IP Based ACL

Posted on 2007-07-31
Last Modified: 2008-01-09
I just set up a new Linksys WRVS4400N in our office.  The problem I am having is that when I set up the IP Based ACL on the firewall (the way I have done it in the past anyway) I lose Internet browsing capability.  Our needs here are pretty simple so I like to keep the router locked down pretty tight.  The setup is pretty straightforward.  The rules are as follows (in order):

1. Allow DNS from LAN to WAN
2. Allow HTTP from LAN to WAN
3. Allow HTTPS from LAN to WAN
4. Allow POP3 from LAN to WAN
5. Allow SMTP from LAN to WAN
6. Allow FTP from LAN to WAN
7. Allow RDP(3389) from LAN to WAN
8. Deny ANY from LAN to WAN
9. Deny ANY from WAN to LAN

This configuration has worked for me at several other locations just fine.  However, here I have to disable rule #9 in order for users to surf the web -- which makes no sense to me.  Why would I have to allow inbound traffic at all to get this basic functionality?  Any ideas?
Question by:slattdog
3 Comments
LVL 79

Accepted Solution

by: lrmoore earned 1500 total points
ID: 19599552
You have to allow return traffic from whatever you've allowed out.
Basic behavior of any SPI firewall is to allow nothing in unless it is a specific response to a specific outbound request, i.e. user wants http://www.whatever.com and the SPI creates a connection between the NATted IP/port and the target host tcp/80, and the response will be allowed in.
When you explicitly say DENY ANY that includes the responses, too.
No inbound, unsolicited traffic will be allowed unless and until you create service rules and NAT rules to go along with the service rules (like to allow SMTP email in to your mail server, if you have one).
You simply don't need to add rule #9.
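The SPI behaviour described in the accepted solution, modelled as an added example (not the router's firmware and not code from the thread): explicit ACL rules are matched first-hit, explicitly allowed outbound flows are recorded, and a packet that matches no explicit rule is admitted only if it answers a recorded flow. The evaluation order (ACL before the state table), the addresses and the ports are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str   # "LAN" or "WAN"
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int

# Rules as (src_zone, dst_zone, dst port or None for ANY, action), matched first-hit.
LAN_TO_WAN_RULES = [("LAN", "WAN", p, "allow") for p in (53, 80, 443, 110, 25, 21, 3389)]
LAN_TO_WAN_RULES.append(("LAN", "WAN", None, "deny"))           # rule 8
DENY_WAN_TO_LAN = ("WAN", "LAN", None, "deny")                  # the poster's rule 9

class SpiFirewall:
    """Toy model: explicit ACL first, then the SPI default of 'replies to tracked flows only'."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # outbound flows that an explicit rule allowed

    def _explicit(self, pkt):
        for src_zone, dst_zone, dport, action in self.rules:
            if (src_zone, dst_zone) == (pkt.src_zone, pkt.dst_zone) and dport in (None, pkt.dport):
                return action
        return None

    def filter(self, pkt):
        action = self._explicit(pkt)
        if action == "deny":
            return "deny"           # an explicit DENY ANY also swallows replies
        if action == "allow":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # No explicit match: SPI admits a packet only if it answers a tracked outbound flow.
        return "allow" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows else "deny"

def browse(rules):
    """Verdicts for one HTTP request and its reply (constructed addresses, RFC 5737 space)."""
    fw = SpiFirewall(rules)
    request = Packet("LAN", "WAN", "192.168.1.10", 50000, "203.0.113.5", 80)
    reply = Packet("WAN", "LAN", "203.0.113.5", 80, "192.168.1.10", 50000)
    return fw.filter(request), fw.filter(reply)

def unsolicited(rules):
    """Verdict for an inbound RDP connection attempt that no LAN host asked for."""
    probe = Packet("WAN", "LAN", "198.51.100.7", 40000, "192.168.1.10", 3389)
    return SpiFirewall(rules).filter(probe)
```

With the eight LAN-to-WAN rules alone, the HTTP reply is admitted by state and the unsolicited probe is still dropped; appending rule 9 leaves the probe dropped but also drops the reply, which is the symptom in the question.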
Author Comment
by: slattdog
ID: 19599689
What you are saying makes perfect sense.  What has me perplexed, however, is that I know I have set up devices in the past similar to this.  Is it the SPI piece specifically that is causing this behavior?  (i.e. perhaps the other devices I set up were simply NAT routers without SPI?)
Author Comment
by: slattdog
ID: 19599795
The router has two "built-in" rules that you can't edit or delete.
1. Allow ANY from LAN to ANY
2. Allow ANY from WAN to ANY

My understanding was that these rules by themselves would allow any and all traffic to pass through the router.  This is an understandable "default" so that the average person who just plugs it in would not have access problems.  Are you saying that left in its default configuration it would block all unsolicited traffic from the WAN?