
RV042/RV082 series firewall rules tutorial?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ca_picker, Nov 11, 2007.

  1. ca_picker

    ca_picker LI Guru Member

    Let's say an attacker somehow gained access to a machine on the LAN (192.168.x.x), i.e. someone browsed a malicious website or something, and was able to set up a stealth server on some port to phone home, send out spams, be a bot for DDoS, etc.

    Do the default RV0*2 rules prevent outbound traffic from such a beast? If not, how should I go about preventing this (looking for specifics on rules to set up on the RV042, recommended ports to block, etc.)? Keeping in mind that I want to retain access for some common services like HTTP, VNC, RDC, etc. etc. only on the LAN and VPNs (a secondary question/confirmation is, are the VPNs assumed to be on the LAN port, for purposes of firewall rule evaluation, as they appear to be?).
     
  2. ca_picker

    ca_picker LI Guru Member

    I'm not so sure that is practical. I just tried a very restrictive block rule:
    Deny - All Traffic - Any Interface - Any IP - Any IP

    Then ahead of those opened up a few of the common ports, i.e.:
    Allow - 80 - LAN - <LAN IPs> - Any IP
    Allow - 143 - LAN - <LAN IPs> - Any IP

    And that is definitely effective, but perhaps too much so: it also prohibits basics such as ping and traceroute, with no (apparent) way to open these ICMP protos.

    Suggestions? I do like the idea of opening up just what I need; that's the safest, but I do need ping and traceroute.
     
  3. ca_picker

    ca_picker LI Guru Member

    OK, 3 posts in a row :)

    Playing around with this, I discovered that the built-in service definition for "All Traffic" is special, and includes things like ICMP and IGMP protocols, such as ping mentioned above, which cannot be accessed in user-defined services.

    So I made my own service definitions, one for TCP 1~65535 and one for UDP 1~65535. Then set up my rules like this:

    Code:
    Priority   Name                 Action   SrcIf   Source      Dest 
    --------   ----                 ------   -----   ------      ----
    1          Allow HTTP[80]       Allow    LAN     <LAN IPs>   Any IP
    2          Allow POP3[110]      Allow    LAN     <LAN IPs>   Any IP
    3          Allow IMAP[143]      Allow    LAN     <LAN IPs>   Any IP
    .. (additional allow rules for various services)
    x          Allow All Traffic*   Allow    LAN     <VPN IPs>   <VPN IPs>
    y          Deny All UDP**       Deny     Any     Any         Any
    z          Deny All TCP***      Deny     Any     Any         Any
    -          Allow All Traffic*   Allow    LAN     Any         Any
    -          Deny All Traffic*    Deny     WAN1    Any         Any
    -          Deny All Traffic*    Deny     WAN2    Any         Any
    
    (the last 3 are the built-in rules that 
    cannot be deleted or modified by the user)
    
      *x = RV042's built-in "All Traffic" special service definition
     **y = my custom service definition, UDP 1~65535
    ***z = my custom service definition, TCP 1~65535
    
    

    I think this is doing what I want, which is basically:
    • Allow anything within the LAN/VPNs
    • Allow common services (web, mail, etc.)
    • Block everything else
    Comments? Suggestions?
     
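To see how the ordered list in the post above actually behaves, here is an added first-match simulation of it in Python; it is not code from the post or from Cisco, and the subnets 192.168.1.0/24 and 192.168.2.0/24 are assumed stand-ins for the post's <LAN IPs> and <VPN IPs>. It reproduces the two points the post makes: with only the three built-in rules, any outbound TCP/UDP port from the LAN is allowed, and with the custom "Deny All TCP/UDP" rules in place ICMP still gets through, because user-defined services cannot match it and it falls through to the built-in LAN allow.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp", or "all" (the built-in "All Traffic", which also covers ICMP/IGMP)
    ports: tuple   # (low, high) destination port range; () for "all"
    src_if: str    # "LAN", "WAN1", "WAN2" or "Any"
    src: str       # source network, CIDR
    dst: str       # destination network, CIDR

Packet = namedtuple("Packet", "src_if proto src dst dport", defaults=(0,))
ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"   # assumed stand-in for the post's <LAN IPs>
VPN = "192.168.2.0/24"   # assumed stand-in for the post's <VPN IPs>

def _hit(rule: Rule, pkt: Packet) -> bool:
    if rule.src_if not in ("Any", pkt.src_if):
        return False
    if rule.proto != "all":   # user-defined services are TCP/UDP port ranges only
        if rule.proto != pkt.proto:
            return False
        if not rule.ports[0] <= pkt.dport <= rule.ports[1]:
            return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk the list in priority order; the first matching rule decides."""
    for rule in rules:
        if _hit(rule, pkt):
            return rule.action, rule.name
    return "deny", "no match"

BUILTIN = [  # the three rules the RV042 keeps at the bottom and does not let you edit
    Rule("Allow All Traffic (LAN)", "allow", "all", (), "LAN", ANY, ANY),
    Rule("Deny All Traffic (WAN1)", "deny", "all", (), "WAN1", ANY, ANY),
    Rule("Deny All Traffic (WAN2)", "deny", "all", (), "WAN2", ANY, ANY),
]
CUSTOM = [  # the post's list: explicit allows, then the two catch-all denies, then BUILTIN
    Rule("Allow HTTP[80]", "allow", "tcp", (80, 80), "LAN", LAN, ANY),
    Rule("Allow POP3[110]", "allow", "tcp", (110, 110), "LAN", LAN, ANY),
    Rule("Allow IMAP[143]", "allow", "tcp", (143, 143), "LAN", LAN, ANY),
    Rule("Allow All Traffic (VPN)", "allow", "all", (), "LAN", VPN, VPN),
    Rule("Deny All UDP", "deny", "udp", (1, 65535), "Any", ANY, ANY),
    Rule("Deny All TCP", "deny", "tcp", (1, 65535), "Any", ANY, ANY),
] + BUILTIN
```

Compare `evaluate(BUILTIN, pkt)` with `evaluate(CUSTOM, pkt)` for an outbound LAN packet on an unlisted port to see the difference the two catch-all denies make; the router's log of which rule fired is the same information the last post describes reviewing.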
  4. ca_picker

    ca_picker LI Guru Member

    Just an update on this: I have employed this technique at one of my sites and it seems to be working reasonably well. I have a list of about a dozen or so ports that I need to open for outbound traffic (http, https, ftp, ntp, imap, pop3, a few other misc.) but not as bad as I thought.

    Reviewing the logs has revealed lots of interesting stuff about my network that I was previously unaware of...much more than I'd dreamed of; a surprising amount of multicast stuff.
     
