Most Know This But Me

Mike McCall

I got to playing with my firewall (Untangle) in an attempt to tighten the network down and learn more about Untangle & firewalls in general. Right away I learned that properly tweaking one's firewall takes time and research. Fortunately I've learned enough that I only broke a couple of things which were easily fixed.

Once I got PIA set up under Tunnel VPN, Netflix and Amazon Prime Video immediately broke. They don't allow VPN connections since they can't track everything you watch. Since I use a Roku for streaming I just needed to set up a rule to allow traffic to/from that internal IP address to bypass the VPN, and the problem was solved, leaving all other traffic on the VPN.

I had previously blocked foreign countries such as China, Russia, etc., and started going through the Web Filter categories. Lots of things I could block in there, many having to do with advertising, but that causes problems. It took me a few days to learn why I shouldn't block domains with no content. During that time I learned a bit about how domains aren't always used for HTTP traffic. Apparently they are used extensively for both legitimate and illegitimate purposes, and just blocking them all isn't a good idea.

What I'm having a hard time wrapping my head around is why I see so many sessions. I get that at least some domestic sessions might make sense, but sessions with foreign countries leave me scratching my head.


The information I've been able to find simply doesn't explain (in terms my thick head can understand) why these connections are necessary or why they seem to be consistent. If I were to remove the Geoblocking the map would look much worse. So, my question is:

Why, when one connects to the Internet, are so many sessions started, and why are they with foreign countries?
 
Exactly what sessions? Inbound? Outbound?

These days web pages are full of links buried in the HTML, which you don't see, to all kinds of places. One way to help sort this would be to disconnect all devices. Capture a baseline log via console. Then start turning on one device at a time to see what it's connecting to.

If you have no services being served out of your location, incoming connections should be relatively small. But it'll never be zero. Remember your IP is being logged everywhere, so some third party could be skimming it, legally or illegally. If you are providing services out of your location, then you'll see quite a bit of volume. I'll periodically look at incoming connections as I have email and www. I do see a lot of SSH attempts at the router.
 
I don't run services.

Untangle allows me to see some information regarding sessions, but not everything. Above, it seems to show outgoing sessions as it lists internal IPs as clients and external as servers. The Firewall shows lots of blocked sessions:

(screenshot: Firewall Blocked Sessions)

I get that some communications are necessary, but some don't seem to be at all. The IP address second from the bottom (198.16.70.58:443) is in the Netherlands.

Again, it appears to be outgoing since internally it's a client and externally a server. I know what the device is and have specifically blocked it with a rule. Some of the other IP addresses I've traced to advertising servers even when there's no...wait...there was a browser open. Even when I look at a device (Untangle) on my network via a browser it would trigger communication, right? Nosy bastards!
 

Exactly. In fact it'll try sending traffic even if it's not connected to the Internet. If you really want to dig into this you'll need to start with Windoze in safe mode with networking. Get a baseline. Then boot normally and use msconfig to turn off all you can. Then start turning stuff on. You'd be amazed at how much stuff gets farmed out to other companies. Back in the day there was Akamai and not a whole lot else.
 
Well, I may not be able to completely stop these sessions (and I may not actually want to) but I can make things more difficult for them by encrypting the data they're looking at. My main concern is the security of my network. BTW, I really do like Untangle.