
FIREWALL, FAILOVER & OOB ACCESS

01) as the Failover Interface to be used when a fault has been detected

5.8 Firewall & Forwarding

5.8.3 Port / Protocol forwarding

When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network.

To work around this, Port Forwards can be set up to allow external users to connect to a specific port, or range of ports, on the external interface of the console server/cellular router, and have the console server/cellular router redirect the data to a specified internal address and port range.

To set up a port/protocol forward:

- Navigate to the System: Firewall page, and click on the Port Forwarding tab
- Click Add New Port Forward
- Fill in the following fields:

Name: Name for the port forward. This should describe the target and the service that the port forward is used to access.

Input Interface: This allows the user to only forward the port from a specific interface. In most cases, this should be left as "Any".

Source Address/Address Range: This allows the user to restrict access to a port forward to a specific source IP address or IP address range of the data. This may be left blank. IP address ranges use the format ip/netmask (where netmask is in bits 1-32).

Destination Address/Address Range: The destination IP address/address range to match. This may be left blank. IP address ranges use the format ip/netmask (where netmask is in bits 1-32).

Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward. These ports need not be the same as the output port range.

Protocol: The protocol of the data being forwarded. The options are TCP or UDP or "TCP and UDP" or

Output Address: The target of the port forward. This is an address on the internal network where packets sent to the Input Interface on the input port range are sent.

Output Port Range: The port or range of ports that the packets will be redirected to on the Output Address. Ranges use the format start-finish. Only valid for TCP and UDP protocols.

For example, to forward port 8443 to an internal HTTPS server on 192.168.10.2, the following settings would be used:

Input Interface: Any
Input Port Range: 8443
Protocol: TCP
Output Address: 192.168.10.2
Output Port Range: 443

5.8.4 Firewall rules

Firewall rules can be used to block or allow traffic through an interface based on port number, the source and/or destination IP address (range), the direction (ingress or egress) and the protocol. This can be used to allow custom on-box services, or to block traffic based on policy.

To set up a firewall rule:


Note: Prior to firmware V3.4 this tab was labeled Port Rules and fewer firewall rules could be configured.

- Click New Firewall Rule
- Fill in the following fields:

Name: Name the rule. This name should describe the policy the firewall rule is being used to implement (e.g. block ftp, Allow Tony).

Interface: Select the interface that the firewall rule will be applied to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc).

Port Range: Specify the Port or range of Ports (e.g. 1000-1500) that the rule will apply to. This may be left blank for Any.

Source MAC address: Specify the source MAC address to be matched. This may be left blank for Any. MAC addresses use the format XX:XX:XX:XX:XX:XX, where XX are hex digits.

Source Address Range: Specify the source IP address (or address range) to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank for Any.

Destination Range: Specify the destination IP address/address range to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank.

Protocol: Select whether the firewall rule will apply to TCP or UDP or "TCP and UDP" or ICMP or ESP or GRE or Any.

Direction: Select the traffic direction that the firewall rule will apply to (Ingress = incoming or Egress = outgoing).

Action: Select the action (Accept or Block) that will be applied to the packets detected that match the Interface + Port Range + Source/Destination Address Range + Protocol + Direction.

For example, to block all SSH traffic from leaving the Dialout Interface, the following settings can be used:

Interface: Dialout/Cellular
Port Range: 22
Protocol: TCP
Direction: Egress
Action: Block

The firewall rules are processed in a set order, from top to bottom, so rule placement is important. For example, with the following rules, all traffic coming in over the Network Interface is blocked except when it comes from two nominated IP addresses (SysAdmin and Tony):

Rule 1: To allow all incoming traffic on all interfaces from the SysAdmin
Rule 2: To allow all incoming traffic from Tony
Rule 3: To block all incoming traffic from the Network Interface

                 Rule 1                   Rule 2               Rule 3
Interface        Any                      Any                  Network Interface
Port Range       Any                      Any                  Any
Source MAC       Any                      Any                  Any
Source IP        IP address of SysAdmin   IP address of Tony   Any
Destination IP   Any                      Any                  Any
Protocol         TCP                      TCP                  TCP
Direction        Ingress                  Ingress              Ingress
Action           Accept                   Accept               Block

However, if the rule order above were changed so that the "Block Everyone Else" rule was second on the list, then the traffic coming in over the Network Interface from Tony would be blocked, because the Block rule would match before the Allow Tony rule is ever reached.
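To show why the rule order matters, here is an added example (not code from the manual or the product) that simulates the top-to-bottom, first-match evaluation described above over the three rules in the table. The addresses for SysAdmin and Tony and the sample packet are constructed placeholders, and the default verdict when no rule matches is an assumption, since the manual does not state one.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:  # fields from 5.8.4; "" or "Any" means no restriction
    name: str
    interface: str = "Any"        # "Any" or a named interface
    port_range: str = ""          # "", "22" or "1000-1500"
    source_mac: str = ""          # "" or XX:XX:XX:XX:XX:XX
    source: str = ""              # "" or ip/netmask (bare ip = /32)
    destination: str = ""         # "" or ip/netmask
    protocol: str = "Any"         # TCP, UDP, "TCP and UDP", ICMP, ESP, GRE or Any
    direction: str = "Ingress"    # Ingress or Egress
    action: str = "Accept"        # Accept or Block

def _port_ok(spec, port):
    if not spec:
        return True
    lo, _, hi = spec.replace(" ", "").partition("-")
    return int(lo) <= port <= int(hi or lo)

def _addr_ok(spec, addr):
    return not spec or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """pkt keys: interface, port, src_mac, src, dst, proto, direction."""
    return (rule.interface in ("Any", pkt["interface"])
            and _port_ok(rule.port_range, pkt["port"])
            and (not rule.source_mac or rule.source_mac.lower() == pkt["src_mac"].lower())
            and _addr_ok(rule.source, pkt["src"])
            and _addr_ok(rule.destination, pkt["dst"])
            and (rule.protocol == "Any" or pkt["proto"] in rule.protocol.split(" and "))
            and rule.direction == pkt["direction"])

def evaluate(rules, pkt, default="Accept"):
    """Top to bottom, first match wins; the default when nothing matches is an assumption (manual states none)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed placeholder addresses for SysAdmin and Tony (not from the manual).
ALLOW_SYSADMIN = Rule("Allow SysAdmin", source="203.0.113.10", protocol="TCP")
ALLOW_TONY = Rule("Allow Tony", source="203.0.113.20", protocol="TCP")
BLOCK_OTHERS = Rule("Block Everyone Else", interface="Network Interface", protocol="TCP", action="Block")

def tony_ssh_in():  # constructed sample packet: Tony's SSH connection arriving on the Network Interface
    return {"interface": "Network Interface", "port": 22, "src_mac": "00:11:22:33:44:55",
            "src": "203.0.113.20", "dst": "192.168.10.1", "proto": "TCP", "direction": "Ingress"}
```

With the rules in the order shown in the table, `evaluate([ALLOW_SYSADMIN, ALLOW_TONY, BLOCK_OTHERS], tony_ssh_in())` returns "Accept"; moving the Block rule to second place returns "Block" for the same packet.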