Is it possible to get some kind of hardware firewall which only allows outbound connections on a whitelist?


noob8472

New Around Here
As topic really. (Is it possible to get some kind of hardware firewall which only allows outbound connections on a whitelist?)

I currently use Malwarebytes Windows Firewall, which notifies me if anything attempts to connect out, whereupon I can create a rule to allow/block. Is there a hardware firewall which can do the same? And if there is, how easy is it to configure?

Thanks.
 
Welcome to the forums @noob8472.

An RMerlin-supported Asus router with Skynet (script) installed may be able to do what you need.


 
As topic really. (Is it possible to get some kind of hardware firewall which only allows outbound connections on a whitelist?)

I currently use Malwarebytes Windows Firewall, which notifies me if anything attempts to connect out, whereupon I can create a rule to allow/block. Is there a hardware firewall which can do the same? And if there is, how easy is it to configure?

Thanks.
Not really. The router will not be able to notify you of outbound connections, and you will be facing an uphill battle trying to manually allow new connections every time they happen. Just think for example of the multiple rules that would be required just to allow Windows Update to work.
 
@noob8472 You can buy hardware firewalls but they tend to be expensive as they are aimed at enterprise users. Home routers have their own built-in firewalls, some of which allow for custom rules.

However, I suspect that neither of these are really what you're after. You say you get an alert from Malwarebytes when there's an outgoing connection attempt. This type of firewall is an application firewall that allows you to block/allow specific applications (e.g. a game). A separate firewall running on another piece of equipment can't do this because it has no knowledge of the application running on the client.

So for example, a hardware firewall may see traffic from your PC trying to connect to a server on port 443. Based on just that information it has no idea whether that should be allowed or not. It could be legitimate browser traffic or it could be from another application (e.g. a game) that you don't want to allow access for.
 
Hmmm. I was 'assuming' that that whitelist was for client devices, not for specific servers on the www.
 
ColinTaylor: Are you saying that there is no hardware firewall for which you can add specific ports to a whitelist? And notify on outbound traffic for anything not on the whitelist?
 
ColinTaylor: Are you saying that there is no hardware firewall for which you can add specific ports to a whitelist? And notify on outbound traffic for anything not on the whitelist?
No, I was saying I didn't know whether you wanted a firewall that blocks by application, or a firewall that blocks by source/destination address and/or source/destination port.

Perhaps you could give an example scenario and what you want to happen.
 
I was thinking of dns blocking like diversion or nextdns... but I suppose malware can have a hard-coded IP in it and not do a dns lookup that is in a block list? But those lists are updated.
 
ColinTaylor: Ah ok. So obviously Applications, that's the main one tbh, but also services, like

'BranchCache Hosted Cache Client (HTTP-Out)' which doesn't have an 'exe' listed, it just says 'system'.

Also

'Core Networking - Router Advertisement (ICMPv6-Out)'

There are lots! I block everything except Firefox, Thunderbird, and Core Networking, and Host Process for Windows Networking.

The original firewall was from this site: https://www.binisoft.org/wfc

Which is still live, but the free version there doesn't provide popup on unknown outgoing connection.
 
ColinTaylor: Ah ok. So obviously Applications, that's the main one tbh, but also services, like

'BranchCache Hosted Cache Client (HTTP-Out)' which doesn't have an 'exe' listed, it just says 'system'.

Also

'Core Networking - Router Advertisement (ICMPv6-Out)'

There are lots! I block everything except Firefox, Thunderbird, and Core Networking, and Host Process for Windows Networking.

The original firewall was from this site: https://www.binisoft.org/wfc

Which is still live, but the free version there doesn't provide popup on unknown outgoing connection.
Yes, you're talking about something that can only be achieved by a firewall program running on the computer. A separate firewall device won't help you.
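As an added example (not code from anyone in this thread), this is how the host-side setup the original poster describes can be expressed with the firewall built into Windows: default-deny outbound, per-application allow rules, the built-in Core Networking rules kept, and blocked outbound attempts written to the firewall log so they can be reviewed. The program paths and log location are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: default-deny outbound with a per-application allow list in Windows Firewall.
# Assumed install paths; adjust to where the programs actually live on the machine.
$allowed = [ordered]@{
    'Firefox'     = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'Thunderbird' = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'
}
$logFile = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'   # assumed log location

# There is no popup in the built-in firewall, but logging dropped packets gives a reviewable record
# of every outbound attempt that was not on the allow list.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName $logFile -LogMaxSizeKilobytes 32767

# One outbound allow rule per whitelisted program, created only if it does not already exist.
foreach ($name in $allowed.Keys) {
    $path = $allowed[$name]
    if (-not (Test-Path $path)) { Write-Warning "$name not found at $path, skipping"; continue }
    $ruleName = "Allow outbound - $name"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $path `
            -Action Allow -Profile Any | Out-Null
    }
}

# Keep the built-in Core Networking rules (DHCP, DNS, ICMPv6 router advertisement, ...) enabled,
# otherwise the default-deny below would cut basic connectivity.
Get-NetFirewallRule -Direction Outbound -DisplayGroup 'Core Networking' | Enable-NetFirewallRule

# Flip the default last, after the allow rules exist.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Review recent blocked outbound attempts: the log's last field ('path') is SEND for outbound drops.
Select-String -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Pattern 'DROP .* SEND' |
    Select-Object -Last 20
```

Rules for services that run as 'system' (such as BranchCache) are matched by the built-in predefined rules rather than by a program path, so they are handled by enabling or disabling those rules instead of adding entries to the table above.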
 
I've done application filtering on pfSense with SSL proxy and Suricata. Setting it up is not very user-friendly though and creates some issues in use after. Needs good CPU and RAM for Gigabit speeds. Possible, but I don't think it is needed on a home setup. Unnecessary complication and higher costs. I remember Untangle can do something similar, but haven't checked lately what's going on there after it became Arista. It also has a $50-150/year license for home use, not free.
 
Is it possible to get some kind of hardware firewall which only allows outbound connections on a whitelist?

White, or black, a list is only as good as its most-recent iteration. For home use I'd think it a daunting task to keep such updated, and most likely a real resource hog for a typical router/AP. I don't believe I'd feel confident in my security relying on such a scheme.
 
I don't believe I'd feel confident in my security relying on such a scheme.

How do you think Snort/Suricata rules are updated?
 
As topic really. (Is it possible to get some kind of hardware firewall which only allows outbound connections on a whitelist?)

I currently use Malwarebytes Windows Firewall, which notifies me if anything attempts to connect out, whereupon I can create a rule to allow/block. Is there a hardware firewall which can do the same? And if there is, how easy is it to configure?

I suppose the better question is: what is the problem you are trying to solve, as this really matters for what any particular solution would be.

I mentioned sonicwall, as they can definitely set up rules there, but that is a service relationship with the associated costs.
 
Do you really want to buy into doing the equivalent by yourself?

No, my business firewalls run with subscription service rules and they update faster than free community rules. No one is doing it manually, but it depends who is doing it for you. Free community rules and blocklists - delays and false positives. Skynet users have experience. It was blocking GitHub, Google, Microsoft, Cloudflare, Facebook, etc. popular servers. If someone is really launching an attack from specific IPs Skynet won't know about it even days later. This is my point.
 
In pfSense you can create an alias with a list of hosts/IPs that you can use in firewall rule(s).

 