Windows Defender Firewall outbound default

Paperspace states it’s firewall settings here: https://support.paperspace.com/hc/en-us/articles/236401787-What-types-of-firewalls-and-anti-virus-software-does-Paperspace-support-

But this requires that all outbound traffic be allowed, as per the default for Windows Defender Firewall.

We are trying to configure a more hardened environment that only allows specific outbound traffic, i.e. no using web browsers, et. al.

Any attempt to block outbound traffic so far causes the Paperspace remote access to break down. So far I have tried blocking all by default and then adding Allow rules for Paperspace 9980-9982 (TCP & UDP) and Salt minions at ports 4505,4506 (TCP only)–since Paperspace is apparently using Salt for management.

Note these firewall changes don’t break an existing remote session, but it prevents any subsequent reconnection. What other outbound ports are required? It cannot possibly be that it needs ALL ports open.

Hi @c4augustus the list of ports are not for outbound traffic, they are for inbound. For outbound traffic, if you want to limit browsing activity (note: you would benefit from a content filter), you’ll need to whitelist any host our VMs speak http(s) to such as the api and the log server.

In this case, you would block all outbound 80 and 443 with the exception of
api.paperspace.io
syslog.paperspace.io

Alternatively, you could block all outbound http/https and just allow the paperspace app (called Winagent) whitelist access to everything. This is probably a better idea because you don’t need to keep track nor know what hosts we talk to.

Thanks for the information, Daniel. I’ll give it a try.

BTW, we’ve switched our hardening strategy to use simplewall instead of Windows Defender Firewall because the latter is a nightmare to try and control.

1 Like

Windows Firewall is not fun at all :wink: Let us know how it goes!