
Firewall rules tip on the RV0x

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by pablito, Oct 27, 2006.

  1. pablito

    pablito Network Guru Member

    One thing that bugs me about the RV (besides the load balancing) is that once you create a port forward you can't selectively block IPs from using the port forward; all source IPs will be forwarded. Apparently a port forward sets up a firewall allow rule that is at the top and you can't see or change it. Any deny rules you set up are ignored since the invisible allow rule comes first.

    A primary example of where I need better firewall rules is SSH. I want to forward SSH but only from a few source IPs. Another might be that I want to block an external IP range for *everything*. I still use good security on the inside, but having multi-layer security is desired.

    So, to accomplish this you can use the UPnP rules instead of port forwarding. You don't have to enable UPnP, simply create the rules and leave UPnP itself turned off.

    Create your rule with the desired service (add the service if not already in the list) and the destination internal IP. A nice benefit is that you can also forward to an internally routed subnet that a normal port forward won't allow you to configure.

    After creating the rules you'll initially have an allow-all rule that, once again, you can't see, but apparently it is created below any custom firewall rules you set up (the way port forwarding should be doing it). Now you can create your allow and deny rules as needed and they are not ignored. You can now allow that SSH connection from a trusted IP while denying SSH from everywhere else. Of course the rule order is important: allow rules for a specific port come before the deny-all rules. If you want to block a specific source IP or IPs from everything, then place those rules at the top so they are dropped without further analysis.

    If you have multiple external IPs then One-to-One NAT is another way to do this.
     
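    The ordering effect pablito describes can be worked through with a small first-match model. The following is an added example, not code from the original post and not the RV0x's actual implementation: it assumes a first-match firewall chain, an implicit "allow" rule that the router inserts either above or below the admin's custom rules, and constructed source addresses from the RFC 5737 documentation ranges. The `Rule`, `evaluate`, `port_forward_chain`, `upnp_rule_chain` and `misordered_chain` names are the example's own.

```python
"""First-match firewall rule evaluation (constructed model, not the RV0x firmware).

Shows why an implicit allow rule placed above custom rules makes every
custom deny unreachable, while the same rule placed below them lets the
custom allow/deny ordering take effect.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR, or "any"
    dport: Optional[int]   # destination port, None means any port
    comment: str = ""

    def matches(self, src_ip: str, dport: int) -> bool:
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: List[Rule], src_ip: str, dport: int, default: str = "deny") -> str:
    """Return the action of the first rule that matches, else the default policy."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action
    return default


# Constructed addresses (RFC 5737 documentation ranges, hypothetical hosts).
TRUSTED_ADMIN = "203.0.113.10"
RANDOM_INTERNET_HOST = "198.51.100.77"
BLOCKED_RANGE = "192.0.2.0/24"
HOST_IN_BLOCKED_RANGE = "192.0.2.42"

# The admin's custom rules, in the order the post recommends:
# range-wide denies first, then the specific allow, then the catch-all deny.
custom_rules = [
    Rule("deny", BLOCKED_RANGE, None, "drop this range for everything"),
    Rule("allow", TRUSTED_ADMIN + "/32", 22, "SSH only from the trusted admin host"),
    Rule("deny", "any", 22, "SSH from everywhere else"),
]

# The rule the router adds on the admin's behalf when a forward is configured.
implicit_allow_ssh = Rule("allow", "any", 22, "implicit allow created by the forward")


def port_forward_chain() -> List[Rule]:
    """Port forwarding as described: the implicit allow sits above custom rules."""
    return [implicit_allow_ssh] + custom_rules


def upnp_rule_chain() -> List[Rule]:
    """UPnP-style forward as described: the implicit allow sits below custom rules."""
    return custom_rules + [implicit_allow_ssh]


def misordered_chain() -> List[Rule]:
    """Custom rules with the catch-all deny placed before the specific allow."""
    misordered = [custom_rules[0], custom_rules[2], custom_rules[1]]
    return misordered + [implicit_allow_ssh]


if __name__ == "__main__":
    for name, chain in (("port forward", port_forward_chain()),
                        ("UPnP rule", upnp_rule_chain()),
                        ("UPnP rule, misordered", misordered_chain())):
        print(f"--- {name} ---")
        for src in (TRUSTED_ADMIN, RANDOM_INTERNET_HOST, HOST_IN_BLOCKED_RANGE):
            print(f"  SSH from {src:>15}: {evaluate(chain, src, 22)}")
```

Running the script shows the three outcomes the post describes: with the implicit allow on top, every source reaches SSH regardless of the deny rules; with it at the bottom, only the trusted host gets through; and with the custom rules themselves out of order, the catch-all deny swallows the trusted host too.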
  2. Toxic

    Toxic Administrator Staff Member

    Great find, well done! :thumbup:
     
