IP Based ACL

Posted on 2007-07-31
Last Modified: 2008-01-09
I just set up a new Linksys WRVS4400N in our office.  The problem I am having is that when I set up the IP Based ACL on the firewall (the way I have done it in the past anyway) I lose Internet browsing capability.  Our needs here are pretty simple so I like to keep the router locked down pretty tight.  The setup is pretty straightforward.  The rules are as follows (in order):

1. Allow DNS from LAN to WAN
2. Allow HTTP from LAN to WAN
3. Allow HTTPS from LAN to WAN
4. Allow POP3 from LAN to WAN
5. Allow SMTP from LAN to WAN
6. Allow FTP from LAN to WAN
7. Allow RDP(3389) from LAN to WAN
8. Deny ANY from LAN to WAN
9. Deny ANY from WAN to LAN

This configuration has worked for me at several other locations just fine.  However, here I have to disable rule #9 in order for users to surf the web -- which makes no sense to me.  Why would I have to allow inbound traffic at all to get this basic functionality?  Any ideas?
Question by: slattdog

    Accepted Solution

    You have to allow return traffic from whatever you've allowed out.
    Basic behavior of any SPI firewall is to allow nothing in unless it is a specific response to a specific outbound request, i.e. user wants  and the SPI creates a connection between the natted IP/port and the target host tcp/80 with and the response will be allowed in.
    When you explicitly say DENY ANY that includes the responses, too.
    No inbound, unsolicited traffic will be allowed unless and until you create service rules and nat rules to go along with the service rules (like to allow smtp email in to your mail server, if you have one)
    You simply don't need to add rule #9
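
The following is an added example, not code from the thread or from Linksys: a toy stateful-inspection firewall in Python that evaluates the poster's nine rules in the order the accepted solution describes (explicit ACL first, first match wins; then the state table for replies to tracked outbound flows; then implicit deny). The packet addresses are constructed sample values, and NAT is left out so the state table is keyed on the LAN host's own address. Running the same HTTP request/reply through the rule set with and without rule #9 shows that rule #9 blocks the reply while adding nothing against unsolicited inbound traffic, which the implicit deny already drops.

```python
# Added example (not from the thread): a toy SPI firewall that evaluates the
# poster's ACL the way the accepted answer describes it:
#   1. explicit user rules, first match wins (allow or deny is final)
#   2. otherwise, a reply to a tracked outbound flow is allowed (SPI)
#   3. otherwise, implicit deny
# NAT is omitted; the state table is keyed on the LAN host's pre-NAT address.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "LAN" or "WAN"
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches ANY port

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == p.src_zone
                and self.dst_zone == p.dst_zone
                and (self.dst_port is None or self.dst_port == p.dst_port))


# The poster's rules 1-9, in order (standard port for each named service).
POSTER_RULES = [
    Rule("allow", "LAN", "WAN", 53),    # 1. DNS
    Rule("allow", "LAN", "WAN", 80),    # 2. HTTP
    Rule("allow", "LAN", "WAN", 443),   # 3. HTTPS
    Rule("allow", "LAN", "WAN", 110),   # 4. POP3
    Rule("allow", "LAN", "WAN", 25),    # 5. SMTP
    Rule("allow", "LAN", "WAN", 21),    # 6. FTP
    Rule("allow", "LAN", "WAN", 3389),  # 7. RDP
    Rule("deny", "LAN", "WAN", None),   # 8. Deny ANY LAN -> WAN
    Rule("deny", "WAN", "LAN", None),   # 9. Deny ANY WAN -> LAN (the problem rule)
]


class SpiFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # tracked outbound flows: (proto, src_ip, src_port, dst_ip, dst_port)
        self.flows = set()

    def process(self, p: Packet) -> str:
        verdict = None
        for r in self.rules:                      # step 1: explicit ACL
            if r.matches(p):
                verdict = r.action
                break
        if verdict is None:                       # step 2: stateful reply check
            reply_of = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            verdict = "allow" if reply_of in self.flows else "deny"  # step 3: implicit deny
        if verdict == "allow" and p.src_zone == "LAN":
            # an allowed outbound packet opens a flow that its replies may use
            self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return verdict


def web_browse(rules) -> dict:
    """Run one HTTP request, its reply, and one unsolicited inbound packet
    through a fresh firewall. Addresses are constructed sample values
    (RFC 5737 documentation ranges)."""
    fw = SpiFirewall(rules)
    request = Packet("LAN", "WAN", "192.168.1.10", 49152, "203.0.113.5", 80)
    reply = Packet("WAN", "LAN", "203.0.113.5", 80, "192.168.1.10", 49152)
    unsolicited = Packet("WAN", "LAN", "198.51.100.7", 40000, "192.168.1.10", 3389)
    return {
        "request": fw.process(request),
        "reply": fw.process(reply),
        "unsolicited": fw.process(unsolicited),
    }


if __name__ == "__main__":
    print("with rule 9:   ", web_browse(POSTER_RULES))       # reply is denied
    print("without rule 9:", web_browse(POSTER_RULES[:-1]))  # reply allowed, unsolicited still denied
```

The ordering in process() is the assumption that makes the model match the poster's symptom: because the explicit DENY ANY WAN to LAN is consulted before the state table, it catches the HTTP reply. Dropping rule #9 leaves the unsolicited packet at exactly the same verdict, since nothing in the state table or the ACL lets it in.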

    Author Comment

    What you are saying makes perfect sense.  What has me perplexed, however, is that I know I have set up devices in the past similar to this.  Is it the SPI piece specifically that is causing this behavior?  (i.e. perhaps the other devices I set up were simply NAT routers without SPI?)

    Author Comment

    The router has two "built-in" rules that you can't edit or delete.
    1. Allow ANY from LAN to ANY
    2. Allow ANY from WAN to ANY

    My understanding was that these rules by themselves would allow any and all traffic to pass through the router.  This is an understandable "default" so that the average person who just plugs it in would not have access problems.  Are you saying that left in its default configuration it would block all unsolicited traffic from the WAN?
