Solved

hardware firewall basics question - with port forwarding turned on, can only certain IPs get in?

Posted on 2014-01-30
8
425 Views
Last Modified: 2014-01-30
Is this an exotic or common feature in firewalls?

Say you have a port forwarding rule in place to allow incoming packets to get to a device on the LAN.

But that can open you up to malicious attacks on that port against that device the port forwarding is set up for.

So>>>>  in (some / most / all / none?) firewalls, you can set it up so only specific public IPs from outside (certain IPs / a range of IPs?) can get in via the port?

Like port forward 8080 to 192.168.1.33 ONLY IF the request from the outside is coming from 4.3.3.0/24 or just 4.3.3.4 ?
8 Comments
 
LVL 15

Accepted Solution

by:
Robert Sutton Jr earned 333 total points
ID: 39823044
I'm not exactly sure what type of answer you seek. With that being said, typically the safest and common method is a 1:1 NAT. If you are setting up or have set up a NAT rule for a specific port from and to IPs, we are under the assumption that you put the rule there in the first place, therefore deeming the outside host as a trusted source. Almost all firewalls typically offer a 1:1 static NAT feature. I hope this helps.
0
 
LVL 12

Assisted Solution

by:duttcom
duttcom earned 167 total points
ID: 39823048
I can do that with my Netgear firewall; what you are needing is fairly standard functionality AFAIK.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823050
What I'm looking to know is - is this a common feature?

I want to forward port x to a device in the LAN, but only if the data is coming from a specific IP address from outside. That way it'll keep out hackers. Yes, there are port forwarding rules set up, but they allow traffic from any machine on the web to come in on that port. I want to only allow the packets to get in if they are coming from that trusted public location.

1:1 NAT - how does that compare to 'standard' NAT in Linksys / Netgear firewalls - devices inside the LAN get a 192.x.x.x address and the box keeps track of requests going out, and the reply coming back gets to the right machine.

port forwarding
0

 
LVL 15

Assisted Solution

by:Robert Sutton Jr
Robert Sutton Jr earned 333 total points
ID: 39823057
Typically on SOHO routers it will be under the static routing and normally has an option or drop-down menu to select, i.e. LAN:LAN, WAN:LAN, etc. Hope this helps.


i.e. <outside IP> : <inside IP>
Interface: WAN       <drop-down menu typically>
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823065
OK, thanks! Warlock, you made me realize - the port forwarding page has settings for LAN port and IP info AND remote port and IP info. So just put the outside trusted IP in the 2nd part of the page. DUH!

But the provider really wanted me to put in a range of several allowed IP addresses. Have to make a rule for each IP address (can't do a range of public IPs, it seems) :(

And some routers have a limit on how many rules you can make?

OK, help me out and check the next question!

http://www.experts-exchange.com/Networking/Security/Q_28352954.html
0
 
LVL 12

Expert Comment

by:duttcom
ID: 39823077
What you are asking for is exactly the sort of thing a firewall is supposed to do.

If I have an app running on my network on 192.X.X.X port 123 (set up on that port to allow it to be separated from other TCP/HTTP traffic on 8080), I would first set up a custom "Service" of TCP traffic on port 123 called My123 (for example). Then I would create a group of WAN users with the IP range of 4.3.3.0 to 4.3.3.4 called 123users, next I would create a rule that would forward incoming traffic on port 123 to 192.X.X.X:123, specifying that the rule applies to the 123users WAN group.

Anyone outside that WAN group IP range will not get in, those that do will be forwarded to the correct port to access the app.
0
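As an added example (not code from the thread or from any router vendor), here is a small Python model of the rule set duttcom describes: each forwarding rule carries the trusted WAN networks, and a packet is only forwarded when both the port and the source match. It also shows how a provider's range of addresses collapses into CIDR blocks, which is the rule count you would need on a router that accepts masks but not ranges. The addresses are the ones used in the thread; the port 22 rule is a constructed unrestricted forward for contrast.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ForwardRule:
    ext_port: int          # port the WAN side listens on
    proto: str             # "tcp" or "udp"
    internal_ip: str       # LAN device the packet is DNAT'ed to
    internal_port: int
    allowed_sources: tuple = ()   # CIDR strings; empty means "any source"


def evaluate(rules, src_ip, dst_port, proto="tcp"):
    """Return (internal_ip, internal_port) if some rule forwards this packet,
    else None. Rules are checked in order, first match wins, like a
    firewall's ordered rule list. A port match with an untrusted source does
    not forward; it simply falls through to the next rule."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.ext_port != dst_port or r.proto != proto:
            continue
        if r.allowed_sources and not any(
                src in ipaddress.ip_network(n) for n in r.allowed_sources):
            continue
        return (r.internal_ip, r.internal_port)
    return None


def range_to_cidrs(first, last):
    """Express a provider's 'first..last' range as the minimal CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def rules_needed(first, last, router_accepts_cidr):
    """How many forwarding rules the range costs on a given router:
    one per CIDR block if masks are accepted, one per address otherwise."""
    if router_accepts_cidr:
        return len(range_to_cidrs(first, last))
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


# Constructed rule set using the thread's addresses.
RULES = [
    ForwardRule(8080, "tcp", "192.168.1.33", 8080, ("4.3.3.0/24",)),
    ForwardRule(123, "tcp", "192.168.1.50", 123, ("4.3.3.4/32",)),
    ForwardRule(22, "tcp", "192.168.1.10", 22),   # unrestricted: what the asker wants to avoid
]
```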
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39823108
Dutt - thanks. Some routers / 'firewalls' don't have all that ability, at least not to do the group of WAN users, right? I'm thinking lower-end Linksys, etc. I am dealing with a Verizon Actiontec specifically, which also doesn't have that group of WAN users capability. Just have to list each IP separately as long as the router can hold that many rules :(
0
 
LVL 12

Expert Comment

by:duttcom
ID: 39823155
You've hit on the problem - firewalls are one of those things where the variety of features and functionality varies widely. Bear in mind also that what you may be looking for is called something unexpected, so the feature might be there, just called something else.

Make sure you understand what all the features of your firewall do - you may find that the firewall has some proprietary features that are called something snappy but are really just a normal bit of functionality dressed up as a feature with a confusing name.
0
