Firewall help



#1 Soulessdeath

    Learner

  • Quark
  • 51 posts
  • Location:Northern Territory

Posted 07 September 2017 - 02:03 PM

I am currently trying to set up some permissions for a firewall on a TP-LINK TL-R480T modem. I am trying to only allow Outlook through the firewall, but I want to block Office 365 from pinging the Microsoft servers. Would anyone know what ports I would need to allow through the firewall to only allow Outlook, strictly?

The setup is for boats where, on one of the WAN connections on the modem, the computers can connect to the satellite internet but have very limited access, to keep bills down.


PC's, Cars, Marine communications  a Bit of everything in life.  Especially Gaming.


#2 Rybags

    Immortal

  • Super Hero
  • 35,232 posts

Posted 07 September 2017 - 02:31 PM

Pretty sure you can't block by program ID at the router level - TCP/IP doesn't include such information, and it'd be useless anyway since it could easily be spoofed; you need to do so at the host, i.e. either the Windows firewall or a 3rd-party product. With some routers there will be predefined settings that refer to programs, but that's just in a generic sense.

You can use the HOSTS file to block comms to specific sites or IPs, but that's a global setting.

For Outlook, assuming it's not doing back-to-base licence verification, you'd probably only need to allow the ports involved for incoming and outgoing email.

By default they're usually 110 (in) and 25 (out) for POP3, but I'm fairly sure there are other ports that are sometimes used. In any case you define such things in the email client, so you could refer to the settings there.

Most email clients have the option for periodic refresh/reload, so you could set that to 0/off to save data.

In some cases you can download headers only, another way to save.

And if you have ISP-level filtering, use that to help stop pointless downloading of spam.


Edited by Rybags, 07 September 2017 - 02:33 PM.


#3 Master_Scythe

    Titan

  • Hero
  • 20,282 posts
  • Location:QLD

Posted 07 September 2017 - 02:37 PM


Ah, the trick here won't be ports, it'll be IPs.

You'll need to block the Microsoft IPs specifically, and allow the IPs for whoever is hosting your email (e.g. Optusnet, or whoever).

Does it need to be at router level? You can do this EASILY with any software firewall.

Your other option, of course, is to remove Office entirely and use LibreOffice, and Mozilla Thunderbird as the email app.

Sometimes using the 'right tool' is easier than hacking a tool you already have to work.

But yes, look into custom block-list programs (there's a lot of freeware) you can run on the local PC.

This is actually ideal in your scenario, I'd imagine, since you can distribute it to all the users, and they can apply it to all their PCs.


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#4 Soulessdeath

    Learner

  • Quark
  • 51 posts
  • Location:Northern Territory

Posted 07 September 2017 - 02:43 PM

So on the TP-Link modem I have, I can block specific applications: Facebook, YouTube, Twitter, etc. I need to be able to set up the firewalls on the modem to block programs pinging the satellite, as this costs data even if it is blocked at the satellite firewall.

I am trying to prevent Office 365 from sending its server pings out on the specific connection. I cannot firewall the PC, as I will have 2 WAN ports in use on the modem, and one will have strict firewalls and the other will have open firewalls, so that when the vessels come into port and can connect via a 3G internet connection they can do whatever they need via the internet.

Also, I cannot have the satellite and the 3G modem connected to the computer at the same time, as this causes IP conflicts and the 2 units both try to act as modems.

I will try just allowing those ports through the firewall and nothing else to see how well it works; I will also try to set up URL blocking to prevent any other methods of pinging the satellite.

It is quite a complicated system that I am trying to work out here.

The modem will be attached to the 3G modem and the satellite phone through a changeover switch where only one connection will be active at a time, and when the satellite internet is activated a timer will start for five minutes, then it will switch the connection back to the 3G modem.




#5 Rybags

    Immortal

  • Super Hero
  • 35,232 posts

Posted 07 September 2017 - 02:49 PM

I suspect Office 365 won't work properly, or will echo annoying messages, if it can't do its back-to-base bollocks.

I also suspect that it's probably not much extra overhead anyway. Imagine millions of connected computers bombarding the servers every couple of minutes; I don't think they'd want that.

I tend to agree - try an alternative email client that doesn't do any licence verification.



#6 Master_Scythe

    Titan

  • Hero
  • 20,282 posts
  • Location:QLD

Posted 07 September 2017 - 02:49 PM

I cannot firewall the PC, as I will have 2 WAN ports in use on the modem, and one will have strict firewalls and the other will have open firewalls, so that when the vessels come into port and can connect via a 3G internet connection they can do whatever they need via the internet.

This is exactly why you SHOULD firewall the PC; it's a simple software switch.

 

You could even get someone who can do some basic coding to make a nice "SAVE DATA!" button in a simple app, and you maintain the block lists for them.

 

You could use Peerblock and host your own blocklist?!

 

 

EDIT: in addition, Peerblock can ALLOW HTTP, and block all other protocols.

So the end user, wouldn't see any loss in "Web Browsing" ability, you'd just block the background apps.

I block "Microsoft" in my blocklist, but allow HTTP and never hit problems.


Edited by Master_Scythe, 07 September 2017 - 02:52 PM.



#7 Soulessdeath

    Learner

  • Quark
  • 51 posts
  • Location:Northern Territory

Posted 07 September 2017 - 03:14 PM

We have tried to use software in the past, but the users have managed to fuck it up no matter what. Also, if someone gets on the WiFi on the boat, a software block on the computer will not prevent them from accessing internet pages. The system also needs to be easily changed over if a new PC is put onboard; if it's a hardware-based firewall it is plug and play, but if it's software it could be a little more in depth. A few companies have been using software switching, but it has not been working out for them, and they are also looking into similar setups to ours.

By overhead do you mean data usage? If so, I have done some testing with data usage and have found that over the course of a month Office 365 used around 30 MB of data for its back-to-base pings, which on the satellite data costs around $2100 ($700 per 10 MB).




#8 Master_Scythe

    Titan

  • Hero
  • 20,282 posts
  • Location:QLD

Posted 07 September 2017 - 04:01 PM

OK, this is still doable, but you'll need a second device.

In addition, forget the ability to "allow it all when docked" for 90% of use cases; this will complicate the solution, and the end user won't notice.

You'll need a device that can run OpenWRT.

As it's a small Linux router, you'll install the iptables tool.

You'll (temporarily) sign up for an i-blocklist account and pilfer their IP lists (start with "Microsoft", if that's your key concern).

If they're only in qualified domain names, you'll need to ping each one and get to noting them. (Yuck!)

You'll then want to block all the IPs on all ports, EXCEPT port 80.

Port 80 is your web browser (actually, also 443, that's HTTPS).

Voila.

You now have all access to Microsoft blocked, with the exception of from a web browser explicitly (so they could still use Office 365 Web Access, if they so choose).

No web pages will be blocked.

Nothing the user will notice will have happened.

Even things like Skype will work, because they have a tick box to "use port 80 and 443 as an alternative".

If that's not a 'simple' enough solution for them, I'm sorry, but I've mentioned before, my dad's a boat builder, I grew up around people who will probably never find their land legs again, and you simply CAN'T "tech away" all their problems.

I'd still vote for a software solution, honestly, because they can click out of it if they NEED to.

If they need to learn how to enable and disable ONE piece of software and be reminded NOT to let others on their WiFi, and they don't?

You can't protect them.

I mean sure, if you expected them to set up their own firewall, that's a little unreasonable.

But if you're providing a custom blocklist, with a one-click enable/disable?

And it's not easy enough?

They're beyond help.

Radical idea: have you considered renting a cheap server and running an OpenVPN server?

Set your server to accept any IPs from the satellite range, and reject any from the 3/4G range.

Then do the filtering on your VPN server, and let them all dial in.



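An added example, not code from the thread or from any tool it names, showing one way to put post #8's OpenWRT/iptables design (and the Raspberry Pi access point variant in post #9) together with the mail-port allow-list from posts #2 and #4 into one script. The interface name, the mail and DNS server addresses, the blocklist contents (documentation ranges, not Microsoft addresses) and the mail ports beyond Rybags' 110/25 (the IMAP and TLS variants are an assumption) are all placeholders; run it with IPT=echo, the default, to see the rules it would apply, and with IPT=iptables on the router to apply them:

```shell
#!/bin/sh
# Added example (not from the thread). Builds the satellite-WAN egress policy
# discussed in posts #2, #4, #8 and #9 for an OpenWRT/iptables box.
#
#   MODE=strict  (the original poster's goal) only mail to the mail server,
#                DNS and HTTP/HTTPS may leave via the satellite link.
#   MODE=block   (post #8) everything leaves, except that blocklisted ranges
#                are reachable on TCP 80/443 only.
#
# IPT=echo (default) prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo}"
SAT_IF="${SAT_IF:-eth1}"                    # assumed satellite WAN interface
MAIL_SERVER="${MAIL_SERVER:-203.0.113.25}"  # assumed mail host (TEST-NET-3)
DNS_SERVER="${DNS_SERVER:-203.0.113.53}"    # assumed resolver  (TEST-NET-3)
MAIL_PORTS="110,995,143,993,25,465,587"     # POP3/IMAP/SMTP, plain and TLS
CHAIN="SAT_OUT"

# Constructed blocklist in the "name:first-last" text form that
# PeerBlock/i-blocklist lists use. Documentation ranges only; substitute the
# real list.
BLOCKLIST='Microsoft example A:198.51.100.0-198.51.100.255
Microsoft example B:192.0.2.0-192.0.2.127'

rule() { "$IPT" "$@"; }

# Listed ranges: web ports pass (Office 365 web access keeps working),
# every other port is dropped. Evaluated before the general allows.
blocklist_rules() {
    printf '%s\n' "$BLOCKLIST" | while IFS=: read -r name range; do
        [ -n "$range" ] || continue
        rule -A "$CHAIN" -p tcp -m iprange --dst-range "$range" \
            -m multiport --dports 80,443 -m comment --comment "$name" -j ACCEPT
        rule -A "$CHAIN" -m iprange --dst-range "$range" \
            -m comment --comment "$name" -j DROP
    done
}

mail_rules() {
    rule -A "$CHAIN" -d "$MAIL_SERVER" -p tcp -m multiport --dports "$MAIL_PORTS" -j ACCEPT
}

dns_rules() {
    rule -A "$CHAIN" -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    rule -A "$CHAIN" -d "$DNS_SERVER" -p tcp --dport 53 -j ACCEPT
}

web_rules() {
    rule -A "$CHAIN" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# Prints (or applies) the full rule set for one mode. Returns 1 on a bad mode.
build_policy() {
    mode="${1:-strict}"
    case "$mode" in
        strict|block) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    rule -N "$CHAIN" 2>/dev/null || true    # chain already exists on a re-run
    rule -F "$CHAIN"
    rule -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    blocklist_rules
    if [ "$mode" = strict ]; then
        dns_rules
        mail_rules
        web_rules
        rule -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "SAT-DROP: "
        rule -A "$CHAIN" -j DROP
    else
        rule -A "$CHAIN" -j ACCEPT
    fi
    # Only packets leaving through the satellite interface are steered into
    # the chain, so the 3G WAN stays open and no per-PC software is involved.
    rule -I FORWARD 1 -o "$SAT_IF" -j "$CHAIN"
}

# Stand-alone run: dry-run print of the chosen policy.
build_policy "${MODE:-strict}"
```

Two caveats a practitioner should weigh before trusting this. First, the back-to-base traffic the original poster measured almost certainly rides on TCP 443, so in either mode it still reaches any listed range; removing the 80/443 ACCEPT inside blocklist_rules stops it, at the cost of Office 365 web access to those ranges, which is exactly the trade-off post #8 describes. Second, the iprange and comment matches are optional iptables modules on OpenWRT (check what is installed before relying on them), and current OpenWRT releases ship nftables rather than iptables, so the same policy would have to be expressed as nft rules there.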

#9 @~thehung

    Guru

  • Hero
  • 8,681 posts

Posted 07 September 2017 - 06:47 PM

In case you can't/won't install alternate router firmware, how about using a RasPi 3 as an access point?

i.e.

- install something like Pi-Point on the Raspberry Pi, and mess with iptables on that
- run a cable from the Pi's LAN to the router
- all WiFi connections go through the Pi
- connect the PC to the Pi via a USB-to-LAN adapter on the Pi


no pung intended

#10 Nich...

    Professional Tart

  • Mod
  • 43,326 posts
  • Location:Mexico

Posted 07 September 2017 - 07:12 PM

Is Outlook being used just for mail?

Are you able to enforce only grabbing headers, so you don't get stuck downloading rogue spam attachments? Is it set to only download mail as plaintext?

Are you polling for mail, or is it pushed out?


"I think it is a sad reflection on our civilization that while we can and do measure the temperature in the atmosphere of Venus we do not know what goes on inside our soufflés" -- Nicholas Kurti



