Solved

hardware firewall basics question - with port forwarding turned on, can only certain IPs get in?

Posted on 2014-01-30
8
424 Views
Last Modified: 2014-01-30
Is this an exotic or common feature in firewalls?

Say you have a port forwarding rule in place to allow incoming packets to get to a device on the LAN.

But that can open you up to malicious attacks on that port against that device the port forwarding is set up for.

So>>>>  in (some / most / all / none?) firewalls, you can set it up so only specific public IPs from outside (certain IPs / a range of IPs?) can get in via the port?

Like port forward 8080 to 192.168.1.33 ONLY IF the request from the outside is coming from 4.3.3.0/24 or just 4.3.3.4 ?
8 Comments
 
LVL 15

Accepted Solution

by: Robert Sutton Jr (earned 333 total points)
ID: 39823044
I'm not exactly sure what type of answer you seek. With that being said, typically the safest and common method is a 1:1 NAT. If you are setting up or have set up a NAT rule for a specific port from and to IPs, we are under the assumption that you put the rule there in the first place, therefore deeming the outside host as a trusted source. Almost all firewalls typically offer a 1:1 static NAT feature. I hope this helps.
0
 
LVL 12

Assisted Solution

by: duttcom (earned 167 total points)
ID: 39823048
I can do that with my Netgear firewall; what you are needing is fairly standard functionality AFAIK.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823050
what I'm looking to know is - is this a common feature?

I want to forward port x to a device in the LAN, but only if the data is coming from a specific IP address from outside. that way it'll keep out hackers.  yes, there's port forwarding rules set up, but they allow traffic from any machine on the web to come in on that port.  I want to only allow the packets to get in if they are coming from that trusted public location.

1:1 NAT - how does that compare to 'standard' NAT in Linksys / Netgear firewalls - devices inside the LAN get a 192.x.x.x address and the box keeps track of requests going out, and the reply coming back gets to the right machine.

port forwarding
0

 
LVL 15

Assisted Solution

by: Robert Sutton Jr (earned 333 total points)
ID: 39823057
Typically on SOHO routers it will be under the static routing and normally has an option or drop-down menu to select, i.e. LAN:LAN; WAN:LAN, etc. Hope this helps.

i.e.: <outside IP> : <inside IP>
Interface: WAN       <drop-down menu typically>
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823065
OK, thanks!  warlock, you made me realize - the port forwarding page has settings for LAN port and IP info AND remote port and IP info.  So just put the outside trusted IP in the 2nd part of the page.  DUH!

But the provider really wanted me to put in a range of several allowed IP addresses.  Have to make a rule for each IP address (can't do a range of public IPs it seems : (

And some routers have a limit on how many rules you can make?

OK, help me out and check the next question!

http://www.experts-exchange.com/Networking/Security/Q_28352954.html
0
 
LVL 12

Expert Comment

by:duttcom
ID: 39823077
What you are asking for is exactly the sort of thing a firewall is supposed to do.

If I have an app running on my network on 192.X.X.X port 123 (set up on that port to allow it to be separated from other TCP/HTTP traffic on 8080), I would first set up a custom "Service" of TCP traffic on port 123 called My123 (for example). Then I would create a group of WAN users with the IP range of 4.3.3.0 to 4.3.3.4 called 123users, next I would create a rule that would forward incoming traffic on port 123 to 192.X.X.X:123, specifying that the rule applies to the 123users WAN group.

Anyone outside that WAN group IP range will not get in, those that do will be forwarded to the correct port to access the app.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823108
dutt - thanks. some router / 'firewalls' don't have all that ability, at least not to do the group of wan users, right? I'm thinking lower end Linksys, etc.  I am dealing with a Verizon Actiontec specifically, which also doesn't have that group of wan users capability.  just have to list each IP separately as long as the router can hold that many rules  : (
0
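An added illustration, not code from the router vendor or from any poster in this thread: a small Python model of the source-restricted forward that duttcom describes (service + trusted WAN range + forward rule) and of the per-IP fallback the asker is left with on a router that takes only single addresses. The addresses and ports are the thread's own examples (8080, 192.168.1.33, 4.3.3.0/24, 4.3.3.0 to 4.3.3.4); `ForwardRule`, `expand_range`, `per_ip_rules` and `cidr_blocks` are constructed names.

```python
"""Constructed model of a source-restricted port forward; not any vendor's firmware code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    wan_port: int
    lan_ip: str
    lan_port: int
    # Trusted remote sources as IPs or CIDRs. An empty tuple means "any host on the
    # Internet", which is the plain port forward the question is worried about.
    allowed_sources: tuple = ()

    def matches(self, src_ip, dst_port):
        if dst_port != self.wan_port:
            return False
        if not self.allowed_sources:
            return True
        src = ipaddress.ip_address(src_ip)
        return any(src in ipaddress.ip_network(s, strict=False) for s in self.allowed_sources)


def forward_target(rules, src_ip, dst_port):
    """First-match evaluation: the LAN (ip, port) to forward to, or None if dropped."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return (rule.lan_ip, rule.lan_port)
    return None


def expand_range(first, last):
    """Each host from first to last inclusive, for routers that accept only single IPs."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]


def per_ip_rules(wan_port, lan_ip, lan_port, first, last):
    """One rule per trusted address (the Actiontec workaround); len() is the rule-table cost."""
    return [ForwardRule(wan_port, lan_ip, lan_port, (ip,)) for ip in expand_range(first, last)]


def cidr_blocks(first, last):
    """Fewest CIDR entries covering the range, for boxes that take CIDRs but not ranges."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]
```

The `cidr_blocks` helper goes slightly beyond the thread: a range like 4.3.3.0 to 4.3.3.4 collapses to two CIDR entries (4.3.3.0/30 and 4.3.3.4/32) on a firewall that accepts CIDRs, which is far cheaper on the rule table than five single-IP rules.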
 
LVL 12

Expert Comment

by:duttcom
ID: 39823155
You've hit on the problem - firewalls are one of those things where the variety of features and functionality varies widely. Bear in mind also that what you may be looking for is called something unexpected, so the feature might be there, just called something else.

Make sure you understand what all the features of your firewall do - you may find that the firewall has some proprietary features that are called something snappy but are really just a normal bit of functionality dressed up as a feature with a confusing name.
0