comp.security.firewalls

danibe_at_my-deja.com
Date: 12/24/04


Date: 24 Dec 2004 11:18:00 -0800

I recently purchased a NETGEAR FVS328 firewall. I am trying to
configure it to block ANY traffic from a range of internal addresses
("LAN Users" in NETGEAR's jargon).

While the FVS328 lets me specify a range of addresses, it doesn't have
an option to block ALL traffic from that range. It only allows me to
specify one service per rule to be blocked. While I could enter as many
rules as there are services in the listbox FVS328 provides, this is
tedious (and most probably doesn't block ALL traffic?).

The list of services currently "blockable" by FVS328 is:

AIM(TCP:5190)
BGP(TCP:179)
BOOTP_CLIENT(UDP:68)
BOOTP_SERVER(UDP:67..68)
CU-SEEME(TCP/UDP:7648)
DNS(TCP/UDP:53)
FINGER(TCP:79)
FTP(TCP:21)
H.323(TCP:1720)
HTTP(TCP:80)
HTTPS(TCP:443)
ICQ(TCP:5190)
IRC(TCP/UDP:6660..6669)
NEWS(TCP:119)
NFS(UDP:2049)
NNTP(TCP:119)
POP3(TCP:110)
PPTP(TCP:1723)
RCMD(TCP:512)
REAL-AUDIO(TCP:7070)
REXEC(TCP:514)
RLOGIN(TCP:513)
RTELNET(TCP:107)
RTSP(TCP/UDP:554)
SFTP(TCP:115)
SMTP(TCP:25)
SNMP(TCP/UDP:161)
SNMP-TRAPS(TCP/UDP:162)
SQL-NET(TCP:1521)
SSH(TCP/UDP:22)
STRMWORKS(UDP:1558)
TACACS(UDP:49)
TELNET(TCP:23)
TFTP(UDP:69)
VDOLIVE(TCP:7000)
IMAP2(TCP:143)
IMAP3(TCP:220)
PING(ICMP:8)
ICMP-INFO(ICMP:3..11)
ICMP-TIMESTAMP(ICMP:13)

Any suggestion on how to work around this problem?

I don't mind so much about the tedious part, but I *would* like to block
ALL possible outgoing ports for a certain range of IP addresses
(assigned for internal LAN access only). Is this possible with the
FVS328?

I could do it quite easily with my Linux box running ipchains or
iptables, but that Linux box no longer serves as the Internet gateway
for my LAN.

Thanks,
Daniel
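As an added example (not part of the original post, and not NETGEAR's or Linux's code): a Python script that parses the FVS328 service list quoted above in NETGEAR's NAME(PROTO:PORT) notation, counts how much of the TCP/UDP port space the per-service rules actually cover, and emits the iptables equivalents, both one rule per service and the single source-range DROP the poster is asking for. The source address range and the use of the FORWARD chain are assumptions for illustration.

```python
import re

# The FVS328 "blockable" service list from the post, in NETGEAR's notation:
# NAME(PROTO:PORT) or NAME(PROTO:LOW..HIGH), PROTO in TCP, UDP, TCP/UDP, ICMP.
FVS328_SERVICES = """
AIM(TCP:5190) BGP(TCP:179) BOOTP_CLIENT(UDP:68) BOOTP_SERVER(UDP:67..68)
CU-SEEME(TCP/UDP:7648) DNS(TCP/UDP:53) FINGER(TCP:79) FTP(TCP:21)
H.323(TCP:1720) HTTP(TCP:80) HTTPS(TCP:443) ICQ(TCP:5190)
IRC(TCP/UDP:6660..6669) NEWS(TCP:119) NFS(UDP:2049) NNTP(TCP:119)
POP3(TCP:110) PPTP(TCP:1723) RCMD(TCP:512) REAL-AUDIO(TCP:7070)
REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107) RTSP(TCP/UDP:554)
SFTP(TCP:115) SMTP(TCP:25) SNMP(TCP/UDP:161) SNMP-TRAPS(TCP/UDP:162)
SQL-NET(TCP:1521) SSH(TCP/UDP:22) STRMWORKS(UDP:1558) TACACS(UDP:49)
TELNET(TCP:23) TFTP(UDP:69) VDOLIVE(TCP:7000) IMAP2(TCP:143)
IMAP3(TCP:220) PING(ICMP:8) ICMP-INFO(ICMP:3..11) ICMP-TIMESTAMP(ICMP:13)
"""
ENTRY = re.compile(r"^([\w.\-]+)\(([A-Z/]+):(\d+)(?:\.\.(\d+))?\)$")

def parse_services(text):
    # Returns (name, proto, low, high) tuples; TCP/UDP entries expand to both.
    rules = []
    for entry in text.split():
        m = ENTRY.match(entry)
        if not m:
            raise ValueError(f"unrecognised service entry: {entry}")
        name, protos, lo, hi = m.groups()
        for proto in protos.lower().split("/"):
            rules.append((name, proto, int(lo), int(hi or lo)))
    return rules

def coverage(rules):
    # Map proto -> set of destination ports (or ICMP types) the rules block.
    covered = {}
    for _, proto, lo, hi in rules:
        covered.setdefault(proto, set()).update(range(lo, hi + 1))
    return covered

def per_service_rules(rules, src_range):
    # One iptables rule per service: what the FVS328 UI forces you to do.
    base = f"iptables -A FORWARD -m iprange --src-range {src_range}"
    out = []
    for name, proto, lo, hi in rules:
        if proto == "icmp":  # iptables takes one ICMP type per rule
            out += [f"{base} -p icmp --icmp-type {t} -j DROP  # {name}" for t in range(lo, hi + 1)]
        else:
            ports = f"{lo}" if lo == hi else f"{lo}:{hi}"
            out.append(f"{base} -p {proto} --dport {ports} -j DROP  # {name}")
    return out

def block_all_rule(src_range):
    # The single source-based rule the poster wants: every protocol, every port.
    return f"iptables -A FORWARD -m iprange --src-range {src_range} -j DROP"
```

Running `coverage(parse_services(FVS328_SERVICES))` shows the 40 listed services block only 38 TCP and 22 UDP destination ports out of 65536 each, and nothing for other IP protocols, which is why the per-service approach cannot stand in for a source-based block-all rule.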