How to limit DTTS opening ports

The DTTS (Don't Talk To Strangers) engine works by allowing traffic to a destination IP address (or addresses) only after a DNS query for it has been permitted and answered.

Where the desired outcome is to permit access only to specific destination ports, this can be achieved by adding REJECT/BLOCK rules, which override the DTTS ALLOW rules.

For example, to block all UDP ports and all TCP ports except 80 and 443, the two block rules would logically look like this:

  • Reject all TCP traffic destined to ports other than 80 or 443 on the Internet
  • Reject all UDP traffic destined anywhere on the Internet

Practically speaking, on the pfSense platform you would create a port alias (here called nonHTTPHTTPS) covering every port other than 80 and 443, like this:

Then you can apply a logical REJECT rule like this:

Likewise, to block all UDP traffic, the rule would look like this:

With the above rules in place, the net result is that DTTS functionality on the network is limited to TCP ports 80 and 443, since BLOCK/REJECT rules override the opening of any other ports.

Note that this specific example also blocks Internet-bound QUIC and NTP traffic, and every other commonly used UDP service; some security requirements do call for this.
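The following is an added illustration, not code from the original article or from the DTTS product: a small first-match policy evaluator that reproduces the ordering described above. It assumes that rules are evaluated top to bottom with the first match winning, that the DTTS engine contributes dynamic ALLOW entries for destination IPs whose DNS lookups were permitted, and that the two static REJECT rules sit ahead of those dynamic entries. The alias name nonHTTPHTTPS comes from the text; the IP addresses, the RFC 1918 definition of "Internet", and the function names are constructed for the example.

```python
"""Added example (not part of the original page or the DTTS product):
first-match evaluation of the "limit DTTS to TCP 80/443" policy.

Assumed model: static REJECT rules are consulted before the dynamic
DTTS ALLOW entries, so they take precedence. All addresses and names
below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def complement_ports(allowed: set[int]) -> list[tuple[int, int]]:
    """Return the ranges of 1..65535 that are NOT in `allowed`.

    This is how the nonHTTPHTTPS port alias is built: every port except
    80 and 443, expressed as ranges (1:79, 81:442, 444:65535).
    """
    ranges, start = [], 1
    for p in sorted(allowed):
        if p > start:
            ranges.append((start, p - 1))
        start = p + 1
    if start <= 65535:
        ranges.append((start, 65535))
    return ranges


# Port alias from the article: all ports other than 80 and 443.
NON_HTTP_HTTPS = complement_ports({80, 443})

# Sample assumption: "Internet" means any destination outside RFC 1918 space.
PRIVATE_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def in_alias(port: int, ranges: list[tuple[int, int]]) -> bool:
    """True if `port` falls inside any range of the alias."""
    return any(lo <= port <= hi for lo, hi in ranges)


def is_internet(ip: str) -> bool:
    """True for destinations outside the private address blocks."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


def evaluate(pkt: Packet, dtts_allowed_ips: set[str]) -> str:
    """First match wins; returns "reject", "allow" or "block".

    `dtts_allowed_ips` stands in for the dynamic ALLOW entries the DTTS
    engine creates after a permitted DNS query (constructed for the example).
    """
    # Rule 1: reject TCP to Internet ports other than 80/443 (alias nonHTTPHTTPS).
    if (pkt.proto == "tcp" and is_internet(pkt.dst_ip)
            and in_alias(pkt.dst_port, NON_HTTP_HTTPS)):
        return "reject"
    # Rule 2: reject all UDP destined anywhere on the Internet.
    if pkt.proto == "udp" and is_internet(pkt.dst_ip):
        return "reject"
    # Dynamic DTTS entries: allow traffic to IPs returned by a permitted DNS query.
    if pkt.dst_ip in dtts_allowed_ips:
        return "allow"
    # Default deny for everything else (no DNS lookup was ever permitted).
    return "block"


if __name__ == "__main__":
    resolved = {"203.0.113.10"}   # constructed: IP returned by a permitted DNS query
    for pkt in (Packet("tcp", "203.0.113.10", 443),
                Packet("tcp", "203.0.113.10", 22),
                Packet("udp", "203.0.113.10", 443),   # QUIC
                Packet("udp", "203.0.113.10", 123),   # NTP
                Packet("tcp", "198.51.100.7", 443)):  # never resolved via DNS
        print(pkt, "->", evaluate(pkt, resolved))
```

Running the block shows why the REJECT rules have to sit ahead of the DTTS entries: a destination that DTTS has opened still gets TCP 22, QUIC (UDP 443) and NTP (UDP 123) rejected, while a destination that was never resolved through a permitted DNS query is blocked even on TCP 443.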