?
Solved

hardware firewall basics question - with port forwarding turned on, can only certain IPs get in?

Posted on 2014-01-30
8
Medium Priority
?
432 Views
Last Modified: 2014-01-30
Is this an exotic or common feature in firewalls?

Say you have a port forwarding rule in place to allow incoming packets to get to a device on the LAN.

But that can open you up to malicious attacks on that port against that device the port forwarding is set up for.

So>>>>  in (some / most / all / none?) firewalls, you can set it up so only specific public IPs from outside (certain IPs / a range of IPs?) can get in via the port?

Like port forward 8080 to 192.168.1.33 ONLY IF the request from the outside is coming from 4.3.3.0/24 or just 4.3.3.4 ?
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 15

Accepted Solution

by:
Robert Sutton Jr earned 1332 total points
ID: 39823044
I'm not exactly sure what type of answer you seek. With that being said, typically the safest and common method is a 1:1 NAT. If you are setting up or have set up a NAT rule for a specific port from and to Ip's we are under the assumption that you put the rule there in the first place. Therefore, deeming the outside host as a trusted source. Almost all firewalls typically offer a 1:1 static NAT feature. I hope this helps.
0
 
LVL 12

Assisted Solution

by:duttcom
duttcom earned 668 total points
ID: 39823048
I can do that with my Netgear firewall; what you are needing is fairly standard functionality AFAIK.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823050
what I'm looking to know is - is this a common feature?

I want to forward port x to a device in the LAN, but only if the data is coming from a specific IP address from outside. that way it'll keep out hackers.  yes, there's port forwarding rules set up, but they allow traffic from any machine on the web to come in on that port.  I want to only allow the packets to get in if they are coming from that trusted public location.

1:1 nat - how does that compare to 'standard' nat in Linksys / netgear firewalls - devices inside the LAN get a 192.x.x.x address and the box keeps track of requests going out and the reply coming back gets to the right machine.

port forwarding
0
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

 
LVL 15

Assisted Solution

by:Robert Sutton Jr
Robert Sutton Jr earned 1332 total points
ID: 39823057
Typically on SOHO routers it will be Under the static routing and normally has an option or drop down menu to select; IE:  LAN:LAN; WAN:LAN, etc. Hope this helps.


IE: <outside Ip> : <Inside Ip>
Interface: WAN       <drop down menu typically>
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823065
OK, thanks!  warlock, you made me realize - the port forwarding page has settings for LAN port and iP info AND remote port and IP info.  so just put the outside trusted IP in the 2nd part of the page.  DUH!

But the provider really wanted me to put in a range of several allowed IP addresses.  Have to make a rule for each IP address (can't do a range of public IPs it seems : (

And some routers have a limit on how many rules you can make?

OK, help me out and check the next question!

http://www.experts-exchange.com/Networking/Security/Q_28352954.html
0
 
LVL 12

Expert Comment

by:duttcom
ID: 39823077
What you are asking for is exactly the sort of thing a firewall is supposed to do.

If I have an app running on my network on 192.X.X.X port 123 (set up on that port to allow it to be separated from other TCP/HTTP traffic on 8080), I would first set up a custom "Service" of TCP traffic on port 123 called My123 (for example). Then I would create a group of WAN users with the IP range of 4.3.3.0 to 4.3.3.4 called 123users, next I would create a rule that would forward incoming traffic on port 123 to 192.X.X.X:123, specifying that the rule applies to the 123users WAN group.

Anyone outside that WAN group IP range will not get in, those that do will be forwarded to the correct port to access the app.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823108
dutt - thanks. some router / 'firewalls' don't have all that ability, at least not to do the group of wan users, right? I'm thinking lower end Linksys, etc.  I am dealing with a Verizon Actiontec specifically, which also doesn't have that group of wan users capability.  just have to list each IP separately as long as the router can hold that many rules  : (
0
 
LVL 12

Expert Comment

by:duttcom
ID: 39823155
You've hit on the problem - firewalls are one of those things were the variety of features and functionality vary widely. Bear in mind also that what you may be looking for is called something unexpected, so the feature might be there just called something else.

Make sure you understand what all the features of your firewall do - you may find that the firewall has some proprietary features that are called something snappy but are really just a normal bit of functionality dressed up as a feature with a confusing name.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question