Solved

Basic firewall config : help!

Posted on 2004-09-07
21
275 Views
Last Modified: 2013-11-16
I have a d-link adsl modem/firewall that is completely open right now, supplying internet connectivity to a 192.168.0.* network using one public ip address with NAT.

I would like to make the firewall active, however (as most sane people would), but the firewalls I've worked on in the past (WatchGuard firewall, Cisco etc.) were about 5 yrs ago and theory's a little rusty right now.

I basically want to arrange access for a few ports from specific ip addresses in the outside world to be allowed to access certain local ip addresses and I want the internal network to have full access to the outside world. The adsl modem/router has two interfaces, ethernet (local ethernet network obviously) and Demon (adsl connection, 1 public ip address).

I've tried activating the firewall with what I remember as the proper rules to give the local network access to the outside world but it doesn't seem to be working.

stuff like
Source Ip: 192.168.0.0/24
Interface: Ethernet
Port: >
Start port: 0

Dest Ip: 0.0.0.0/32
Port: >
Start port: 0

doesn't work.

Could anyone have a look at the screenshots listed and gimme a hand please?

http://www.steelsword.org.uk/firewall1.gif
http://www.steelsword.org.uk/firewall2.gif

thanks for any advice.

Daryn
Question by: daryn

21 Comments
 
LVL 3

Expert Comment

by:Julian_C
ID: 11995287
Please excuse me if I've missed the point......

Without much knowledge of the model of router in question, I think that in its default state there will be full access from the internal to external, which achieves one of your goals. The other is not achievable using the firewall functionality on its own. If you had multiple external IP addresses then you'd set NAT rules to send traffic arriving on particular external IP addresses to assigned internal IP addresses. However, with a single external IP you'll need to use the device's "port forwarding" functions. In that way you say whatever arrives on port 80 is sent to 192.168.0.x and whatever arrives on port 6881 goes to 192.168.0.y, for example. If you wish to limit which external IPs can connect in this way then you'd filter this with the FW. But, by its definition the only traffic allowed in is just the certain ports forwarded to the particular internal IPs and this may suffice. Of course, depending on the router you may have to set port forwarding for the desired ports AND set a FW rule that allows the internal IP address in question to receive the traffic. This is the case with my model.

Cheers
Julian
0
 

Author Comment

by:daryn
ID: 11995639
As it is at the moment, the firewall is disabled and the PCs in the local network use network address translation to have full access to any IP address on any port in the outside world, and this works fine.

Are you saying I need one IP address for the firewall part and one for the router part of the modem/router? I'm using port forwarding right now successfully since, with one public IP address on the router, as you say, I need to use port forwarding to reach inside the firewall with an external IP address on another network.

However, this port forwarding provides no security as it does not check which IP address is the source IP address of the PC attempting to access our internal network, simply leaving the port wide open for anyone to stroll in. Already had several hack attempts against W2K3's IIS so far. This is unacceptable to us, which is why I'm trying to get the firewall working to get essentially the same system as port forwarding working while checking the source IP address to see if I want to let it in.

Is the situation thus that I have to use the port forward in conjunction with the firewall? Thought the firewall would have worked on its own, separately from port forwarding. I've enabled the firewall, however, and the PCs on the local network instantly lose access to the outside world, leading me to reckon that a rule is needed to allow PCs from the internal network to contact the outside world, and this is where I'm getting a little confused and helpless.

Daryn
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 11995778
So, on your model port forwarding is open and once you set up a rule to forward requests to a port anybody can make that call?

If this is the case then you need to identify the IP addresses or range of the clients that are allowed to make the call to the port. Are these known remote clients?

I see, once you turn the FW on you lose all internal to external connections. OK. I have to dash out now. When I get back I'll look at your screen shots and see if I can work out rules you require.

Cheers
Julian
0
 

Author Comment

by:daryn
ID: 11996190
tar v. much
0
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12001201
try this link if it's still not resolved, they give a step by step guide with screenshots http://www.portforward.com/routers.htm
0
 

Author Comment

by:daryn
ID: 12004958
That link still doesn't give much help.

I've gotten port forwarding working fine; it's working right now. What I need is some way to combine the firewall with the port forwarding so that I have a way to limit which IP addresses can work through those certain ports.

I have 2 offices. I want office 1 to run a web server that only office 2 can access.

I want to set up office 1's router so that it port forwards requests on port 80 to 192.168.0.10 but only requests from the IP address of office 2's internet connection. The guide you mentioned sadly gives nothing of this second part, the IP limiting requirement. I'm sending a message to them to see if they can offer any help, but do you (or anyone who reads this) have any idea if this is even possible with the DSL-504?

The firewall configuration lets me specify:
Source:
IP address: xxx.xxx.xxx.xxx
< > =   (whether the port is less than, more than or equal to)
start port:
end port

Destination:
IP address: xxx.xxx.xxx.xxx
< > =   (whether the port is less than, more than or equal to)
start port:
end port


So this leads me to suspect that I should be able to input the source IP address (83.99.xxx.xxx or something), port = 0 to 60000 and the destination address as 192.168.0.20, port = 80 to 80, and then the external IP address should be allowed through.

OR

Do I have to use them in conjunction with each other, to allow port forwarding on certain ports and then the firewall will work in conjunction with the port forwarding?

Aside from all that, I still have no way to allow the internal network to get outside once I activate the firewall??

aarrgghh!?

thanks

Daryn
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12005027
OK, I'm looking at the screenshots and there's something I don't understand. It says "If not matched": PASS. To me this is the reverse logic of the rules you are talking about? And you can't just swap it to FAIL if not matched. Am I going mad or is that why your rules don't work?

Cheers
Julian
0
 

Author Comment

by:daryn
ID: 12006653
Forgive me. That was the state of the firewall config when it's disabled.

i.e. it lets absolutely anything through. I'm not at my site right now so I can't play around with it and enable the firewall to show you the proper pics because I'm doing it through a remote desktop connection. Sorry 'bout that.

When the firewall is enabled, it is indeed "If not matched": Block. At that point, no matter what rule I can come up with (and like I said, it's been a while since I did firewall config so I might not be coming up with the right rules) the local PCs cannot access anything at all on any port in the outside world, just internal stuff.
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12007311
OK, that makes more sense. It was giving me a headache trying to work through whether a double negative with a pass would in fact block the desired port etc etc :-)

So, if I look at firewall1.gif and assume it's off but the rule I can see is what you want, it is saying let everyone access your internal machines, i.e. allow all from 0.0.0.0 mask 0.0.0.0 to access 192.168.0.0 mask 255.255.255.0. This rule applies to all ports.

firewall2.gif is the same?

So, you need a rule that says block if not matched:

Source 192.168.0.0 mask 255.255.255.0 Port 1024-65536
Destination 0.0.0.0 mask 0.0.0.0 port 1-65536
Protocol TCP/IP

I think this is the error in your rule at the top of the page. I think you had:
Destination 0.0.0.0 mask 255.255.255.255 port 1-65536

which means an actual single IP 0.0.0.0, which is a little limiting. If you change this you should get access to the net with the FW on..:-)

As for the external to internal rule, let's assume you have a port forward rule set up to forward traffic on port 80 through to 192.168.0.110. You have an external office on internet IP xxx.yyy.zzz.abc that you want to allow access. You will need something like the following to work.

Source xxx.yyy.zzz.abc MASK 255.255.255.255 (This is not the same as the host's subnet mask. It means that it is a single host with 4*255. 3*255 would give a range, e.g. 192.168.1.0 MASK 255.255.255.0 means all addresses between 192.168.1.0 - 192.168.1.255.) As this is a source request it usually uses an arbitrary port from 1024-65536. So, to restate.

SOURCE xxx.yyy.zzz.ABC MASK 255.255.255.255 PORT 1024-65536
DESTINATION 192.168.0.110 MASK 255.255.255.255 PORT 80
PROTOCOL TCP/IP


Cheers
Julian
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12007363
I just reread this and it's not too clear but your original question said you wanted to create a rule that was:

allow
source 192.168.0.0/24 all ports
dest    0.0.0.0/32 all ports

but what you should have had (i think) was:

allow
source 192.168.0.0/24 all ports
dest    0.0.0.0/0 all ports

Cheers
Julian
0
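The rule semantics Julian walks through above (first matching rule passes, "If not matched: Block" is the default, a 255.255.255.255 mask means one host, and 0.0.0.0 mask 0.0.0.0 means any address) can be checked with a small stateless filter evaluator. This is an added Python example, not code from this thread and not anything from the DSL-504 firmware. The addresses 203.0.113.7 (office 2's public IP) and 198.51.100.x (arbitrary Internet hosts) are constructed documentation-range values, the port ranges are capped at 65535, and the inbound case assumes port forwarding has already rewritten the destination to 192.168.0.110 before the filter rule is consulted, as Julian's inbound rule implies.

```python
"""Toy stateless packet filter: shows why dest 0.0.0.0/32 blocks all egress
while 0.0.0.0 mask 0.0.0.0 allows it, and how a source-restricted inbound
rule lets only office 2 reach the forwarded web server."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PASS, BLOCK = "pass", "block"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                   # "a.b.c.d/len" or the router's "a.b.c.d mask m.m.m.m" form
    src_ports: Tuple[int, int]  # inclusive range
    dst: str
    dst_ports: Tuple[int, int]
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def parse_net(spec: str) -> ipaddress.IPv4Network:
    """Accept CIDR ("192.168.0.0/24") or "addr mask m.m.m.m" (the router's UI wording)."""
    if " mask " in spec:
        addr, mask = spec.split(" mask ")
        spec = f"{addr.strip()}/{mask.strip()}"
    # strict=False masks off any host bits instead of raising
    return ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto == pkt.proto
        and ipaddress.ip_address(pkt.src_ip) in parse_net(rule.src)
        and rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]
        and ipaddress.ip_address(pkt.dst_ip) in parse_net(rule.dst)
        and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1]
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = BLOCK) -> Tuple[str, Optional[str]]:
    """First match wins; the router's 'If not matched: Block' is the default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return PASS, rule.name
    return default, None


# Daryn's original egress rule: destination 0.0.0.0/32 is the single address 0.0.0.0
EGRESS_BROKEN = Rule("lan-out-broken", "192.168.0.0/24", (1, 65535), "0.0.0.0/32", (1, 65535))
# Julian's corrected rule: destination 0.0.0.0 mask 0.0.0.0 (i.e. /0) covers every address
EGRESS_FIXED = Rule("lan-out", "192.168.0.0/24", (1024, 65535), "0.0.0.0 mask 0.0.0.0", (1, 65535))
# Inbound: only office 2's public address (constructed value) may reach the forwarded web server
OFFICE2_PUBLIC_IP = "203.0.113.7"
INBOUND_WEB = Rule("office2-to-web", f"{OFFICE2_PUBLIC_IP} mask 255.255.255.255",
                   (1024, 65535), "192.168.0.110 mask 255.255.255.255", (80, 80))


def internal_browsing(rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """A LAN host opening HTTPS to an arbitrary (constructed) Internet address."""
    return evaluate(rules, Packet("192.168.0.20", 51000, "198.51.100.25", 443))


def office2_to_web(src_ip: str) -> Tuple[str, Optional[str]]:
    """Inbound hit on the forwarded web server, after NAT has set dst to 192.168.0.110."""
    return evaluate([EGRESS_FIXED, INBOUND_WEB], Packet(src_ip, 40000, "192.168.0.110", 80))


if __name__ == "__main__":
    print("egress with dst 0.0.0.0/32:", internal_browsing([EGRESS_BROKEN]))   # blocked
    print("egress with dst 0.0.0.0/0: ", internal_browsing([EGRESS_FIXED]))    # passes
    print("office 2 -> web server:    ", office2_to_web(OFFICE2_PUBLIC_IP))    # passes
    print("stranger -> web server:    ", office2_to_web("198.51.100.9"))        # blocked
```

The second rule is the important one from a defensive point of view: with only a port-forward in place, the router behaves like `office2_to_web` with no `INBOUND_WEB` rule and no default block, so every address on the Internet can reach the IIS box; adding the source-restricted rule turns the forwarded port into something only the known peer can hit.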
 

Author Comment

by:daryn
ID: 12007778
I kinda thought that myself (that's what I remember doing the last time I did firewalls) but if you look in the second screenshot, you'll see a drop-down menu with different subnet masks and network IDs etc. It reads from 255.255.255.255/32 to 255.0.0.0/8, leaving me with no bloody /0 option.

confusing as heck...

(and sorry for my own adding to the confusion!)

Daryn
0
 
LVL 3

Accepted Solution

by:
Julian_C earned 350 total points
ID: 12016009
OK then, we can't do 0.0.0.0/0 to show all external destinations in the rule for internal to access all external. How about the source being 192.168.0.0 mask 255.255.255.0 but the destination being left blank to show any IP? Some other D-Link products are configured like that.

Cheers
Julian
0
 

Author Comment

by:daryn
ID: 12016897
Thanks v. much. Have to admit, never thought of that at all.

I'll have a crack at that next week when I'm on site.

Will letcha know how it turns out..!!
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12018055
Good luck!
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12072891
Any news on this?

Cheers
Julian
0
 

Author Comment

by:daryn
ID: 12072991
Oddly enough I'm right here on the site now and no, still no flippin' luck.

Close to kicking the damn thing and tellin' 'em to buy a Cisco......
0
 

Author Comment

by:daryn
ID: 12072999
Leaving the fields blank brings a JavaScript error up stating that there must be an integer in the field.

Can't be a symbol or anything like * I s'pose.

I'm at a complete loss. I've blitzed the rules with everything I can think of and nothin'. Could it be the firewall's just dead?
0
 

Author Comment

by:daryn
ID: 12074873
Problem fixed.

Pipex advised me to do a firmware upgrade and, cacking my pants cheerfully, I followed their advice and lo, there was a /0 in the subnet mask list!!!!

All working fine now (just about!)

Thanks v. much for your help and take care!

Daryn
0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12075137
Well I never!! I was just reading all the versions I could find of the dsl-504 manuals in the hope of finding something to help, when I saw your last comment! Fancy having to put a /0 option out in a firmware upgrade! Does that mean that there's lots of users out there not using the firewall?!

I'm glad it finally worked out.

Best Regards
Julian
0
 

Author Comment

by:daryn
ID: 12082978
God knows. Horrific thought, ain't it.
Such a simple, basic function of a firewall and they left it out of the firmware. How? HOW, GODDAMMIT!?!?!?

-slaps himself-

-gets himself under control a little-

ahem.

Isn't D-Link a wonderful company.
:)

0
 
LVL 3

Expert Comment

by:Julian_C
ID: 12083489
All those consumer device manufacturers are the same. The only exception that I've ever found is DrayTek and their excellent Vigor range of products. Anyway, you're OK for now..... until you want to do something else they failed to test prior to release ;-)

Cheers
Julian
0
