Firewall – Typical outbound port list for guest access

firewallnetworking

I manage a weekly rental house that includes wireless Internet access. I've allowed all outbound ports on my router but my ISP has disabled my Internet access twice now because guests have downloaded (or served up) copyrighted content. So I'd like to institute some port filtering to discourage p2p sharing (see disclaimer below). But I don't want to inconvenience the 99.9% of folks who keep things above-board.

My question is, what outbound ports are typically open for rental/hotel wireless Internet access, or where can I find such a list? TCP 80,443,25,110 at a minimum. Though my own email service uses 995 and 465 for SSL, some may use IMAP, I personally use SSH and FTP, so I'll open those. Roughly I figure I need to open access to privileged ports, and close 1024 & above. Is there a whitelist I should institute for commonly used high ports? And does it make sense to block UDP > 1024 ?

Disclaimer: I realize anyone replying to this message could circumvent the port filtering and share content to their heart's content. I do not need comprehensive p2p blocking, which requires more than a port whitelist. Anyone staying at the house shoulders the responsibility for their Internet use, per the rental contract. Also anyone savvy enough to circumvent the port filters would hopefully be savvy enough to use some sort of peer blocking, thereby preventing the ISP from taking down the service.

Best Answer

A general list of ports to open on "guest networks" which are relatively safe:

Outbound TCP:

53                  DNS unless you provide it (yes, TCP. Read the RFCs)
80, 443             Web Browsing
110, 995            EMail (pop3, pop3s)
143, 993            EMail (IMAP, IMAPS)
587                 EMail (SMTP Submission RFC 6409)

Outbound UDP:

53                  DNS again, unless you provide it
123                 NTP (Optional, but nice.)

Inbound TCP/UDP: NONE (Only established stateful connections from the above list)

As others have mentioned, bandwidth throttling may be a more effective way of dealing with torrenters.

As a non-technical measure to protect yourself from action (by your ISP or by copyright holders) you should also provide your renters with an acceptable internet use policy, noting that the renter's use of the internet access is their sole responsibility, illegal activity is not tolerated, and that violations of that policy will result in loss of internet access on this and all future visits.

There are template AUPs, but yours can be as simple or complex as you want, I recommend getting it down to one side of a regular sheet of paper.

Related Solutions

Networking – Typical Network Latency for East to West Coast USA

Speed of Light:
You are not going beat the speed of light as an interesting academic point. This link works out Stanford to Boston at ~40ms best possible time. When this person did the calculation he decided the internet operates at about "within a factor of two of the speed of light", so there is about ~85ms transfer time.

TCP Window Size:
If you are having transfer speed issues you may need to increase the receiving window tcp size. You might also need to enable window scaling if this is a high bandwidth connection with high latency (Called a "Long Fat Pipe"). So if you are transferring a large file, you need to have a big enough receiving window to fill the pipe without having to wait for window updates. I went into some detail on how to calculate that in my answer Tuning an Elephant.

Geography and Latency:
A failing point of some CDNs (Content Distribtuion Networks) is that they equate latency and geography. Google did a lot of research with their network and found flaws in this, they published the results in the white paper Moving Beyond End-to-End Path Information to Optimize CDN Performance:

First, even though most clients are served by a geographically nearby CDN node, a sizeable fraction of clients experience latencies several tens of milliseconds higher than other clients in the same region. Second, we find that queueing delays often override the benefits of a client interacting with a nearby server.

BGP Peerings:
Also if you start to study BGP (core internet routing protocol) and how ISPs choose peerings, you will find it is often more about finances and politics, so you might not always get the 'best' route to certain geographic locations depending on your ISP. You can look at how your IP is connected to other ISPs (Autonomous Systems) using a looking glass router. You can also use a special whois service:

whois -h v4-peer.whois.cymru.com "69.59.196.212"
PEER_AS | IP               | AS Name
25899   | 69.59.196.212    | LSNET - LS Networks
32869   | 69.59.196.212    | SILVERSTAR-NET - Silver Star Telecom, LLC

It also fun to explore these as peerings with a gui tool like linkrank, it gives you a picture of the internet around you.

VirtualBox Networking – How to Set Up Networking for Host and Guest

Try this:

Setup the virtualbox to use 2 adapters:
- The first adapter is set to NAT (that will give you the internet connection).
- The second adapter is set to host only.
Start the virtual machine and assign a static IP for the second adapter in Ubuntu (for instance 192.168.56.56). The host Windows will have 192.168.56.1 as IP for the internal network (VirtualBox Host-Only Network is the name in network connections in Windows). What this will give you is being able to access the apache server on ubuntu, from windows, by going to 192.168.56.56. Also, Ubuntu will have internet access, since the first adapter (set to NAT) will take care of that.
Now, to make the connection available both ways (accessing the windows host from the ubuntu guest) there's still one more step to be performed. Windows will automatically add the virtualbox host-only network to the list of public networks and that cannot be changed. This entails that the firewall will prevent proper access.
To overcome this and not make any security breaches in your setup:
- go to the windows firewall section, in control panel,
- click on advanced settings. In the page that pops up,
- click on inbound rules (left column), then on new rule (right column). Chose custom rule, set the rule to allow all programs, and any protocol. For the scope, add in the first box (local IP addresses) 192.168.56.1, and in the second box (remote IP) 192.168.56.56. Click next, select allow the connection, next, check all profiles, next, give it a name and save.

That's it, now you have 2 way communication, with apache/any other service available as well as internet. The final step is to setup a share. Do not use the shared folders feature in virtualbox, it's quite buggy especially with windows 7 (and 64 bit). Instead use samba shares - fast and efficient.

Follow this link for how to set that up: https://wiki.ubuntu.com/MountWindowsSharesPermanently

Best Answer

Related Solutions

Networking – Typical Network Latency for East to West Coast USA

VirtualBox Networking – How to Set Up Networking for Host and Guest

Related Topic