Bruce
Anyone had any issue with the Egress firewall? I installed the latest ISO a few days ago and set the egress firewall to allow https and http. When I toggled the feature enabled / disabled, it stopped and started traffic just as expected. Now when I toggle the feature it does not stop internet traffic. Full disclosure: this is on Hyper-V, although the WAN and LAN external switches are dedicated to ClearOS and the Hyper-V management is on a dedicated NIC and network. Just an FYI in case I've messed something up.
Thanks
Friday, October 02 2020, 07:49 PM
Responses (7)
  • Accepted Answer

    Saturday, October 03 2020, 01:14 PM - #Permalink
    When using code tags, hit the "code" button then put your code between the ] and [.

    There is no DROP EGRESS rule. What you see is an IPS rule which will drop anything in the snortsam_EGRESS ipset set.

    If, by removing those two rules you can still browse, it may be because of the DNSthingyIPE rule. What the drop all default does is add a DROP rule right at the end of the chain. If a packet matches anywhere further up the chain, that match is taken and no further processing takes place, so the DROP rule does not get hit. It is a bit more complicated with extra chains like DNSthingyIPE, where it does not count as a match when it jumps to that chain, but if it then matches any rule in the DNSthingyIPE chain, that does count as a match and there will be no further processing. After jumping to DNSthingyIPE, if there are no matches, the packets continue in the FORWARD chain.
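    The first-match and jump/return behaviour described in the answer above, as an added worked example (not code from the thread or from ClearOS). It models the FORWARD chain from Bruce's listing in Python: the ipset-backed IPS rules are assumed to match nothing, and the contents of the DNSthingyEST and DNSthingyIPE chains are assumptions, since the thread never shows them. Toggling the tcp:80/443 allow rules and the sub-chain's behaviour shows exactly when the trailing DROP is reached and when it is not.

```python
"""Toy model of iptables chain traversal (added example, not ClearOS code).

Semantics modelled:
  * rules in a chain are tried in order; the first matching terminating
    target (ACCEPT/DROP) decides the packet and nothing later is consulted;
  * a rule whose target is a user chain is a jump, not a match: if nothing
    in that chain decides the packet, processing resumes in the caller;
  * if the end of a built-in chain is reached, its policy applies.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = dict  # keys: proto, src, dst, dport, state, icmptype


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or a user-chain name
    match: Callable[[Packet], bool]
    label: str = ""                    # text used in the trace


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)

    def _walk(self, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            trace.append(f"{chain}: {rule.label or rule.target}")
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target                 # terminating verdict
            verdict = self._walk(rule.target, pkt, trace)   # jump to user chain
            if verdict is not None:
                return verdict
            trace.append(f"{chain}: returned from {rule.target}, continuing")
        return None                                # fell off the end of the chain

    def verdict(self, chain: str, pkt: Packet) -> Tuple[str, List[str]]:
        trace: List[str] = []
        v = self._walk(chain, pkt, trace)
        if v is None:
            v = self.policy[chain]
            trace.append(f"{chain}: policy {v}")
        return v, trace


LAN_PREFIX = "172.22.22."       # the 172.22.22.0/24 LAN from the listing


def in_lan(p: Packet) -> bool:
    return p["src"].startswith(LAN_PREFIX)


def build_forward(allow_web: bool, dnsthingy_accepts: bool) -> Ruleset:
    """FORWARD chain modelled on the iptables -nvL listing in the thread.

    allow_web        -> keep the two 'ACCEPT tcp dpt:80/443' egress rules
    dnsthingy_accepts -> ASSUMPTION: the DNSthingyIPE chain accepts the packet
    """
    rs = Ruleset(policy={"FORWARD": "DROP"})
    fwd: List[Rule] = [
        # IPS (snortsam) ipset drops; the sets are assumed empty here
        Rule("DROP", lambda p: False, "DROP match-set snortsam_EGRESS dst"),
    ]
    if allow_web:
        fwd += [
            Rule("ACCEPT", lambda p: in_lan(p) and p["proto"] == "tcp" and p["dport"] == 80, "ACCEPT tcp dpt:80"),
            Rule("ACCEPT", lambda p: in_lan(p) and p["proto"] == "tcp" and p["dport"] == 443, "ACCEPT tcp dpt:443"),
        ]
    fwd += [
        Rule("DNSthingyEST", lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "jump DNSthingyEST"),
        Rule("DNSthingyIPE", lambda p: True, "jump DNSthingyIPE"),
        Rule("ACCEPT", lambda p: in_lan(p) and p["proto"] == "icmp" and p.get("icmptype") in (0, 8, 11), "ACCEPT icmp"),
        Rule("DROP", in_lan, "DROP all from 172.22.22.0/24"),   # the egress 'drop all' default
    ]
    rs.chains["FORWARD"] = fwd
    rs.chains["DNSthingyEST"] = [Rule("ACCEPT", lambda p: True, "ACCEPT (assumed)")]
    rs.chains["DNSthingyIPE"] = (
        [Rule("ACCEPT", lambda p: True, "ACCEPT (assumed)")] if dnsthingy_accepts else []
    )
    return rs


# Constructed sample packets: a new HTTPS connection and a new SSH connection
# from a LAN workstation to an outside address.
NEW_HTTPS: Packet = {"proto": "tcp", "src": "172.22.22.10", "dst": "203.0.113.5", "dport": 443, "state": "NEW"}
NEW_SSH: Packet = {"proto": "tcp", "src": "172.22.22.10", "dst": "203.0.113.5", "dport": 22, "state": "NEW"}


def verdict_for(allow_web: bool, dnsthingy_accepts: bool, pkt: Packet = NEW_HTTPS) -> Tuple[str, List[str]]:
    return build_forward(allow_web, dnsthingy_accepts).verdict("FORWARD", pkt)


if __name__ == "__main__":
    for allow, sub in ((True, False), (False, True), (False, False)):
        v, trace = verdict_for(allow, sub)
        print(f"allow_web={allow} dnsthingy_accepts={sub}: {v}  via  " + " -> ".join(trace))
```

    The third case is the one the answer describes: with the allow rules removed and nothing in DNSthingyIPE matching, the jump returns and the packet reaches the trailing DROP; in the second case the sub-chain decides the packet first and the DROP is never consulted. Reading the `pkts` counter of each rule in a real `iptables -nvL FORWARD` listing tells you which of these paths your traffic actually takes.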
  • Accepted Answer

    Bruce
    Saturday, October 03 2020, 12:14 PM - #Permalink
    I'm running GM business paid version with the DTTS feature. I watched this fellow's video on YouTube which does exactly what I wanted https://www.youtube.com/watch?v=vt-HZVHTaf4 at the 6:00 mark area. The egress firewall states: It allows you to block certain kinds of traffic from leaving your network. So when I set the default to block but allow https and http, I thought if I disabled those protocols it would block my traffic. It doesn't. So GM is overriding the egress firewall, or is it that the firewall isn't responding correctly? I know very little about how iptables and firewalls work so I'm sure I'll frustrate any reader, but I thought one of the concepts was the order in which rules are applied. So when I toggle the ports to disable, this is the result of the iptables. Shouldn't the DROP all EGRESS dst get priority over DNSthingy?

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    0 0 DNSthingyEST all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DNSthingyIPE all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT icmp -- * * 172.22.22.0/24 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- * * 172.22.22.0/24 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- * * 172.22.22.0/24 0.0.0.0/0 icmptype 11
    0 0 DROP all -- * * 172.22.22.0/24 0.0.0.0/0
  • Accepted Answer

    Saturday, October 03 2020, 08:01 AM - #Permalink
    The normal default operation of most (all?) routers is to block all unsolicited traffic from the internet, allow everything out and allow back in any replies to the outbound traffic. You have changed this to not allow anything out and then to allow by exception, and you have then allowed http and https, so no sites are blocked.

    Having said that, you are then running GM. GM is a DNS filtration tool and DNS. If GM blocks a site the DNS lookup fails, so you should not be able to access it unless your client has a cached copy of the DNS **or** if you are using some form of secure DNS like Firefox can or AVG can (but your firewall changes may stop that). Are you using the free or paid version of GM?
  • Accepted Answer

    Bruce
    Friday, October 02 2020, 10:10 PM - #Permalink
    Hi Nick, I'm really out of my element when it comes to iptables and the like - it was the main reason I chose ClearOS over products like pfSense and Sophos. I liked the menu and presentation of ClearOS; it was good for me. So I'm trying to follow. I don't use a proxy and don't host any website or services, just want super secure LAN traffic going in and out. The fewer open ports the better; that's why I thought gateway management and egress with limited open ports was a good choice. But I think you're indicating the egress is controlling outbound traffic from the WAN to the internet. Then do I need to create rules for the LAN - I thought the LAN was protected out of the box, so to speak?
  • Accepted Answer

    Friday, October 02 2020, 09:20 PM - #Permalink
    I've edited your post to use code tags and not quote tags.

    It looks like you have two allow rules for tcp:80 and tcp:443. Those allow rules take precedence over DNSThingy/Gateway Management but there will be some interaction.

    With regard to the other comment, the firewall has a number of separate chains. The FORWARD chain controls WAN > LAN traffic and the OUTPUT chain controls traffic originating from ClearOS. The Egress Firewall only affects traffic going through the FORWARD chain. If you run the proxy (and you probably don't, as you are using DNSThingy/Gateway Management) then internet traffic, as it is processed by ClearOS, as far as the firewall is concerned, counts as coming from ClearOS and not from the LAN.
  • Accepted Answer

    Bruce
    Friday, October 02 2020, 09:00 PM - #Permalink
    Nick, the egress is set to - Block all outgoing traffic - specify allowed destinations. I'm not sure I fully understand your server and LAN idea. If you mean to say it should only apply to LAN attached clients, that is what I am trying against. A LAN attached workstation at one time was not able to get out through the firewall using the egress setting; now it can (of course when I toggle it).

    iptables -nVL FORWARD output

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    172 47040 ACCEPT tcp -- * * 172.22.22.0/24 0.0.0.0/0 tcp dpt:80
    32884 21M ACCEPT tcp -- * * 172.22.22.0/24 0.0.0.0/0 tcp dpt:443
    50559 42M DNSthingyEST all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    147 170K DNSthingyIPE all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT icmp -- * * 172.22.22.0/24 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- * * 172.22.22.0/24 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- * * 172.22.22.0/24 0.0.0.0/0 icmptype 11
    0 0 DROP all -- * * 172.22.22.0/24 0.0.0.0/0
  • Accepted Answer

    Friday, October 02 2020, 08:11 PM - #Permalink
    The Egress firewall only operates on the FORWARD chain so for LAN > WAN traffic and not server > WAN. Note that if you use the proxy, outgoing traffic from the LAN is server > WAN and not LAN > WAN. In the Egress firewall, what is the firewall Mode?
    Also what is the result of:
    iptables -nvL FORWARD
    Please put the results between "code" tags.