Author Topic: Outbound Firewall Confusion  (Read 16444 times)
vodka_mann
« on: Wednesday 26 February 2014, 08:10:51 pm »

Hello,

I'm having a really hard time understanding how the outbound firewall works - it seems like it should be very simple but it's not turning out that way.  I'm using version 3.0.

Here's a simple example of my situation - I've set up a rule in the outbound firewall to block everything on all ports on a group of computers as a starting point and set it to position 6 (see attached image).  These computers are very sensitive compared to others on the network so I want them more locked down.


Then I've added a rule above that (position 1) to allow dropbox.com through - I've checked and dropbox just requires a wildcard to .dropbox.com and should only need access to ports 80 and 443 BUT for the sake of making sure I've captured every possibility I've allowed all ports.  Outside of dropbox.com, I've also tried *.dropbox.com, *.dropbox.com*, and a million other URL/wildcard combinations to make sure I'm doing a wildcard the way Endian would want.  I've also used fiddler and confirmed that the dropbox website is telling the truth about the URLs / ports it is attempting to connect with.

Here are the pictures of the rules I created:
docs.google.com/document/d/1SU-w-GRi6jv90JnD9wO4dKaZ4W_C8uzf2PBdk4ugPts/edit?usp=sharing

No joy....  dropbox will not sync and I cannot get to the dropbox website....  Won't work on this group of computers or ANY on the network.

What's funny is that I have it working with screenconnect (port 8040 and 8041) to our own URL (did not use the IP, used our network's URL and didn't use any wildcards) and it seems to be fine.  I've also been playing around with the proxy server which I've disabled during this testing.

Any thoughts?  Thanks in advance

I've tried a number of other experiments and it seems like unless I can specify an IP address (versus a URL) it doesn't work.  Makes me think I'm inputting the URL incorrectly.  Any help would be appreciated.  Thanks!
kieronrob
« Reply #1 on: Wednesday 05 March 2014, 12:17:59 am »

I think you are confusing the firewall and the proxy functions in the EFW.

The firewall will not work with a URL, only port numbers or services.

If you want to block dropbox.com then use the proxy to deny access to that URL. You will need to enable the HTTPS proxy in the proxy settings and that will require that you load the EFW certificate on each machine to prevent SSL warnings.

The other alternative is to find out what IP addresses dropbox.com points to and create rules preventing access to these addresses.

Put the allow rules above the deny rules as it processes from the top down till a rule matches.
vodka_mann
« Reply #2 on: Thursday 13 March 2014, 02:11:28 am »

Thanks for the feedback.  I actually want to block all traffic EXCEPT dropbox - I want to allow dropbox to function (amongst a few other things) only.

Long story short if I set up an outbound rule that blocks all traffic on a few of the nodes on my network

AND then above it I create a rule that allows all services / all ports to allow these through:

NOTE - I had to add an underscore to all URLs so the forum would allow them but please ignore***
dropbox._com
*dropbox._com
*.dropbox._com
.dropbox._com

Nothing works - I cannot browse to the site, dropbox won't sync.

If I specifically allow www_.dropbox._com - then I can get their website but I would have assumed one of the wildcard type functions I used above would have allowed the traffic through without the need to specifically add www_.dropbox._com

My real issue is this: the servers that dropbox uses to sync change all the time via their web URL prefix - it might be 123_.dropbox._com right now and later it will be 321_.dropbox._com - I can't control or predict those.

Thoughts?  Thanks for any help!
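Added illustration (not part of any post in this thread, and not Endian's code): a small Python model of a top-down, first-match packet filter, covering the rule ordering and IP-versus-hostname points from the replies above. It assumes the firewall resolves a hostname to IP addresses once, when the rules are loaded; the DNS table, the 192.0.2.x addresses (a documentation range, not Dropbox's real IPs) and all function names are constructed for the example.

```python
import ipaddress

# Constructed DNS data: documentation-range addresses, not real Dropbox IPs.
DNS = {
    "www.dropbox.com": ["192.0.2.10"],
    "123.dropbox.com": ["192.0.2.55"],   # stands in for a changing sync host
}

def load_rules(rules):
    """Compile rules once: a hostname becomes a fixed set of IPs at load time."""
    compiled = []
    for action, dest, ports in rules:
        if dest == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0")]
        else:
            try:
                nets = [ipaddress.ip_network(dest)]        # literal IP or CIDR
            except ValueError:
                # Exact hostname lookup; a wildcard pattern has no record,
                # so the rule compiles to an empty set and can never match.
                nets = [ipaddress.ip_network(ip) for ip in DNS.get(dest, [])]
        compiled.append((action, nets, ports))
    return compiled

def decide(compiled, dst_ip, dst_port, default="DENY"):
    """Walk the rules top-down; the first rule matching IP and port wins."""
    addr = ipaddress.ip_address(dst_ip)
    for action, nets, ports in compiled:
        if any(addr in n for n in nets) and (ports is None or dst_port in ports):
            return action
    return default

DENY_ALL = ("DENY", "any", None)                 # ports=None means all ports
WILDCARD = load_rules([("ALLOW", "*.dropbox.com", None), DENY_ALL])
EXACT = load_rules([("ALLOW", "www.dropbox.com", {80, 443}), DENY_ALL])
WRONG_ORDER = load_rules([DENY_ALL, ("ALLOW", "www.dropbox.com", {80, 443})])
BY_SUBNET = load_rules([("ALLOW", "192.0.2.0/24", {443}), DENY_ALL])

if __name__ == "__main__":
    for name, rules in [("wildcard", WILDCARD), ("exact", EXACT),
                        ("wrong order", WRONG_ORDER), ("subnet", BY_SUBNET)]:
        print(f"{name:12} www={decide(rules, '192.0.2.10', 443)} "
              f"sync={decide(rules, '192.0.2.55', 443)}")
```

In this model only the exact-hostname and subnet rules ever allow traffic, and the exact-hostname rule covers just the address it resolved to, which is why hosts with changing prefixes need either IP ranges in the firewall or hostname matching in the proxy.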
Ricard
« Reply #3 on: Saturday 29 March 2014, 04:34:41 am »

In the past I had issues with dropbox because of snort rules.  Try to download from a shared dropbox and then check your logs:

Code:
/cgi-bin/logs_live.cgi?show=single&showfields=snort

If you see some dropbox alerts then you should locate that rule and change from "forbidden" mode to just "alert".
