Previously I talked about, well how awesome the firewall and intrusion countermeasures in Sophos are. And I didn’t get to how to actually configure them because of the shear amount of content I covered.
This time, we’re going to walk through how to add services to the firewall, and how to lock down or allow traffic through Sophos (your firewall). This includes how to enable Sophos to do the normal “Consumer Router firewall” stuff, as some people are “too lazy*” to set this up properly.
First thing first: As I mentioned previously, Sophos is draconian. Mostly because it only allows explicitely allowed traffic. By default, the firewall allows outgoing traffic for DNS, web (HTTP/HTTPS), email (SMTP/IMAP/POP), Instant messaging (XMPP/Jabber/MSN/etc), Terminal Services (RDP, VNC, Telnet, SSH, etc), and VoIP (SIP and H323). For most “average usage”, this is more the sufficient. However, since you’re installing Sophos, congrats, you’re anything but average!
The first thing I noticed when setting up Sophos was that it blocked all of my gaming traffic, as well as torrent and usenet and skype. Obviously this is less than idea. And this isn’t exactly obvious to a new user. It took me an hour to figure this out, actually. So let me make sure you don’t suffer the same fate (and piss off your wife, kids or significant others while they’re unable to access certain services).
First, figure out all the services you’re going to need enabled. Make a checklist of them. Preferably on a notepad with a lot of space between each. For this example, I’m going to use “Ooma” (you’re welcome Jason, and schoondoggy). The reason is that there is a LIST of ports in use here, and I can show you how to create a group, as well.
Before you get started, head over to Ooma’s website and grab the list of ports in use. It’s a long list. But here is the link. Additionally, you will notice that I don’t include all the ports. This is because port 53, 110, 123, and 443 are already defined as DNS, POP3, NTP and HTTPS respectively. We’re not going to mess with these because they’re already allowed.
Now, open the Web Admin page to “Definitions & Users”, and open the “Service Definitions”. You’ll see a huge list of stuff here. Click on “+New service definition…”. This will create a section where you can input here. For the name, set it to “Ooma#1” or something otherwise meaningful. Set the Type of destination to “UDP”, the destination port as 514. Leave the source port as “1:65535” (meaning that it can originate from any port, and since we don’t know for certian it’s coming from the same port, leave it). And set the comment to “Ooma Service Port”. Repeat this for each of the ports in the list. There should be five entries (also 10000-30000 should be entered as “10000:30000”, if you didn’t pick up on that yet).
Once that is done, add one more definition. Name it “Ooma VoIP” but set the type to “Group”. This way, you can group the entire set of ports together, so you only have to add the one entry to the firewall (or define it once elsewhere, as well. Click on the folder icon to add each of the Ooma service ports that you’ve created. Also add DNS, POP3, NTP and HTTPS to this group (to ensure everything works 100%)
Now, once you’ve done this (and repeated this for each and every single service you absolutely need accessing the outside world, it’s time to head to the “Network Protection” section and this baby to the firewall.
Hit the “+New rule…” button. It will create a similar box here. For this one, there is no need to set a group. But if you have mulitple rules that are similar, it may be easier for organization to do so. The next setting is “position”. If you want the rule to be higher, then that’s how you set it. For the most part, “Bottom” is the best place to be (insert lewd joke here). For the “sources,” in most cases, you will want to set “Internal (Network)” as this allows any traffic from inside the network. However, since Ooma is a single device, and we should only be allowing just that device for Ooma’s group, click on the “+” in the Sources box. Set the name to “Ooma VoIP Device”, set the type to “Host”, and input it’s IP Address. Hit “Save” and it will add it to the source list.
Notice how we set a static IP address here? Yeah, you may want to set up a reservation for the device, so that it never changes. Or set it up with a static IP address. Or alternatively, if it gets registered in the DNS server, you could set up the “DNS Host”, and point to that. This way, you don’t have to worry about the IP Address. However, you do have to worry about it properly registering.
Now, under Services, hit the folder icon, and add the Ooma VoIP group that you created. (see, all that work boiled into 2 seconds of work here).
And now for the Destinations, set this to “Any”. The reason you set it to “Any”, is that if you set the DNS host, or host or anything else, it may change with time. This ensures that it will always work with minimal effort. And in general, a good idea. At least for traffic you’re not absolutely certain about.
The last options here is “Action”, which you could set to Allow, Drop or Reject. Drop lets it know the connection was actively refused, while reject just lets it time out. You want to leave this on “Allow” for this. And the comment section, you can set to whatever you want, but I recommend seomthing like “Ooma VoIP rule” so you can easily see it.
Once you hit save, it will create the rule add it to the list. However, we’re not quite done yet. In fact, I almost forgot about this step when writing this up. Make sure you ENABLE the rule. by default, it’s created disabled. Just click on the “switch”, and it will be up and running. Notice the little box next to the number 13? Yeah, that’s the switch you need to “flip”.
Now, a smart and enterprising person may realize that you could do a lot here. In fact, if you have smart teenagers in the house, one edit I recommend here: edit the DNS rule. Even if you have OpenDNS configure, all your teen has to do is set their DNS server to 18.104.22.168 to bypass a lot of your work. And that’s no good.
If you have Server 2012 (R2) essentials, then to properly edit the DNS rule, I recommend removing the “Internal (Network)” option, and replace it with both “Internal (Address)” (which is the router/Sophos’ internal IP address) and add a host entry for your local DNS server (if you have one, such as Server 2012 Essentials). This means that that only the router itself, and your server can do external DNS lookups. Every other device on the network can only, and must look to these devices for DNS lookups. (I believe)
And then regardless if you’re using Server 2012 (R2) Essentials or not, set the destination to be only valid hosts that you want used. Such as OpenDNS (22.214.171.124, and 126.96.36.199), by manually adding these Hosts.
This will block any DNS lookups to any other DNS servers. Be careful though, you may break things. And make sure your server and Sophos is using the allowed DNS servers (check DNS Forwarders on both systems).
Also, don’t think that you can use this as a good web filter. You can, but that’s not what it’s meant for. In fact, there is a whole section dedicated to that, and I’ll cover that later. (note: add link here).
However, as I said above, if you’re lazy or just don’t have time to open the Live Logs (which by the way, will log all the dropped packages and such in real time, so you can narrow down what’s being killed/blocked). Do the above rule, but set the Source as “Internal (Network)”, set the service as “Any”, and set the destination as “Any”. Then name the rule “Consumer Router” (or whatever you want, but this is basically what it is doing).
Now, the rest of the settings in the firewall section is pretty self explanatory. Namely, country blocking. You can block a continent, or you can block a single country. Additionally, you can block connections TO those locations (maybe not a great idea), or connections FROM those locations (great for filtering out those Pakistani or Chinese hackers/botnets). Or both. And the control isn’t for just the regions, it’s for each country as well, and allows for fine grained control.
Just remember, if you block traffic from these regions, it means that they will not be able to access any services or sites that you are hosting on your network. This could mean that your blog is not accessible from these regions. But then again, this may be exactly what you want.
The rest of the settings are probably not needed, or at least, you may not need to mess with. Except maybe that “Log Unique DNS Requests” on the “Advanced” tab.
Stay tuned for my next post, where I talk about adding NAT (port forwarding) for services like web servers.