jbibe Premium, MVM join:2001-02-22
2 edits | reply to MrYogi | Re: What ports to block?
said by MrYogi: Can someone give me instructions on how to block all but specific ports on Prestige 334?
I assume that you are referring to outbound ports, since all inbound ports are blocked by default. Do you plan to block services (Main Menu -> Firewall -> Services tab) for a part of the day?
Edit: Let me assume that you will not block any services. This assumption simplifies the change.
The default firewall rule in the L-W firewall set (Set 1) forwards all packets. If the user blocks some services for a part of the day, a rule (Rule 1) is automatically added to Set 1. The rule blocks the outbound packets with the preselected destination ports. The LAN to WAN log control on the Firewall Setting screen controls the actual logging. Remember that if you make any changes in the selected services or the logging, you will have to check all of the firewall rules.
Be sure to save your present configuration before you start.
1. Set the LAN to WAN logging on the Firewall Settings screen to Log All.
2. Enable Services Blocking.
3. Enable Everyday (in Day to Block).
4. Enable All Day (in Time of Day to Block).
5. Add the Services (ports) that you want to allow.
6. Press Apply.
Now convert the default rule of Set 1 to block and log with no alerts, and Rule 1 of Set 1 to forward, not log, and no alerts.
7. Telnet to the P334, open menu 24.8, and enter the following commands:
config retrieve firewall
config edit firewall set 1 default-permit block
config edit firewall set 1 log yes
config edit firewall set 1 alert no
config edit firewall set 1 rule 1 permit forward
config edit firewall set 1 rule 1 log none
config edit firewall set 1 rule 1 alert no
config save firewall
8. Review the firewall settings to ensure that they are correct:
config retrieve firewall
config display firewall set 1
9. If all of the settings are correct, you are done.
10. Suppose that you forgot two of the desired ports, e.g., NTP (port 123/UDP) and HTTPS (port 443/TCP). Use the following commands to add the ports:
config retrieve firewall
config edit firewall set 1 rule 1 udp destport-single 123
config edit firewall set 1 rule 1 tcp destport-single 443
config save firewall
If you make any changes, be sure to review the final firewall settings.
MrYogi join:2003-03-28 Reston, VA
So all inbound ports are blocked by default?
MrYogi join:2003-03-28 Reston, VA
(attached screenshots: Firewall 1, Firewall 2, Firewall 3)
Can someone check my firewall settings and tell me if I am doing it right?
StuartMW Who Is John Galt? Premium join:2000-08-06 Austin, TX
reply to MrYogi | said by MrYogi: So all inbound ports are blocked by default?
Out of the box, yes. You could change it to Allow if you were crazy enough. There's no LAN-WAN blocking by default, but as was discussed here (»lockdown LAN to WAN traffic) it's a good idea to lock that down as well.
BTW, my example above was for a ZyWALL 2X, Yogi. You don't get all of that nice stuff in a P334, at least not in the web interface.
-- Don't feed the trolls--it only makes them grow!
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
reply to MrYogi | So those four services are actually the four you wish to allow outbound, and block the rest, according to jbibe's fiendishly devilish, conniving, cunning methods.
-- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"
MrYogi join:2003-03-28 Reston, VA
I thought those four outbound services were blocked. :o
tnroroc Let's Rock join:2001-04-25 Matawan, NJ
reply to jbibe | said by jbibe: Edit: Let me assume that you will not block any services. This assumption simplifies the change.
Suppose I want to block all services except those I will actually be using? How does that change any of your instructions?
-- rok - Enjoy this game called life, nobody is actually keeping score.
jbibe Premium, MVM join:2001-02-22
The instructions assume that you want to block all services except the ones that you are using. If you want to block different services during part of the day (e.g., block all access to the Internet from 10 PM to 8 AM), then rule 1 of set 1 cannot be used. A different design is needed.
tnroroc Let's Rock join:2001-04-25 Matawan, NJ
I am a bit confused then.
In your initial instructions you were assuming no services being blocked. But in your last reply, you state blocking all services except the ones required.
-- rok - Enjoy this game called life, nobody is actually keeping score.
jbibe Premium, MVM join:2001-02-22
The P334 has a Services screen that permits you to select ports (services) to be blocked. If you plan to use that feature to block ports, then it cannot be used to allow a small number of outbound ports.
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
1 edit | reply to tnroroc | The confusion, tnroroc, is that you're following jbibe's posts but reading the posters' comments, vice listening to all jbibe all the time; it's better than CNN. He speaks great truths, and he is a magician; in fact you have taken off all your clothes in front of your family, did a dance on your front lawn, and are now back at the computer fully dressed, totally unaware of the impending daily newspaper pics.......
What jbibe has done is use the pretzel technique, or as I prefer to call it the "Bbarrera", turning one's sphincter inside out. He delineates only the services he wants to eventually allow by choosing them in the block services GUI, and then goes to the CLI command structure and simply states that everything but those choices will be blocked and everything else (what's left is the four rules) is allowed.
In the CLI commands it looks like he changes the default setting LAN to WAN from allow to block (this is the firewall set), then goes into the firewall rules and changes the block to forward.
-- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"
tnroroc Let's Rock join:2001-04-25 Matawan, NJ
So I was confused! And rightly so. But now I fully understand.
tnroroc Let's Rock join:2001-04-25 Matawan, NJ
reply to jbibe | Ugh! Is there a way to simply remove an added port from the allow list? I transposed 2 digits of one of the ports I wanted to add and now have an incorrect port allowed.
Also, as a best practice, should set 1 rule 1 just list ALL the ports I wish to allow, or should the ports be spread out across several rules under set 1? What about when one wants to allow ranges? Should these be part of set 1 rule 1, or should they be a separate rule under set 1?
Thanks in advance!
-- rok - Enjoy this game called life, nobody is actually keeping score.
jbibe Premium, MVM join:2001-02-22
2 edits | said by tnroroc: Ugh! Is there a way to simply remove an added port from the allow list? I transposed 2 digits of one of the ports I wanted to add and now have an incorrect port allowed.
Based on my previous experience, my guess is that deleting a port will delete all the ports in the rule, but try anyway. Save your present configuration, and then delete the port. For example, assume that you want to remove port 1234/TCP:
config retrieve firewall
config delete firewall set 1 rule 1 tcp destport-single 1234
Before you save, display the results of the delete:
config display firewall set 1 rule 1
If all looks good, save the firewall. If all the ports have been removed, you will either need to add all of the ports, delete the rule and start over, or discard the modified rule.
quote: Also, as a best practice, should set 1 rule 1 just list ALL the ports I wish to allow, or should the ports be spread out across several rules under set 1? What about when one wants to allow ranges? Should these be part of set 1 rule 1, or should they be a separate rule under set 1?
A case can be made for allowing only the most important ports in rule 1. For example, you might want to restrict rule 1 to ports 80 and 443, or perhaps ports 80, 443, 25, and 110. Then add the remaining ports in rule 2. The major disadvantage is the additional work of adding rule 2, since the entire rule must be built with config commands.
You can allow ranges in rule 1, or in a separate rule. For example:
config edit firewall set 2 rule 1 tcp destport-range <start#> <end#>
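As an added example (not jbibe's own code and not taken from the thread), here is a Python generator for the Set 1 allow-list procedure in jbibe's first post (steps 7, 8 and 10) and for the two points raised in this post: recovering after a port delete empties the rule, and spreading ports and port ranges over a second rule. It emits only the command forms quoted in the thread. Two things are assumptions rather than facts stated on the page: that `config edit` creates a rule which does not yet exist (the Rule 10 experiment later in the thread suggests it does), and that re-adding the surviving ports after the delete restores the rule, which is what tnroroc reported doing by hand. The sample policy in the block is constructed for illustration.

```python
"""Generate Prestige 334 CLI scripts for a default-deny LAN-to-WAN policy.

Added example, not from the thread. Assumptions (see lead-in): `config edit`
creates a missing rule; re-adding ports after a delete restores the rule.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Service:
    """One allowed destination: a single port (end=None) or a port range."""
    proto: str              # "tcp" or "udp", the two keywords the thread uses
    start: int
    end: Optional[int] = None

    def __post_init__(self) -> None:
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"protocol must be tcp or udp, got {self.proto!r}")
        last = self.start if self.end is None else self.end
        if not (1 <= self.start <= last <= 65535):
            raise ValueError(f"bad port range {self.start}-{last}")

    def command(self, set_no: int, rule_no: int) -> str:
        """The `config edit` line that adds this port or range to a rule."""
        prefix = f"config edit firewall set {set_no} rule {rule_no} {self.proto}"
        if self.end is None:
            return f"{prefix} destport-single {self.start}"
        return f"{prefix} destport-range {self.start} {self.end}"


def _port_lines(services: Iterable[Service], set_no: int, rule_no: int) -> List[str]:
    # Sort and dedupe so the script is stable and never adds the same port twice.
    ordered = sorted(set(services),
                     key=lambda s: (s.proto, s.start, s.start if s.end is None else s.end))
    return [s.command(set_no, rule_no) for s in ordered]


def allow_list_script(rules: Dict[int, List[Service]], set_no: int = 1) -> List[str]:
    """Set `set_no` becomes block-by-default (logged, no alert) and every rule in
    `rules` ({rule_no: [Service, ...]}) becomes an unlogged forward rule carrying
    its ports: steps 7 and 8 of the thread, generalized to several rules."""
    if not rules:
        raise ValueError("at least one allow rule is needed, or nothing can leave the LAN")
    lines = [
        "config retrieve firewall",
        f"config edit firewall set {set_no} default-permit block",
        f"config edit firewall set {set_no} log yes",
        f"config edit firewall set {set_no} alert no",
    ]
    for rule_no, services in sorted(rules.items()):
        lines += [
            f"config edit firewall set {set_no} rule {rule_no} permit forward",
            f"config edit firewall set {set_no} rule {rule_no} log none",
            f"config edit firewall set {set_no} rule {rule_no} alert no",
        ]
        lines += _port_lines(services, set_no, rule_no)
    lines += ["config save firewall", f"config display firewall set {set_no}"]
    return lines


def remove_port_script(services: Iterable[Service], wrong: Service,
                       set_no: int = 1, rule_no: int = 1) -> List[str]:
    """Remove one mistaken single port. Because the delete was reported to clear
    every port in the rule, the script re-adds the whole corrected list and then
    displays the rule so the operator can inspect it before the save."""
    if wrong.end is not None:
        raise ValueError("only single-port deletes are shown in the thread")
    keep = [s for s in services if s != wrong]
    if not keep:
        raise ValueError("removing the last port would leave an empty allow rule")
    delete = (f"config delete firewall set {set_no} rule {rule_no} "
              f"{wrong.proto} destport-single {wrong.start}")
    return (["config retrieve firewall", delete]
            + _port_lines(keep, set_no, rule_no)
            + [f"config display firewall set {set_no} rule {rule_no}", "config save firewall"])


if __name__ == "__main__":
    # Constructed sample policy: essentials in rule 1, the rest (incl. a range) in rule 2.
    policy = {
        1: [Service("tcp", 80), Service("tcp", 443)],
        2: [Service("tcp", 25), Service("tcp", 110), Service("udp", 123),
            Service("tcp", 6000, 6010)],
    }
    print("\n".join(allow_list_script(policy)))
```

Paste the printed lines into menu 24.8 in order; the final `config display` is the review step, and the delete script deliberately displays the rule before `config save firewall` so a wiped rule is noticed while the change can still be discarded.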
tnroroc Let's Rock join:2001-04-25 Matawan, NJ
You were correct, using delete deletes the entire selection of ports. :( I just added them back in individually.
Is it necessary to define the rules consecutively? In other words, if I have a rule that I wish to have as the last rule in the set, is it possible? What exactly IS the last available rule number in a set? Any performance implications in doing this?
Example:
Set 1 Rule 1 blah blah blah blah
Set 1 Rule <whatever the last available number is> blah blah blah blah
-- rok - Enjoy this game called life, nobody is actually keeping score. ;)
jbibe Premium, MVM join:2001-02-22
2 edits | I don't believe that you must enter the rules in sequence. During the save, I believe that the rules are placed in order, based on the rule number. I haven't performed any tests on the P334 to confirm these beliefs, so I might be full of baloney.
I don't know the maximum number of rules in a firewall set for the P334. One way to estimate the number is to consider the W-L firewall set. One rule can be added for each SUA slot. This implies the number is at least 11 for the W-L firewall set. The available memory controls the actual limit. If you use
config display firewall set#
the available memory is shown at the end of the displayed information.
Edit: StuartMW demonstrated the "config display firewall buffer" command to show the memory available in the Z2X firewall buffers in the following post:
»ZyWALL 2/2X 3.62 WH.1 CI Command List now in HTML!
tnroroc Let's Rock join:2001-04-25 Matawan, NJ
I actually meant is it OK to have a gap in rule numbers. There already is a Set 1 Rule 1; if I want to add a rule to this set that will always be the last rule of the set, can I make it "Set 1 Rule 10", for instance?
-- rok - Enjoy this game called life, nobody is actually keeping score.
jbibe Premium, MVM join:2001-02-22
1 edit | Each rule has two numbers -- a Runtime Rule Number and a Rule Number -- as shown here:
Runtime Rule Number: 1<1>
The number inside the < > is the Rule Number. The Rule Numbers can have gaps. During the save, the firmware forms the sequential Runtime Rule Numbers.
Edit: Add a Rule 10 and then display the Runtime Rule:
...
Z10W> config edit firewall set 1 rule 10 protocol 1
Z10W> config save firewall
Z10W> sys firewall acl disp
...
Runtime Rule Number: 1<10>
Note that Rule 10 is Runtime Rule Number 1.
Now add Rule 2 and then display the Runtime Rules:
...
Z10W> config edit firewall set 1 rule 2 protocol 2
Z10W> config save firewall
Z10W> sys firewall acl disp
...
Runtime Rule Number: 1<2>
...
Runtime Rule Number: 2<10>
...
Note that the Runtime Rule Numbers are sequential, but the Rule Numbers are not. Also note that Rule 2 is now before Rule 10.
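As an added example (not jbibe's code and not from the thread), the following Python checks a captured `sys firewall acl disp` listing against the two observations above: the Runtime Rule Numbers run 1, 2, 3 ... without gaps, and they follow the ascending order of the configured Rule Numbers, which may have gaps. It also reports the unused Rule Numbers and suggests a number for a rule that must stay last. Only the `Runtime Rule Number: N<M>` line format quoted in the thread is parsed; everything else in the output is treated as opaque, and the sample listing below is constructed from the two lines jbibe showed.

```python
"""Check Prestige 334 / ZyWALL `sys firewall acl disp` output for rule ordering.

Added example, not from the thread. Only the 'Runtime Rule Number: N<M>' line
format shown on the page is parsed (assumption: other lines carry nothing needed).
"""
import re
from typing import List, Tuple

RUNTIME_RE = re.compile(r"Runtime Rule Number:\s*(\d+)<(\d+)>")

# Constructed sample, assembled from the two display lines quoted in the thread.
SAMPLE_ACL_DISPLAY = """\
Z10W> sys firewall acl disp
...
Runtime Rule Number: 1<2>
...
Runtime Rule Number: 2<10>
...
"""


def parse_runtime_rules(text: str) -> List[Tuple[int, int]]:
    """Return (runtime_number, rule_number) pairs in the order displayed."""
    return [(int(rt), int(rule)) for rt, rule in RUNTIME_RE.findall(text)]


def check_rule_order(pairs: List[Tuple[int, int]]) -> List[str]:
    """Problems found in the listing; an empty list means it matches the thread's
    description (sequential runtime numbers, rules sorted by Rule Number)."""
    problems = []
    runtimes = [rt for rt, _ in pairs]
    if runtimes != list(range(1, len(pairs) + 1)):
        problems.append(f"runtime numbers not sequential: {runtimes}")
    rules = [rule for _, rule in pairs]
    if rules != sorted(rules):
        problems.append(f"rules not in ascending Rule Number order: {rules}")
    if len(set(rules)) != len(rules):
        problems.append(f"duplicate Rule Number: {rules}")
    return problems


def rule_gaps(pairs: List[Tuple[int, int]]) -> List[int]:
    """Rule Numbers skipped between configured rules (allowed, per the thread,
    but worth knowing before inserting a rule between two existing ones)."""
    rules = sorted(rule for _, rule in pairs)
    gaps: List[int] = []
    for lo, hi in zip(rules, rules[1:]):
        gaps.extend(range(lo + 1, hi))
    return gaps


def next_rule_number(pairs: List[Tuple[int, int]], step: int = 10) -> int:
    """A Rule Number above every existing one, rounded up to the next multiple of
    `step` so later rules can still be slotted in before it."""
    top = max((rule for _, rule in pairs), default=0)
    return (top // step + 1) * step


if __name__ == "__main__":
    pairs = parse_runtime_rules(SAMPLE_ACL_DISPLAY)
    print("runtime -> rule:", pairs)
    print("problems:", check_rule_order(pairs) or "none")
    print("unused rule numbers:", rule_gaps(pairs))
    print("suggested number for a new last rule:", next_rule_number(pairs))
```

Run it on a listing saved from the telnet session after `config save firewall`; a non-empty problem list means the firmware did not order the rules the way this thread describes, and the set should be displayed and reviewed before relying on a rule being last.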