Simple Firewall Rule, can't seem to do it.
I'm using the current version of Symantec Endpoint Protection with a custom firewall policy. For the most part the firewall definitions are straightforward and work as expected. I am running into a problem, however. We have a number of notebook computer users whose IP might change from 10.x.x.x to 192.168.x.x to anything in the public internet range depending on what hotel they stay at. I'd like to build a simple rule that allows the clients to send packets out from whatever IP they have to any other IP address, but NOT allow traffic to come back to the PC unless it is a reply or it comes from a specific range of IP addresses or domain. Is there a variable (such as "Client PC IP Address") or something I can use to accomplish this? I could key in every single notebook's MAC address, but considering this is a pretty standard function of a firewall, I'd go back to using Windows Firewall before doing that. The Windows Firewall supports reply-only return traffic...
Any ideas?
Thanks,
-Scott
Comments
Hi
I think this would be hard because of the changing IPs. What if you connect the remote clients via VPN? Or if you are concerned with their LiveUpdate, create a separate policy for them to manage/automatically download updates from Symantec's LiveUpdate server.
TCP/UDP outgoing
Hi.
To allow outgoing traffic and replies only you need to do the following:
Create 2 new services:
TCP, Remote Ports 0-65535, Direction outgoing
UDP, Remote Ports 0-65535, Direction outgoing, Stateful UDP
In your firewall rule you can then allow all hosts, all applications etc. In the services field, use your newly created services.
Remember, if you want to allow ICMP traffic and such, you'll need specific rules for that since it's not tcp or udp based traffic.
BR,
Tuomas
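The behaviour Tuomas describes (outbound TCP/UDP to any host regardless of the client's own address, inbound accepted only as a reply to a tracked flow or from a trusted range, ICMP needing its own rule) modelled as an added Python example. This is not SEP's code or anything from the thread; the trusted range, ports and addresses are constructed for illustration.

```python
"""Toy stateful filter modelling the outbound-only SEP policy from this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = sent by the notebook, "in" = arriving at it


class StatefulFilter:
    """Outbound TCP/UDP to any host is allowed and recorded as a flow; inbound
    is allowed only if it is the reply to a recorded flow or its source lies
    in a trusted range. Anything that is not TCP/UDP is dropped here because
    the two outgoing services do not cover it (ICMP needs a separate rule)."""

    def __init__(self, trusted_ranges):
        self.trusted = [ip_network(r) for r in trusted_ranges]
        self.flows = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> str:
        if p.proto not in ("tcp", "udp"):
            return "DROP"
        if p.direction == "out":
            # "Remote ports 0-65535, direction outgoing": any host, any local IP
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # Inbound: match the reverse 5-tuple of a tracked outbound flow
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ALLOW"
        if any(ip_address(p.src) in net for net in self.trusted):
            return "ALLOW"
        return "DROP"


def demo():
    """Constructed scenario: notebook on a hotel LAN, later on a different LAN."""
    fw = StatefulFilter(["203.0.113.0/24"])  # constructed trusted management range
    out = fw.decide(Packet("udp", "10.1.2.3", 53001, "192.0.2.53", 53, "out"))
    reply = fw.decide(Packet("udp", "192.0.2.53", 53, "10.1.2.3", 53001, "in"))
    unsolicited = fw.decide(Packet("tcp", "198.51.100.7", 4444, "10.1.2.3", 445, "in"))
    from_mgmt = fw.decide(Packet("tcp", "203.0.113.10", 5555, "10.1.2.3", 443, "in"))
    ping = fw.decide(Packet("icmp", "10.1.2.3", 0, "192.0.2.53", 0, "out"))
    # Client moved to 192.168.0.5: a late reply to the old address no longer matches
    moved = fw.decide(Packet("udp", "192.0.2.53", 53, "192.168.0.5", 53001, "in"))
    return [out, reply, unsolicited, from_mgmt, ping, moved]
```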
Hi Tuomas,
What if the IP of the client is always changing?
Client IP
Hi Paul.
If the firewall rule is created to allow any host the IP of the client doesn't matter. The host field applies for both local and remote addresses.
BR,
Tuomas
Hi,
Are you sure it will meet? For example SEPM on a corporate server and the client is on a hotel outside?
Not sure I understand your
Not sure I understand your question correctly.
This firewall rule is for allowing outgoing traffic, it has nothing to do with communication to SEPM.
Edited
Edited my first post.
Forgot to specify remote ports.
Tuomas, you are correct
Just FYI, after playing with this last night for about 45 more minutes I tried almost exactly what Tuomas suggested. I added a service that allowed all IP outgoing and that seemed to work. I like the idea of tightening it down a bit more though, so I might take your suggestion of stateful UDP and TCP.
Thanks,
-Scott
Hi,
I see, this is outgoing only. Thanks for the info.