hardware firewall basics question - with port forwarding turned on, can only certain IPs get in?

Is this an exotic or common feature in firewalls?

Say you have a port forwarding rule in place to allow incoming packets to get to a device on the LAN.

But that can open you up to malicious attacks on that port against that device the port forwarding is set up for.

So>>>>  in (some / most / all / none?) firewalls, you can set it up so only specific public IPs from outside (certain IPs / a range of IPs?) can get in via the port?

Like port forward 8080 to ONLY IF the request from the outside is coming from or just ?
Who is Participating?
Robert Sutton JrConnect With a Mentor Senior Network ManagerCommented:
I'm not exactly sure what type of answer you seek. With that being said, typically the safest and common method is a 1:1 NAT. If you are setting up or have set up a NAT rule for a specific port from and to Ip's we are under the assumption that you put the rule there in the first place. Therefore, deeming the outside host as a trusted source. Almost all firewalls typically offer a 1:1 static NAT feature. I hope this helps.
duttcomConnect With a Mentor Commented:
I can do that with my Netgear firewall; what you are needing is fairly standard functionality AFAIK.
BeGentleWithMe-INeedHelpAuthor Commented:
what I'm looking to know is - is this a common feature?

I want to forward port x to a device in the LAN, but only if the data is coming from a specific IP address from outside. that way it'll keep out hackers.  yes, there's port forwarding rules set up, but they allow traffic from any machine on the web to come in on that port.  I want to only allow the packets to get in if they are coming from that trusted public location.

1:1 nat - how does that compare to 'standard' nat in Linksys / netgear firewalls - devices inside the LAN get a 192.x.x.x address and the box keeps track of requests going out and the reply coming back gets to the right machine.

port forwarding
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

Robert Sutton JrConnect With a Mentor Senior Network ManagerCommented:
Typically on SOHO routers it will be Under the static routing and normally has an option or drop down menu to select; IE:  LAN:LAN; WAN:LAN, etc. Hope this helps.

IE: <outside Ip> : <Inside Ip>
Interface: WAN       <drop down menu typically>
BeGentleWithMe-INeedHelpAuthor Commented:
OK, thanks!  warlock, you made me realize - the port forwarding page has settings for LAN port and iP info AND remote port and IP info.  so just put the outside trusted IP in the 2nd part of the page.  DUH!

But the provider really wanted me to put in a range of several allowed IP addresses.  Have to make a rule for each IP address (can't do a range of public IPs it seems : (

And some routers have a limit on how many rules you can make?

OK, help me out and check the next question!

What you are asking for is exactly the sort of thing a firewall is supposed to do.

If I have an app running on my network on 192.X.X.X port 123 (set up on that port to allow it to be separated from other TCP/HTTP traffic on 8080), I would first set up a custom "Service" of TCP traffic on port 123 called My123 (for example). Then I would create a group of WAN users with the IP range of to called 123users, next I would create a rule that would forward incoming traffic on port 123 to 192.X.X.X:123, specifying that the rule applies to the 123users WAN group.

Anyone outside that WAN group IP range will not get in, those that do will be forwarded to the correct port to access the app.
BeGentleWithMe-INeedHelpAuthor Commented:
dutt - thanks. some router / 'firewalls' don't have all that ability, at least not to do the group of wan users, right? I'm thinking lower end Linksys, etc.  I am dealing with a Verizon Actiontec specifically, which also doesn't have that group of wan users capability.  just have to list each IP separately as long as the router can hold that many rules  : (
You've hit on the problem - firewalls are one of those things were the variety of features and functionality vary widely. Bear in mind also that what you may be looking for is called something unexpected, so the feature might be there just called something else.

Make sure you understand what all the features of your firewall do - you may find that the firewall has some proprietary features that are called something snappy but are really just a normal bit of functionality dressed up as a feature with a confusing name.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.