mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

List of common ports needed for normal internet access and communication?

Sat Mar 09, 2019 11:21 am

Hope if someone could point me to a list of commonly used outgoing ports for internet access. I intend to block everything else.

What I mean is allow normal traffic, but block everything outside of it to reduce possible attack surface from inside.

Thanks!
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: List of common ports needed for normal internet access and communication?

Sat Mar 09, 2019 8:18 pm

Depends on what you and other users require. No way to know.
- Port 67/68 UDP for communication with ISP to get IP address
- Port 80 TCP for browsing
- Port 443 TCP for secure browsing
- Port 53 UDP/TCP for resolving internet addresses
- email programs
- other programs
 
mkx
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: List of common ports needed for normal internet access and communication?

Sat Mar 09, 2019 9:22 pm

If by "outgoing ports" you mean ports used by the local client when accessing an internet service ... then the most often used ports are anything between 1024 and 65535 ... ports between 1 and 1023 are IANA reserved for standard services (not that there aren't commonly used ports higher than 1023) and OSes usually don't allow processes of "ordinary" users to use them. But even the "low" ports can be used for outgoing connections sometimes (e.g. NTP servers usually use UDP port 123 for outgoing connections towards peers and servers, the same port they use to listen for incoming connections).
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: List of common ports needed for normal internet access and communication?

Sat Mar 09, 2019 9:50 pm

It really depends on what the goal is. If users behind the router should have the impression that they have access to the internet, then just allowing TCP 80 and 443 for web browsing could be enough for a lot of them. They also need DNS, but it does not necessarily have to be allowed out; it can be redirected to the router itself and most won't notice. Everything else could be blocked, and even though it will make more demanding users very unhappy, it might be enough, e.g., for basic office use.
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: List of common ports needed for normal internet access and communication?

Sat Mar 09, 2019 10:11 pm

Here is what I have for now:

80
8080
443
22
53
5930 (teamviewer)
993
465

I also have some special ports for services, etc., and would include those too.

NTP is local, as are other services.

The general idea is to allow general internet access to needed services, but prevent special local servers from talking with the world. - The LAN is rather large, so I would like to prevent any communication not actually needed. I know I could create smart firewall rules, etc., but it seems more sensible to open on demand + later filtering on L7 if *really* needed.
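One way to put the allow-list above into a RouterOS configuration, added here as an example; it is not from this thread and not from MikroTik's documentation. It follows Sob's suggestion of redirecting DNS to the router instead of letting port 53 out, turns the listed ports into forward-chain accepts, keeps the "local-only servers" off the WAN with an address list, and records the source of anything that falls through so that a misbehaving host shows up in an address list rather than only in the log. The interface lists LAN and WAN, the address-list names and member addresses, and the log prefix are all assumed names chosen for this example; the router's existing input chain is assumed to already drop unsolicited traffic from the WAN, and the TeamViewer port is left out because the thread does not settle which port that service needs.

```routeros
# Added example, not from the thread. Assumes interface lists LAN and WAN
# already exist with the internal and ISP-facing interfaces as members.

/ip firewall address-list
# constructed sample addresses: replace with the real subnets and hosts
add list=local-only address=192.168.10.0/24 comment="servers that must never talk to the world"
add list=ssh-admins address=192.168.1.10 comment="workstations allowed to SSH out"

# The router answers DNS for the LAN; a Pi-hole can later be set as its upstream.
/ip dns
set allow-remote-requests=yes

/ip firewall nat
# Every LAN DNS query, whatever server it was aimed at, lands on the router
# (Sob's approach), so no port-53 rule is needed in the forward chain.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# Only the LAN may use the router's resolver; never become an open resolver.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop

# forward chain: explicit allow-list for LAN -> WAN, default deny at the end
add chain=forward connection-state=established,related action=accept comment="replies to allowed flows"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN src-address-list=local-only action=drop comment="local-only servers never reach WAN"
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=80,443,8080 action=accept comment="web"
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=465,993 action=accept comment="mail submission / IMAPS"
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=22 src-address-list=ssh-admins action=accept comment="SSH only from listed admin hosts"
# Anything else the LAN tries is recorded (the host lands in egress-violators
# for a day and the first packet of the flow is logged), then dropped.
# add-src-to-address-list does not stop rule processing, so the drop stays.
add chain=forward in-interface-list=LAN out-interface-list=WAN connection-state=new action=add-src-to-address-list address-list=egress-violators address-list-timeout=1d log=yes log-prefix="egress-drop"
add chain=forward in-interface-list=LAN out-interface-list=WAN action=drop comment="default deny for everything else from LAN"
# Unsolicited connections from the WAN (not port-forwarded) are dropped too;
# without this line the forward chain would fall through to RouterOS's default accept.
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=!dstnat action=drop comment="no unsolicited inbound"
```

Rules are evaluated top to bottom, so these go above any forward rules already on the router. Once it is running, "/ip firewall address-list print where list=egress-violators" is the quick way to find the host that is talking where it should not, which is the rogue-device search described later in the thread; a forgotten P2P client shows up there within seconds. The log=yes on the recording rule is useful while tuning the list but should be removed or rate-limited afterwards, because one chatty client can fill the router's log.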
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: List of common ports needed for normal internet access and communication?

Sat Mar 09, 2019 10:56 pm

Some of the mentioned ports are known to be used for hacking purposes by infected devices. For example:
- port 22 (SSH) can be misused for reverse tunneling.
- port 80 is very common for DDoS because nobody filters it. I recently saw an issue where a home user had an infected device which was opening thousands of HTTP/TCP connections to Alibaba, but instead of crashing their server, it crashed the ISP's CCR1072 (bug in the garbage collector when NAT has the setting to-ports=xxx and the amount of connections exceeds the allowed range).
- port 53 can be used for DNS DDoS - again very common

Sounds like you are trying to provide IPS functionality on pure RouterOS. Maybe it would be easier to install a proper IPS appliance and let it filter your traffic?
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: List of common ports needed for normal internet access and communication?

Sun Mar 10, 2019 10:55 am

> Some of the mentioned ports are known to be used for hacking purposes by infected devices. For example:
> - port 22 (SSH) can be misused for reverse tunneling.
> - port 80 is very common for DDoS because nobody filters it. I recently saw an issue where a home user had an infected device which was opening thousands of HTTP/TCP connections to Alibaba, but instead of crashing their server, it crashed the ISP's CCR1072 (bug in the garbage collector when NAT has the setting to-ports=xxx and the amount of connections exceeds the allowed range).
> - port 53 can be used for DNS DDoS - again very common
>
> Sounds like you are trying to provide IPS functionality on pure RouterOS. Maybe it would be easier to install a proper IPS appliance and let it filter your traffic?

I am aware of those issues, but I do have to start from somewhere. Also, the budget is a bit limited here. I do have a 3011 router, but I don't have other appliances.
My first step would be to filter out anything that is not explicitly needed, then focus on what is left.

Each client is protected by the BitDefender AV/Firewall Enterprise solution (rather different than the consumer one), which performs really well.
The firewall works by installing an additional (invisible) passthrough network device over which all traffic traverses, so it reliably catches everything and also filters HTTP traffic, allowing blocking of content system-wide (PCs). For business agents I block:
  • hate, violence, illegal drugs, racism
  • gambling
  • pornography
  • hacking
  • scams
  • narcotics
So, if I reduce the attack surface port-wise, it should be relatively easy to find a rogue device in the network. - I had a situation last year when the entire network was bogged down by one user forgetting to turn off a P2P program when he got to work. We had a 10 Mbit/s link at that point. Now it is 40, and getting to 100 later this year.

I also intend to introduce a Squid proxy and Pi-hole DNS later on. Squid would serve the computer network and Pi-hole the entire network. - I have three WiFi networks: normal (part of the LAN), secluded WiFi for users, guest WiFi.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: List of common ports needed for normal internet access and communication?

Sun Mar 10, 2019 3:38 pm

If people are using P2P on your network (it is not forbidden), then put that person on a VLAN with only access to the internet.
Also, by putting them on a VLAN you can schedule them such that they are limited by number of sessions during the work period.
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: List of common ports needed for normal internet access and communication?

Sun Mar 10, 2019 3:54 pm

> If people are using P2P on your network (it is not forbidden), then put that person on a VLAN with only access to the internet.
> Also, by putting them on a VLAN you can schedule them such that they are limited by number of sessions during the work period.

Well, that is the thing - this is a company, and no one should use P2P stuff. However, I don't want to cause problems for people; most of them don't understand the underlying problems that can come out of it. It is simpler to block, and be done with it.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: List of common ports needed for normal internet access and communication?

Sun Mar 10, 2019 7:25 pm

As the IT person it is your responsibility to ensure the network functions.
If people are not adhering to policies, then ensure a policy is created.
If I am the president or CEO of a company and my IT person comes to me and admits, "yes, I knew they were using P2P and watching porn but instead of informing you I tried to cover it up by blocking what they were doing", you would be fired so fast:
a. you should have already had implementations in place that stop that shit cold
b. you should have implementations in place that detect bad behaviour
c. you need to report such things, as it is the job of others to take action, such as the HR department.

The worst transgression however is definitely c., because no one expects their own folks to be the problem in terms of hacking. Many companies have specific email servers just for spam and phishing (aka Barracuda servers etc.), as companies know that even reasonable folks can make mistakes on email.
By reporting c., you can also often justify additional expenses for equipment to help you detect and block outgoing crap.

Finally, the only person you are getting into trouble is yourself! Others need to take responsibility for their actions. Most companies will issue one or two warnings because no one wants to lose a valuable employee that is trained, but the threat to the company and to everyone is not to be taken so lightly. More importantly, you are transferring their problems and making it your responsibility to attempt to fix. WRONG!!!
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: List of common ports needed for normal internet access and communication?

Sun Mar 10, 2019 7:30 pm

I highly recommend you talk to these folks and see if their service will meet some or all of your needs.
I think it could be used to stop P2P and other activities cold.
https://axiomcyber.com/shield/

However, the first line of defense is educated workers, and that is something you can do to back up policy. Help them understand why they should not do such activities, not only to retain their jobs, but the damage that can be done by such activities and the harm that could come to the company, and everybody losing their jobs, for example. Such simple things like don't use personal USB sticks at work, etc.
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: List of common ports needed for normal internet access and communication?

Mon Mar 11, 2019 8:27 am

I understand your logic. What I am trying to do is make the issue not possible to happen, and usually the simplest approaches are the best. (Also, I really don't want to have to report anyone.) Currently there is browsing content filtering in place, and that works nicely. You wouldn't believe this, but I actually had a rebellion in one company that has a lot of mobile notebook users when I took over and introduced porn blocking. The general idea is to have the system reasonably protected, meaning not overdoing anything. Every endpoint is protected on the spot by an updated system and the AV/firewall solution I manage centrally. Additionally, I am trying to build a robust border firewall with MikroTik, and that would probably be enough. WiFi links cannot communicate with the wired network, so no trouble there either (only a few open ports). As for internal data theft and other issues, I guess you can't really protect against that. The NSA couldn't do it.

As for Axiom - do I understand that they provide an auto-updating firewall script for MikroTik routers? Is it possible to actually see how that works?
What they do seems like building IP block lists + some smart firewall rules, and feeding that daily into the box.
Another question is whether my 3011 would be powerful enough to run it.

Do you run Axiom scripts on any router?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: List of common ports needed for normal internet access and communication?  [SOLVED]

Mon Mar 11, 2019 1:53 pm

Yes, the Axiom scripts ran just fine on my small hEX and on my more powerful RB450Gx4.
You should also check out MOAB; it does probably everything Axiom does minus layer 7 rules, but is far, far more cost effective.

I'm glad to see you understand the logic. I also understand there may be cultural norms and practices that are different, but we both know that sites such as porn-related ones carry many trojans and other items that can take down a network. Your job is primarily prevention, because once infected, the network you are responsible for is potentially gone.

What I mean to say is that you need to get people off work computers for personal stuff, and don't laugh, it could mean putting computers on VLANs on every floor that are for personal use only. That way people have the option of accessing other stuff at work but not using work computers. Then you can still have the education bit and enforcement of policies.
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: List of common ports needed for normal internet access and communication?

Mon Mar 11, 2019 5:12 pm

> Yes, the Axiom scripts ran just fine on my small hEX and on my more powerful RB450Gx4.
> You should also check out MOAB; it does probably everything Axiom does minus layer 7 rules, but is far, far more cost effective.
>
> I'm glad to see you understand the logic. I also understand there may be cultural norms and practices that are different, but we both know that sites such as porn-related ones carry many trojans and other items that can take down a network. Your job is primarily prevention, because once infected, the network you are responsible for is potentially gone.
>
> What I mean to say is that you need to get people off work computers for personal stuff, and don't laugh, it could mean putting computers on VLANs on every floor that are for personal use only. That way people have the option of accessing other stuff at work but not using work computers. Then you can still have the education bit and enforcement of policies.

This site (MOAB): https://itexpertoncall.com/additional_info/moabpre.html ?

As for the users, there is an interesting phenomenon happening - the mobile revolution. I simply tell users to surf privately on their phones, which they were already doing, so I don't have many problems with it + WiFi is isolated. I also try to provide people with good WiFi coverage in toilets to be able to surf in peace while taking a dump. :-)

As for those scripts - they seem to be blocklists + some smart rules?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: List of common ports needed for normal internet access and communication?

Mon Mar 11, 2019 5:25 pm

Yes, nothing fancy, but he provides all the backend work so that they can be used on MT products and are continually updated.
It's stable and it works!
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: List of common ports needed for normal internet access and communication?

Mon Mar 11, 2019 11:01 pm

Thanks. Seems like good value, though I must say that the guy's mannerism on his site is needlessly brash.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: List of common ports needed for normal internet access and communication?

Tue Mar 12, 2019 1:09 am

> Thanks. Seems like good value, though I must say that the guy's mannerism on his site is needlessly brash.

It can be, but I have chatted with him through email and he is very sincere and patient.
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: List of common ports needed for normal internet access and communication?

Tue Mar 12, 2019 6:34 am

> Thanks. Seems like good value, though I must say that the guy's mannerism on his site is needlessly brash.

> It can be, but I have chatted with him through email and he is very sincere and patient.

That is nice to hear. Will probably give it a try to test.

Thanks for help!
