
IP Based ACL

I just set up a new Linksys WRVS4400N in our office.  The problem I am having is that when I set up the IP Based ACL on the firewall (the way I have done it in the past anyway) I lose Internet browsing capability.  Our needs here are pretty simple so I like to keep the router locked down pretty tight.  The setup is pretty straightforward.  The rules are as follows (in order):

1. Allow DNS from LAN to WAN
2. Allow HTTP from LAN to WAN
3. Allow HTTPS from LAN to WAN
4. Allow POP3 from LAN to WAN
5. Allow SMTP from LAN to WAN
6. Allow FTP from LAN to WAN
7. Allow RDP(3389) from LAN to WAN
8. Deny ANY from LAN to WAN
9. Deny ANY from WAN to LAN

This configuration has worked for me at several other locations just fine.  However, here I have to disable rule #9 in order for users to surf the web -- which makes no sense to me.  Why would I have to allow inbound traffic at all to get this basic functionality?  Any ideas?
1 Solution
You have to allow return traffic from whatever you've allowed out.
Basic behavior of any SPI firewall is to allow nothing in unless it is a specific response to a specific outbound request, i.e. the user wants http://www.whatever.com and the SPI creates a connection between the NATed IP/port and the target host tcp/80, and the response will be allowed in.
When you explicitly say DENY ANY that includes the responses, too.
No inbound, unsolicited traffic will be allowed unless and until you create service rules and NAT rules to go along with the service rules (like to allow SMTP email in to your mail server, if you have one).
You simply don't need to add rule #9
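To make the accepted answer concrete, here is an added example that is not from the original thread and is not the WRVS4400N firmware: a toy packet filter that evaluates the nine rules from the question in order. Explicit rules are checked first and an explicit DENY wins even against a reply; a packet matching no rule falls through to the SPI default, which admits only replies to outbound flows already in the connection table. The LAN host, web server, ports and packet sequence are constructed for the demonstration, and NAT translation is left out of the table key for simplicity.

```python
"""Toy stateful packet filter modelling the LAN/WAN rule set from the question.

Added example, not Linksys code. Explicit ACL rules are evaluated top to
bottom; if none matches, the SPI default applies (allow only replies to
tracked outbound flows, deny everything else). Hosts and ports below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

LAN = "LAN"
WAN = "WAN"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_zone: str          # "LAN", "WAN" or "ANY"
    dst_zone: str          # "LAN", "WAN" or "ANY"
    proto: str             # "tcp", "udp" or "ANY"
    dst_port: Optional[int]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.src_zone == "ANY" or self.src_zone == p.src_zone)
                and (self.dst_zone == "ANY" or self.dst_zone == p.dst_zone)
                and (self.proto == "ANY" or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))


# The nine rules from the question, in the order they were listed.
RULES = [
    Rule("allow", LAN, WAN, "udp", 53),    # 1. DNS
    Rule("allow", LAN, WAN, "tcp", 80),    # 2. HTTP
    Rule("allow", LAN, WAN, "tcp", 443),   # 3. HTTPS
    Rule("allow", LAN, WAN, "tcp", 110),   # 4. POP3
    Rule("allow", LAN, WAN, "tcp", 25),    # 5. SMTP
    Rule("allow", LAN, WAN, "tcp", 21),    # 6. FTP
    Rule("allow", LAN, WAN, "tcp", 3389),  # 7. RDP
    Rule("deny", LAN, WAN, "ANY", None),   # 8. Deny ANY LAN -> WAN
    Rule("deny", WAN, LAN, "ANY", None),   # 9. Deny ANY WAN -> LAN
]


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()  # 5-tuples of outbound flows that were allowed

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet):
        # The outbound tuple that this packet would be a reply to.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p: Packet) -> str:
        # Explicit rules first: an explicit DENY also catches replies,
        # which is exactly why rule 9 breaks browsing.
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.conntrack.add(self._flow(p))
                return r.action
        # No explicit rule matched: SPI default. Replies to tracked flows
        # are admitted, unsolicited traffic is dropped.
        return "allow" if self._reverse(p) in self.conntrack else "deny"


def simulate(rules) -> dict:
    """Push a web fetch, an unsolicited inbound RDP attempt and an outbound
    telnet attempt through a firewall built from `rules`; return verdicts."""
    fw = Firewall(rules)
    client = ("192.168.1.10", 51000)  # constructed LAN host
    server = ("203.0.113.5", 80)      # constructed web server (TEST-NET-3)
    request = Packet(LAN, WAN, client[0], client[1], server[0], server[1], "tcp")
    reply = Packet(WAN, LAN, server[0], server[1], client[0], client[1], "tcp")
    unsolicited = Packet(WAN, LAN, "198.51.100.7", 40000, client[0], 3389, "tcp")
    telnet = Packet(LAN, WAN, client[0], 51001, server[0], 23, "tcp")
    return {
        "http_request": fw.filter(request),
        "http_reply": fw.filter(reply),
        "unsolicited_rdp_in": fw.filter(unsolicited),
        "telnet_out": fw.filter(telnet),
    }


if __name__ == "__main__":
    print("with rule 9:   ", simulate(RULES))
    print("without rule 9:", simulate(RULES[:8]))
```

With all nine rules the HTTP request goes out but its reply is denied by rule 9; with rules 1 to 8 only, the reply falls through to the connection table and is allowed, while the unsolicited inbound RDP packet is still dropped by the SPI default and the outbound telnet attempt is still caught by rule 8. That is the behaviour the answer describes: rule 9 adds nothing except breaking return traffic.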
slattdog (Author) commented:
What you are saying makes perfect sense.  What has me perplexed, however, is that I know I have set up devices in the past similar to this.  Is it the SPI piece specifically that is causing this behavior?  (i.e. perhaps the other devices I setup were simply NAT routers without SPI?)
slattdog (Author) commented:
The router has two "built-in" rules that you can't edit or delete.
1. Allow ANY from LAN to ANY
2. Allow ANY from WAN to ANY

My understanding was that these rules by themselves would allow any and all traffic to pass through the router.  This is an understandable "default" so that the average person who just plugs it in would not have access problems.  Are you saying that left in its default configuration it would block all unsolicited traffic from the WAN?