Firewall access rules RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ianlinksys, Sep 1, 2006.

  1. ianlinksys

    ianlinksys LI Guru Member


    When I set up access rules in the firewall section, they don't work.
    If I test the connections from a web site that probes the port, it always reports they are in stealth mode (no reply).

    If, however, I try the same thing from the Setup tab (Port Forwarding), it works: port open. I do not want to do this, as I cannot specify a source IP address, allowing any IP address to connect to this port; this caused me a lot of grief in the past with hackers.

    Thanks for any help
  2. pablito

    pablito Network Guru Member

    I see what you want to do and I can say that the rules won't let you do it. There isn't enough flexibility in the firewall/forwarding rules.

    The only way I can see to do it is to put in the port forward and then put your allow and deny rules on the destination internal machine. It is a good idea to lock down the internal machines anyway. I bumped into this when I needed ssh for a while but wanted to limit it to specific IPs.
  3. ianlinksys

    ianlinksys LI Guru Member

    Ah, OK, that seems strange though. Surely if that's the case, the firewall access rules are a complete waste of time. What use do they serve?
  4. pablito

    pablito Network Guru Member

    Yeah, that is the problem with consumer-grade products: make it so simple that it isn't flexible.
    A normal firewall would require you to enter the port forward and then a firewall rule (or rules). The rules need to be in the right order. Pretty simple, but I can tell you that many people don't understand that, and that would cause support calls. That is what Linksys is thinking, I would guess.

    So, a port forward adds a behind-the-scenes rule for Any->(TCP/UDP port)->WAN->Internal_Net. It would be nice to have control over those rules.

    The firewall rules are more suited to blocking specific ports and/or users/networks. My rules are slowly expanding to block certain trouble areas. I also add rules to prevent certain protocols, and those rules come before the "allow anything from the internal net" rule.
  5. pablito

    pablito Network Guru Member

    Just today I was training a user on a commercial firewall and had to explain that not only did they have to configure a port forward, they also had to create firewall rules to match. Sensible defaults with editable logic would be nice. The rules are created but are hidden from the interface.

    Which just made me think about all the subnet blocking rules I have in place for locations that have proved to be too persistent with their attacks. Those rules do little good since the port forwards allow them in anyway....

    Ideally we'll get 3rd party firmware that allows the more geeky folks to make rules that make more sense security wise. Hmm, a company that offers a "pro" version of firmware alongside the default easy version would get more of my business. Make the pro version a user to user only support license (I'd even host the forum, maybe).

    In the meantime, you should always configure the internal servers with sensible security even if it seems redundant. It isn't redundant; it is prudent.
    Let me guess: SMTP or perhaps SSH was the target? If it is a gamer type of app, then I'm out of answers: "homey don't know bling". :)
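The behaviour the thread describes (a port forward silently adding an Any->port->WAN->LAN allow rule that is evaluated before the user's own deny rules, and the workaround of filtering on the internal host instead) can be shown with a small first-match filter model. This is an added example, not RV042 firmware code or anything posted in the thread; the rule order (hidden forward rule ahead of user access rules), the addresses 203.0.113.0/24, 198.51.100.5 and 192.168.1.10, and the helper names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One filter rule: first match wins, like most stateless ACLs."""
    action: str                 # "allow" or "deny"
    src: str                    # CIDR, single IP, or "any"
    dst_port: Optional[int]     # None = any port
    proto: str = "tcp"          # "tcp", "udp" or "any"
    note: str = ""

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        return True


def evaluate(rules, src_ip: str, dst_port: int, proto: str = "tcp", default: str = "deny"):
    """Walk the list in order; return (action, note) of the first matching rule."""
    for r in rules:
        if r.matches(src_ip, dst_port, proto):
            return r.action, r.note
    return default, "implicit default (no reply / stealth)"


# Constructed data: the user's access rules on the router, e.g. a subnet that
# has been attacking and an "allow everything from the LAN" rule.
USER_RULES = [
    Rule("deny", "203.0.113.0/24", None, "any", "blocked subnet (user rule)"),
    Rule("allow", "192.168.1.0/24", None, "any", "LAN may go anywhere (user rule)"),
]

# Assumption: the port forward creates a hidden rule Any->tcp/22->WAN->192.168.1.10
# that the router evaluates BEFORE the user's access rules.
HIDDEN_FORWARD = Rule("allow", "any", 22, "tcp", "hidden rule from port forward to 192.168.1.10")


def router_decision(src_ip: str, dst_port: int, user_rules_first: bool = False):
    """Decision at the router. user_rules_first=True models the ordering the
    thread wishes for (user deny rules evaluated ahead of the forward rule)."""
    rules = USER_RULES + [HIDDEN_FORWARD] if user_rules_first else [HIDDEN_FORWARD] + USER_RULES
    return evaluate(rules, src_ip, dst_port)


# Constructed data: host-based rules on the internal SSH server (192.168.1.10),
# the workaround suggested in the thread. Only one management IP may reach port 22.
HOST_RULES = [
    Rule("allow", "198.51.100.5", 22, "tcp", "admin IP allowed to ssh (host rule)"),
    Rule("deny", "any", 22, "tcp", "everyone else denied on ssh (host rule)"),
]


def host_decision(src_ip: str, dst_port: int):
    """Decision on the internal server, after the router has forwarded the packet."""
    return evaluate(HOST_RULES, src_ip, dst_port)


def end_to_end(src_ip: str, dst_port: int) -> str:
    """A connection succeeds only if both the router and the host allow it."""
    router_action, _ = router_decision(src_ip, dst_port)
    if router_action != "allow":
        return "deny"
    host_action, _ = host_decision(src_ip, dst_port)
    return host_action


if __name__ == "__main__":
    for ip, port in [("203.0.113.7", 22), ("198.51.100.5", 22), ("203.0.113.7", 80)]:
        print(f"{ip}:{port} router={router_decision(ip, port)[0]} "
              f"router(user rules first)={router_decision(ip, port, True)[0]} "
              f"end-to-end={end_to_end(ip, port)}")
```

Run stand-alone, the script shows the blocked subnet reaching port 22 at the router because the forward rule matches first, being stopped only when the user rules are ordered ahead of it (which the thread says the RV042 UI does not allow), and being stopped in practice by the host rule on the server itself. Port 80, which has no forward, falls through to the implicit deny and appears "stealthed" to an external probe.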
