RV042/RV082 series firewall rules tutorial?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ca_picker, Nov 11, 2007.

  1. ca_picker

    ca_picker LI Guru Member

    Let's say an attacker somehow gained access to a machine on the LAN (192.168.x.x), i.e. someone browsed a malicious website or something, and was able to set up a stealth server on some port to phone home, send out spams, be a bot for DDoS, etc.

    Do the default RV0*2 rules prevent outbound traffic from such a beast? If not, how should I go about preventing this (looking on specifics on rules to set up on the RV042, recommended ports to block, etc.)? Keeping in mind that I want to retain access for some common services like HTTP, VNC, RDC, etc. etc. only on the LAN and VPNs (a secondary question/confirmation is, are the VPNs assumed to be on the LAN port, for purposes of firewall rule evaluation as they appear to be)?
  2. ca_picker

    ca_picker LI Guru Member

    I'm not so sure that is practical. I just tried a very restrictive block rule:
    Deny - All Traffic - Any Interface - Any IP - Any IP

    Then ahead of those opened up a few of the common ports, i.e.:
    Allow - 80 - LAN - <LAN IPs> - Any IP
    Allow - 143 - LAN - <LAN IPs> - Any IP

    And that is definitely effective, but perhaps too much so: it also prohibits basics such as ping and traceroute, with no (apparent) way to open these ICMP protos.

    Suggestions? I do like the idea of opening up just what I need; that's the safest, but I do need ping and traceroute.
  3. ca_picker

    ca_picker LI Guru Member

    OK, 3 posts in a row :)

    Playing around with this, I discovered that the built-in service definition for "All Traffic" is special, and includes things like ICMP and IGMP protocols, such as ping mentioned above, which cannot be accessed in user-defined services.

    So I made my own service definitions, one for TCP 1~65535 and one for UDP 1~65535. Then set up my rules like this:

    Priority   Name                 Action   SrcIf   Source      Dest 
    --------   ----                 ------   -----   ------      ----
    1          Allow HTTP[80]       Allow    LAN     <LAN IPs>   Any IP
    2          Allow POP3[110]      Allow    LAN     <LAN IPs>   Any IP
    3          Allow IMAP[143]      Allow    LAN     <LAN IPs>   Any IP
    .. (additional allow rules for various services)
    x          Allow All Traffic*   Allow    LAN     <VPN IPs>   <VPN IPs>
    y          Deny All UDP**       Deny     Any     Any         Any
    z          Deny All TCP***      Deny     Any     Any         Any
    -          Allow All Traffic*   Allow    LAN     Any         Any
    -          Deny All Traffic*    Deny     WAN1    Any         Any
    -          Deny All Traffic*    Deny     WAN2    Any         Any
    (the last 3 are the built-in rules that 
    cannot be deleted or modified by the user)
      *x = RV042's built-in "All Traffic" special service definition
     **y = my custom service definition, UDP 1~65535
    ***z = my custom service definition, TCP 1~65535

    I think this is doing what I want, which is basically:
    • allow anything within the LAN/VPNs
    • Allow common services (web, mail, etc.)
    • Block everything else
    Comments? Suggestions?
  4. ca_picker

    ca_picker LI Guru Member

    Just an update on this: I have employed this technique at one of my sites and it seems to be working reasonably well. I have a list of about a dozen or so ports that I need to open for outbound traffic (http, https, ftp, ntp, imap, pop3, a few other misc.) but not as bad as I thought.

    Reviewing the logs has revealed lots of interesting stuff about my network that I was previously unaware of...much more than I'd dreamed of; a surprising amount of multicast stuff.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice