Solved

hardware firewall basics question - with port forwarding turned on, can only certain IPs get in?

Posted on 2014-01-30
Last Modified: 2014-01-30
Is this an exotic or common feature in firewalls?

Say you have a port forwarding rule in place to allow incoming packets to get to a device on the LAN.

But that can open you up to malicious attacks on that port against that device the port forwarding is set up for.

So, in (some / most / all / none?) firewalls, you can set it up so only specific public IPs from outside (certain IPs / a range of IPs?) can get in via the port?

Like port forward 8080 to 192.168.1.33 ONLY IF the request from the outside is coming from 4.3.3.0/24 or just 4.3.3.4?
8 Comments
 
LVL 15

Accepted Solution

by:The_Warlock
The_Warlock earned 333 total points
I'm not exactly sure what type of answer you seek. With that being said, typically the safest and common method is a 1:1 NAT. If you are setting up or have set up a NAT rule for a specific port from and to IPs, we are under the assumption that you put the rule there in the first place, therefore deeming the outside host a trusted source. Almost all firewalls typically offer a 1:1 static NAT feature. I hope this helps.
0
 
LVL 12

Assisted Solution

by:duttcom
duttcom earned 167 total points
I can do that with my Netgear firewall; what you are needing is fairly standard functionality AFAIK.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
What I'm looking to know is - is this a common feature?

I want to forward port x to a device in the LAN, but only if the data is coming from a specific IP address from outside. That way it'll keep out hackers. Yes, there's port forwarding rules set up, but they allow traffic from any machine on the web to come in on that port. I want to only allow the packets to get in if they are coming from that trusted public location.

1:1 NAT - how does that compare to 'standard' NAT in Linksys / Netgear firewalls - devices inside the LAN get a 192.x.x.x address and the box keeps track of requests going out and the reply coming back gets to the right machine.

port forwarding
0
 
LVL 15

Assisted Solution

by:The_Warlock
The_Warlock earned 333 total points
Typically on SOHO routers it will be under the static routing and normally has an option or drop-down menu to select; IE: LAN:LAN; WAN:LAN, etc. Hope this helps.


IE: <outside Ip> : <Inside Ip>
Interface: WAN       <drop down menu typically>
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
OK, thanks! Warlock, you made me realize - the port forwarding page has settings for LAN port and IP info AND remote port and IP info. So just put the outside trusted IP in the 2nd part of the page. DUH!

But the provider really wanted me to put in a range of several allowed IP addresses. Have to make a rule for each IP address (can't do a range of public IPs, it seems) :(

And some routers have a limit on how many rules you can make?

OK, help me out and check the next question!

http://www.experts-exchange.com/Networking/Security/Q_28352954.html
0
 
LVL 12

Expert Comment

by:duttcom
What you are asking for is exactly the sort of thing a firewall is supposed to do.

If I have an app running on my network on 192.X.X.X port 123 (set up on that port to allow it to be separated from other TCP/HTTP traffic on 8080), I would first set up a custom "Service" of TCP traffic on port 123 called My123 (for example). Then I would create a group of WAN users with the IP range of 4.3.3.0 to 4.3.3.4 called 123users, next I would create a rule that would forward incoming traffic on port 123 to 192.X.X.X:123, specifying that the rule applies to the 123users WAN group.

Anyone outside that WAN group IP range will not get in; those that do will be forwarded to the correct port to access the app.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
dutt - thanks. Some router / 'firewalls' don't have all that ability, at least not to do the group of WAN users, right? I'm thinking lower end Linksys, etc. I am dealing with a Verizon Actiontec specifically, which also doesn't have that group of WAN users capability. Just have to list each IP separately as long as the router can hold that many rules :(
0
 
LVL 12

Expert Comment

by:duttcom
You've hit on the problem - firewalls are one of those things where the variety of features and functionality vary widely. Bear in mind also that what you may be looking for is called something unexpected, so the feature might be there just called something else.

Make sure you understand what all the features of your firewall do - you may find that the firewall has some proprietary features that are called something snappy but are really just a normal bit of functionality dressed up as a feature with a confusing name.
0
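
Added example (not part of the original thread, and not any router's own code): the source-restricted port forward discussed above, showing how the 4.3.3.0 to 4.3.3.4 range collapses into CIDR blocks versus one rule per IP, and whether the result fits a router's rule limit. The `eth0` interface name, the rule limit and the Linux `iptables` rendering are assumptions for illustration; SOHO routers expose the same idea through their own UI.

```python
import ipaddress

def summarize(first, last):
    """Collapse an inclusive IPv4 range into the fewest CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def per_host_sources(first, last):
    """Sources for a router that accepts only one IP per rule (no ranges)."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_network(f"{ipaddress.ip_address(n)}/32")
            for n in range(lo, hi + 1)]

def plan(first, last, max_rules, supports_cidr):
    """Return the source list the router needs, or raise if it will not fit."""
    sources = (summarize(first, last) if supports_cidr
               else per_host_sources(first, last))
    if len(sources) > max_rules:
        raise ValueError(f"{len(sources)} rules needed, router holds {max_rules}")
    return sources

def allowed(src, sources):
    """True if src matches a permitted source; anything else is not forwarded."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in sources)

def iptables_rules(sources, wan_if, port, lan_ip):
    """Render the forward as Linux iptables DNAT rules, one per source block."""
    return [f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp -s {net} "
            f"--dport {port} -j DNAT --to-destination {lan_ip}:{port}"
            for net in sources]

if __name__ == "__main__":
    # Range and LAN target are the ones quoted in the thread; limit is made up.
    cidr = plan("4.3.3.0", "4.3.3.4", max_rules=20, supports_cidr=True)
    hosts = plan("4.3.3.0", "4.3.3.4", max_rules=20, supports_cidr=False)
    for rule in iptables_rules(cidr, "eth0", 8080, "192.168.1.33"):
        print(rule)
    print(len(hosts), "per-IP rules vs", len(cidr), "CIDR rules")
    # Constructed sample sources: one inside the range, two outside it.
    for src in ("4.3.3.2", "4.3.3.5", "203.0.113.9"):
        print(src, "forwarded" if allowed(src, cidr) else "not forwarded")
```

A range that is not aligned to a power of two, like this one, needs more than one CIDR block, which is worth checking before assuming a single "range" rule covers what the provider asked for.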
