Since the firewall has smart queue rules, it’s time to set them up. Firstly, let’s thank the Firewalla people for getting around to adding domain-based rules. Secondly, thumbs down to providers who don’t disclose their purpose-based domain names.
First step: go find all the ports for the services you rely on. I vaguely recall that streaming services run mostly over UDP, because nobody wants to do all the TCP handshakes. So when setting up my rules, I’ll just allocate the UDP connections to the HIGH priority smart queue.
Second step: create the rules you want. For my setup, I had to go through and create individual smart queue rules to give priority to these endpoints or specific ports. I did manage to set up some network segmentation, so the rules are only scoped to the primary VLAN that my phones, laptops, and tablets use. Wish Firewalla managed a list, or enabled a community-defined list, so I wouldn’t have to hunt these all down.
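Before typing all of these into the app, it helps to put the vendor port lists below into one table and check two things: which service a given flow (protocol, destination IP, destination port) would actually match, and which protocol/port pairs are shared by several services, since one smart queue rule covers all of them (UDP/3478, the STUN port, turns out to be claimed by every service on this page). The script below is an added example, not Firewalla code or anything from the vendors; the port ranges and CIDRs are copied from the tables quoted later in this post, the rule names and structure are my own, and domain-based destinations (`*.zoom.us`, `*.m.chime.aws`) are deliberately not modeled.

```python
"""Consolidate the per-service port lists from this post into one rule table
and (1) classify a flow against it, (2) report ports shared by several
services. Port/CIDR values come from the vendor tables quoted in the post;
rule names and structure are this example's own (constructed)."""
import ipaddress
import re
from collections import defaultdict


def parse_ports(spec):
    """Expand '3478, 3479, 8801 - 8810' or '19302–19309' into a set of ints.
    Vendor pages mix ASCII hyphens and en dashes, so both are accepted."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)\s*[-–]\s*(\d+)", part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def parse_cidrs(spec):
    """Turn 'a/b, c/d' into network objects; None means 'any destination'."""
    if spec is None:
        return None
    return [ipaddress.ip_network(c.strip()) for c in spec.split(",")]


# (service, protocol, port spec, destination CIDRs or None), as quoted in the post.
RULES = [
    ("Zoom",        "tcp", "80, 443, 8801, 8802",      None),
    ("Zoom",        "udp", "3478, 3479, 8801 - 8810",  None),
    ("Google Meet", "udp", "3478, 19302–19309",        None),
    ("Slack/Chime", "udp", "22466, 3478",              "99.77.128.0/18"),
    ("Slack/Chime", "tcp", "443",                      "99.77.128.0/18"),
    ("MS Teams",    "udp", "3478, 3479, 3480, 3481",
     "13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38"),
    ("MS Teams",    "tcp", "443, 80",
     "13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, "
     "52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, "
     "2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42"),
    ("Apple",       "udp", "16384–16403, 3478–3497",   None),   # FaceTime, Messages
    ("Apple ARD",   "tcp", "3283, 5900",               None),   # Remote Desktop, Screen Sharing
    ("Apple ARD",   "udp", "3283, 5900, 5901–5902",    None),
]

COMPILED = [(svc, proto, parse_ports(p), parse_cidrs(c)) for svc, proto, p, c in RULES]


def classify(proto, dst_ip, dst_port):
    """Return the sorted list of services whose rule matches this flow.
    A rule with CIDRs only matches when the destination is inside one of them;
    an IPv4 address is never inside an IPv6 network and vice versa."""
    ip = ipaddress.ip_address(dst_ip)
    hits = set()
    for svc, rproto, ports, cidrs in COMPILED:
        if rproto != proto.lower() or dst_port not in ports:
            continue
        if cidrs is not None and not any(ip in net for net in cidrs):
            continue
        hits.add(svc)
    return sorted(hits)


def shared_ports():
    """Map (proto, port) -> sorted services, for pairs claimed by more than one
    service. Each such pair needs only a single smart queue rule."""
    owners = defaultdict(set)
    for svc, proto, ports, _ in COMPILED:
        for p in ports:
            owners[(proto, p)].add(svc)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    print(classify("udp", "52.112.1.1", 3478))
    for (proto, port), svcs in sorted(shared_ports().items()):
        print(f"{proto}/{port}: {', '.join(svcs)}")
```

Feed `classify()` the destination tuples from your flow log to see whether a rule would have caught them; `shared_ports()` is the list to consolidate into one high-priority rule per protocol/port pair rather than one per vendor.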
Zoom
[Zoom Firewall Ports](https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548)
Protocol | Ports | Source | Destination |
---|---|---|---|
TCP | 80, 443 | All Zoom clients | *.zoom.us |
TCP | 443, 8801, 8802 | All Zoom clients | |
UDP | 3478, 3479, 8801 - 8810 | All Zoom clients | |
Google Meet
[Google Meet Firewall Ports](https://support.google.com/a/answer/1279090?hl=en)
- For audio and video, set up outbound UDP ports 3478 and 19302–19309.
- If you want to limit the number of Chrome WebRTC ports being used, use the ports specified at WebRTC UDP Ports.
- Or, you can limit those ports with your firewall.
- stream.meet.google.com
- youtube.googleapis.com
- www.youtube-nocookie.com
- googlevideo.com
Slack Huddles (aka Amazon Chime)
- Check that your network is set up to allow outbound traffic to UDP/22466. Otherwise, huddles will use TCP/443 for media transport (video and audio).
- Allow outbound traffic to TCP/443. This is required for huddles to function, even if outbound traffic to UDP/22466 is allowed for media transport.
- If you’d like, you can limit access to a specific IP range: 99.77.128.0/18. If your environment requires you to allow Slack’s required domains, make sure you approve *.m.chime.aws. We aren’t able to provide a list of static domains, and suggest allowing by wildcard to avoid any network disruptions.
^ That’s because they don’t manage the service… https://cloud-native.slack.com/help/urls
Looks like they use Chime under the hood for their “huddles”. So let’s get the correct information for the
https://docs.aws.amazon.com/chime/latest/ag/network-config.html
https://answers.chime.aws/articles/123/hosts-ports-and-protocols-needed-for-amazon-chime.html
- Amazon Chime Meetings, Chat, and Business Calling use 99.77.128.0/18 TCP/443 UDP/3478
MS Teams
Of course this would be a black hole of vague redirects to find the actual information. What a shitshow, MS. Also, wish I could just set a domain for these fools. https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
Skype for Business Online and Microsoft Teams
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
11 | Optimize Required | Yes | 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38 | UDP: 3478, 3479, 3480, 3481 |
12 | Allow Required | Yes | *.lync.com, *.teams.microsoft.com, teams.microsoft.com 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42 | TCP: 443, 80 |
16 | Default Required | No | *.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.net | TCP: 443 |
17 | Default Required | No | aka.ms | TCP: 443 |
18 | Default Optional Notes: Federation with Skype and public IM connectivity: Contact picture retrieval | No | *.users.storage.live.com | TCP: 443 |
19 | Default Optional Notes: Applies only to those who deploy the Conference Room Systems | No | adl.windows.com | TCP: 443, 80 |
27 | Default Required | No | *.secure.skypeassets.com, mlccdnprod.azureedge.net | TCP: 443 |
127 | Default Required | No | *.skype.com | TCP: 443, 80 |
180 | Default Required | No | compass-ssl.microsoft.com | TCP: 443 |
Apple
https://support.apple.com/en-us/HT202944
https://support.apple.com/en-us/102036
I do a bunch of RDP to headless machines, so I need to give those ports some priority.
Port | TCP or UDP | Service or protocol name | RFC | Service name | Used by |
---|---|---|---|---|---|
16384–16403 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | — | connected, — | Messages (Audio RTP, RTCP; Video RTP, RTCP) |
16384–16387 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | — | connected, — | FaceTime, Game Center |
16393–16402 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | — | — | FaceTime, Game Center |
16403–16472 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | — | — | Game Center |
5223 | TCP | Apple Push Notification Service (APNS) | — | — | iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream |
3478–3497 | UDP | — | — | nat-stun-port - ipether232port | FaceTime, Game Center |
3283 | TCP/UDP | Apple Remote Desktop and Classroom | — | net-assistant, classroom | Apple Remote Desktop |
5900 | TCP | Remote Framebuffer | 6143 | rfb | Apple Remote Desktop, Screen Sharing |
5900 | UDP | Remote Framebuffer, Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | — | — | Apple Remote Desktop, Screen Sharing |
5901–5902 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | — | — | Apple Remote Desktop, Screen Sharing |