
    Standard UDM Link: amzn.to/3AKChvr
    Affiliate Links (I earn a small percentage of the sale if you use these links):
    My AmazonLink: www.amazon.com...
    Netool: netool.io use code WHT to save at least 10%!
    Digital Ocean Affiliate Link: m.do.co/c/39aa...
    Patreon Link: / williehowe
    Contact us for network consulting and best practices deployment today! We support all Grandstream, Synology, DrayTek, Obihai, Poly, Ubiquiti, MikroTik, Extreme, Palo Alto, and more!
    Come back for the next video!
    Twitter - @WillieHowe
    TikTok - @whowe82
    SUBSCRIBE! THUMBS-UP! Comment and Share!

Comments • 53

  • @ikke656 · 1 year ago · +14

    I also always allow NTP, because things get confused/stop working when the time is not within margins.
    Also, STUN is more often needed for things like Teams, Webex and Zoom. STUN server ports are 3478 for UDP and TCP, and 5349 for TLS.

  • @canadianwildlifeservice8883 · 1 year ago · +2

    Block outbound UDP 443, which is Google's QUIC protocol. UDP is faster for streaming media, but less secure. TCP is the standard protocol for port 443 and uses the three-way handshake for data integrity and security.

    • @canadianwildlifeservice8883 · 1 year ago · +1

      @WillieHowe If you knew more about how QUIC works instead of calling people trolls... you would know that browsers fall back to using TCP on 443 when UDP on ports 80 and 443 is blocked.

    • @WillieHowe · 1 year ago · +2

      @canadianwildlifeservice8883 I had to reread your message and yes, I agree that outright blocking QUIC on 443 UDP is a good idea. It would take one more firewall rule but is totally doable. Thanks for hanging in there.

  • @kristopherleslie8343 · 1 year ago · +1

    Willie think he slick lol he knows we wanna see the next video 😂❤

  • @georgiosstratigos4334 · 1 year ago · +1

    Rule of thumb for me (on my setups in business environments): I only allow outgoing connections TCP/UDP to 80/443/53/123/8080/5938 for TeamViewer. ICMP echo requests blocked, of course. Incoming connections: allow only established/accepted packets and drop invalid. By the way, congratulations on the video. Keep going.

  • @mrwhosmynameagain · 1 year ago · +4

    Who uses Google for news 😅 that's like using a sieve for water - you'll only get a filtered version of what's really there.

  • @PE4Doers · 1 year ago · +1

    A very helpful video Willie 🙂

  • @rpinut · 1 year ago · +2

    Hi Willie, I'm wondering how to block DNS except for, for example, a Pi-hole. So 2 IP addresses on the network can go out. Maybe redirect DNS?

    • @glennmcelroy8282 · 1 year ago

      Create an outbound rule that blocks port 53 for all IPs except those of your Pi-hole(s).

  • @mikescott4008 · 1 year ago

    QUIC uses UDP/443.
    You are only blocking ports, not by protocol, correct?

  • @Polkster13 · 1 year ago · +4

    Yes, please on DNS control.

  • @KSJNX · 1 year ago

    Good for cryptominers and torrenting but be aware that most malware also uses 80/443 since it's a commonly open port.

  • @back2basics512 · 4 months ago

    How do I automatically block internet traffic to newly connected devices? I want to allow them internet access myself by their MAC addresses.

  • @D0n5023 · 1 year ago

    Awesome content! Thank you! 😊

  • @bjarnenilsson80 · 19 days ago

    And policies like this just make every possible protocol tunnel over port 80 or 443 to "bypass that pesky firewall", meaning you have to implement DPI etc. Note: I should have said it makes every application developer tunnel...

  • @daddycash7076 · 1 year ago

    I locked down my network and allowed some ports, but port forwarding is not working. Is there anything I'm not doing right?

  • @markozoric2117 · 1 year ago · +1

    Why would you filter outbound traffic? You are only overloading USG or UDM.

    • @WillieHowe · 1 year ago

      There are actually security frameworks that have you block a lot of outbound traffic.

  • @rdottwordottwo2286 · 1 year ago

    Nice informative video!

  • @davidwright6105 · 1 year ago

    This did not work for me. All of my Echo devices will accept commands but won't turn devices on and off. I added ports 8080 and 3478 to the list, but no joy.

  • @davidm.8309 · 1 year ago

    Thank you very much. Also had to add Xbox ports for my kids: ports 88, 3074, 500, 3544, 4500.

    • @ikke656 · 1 year ago · +1

      500 and 4500 are a bit curious. Those are IPsec VPN ports.

    • @serpent77 · 1 year ago · +1

      Xbox is one of the "friendlier" game systems to allow access for like this, because MS tunnels back to the Live servers for everything. On some AAA titles, they skip the Live servers (I'm looking at you, Fortnite!). When they do, it's a nightmare trying to limit their access.

  • @jamesa4958 · 1 year ago

    Thank you

  • @sukihirako7240 · 1 year ago

    Keep it up, nice videos, learning a lot, thx :) Can you make a tutorial on how to control the DNS also? thx :)

  • @iamjamesxo · 10 months ago

    Thank you for this tutorial, I'm new to networking. Question: I've applied these firewall rules, and I am running Mullvad VPN configured on my router through OpenVPN, so everything going through my router is being routed through my VPN. When I tested ports, they were open, allowing a connection using the test site you provided. I then paused my VPN and the ports are closed; it will not load the page using the test site provided. My primary concern is my internet traffic being monitored, or remote access and outbound routing. Should I not be running a VPN through my router? I thought this was the safest route, but it's still allowing outgoing connections, so I will keep my current configuration if the VPN isn't necessary. Thanks again. Subscribed.

    • @WillieHowe · 10 months ago

      You can run VPN, just make sure the ports are allowed.

  • @tokoiaoben3842 · 1 year ago

    For me, I allowed only these ports in my network: 80, 443, 123, 53, 25, 465, 587, 110, 995. Does this kind of setup block BitTorrent?

    • @ikke656 · 1 year ago · +1

      BitTorrent traffic is usually in the 50k range.

  • @donvecchio6048 · 1 year ago

    Good video. Does blocking these ports still allow incoming streaming services? E.g. Disney+ etc. Thanks

    • @WillieHowe · 1 year ago · +1

      If they use 80 or 443. My kid lost discord while I was doing this. 😂

    • @donvecchio6048 · 1 year ago

      Thanks, will just have to try then. By the way, it's handy that you are using a UDR. I'm learning the UniFi system on a UDR at the moment and tossing up whether it's worth moving to the next level, so it's good to know that it can handle a fairly advanced setup.

    • @WillieHowe · 1 year ago

      @donvecchio6048 It can.

  • @Johndoe22932 · 4 days ago

    Just bricked my connection...

  • @jonathanpasayan1777 · 1 year ago

    Yes, how-to-control-DNS video please.

    • @serpent77 · 1 year ago

      It's not hard: set up your Pi-hole or whatever device you'll use for DNS, change your DHCP to hand out that address for DNS, lock port 53 (UDP and TCP) for all devices except the Pi-hole, and profit from local caching of DNS, and filtering in the case of a Pi-hole or manual intervention.
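The "DNS only from the Pi-hole" advice in the two replies above, together with the earlier suggestions to block UDP/443 (QUIC) and to keep NTP and ICMP open, all depend on rule order. The following is an added example, written for this page and not taken from the video, from any commenter, or from UniFi: a small first-match policy simulator that encodes that allow-list so you can see which rule decides each packet and what happens when the Pi-hole exception is placed below the DNS drop. The addresses, rule names and the `Packet`/`Rule` types are constructed for the illustration; real firewalls add state tracking, interfaces and zones that this model leaves out.

```python
"""First-match outbound policy model: default deny, allow only DNS from the
resolver, HTTP/S, NTP and ICMP.  Constructed for illustration; it models the
ordering semantics of an ordered rule table, not any vendor's engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # LAN host sending the packet
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "drop"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    src: Optional[str] = None      # CIDR; None matches any source

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


PIHOLE = "192.168.1.53"      # constructed: the only host allowed to resolve upstream
LAN = "192.168.1.0/24"       # constructed LAN range

# Order matters: the first matching rule wins.  The Pi-hole exception sits
# above the DNS drop, and the QUIC drop sits above the generic HTTPS allow.
POLICY = [
    Rule("pihole-dns-out", "allow", dport=53, src=f"{PIHOLE}/32"),
    Rule("drop-other-dns", "drop", dport=53, src=LAN),
    Rule("drop-quic", "drop", proto="udp", dport=443),
    Rule("allow-http", "allow", proto="tcp", dport=80),
    Rule("allow-https", "allow", proto="tcp", dport=443),
    Rule("allow-ntp", "allow", proto="udp", dport=123),
    Rule("allow-icmp", "allow", proto="icmp"),   # keeps PMTUD working
    Rule("default-drop", "drop"),
]


def evaluate(pkt: Packet, policy=POLICY) -> tuple[str, str]:
    """Return (action, name-of-deciding-rule) for the first rule that matches."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "implicit-deny"


def misordered_policy() -> list:
    """Same rules with the Pi-hole exception swapped below the DNS drop.
    The exception is then shadowed and the resolver itself loses upstream DNS."""
    p = list(POLICY)
    p[0], p[1] = p[1], p[0]
    return p


if __name__ == "__main__":
    samples = [
        Packet(PIHOLE, "udp", 53),            # resolver doing its job
        Packet("192.168.1.20", "udp", 53),    # client bypassing the resolver
        Packet("192.168.1.20", "udp", 443),   # QUIC attempt
        Packet("192.168.1.20", "tcp", 443),   # ordinary HTTPS
        Packet("192.168.1.20", "tcp", 22),    # anything else
    ]
    for s in samples:
        print(s, "->", evaluate(s))
    print("misordered:", evaluate(samples[0], misordered_policy()))
```

Run as-is to print the deciding rule for each constructed packet; the last line shows the shadowing failure, which is the mistake to check for after adding the Pi-hole exception in a GUI that appends new rules at the bottom.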

  • @serpent77 · 1 year ago

    If you're doing this on a home network and game, or have kids that game, have fun discovering how many game devs insist on wide-open traffic inbound and outbound 😉👍

    • @serpent77 · 1 year ago

      Oh, and Nintendo is by far the worst. I had to assign a public IP NAT to my son's Switch and open traffic both ways for it.

  • @justindupuis180 · 1 year ago

    Noooo, you're breaking the internet; my school does this and it's a pain.

  • @xephael3485 · 1 year ago · +1

    DNS lookups shouldn't be going out. They should be answered by an internal server or relay. Also, Google "Should I block ICMP"... It should be allowed for PMTUD etc.

    • @WillieHowe · 1 year ago · +2

      Listen a little further in and we talk about DNS.

    • @xephael3485 · 1 year ago · +1

      @WillieHowe I did, but it should have been brought up initially. Way too many DNS abuses for it to have free rein externally.

  • @mrwhosmynameagain · 1 year ago · +1

    Nice video, thanks for sharing, but why would you lock down your network if you're gonna be using TikTok? That's a massive security and privacy breach in and of itself. Doesn't make any sense.

    • @WillieHowe · 1 year ago

      And yet here you are using a Google service 😂

  • @stentoft7600 · 1 year ago · +1

    DNS control

    • @WillieHowe · 1 year ago

      Listen a little further in and we talk about DNS.

  • @dustinclark83 · 1 year ago

    How about no :))

  • @CarlMGregory · 1 year ago

    No thanks

  • @c0p0n · 1 year ago

    You need to stop smoking hubcap shavings mate.

    • @WillieHowe · 1 year ago

      Not sure what that means but I don't smoke anything.