How to allow only outbound connections
Updated: 22 May 2010 | 11 comments
This issue has been solved. See solution.
How can I configure a new Firewall Policy to allow all kinds of outbound connections, but block any inbound ones?
I mean, only my computer can start and establish a connection with another host, and other hosts can't start a connection with my computer.
Comments
Refer to this KB for Best Practice White Paper.
Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper
http://service1.symantec.com/SUPPORT/ent-security....
Thomas
Thanks Thomas, I've read it but still don't know how to configure the rules =/
Is it something like this?

(Remote connections to any host allowed. All other traffic, including inbound connections, blocked)
Do you want to block it for a specific application like IE, RDP, VNC etc., or for all?
If you want to block it for all, then:
move the rule that you have made up to no. 1 (now it is at 12),
then create a new blank rule, change the action from allow to block, and move it to rule no. 2.
Note: Test the behaviour of the rules in a test group in a test environment before applying the rules in a production environment.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Only two rules are sufficient for this.
Create a new rule and only configure "service". Click "add" and use, for example, "ethernet" to allow all protocols. Select "outgoing" as the direction and allow the traffic.
Create another rule to block everything, and with these two rules you are all set for a nice offline firewall policy.
If you enable logging for the "block all" rule you can troubleshoot blocked connections and adjust the rule for your office as well ;)
You can download a rule allowing ping, pong, tracert and RDP here: http://www.niwis.com/forums/downloads.php?do=file&...
Symantec AntiVirus User Group Deutschland
Man, it was exactly what I wanted!
Worked perfectly, only established connections are allowed, no one can send anything to the computer if it was not requested.
Thanks a lot ;)
After some weeks of tests, I've found a strange behavior: the new policy is effectively blocking all types of unsolicited incoming connections. But when I try to remotely telnet to ports 25 and 110, the telnet console seems to stay connected for a couple of seconds before it is automatically dropped. And if I try a port scan (like nmap), it shows me that these two ports are open. Despite this behavior, if I check the open ports using netstat, none of these ports are listening. I'm pretty sure that there isn't any kind of software listening on these ports, like IIS.
Is this behavior (of ports 25 and 110) normal?
Will this block unnecessary packets if they were not requested?
Those are related to email.... SMTP and POP I believe.
There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."
Yes, you are right
I've just read in this article:
Norton Antivirus will cause 110 and 25 to appear to be open because of the way it proxies those connections so it can scan Internet Email
Is this true? Could any Symantec employee confirm this?
Grab a test machine and disable the SEP internet email protection.
See if those ports are still open remotely.
SEP does use a sort of proxy to get email but I am assuming if you turn off the functionality it should stop listening on those ports.
I am also guessing the port 25 and 110 stuff is built into the default (hidden rules) which you can never turn off.
Z
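The symptom reported above (telnet to 25/110 connects for a couple of seconds and is then dropped, nmap reports the ports open, netstat shows no listener) and the check suggested here (toggle the email protection and re-scan) can be automated. The following is an added example written for this page, not code from the thread, from Symantec or from any SEP tool. It classifies a TCP port from the outside the way a scanner would, but then holds the connection for a moment to tell a real listener ("open") apart from something that accepts and immediately drops the connection ("open-then-dropped"), which is exactly the proxy behaviour described. To make it run offline it starts two constructed localhost listeners, one that behaves like a normal service and one that mimics the accept-then-drop proxy; the hostnames, port numbers and the "proxy"/"listen" labels are assumptions for the demonstration.

```python
import socket
import threading
import time


def classify_port(host, port, timeout=2.0, hold=1.0):
    """Connect to host:port like a scanner would and classify the outcome.

    Returns one of:
      'filtered'          - no answer within `timeout` (packets dropped, e.g. by a block rule)
      'closed'            - connection refused (RST), nothing accepts on that port
      'open'              - connection accepted and still up after `hold` seconds
      'open-then-dropped' - connection accepted but the peer closed it within `hold` seconds
                            (the behaviour the thread describes for ports 25 and 110)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered"
    except OSError:  # ConnectionRefusedError and friends
        s.close()
        return "closed"

    # We are connected. A silent real service keeps the socket up, so recv()
    # times out; an accept-then-drop proxy closes it, so recv() returns b"" or raises.
    s.settimeout(hold)
    try:
        data = s.recv(1)
    except socket.timeout:
        return "open"
    except OSError:
        return "open-then-dropped"
    finally:
        s.close()
    return "open-then-dropped" if data == b"" else "open"


def scan(host, ports, **kw):
    """Classify several ports on one host; returns {port: classification}."""
    return {p: classify_port(host, p, **kw) for p in ports}


def start_listener(behaviour, close_after=0.2):
    """Constructed fixture for the example (not a real mail service).

    behaviour='listen': accept connections and keep them open, like a real daemon.
    behaviour='proxy' : accept, wait `close_after` seconds, then drop, mimicking the
                        email-scanning proxy behaviour reported in the thread.
    Binds 127.0.0.1 on an ephemeral port and returns that port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    kept = []  # keep 'listen' connections referenced so they are not GC-closed

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            if behaviour == "proxy":
                time.sleep(close_after)
                conn.close()
            else:
                kept.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Pick a port that nothing is listening on (bind, read back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed demonstration: one genuine listener, one accept-then-drop proxy,
    # and one port with nothing behind it.
    targets = {
        "real service": start_listener("listen"),
        "mail proxy": start_listener("proxy"),
        "nothing": free_port(),
    }
    for label, port in targets.items():
        print(f"{label:12s} port {port:5d}: {classify_port('127.0.0.1', port)}")
```

When used against a real host, run it once with the POP/SMTP protection enabled and once with it disabled, as suggested above; a port that reports 'open-then-dropped' and then 'closed' or 'filtered' after the change is the proxy, not a service you forgot about. Plain nmap's connect scan stops at the accept and will call both cases "open", which is why the hold step matters.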
Just to let you know: after uninstalling the POP/SMTP protection feature, the machine can't see ports 25 and 110 as Open anymore.
Thanks for all help!