comp.security.firewalls

danibe_at_my-deja.com
Date: 12/24/04


Date: 24 Dec 2004 11:18:00 -0800

I recently purchased a NETGEAR FVS328 firewall. I am trying to
configure it to block ANY traffic from a range of internal addresses
("LAN Users" in NETGEAR's jargon).

While the FVS328 lets me specify a range of addresses, it doesn't have
an option to block ALL traffic from that range. It only allows me to
specify one service per rule to be blocked. While I could enter as many
rules as there are services in the listbox FVS328 provides, this is
tedious (and most probably doesn't block ALL traffic?).

The list of services currently "blockable" by FVS328 is:

AIM(TCP:5190)
BGP(TCP:179)
BOOTP_CLIENT(UDP:68)
BOOTP_SERVER(UDP:67..68)
CU-SEEME(TCP/UDP:7648)
DNS(TCP/UDP:53)
FINGER(TCP:79)
FTP(TCP:21)
H.323(TCP:1720)
HTTP(TCP:80)
HTTPS(TCP:443)
ICQ(TCP:5190)
IRC(TCP/UDP:6660..6669)
NEWS(TCP:119)
NFS(UDP:2049)
NNTP(TCP:119)
POP3(TCP:110)
PPTP(TCP:1723)
RCMD(TCP:512)
REAL-AUDIO(TCP:7070)
REXEC(TCP:514)
RLOGIN(TCP:513)
RTELNET(TCP:107)
RTSP(TCP/UDP:554)
SFTP(TCP:115)
SMTP(TCP:25)
SNMP(TCP/UDP:161)
SNMP-TRAPS(TCP/UDP:162)
SQL-NET(TCP:1521)
SSH(TCP/UDP:22)
STRMWORKS(UDP:1558)
TACACS(UDP:49)
TELNET(TCP:23)
TFTP(UDP:69)
VDOLIVE(TCP:7000)
IMAP2(TCP:143)
IMAP3(TCP:220)
PING(ICMP:8)
ICMP-INFO(ICMP:3..11)
ICMP-TIMESTAMP(ICMP:13)

Any suggestion how to work around this problem?

I don't mind so much about the tedious part, but I *would* like to block
ALL possible outgoing ports for a certain range of IP addresses
(assigned for internal LAN access only). Is this possible with the
FVS328?

I could do it quite easily with my Linux box running ipchains or
iptables, but that Linux box no longer serves as the Internet gateway
for my LAN.

Thanks,
Daniel
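As an added illustration (not part of the original post and not NETGEAR code), the following Python script parses the FVS328 service list quoted above and counts how much of the TCP/UDP port space and the ICMP type space those per-service rules would actually cover, which bears out the suspicion that one rule per listed service does not block ALL traffic from an address range. The parsing format NAME(PROTO:lo[..hi]) is inferred from the list as printed.

```python
import re
from collections import defaultdict

# FVS328 "blockable" service list as quoted in the post, embedded here so the
# script runs offline (entries copied verbatim, whitespace-separated).
FVS328_SERVICES = """
AIM(TCP:5190) BGP(TCP:179) BOOTP_CLIENT(UDP:68) BOOTP_SERVER(UDP:67..68)
CU-SEEME(TCP/UDP:7648) DNS(TCP/UDP:53) FINGER(TCP:79) FTP(TCP:21) H.323(TCP:1720)
HTTP(TCP:80) HTTPS(TCP:443) ICQ(TCP:5190) IRC(TCP/UDP:6660..6669) NEWS(TCP:119)
NFS(UDP:2049) NNTP(TCP:119) POP3(TCP:110) PPTP(TCP:1723) RCMD(TCP:512)
REAL-AUDIO(TCP:7070) REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107)
RTSP(TCP/UDP:554) SFTP(TCP:115) SMTP(TCP:25) SNMP(TCP/UDP:161)
SNMP-TRAPS(TCP/UDP:162) SQL-NET(TCP:1521) SSH(TCP/UDP:22) STRMWORKS(UDP:1558)
TACACS(UDP:49) TELNET(TCP:23) TFTP(UDP:69) VDOLIVE(TCP:7000) IMAP2(TCP:143)
IMAP3(TCP:220) PING(ICMP:8) ICMP-INFO(ICMP:3..11) ICMP-TIMESTAMP(ICMP:13)
"""

# NAME(PROTO:lo) or NAME(PROTO:lo..hi); PROTO may be TCP, UDP, TCP/UDP or ICMP.
ENTRY_RE = re.compile(r"^([\w.-]+)\((TCP|UDP|TCP/UDP|ICMP):(\d+)(?:\.\.(\d+))?\)$")

def parse_entry(entry):
    """Parse one entry into (name, [protocols], lo, hi); hi == lo for single ports."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised service entry: {entry!r}")
    name, proto, lo, hi = m.groups()
    lo = int(lo)
    return name, proto.split("/"), lo, (int(hi) if hi else lo)

def coverage(text):
    """Map protocol -> set of ports (or ICMP types) that blocking every entry covers."""
    covered = defaultdict(set)
    for entry in text.split():
        _, protos, lo, hi = parse_entry(entry)
        for proto in protos:
            covered[proto].update(range(lo, hi + 1))
    return covered

def uncovered(covered):
    """How many TCP/UDP ports (0-65535) and ICMP types (0-255) no entry touches."""
    space = {"TCP": 65536, "UDP": 65536, "ICMP": 256}
    return {p: n - len(covered.get(p, ())) for p, n in space.items()}

if __name__ == "__main__":
    gaps = uncovered(coverage(FVS328_SERVICES))
    for proto, count in gaps.items():
        print(f"{proto}: {count} ports/types left open after blocking every listed service")
```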
