Good resources for home users?

I have been using UTM Home for about five years so far. I am very pleased with the rich feature set, and am quite familiar with where everything hides. It took a while, but I can zip around pretty quickly in UTM to create rules, hosts, services, and other objects.

I also have had an XG box running in standby for a few months, and have been trying to mirror my UTM setup, while also attempting to leverage the XG paradigm of policies to reduce the number of FW rules I need. I would like to avoid copying UTM rules 1:1 into XG, where possible.

One area I think I can get some help from XG, is in gaming. My son plays games using GeForce Now (streaming, mostly using EC2) on our Nvidia Shield. My GF uses her Xbox, and I play games on my PC. Anyone who has had to get games working with a real (non-uPNP) firewall knows that games don't make this easy for us. Firewall rules that allow traffic on ports 10000:65535 to any of 16 /10 subnets in the EC2 blocks are a little clunky, and when a game starts sending voice chat to a new IP, or uses a new, larger range or ports, well... you get the idea.

I am looking for a resource for how to create smarter rules for gaming, and eliminate the whitelisted netblocks, massive service ranges, etc. To create the rules I have in mind, I would take the application report output filtered to the ip.addr for a given game device over a 24 or 48 hour period and compile the application categories related to gaming. From this, I would create a group that could later be used to allow all services to any IP as long as they are those applications.

Is this possible/practical? Where can I look for how-to info that will help me in my quest?

In hindsight, this request isn't for home-users only...

TIA!

  • Hi  

    In the XG firewall, you may create rule-based on FQDN, Source IP, Destination IP or defining specific service/ports and apply content filtering.

    If you want to allow every access to specific host/IPs used for gaming, you can create IP host/group based firewall rule and apply "Allow All" web and app filter policy, it will allow all the traffic from the Source IP mentioned in the firewall rule and at the same time, it will log reports to analyze later and restrict the web and app filter policy as per your requirement.

  • In reply to Keyur:

    Hi Keyur,

    Thank you for your reply, but I think you misunderstood my post. I don't want to have Any > Any allow all rules on my network. That's what Netgear and Linksys devices are for. I want to be able to determine the application type, and allow my gaming devices to talk to any IP only when the application type has been determined to be gaming, or related.

    What I am hoping for is to be pointed to some good resources for creating rules by application type, meaning:

    • How do we analyze traffic traversing the firewall and determine the types of application traffic?
    • How do we make a group of those types of application categories?
    • How do we make a rule that utilizes those groups?
    • Can we make our own application category?
    • Can we categorize unclassified application types?

    In home firewalling, you tend to focus on the LAN > WAN traffic more so than enterprise that wants to secure web servers/resources.

    I can open the reporting section and filter by my GF's Xbox, for instance, and see that on a full day of gaming, the main application categories in descending order or traffic volume are: Gaming, Infrastructure, Windows Updates, XBOX Live, etc. I want to group those categories and allow them to any IP. I also want to be able to dig into the categories and see if some things are in there that I wouldn't want traversing the firewall.

    If this was the UTM, I would just open the manual and read, but the XG manual is hardly more than basic description of features. As in, "Application rule: Used to apply an application rule." Not very useful when determining how to perform a classification & categorization task.

    The reason I want this, is that I don't want to maintain large lists of EC2 servers, and groups of per-game services. For Fortnite alone, I am required to maintain the following services:

    • UDP 1:65535 → 13490:13495
    • UDP 1:65535 → 15000:15070
    • UDP 1:65535 → 5062
    • UDP 1:65535 → 6250
    • UDP 1:65535 → 7862:7863
    • UDP 10000:65535 → 9000:9100
    • UDP 1:65535 → 22222
    • UDP 1:65535 → 10000:45000

    The above services connect to any of 12 different EC blocks, /12 and larger. The green services above are used with two specific IP addresses. The orange service range above, I am currently tuning, and was needed only recently. Most of the traffic for the game is fairly limited to the smaller-ranged services (five ports here, 70 ports there, etc.), but lately, the orange service is randomly used to any of the 12 EC2 blocks. Each of those blocks has as many as 8 million IPs in the range, so you maybe can see why it would preferable to simply use the XG to say, "Allow traffic from Gaming Devices using {Fortnite application Category} to Any IP" instead of my current implementation.

    Thank you again for your reply, and the thought you put into it.

    tl;dr - I don't want to create Any > Any allow all rules on my network; I hope to find resources for how-to with the XG that covers my use-case.

  • In reply to gcracker:

    I can be wrong, but in my understatement:

     

    If you asking for this:

    "I want to be able to determine the application type, and allow my gaming devices to talk to any IP only when the application type has been determined to be gaming, or related."

    Then you're going to have issues, first of all, the gaming application list on XG barely have any new games to it, compared to the amount there is for Xbox,Steam,etc.

    But if you actually want to create an FW rule, that only allows WAN access when it's gaming related stuff, you're able to do it by using application filter (Blocking everything else but gaming), but at the end, since the gaming application list on XG is very "low", you will have way too many issues with it.

     

    Also another problem you're probably suffering in XG with gaming is:

    Sophos XG doens't have UPnP, which is a HUGE security issue to have it. - You're currently having issues with games that uses UPnP for port forwarding.

    If the problem is being port forwarding, since It doesn't have UPnP the entire process is manual.

    First of all, any game that doesn't relay on P2P connections - It connects directly to an server, means that there's no need for port forwarding.

    If the game uses UPnP, It means it needs port forwarding, if It's necessary, then you should be creating NAT rules based on the application and the host you will be setting on.

     

     

    At the end, if you don't want to have any headache with gaming related stuff on XG, you should create a FW rule to allow LAN => WAN traffic with match known users, and when necessary (P2P, or games that uses UPnP) create NAT rules based on the application. And block whatever you think is necessary after this.

  • In reply to Prism:

    Quite right - I don't want UPnP. I have no problem creating FW rules for the games, and have had no need to create NAT rules for them. They work perfectly well without NAT rules, even the Xbox.

    Since I am seeing Xbox traffic classified as gaming/xbox live, and I also see that the traffic from my PC (Steam, etc.) are properly classified, I think I should be able to make rules using those classes. Am I wrong?

    I am pretty confident that the XG FW rule structure allows creating application groups, so that administrators can create general LAN > WAN rules for staff.

    What I am really looking for here, is a resource for how to identify/classify traffic, create application groups, and then create rules that would reference them. I appreciate the suggestions, but I want info and how-to's more than anything.

     

    Thanks!

  • In reply to gcracker:

    Hi  

    As rightly said by  XG Application filter has a gaming category but it may not possible to add a signature for every game available.

    You can create a application filter and deny the categories you want and allow the gaming category or you can select an individual application to allow or deny and apply on the firewall rule created specifically for a host IP.

    You can check 'allow' or 'deny' logs from Log Viewer to check application

    You may check Live connection from current activities

  • In reply to Keyur:

    K, no good, well-known how-to resources. Got it. Thx anyway for all the replies.