Posted by on December 24, 2004, 11:37 am
Oops... this is a classic case of RTFM. To be more precise - RTEFM ('E'
stands for "Entire"). ;-)
The manual says: "Service. From this list, select the application or
service to be allowed or blocked. The list already displays many common
services, *but you are not limited to these choices. Use the Services
menu to add any additional services or applications that do not already
appear.*"
Thus, I can now figure out a "trick" to accomplish what I want: By
default BLOCK access from ALL ip addresses (even those that I want to
access the Internet). Then, add rules that provide access to the
allowed PCs for the specific services which I *know* I am going to use.
I think this is even more secure by definition. Duh! :-)
Thanks to everyone who responded. :-D
Daniel
danibe@my-deja.com wrote:
> I recently purchased a NETGEAR FVS328 firewall. I am trying to
> configure it to block ANY traffic from a range of internal addresses
> ("LAN Users" in NETGEAR's jargon).
>
> While the FVS328 lets me specify a range of addresses, it doesn't have
> an option to block ALL traffic from that range. It only allows me to
> specify one service per rule to be blocked. While I could enter as many
> rules as there are services in the listbox FVS328 provides, this is
> tedious (and most probably doesn't block ALL traffic?).
>
> The list of services currently "blockable" by FVS328 is:
>
> AIM(TCP:5190)
> BGP(TCP:179)
> BOOTP_CLIENT(UDP:68)
> BOOTP_SERVER(UDP:67..68)
> CU-SEEME(TCP/UDP:7648)
> DNS(TCP/UDP:53)
> FINGER(TCP:79)
> FTP(TCP:21)
> H.323(TCP:1720)
> HTTP(TCP:80)
> HTTPS(TCP:443)
> ICQ(TCP:5190)
> IRC(TCP/UDP:6660..6669)
> NEWS(TCP:119)
> NFS(UDP:2049)
> NNTP(TCP:119)
> POP3(TCP:110)
> PPTP(TCP:1723)
> RCMD(TCP:512)
> REAL-AUDIO(TCP:7070)
> REXEC(TCP:514)
> RLOGIN(TCP:513)
> RTELNET(TCP:107)
> RTSP(TCP/UDP:554)
> SFTP(TCP:115)
> SMTP(TCP:25)
> SNMP(TCP/UDP:161)
> SNMP-TRAPS(TCP/UDP:162)
> SQL-NET(TCP:1521)
> SSH(TCP/UDP:22)
> STRMWORKS(UDP:1558)
> TACACS(UDP:49)
> TELNET(TCP:23)
> TFTP(UDP:69)
> VDOLIVE(TCP:7000)
> IMAP2(TCP:143)
> IMAP3(TCP:220)
> PING(ICMP:8)
> ICMP-INFO(ICMP:3..11)
> ICMP-TIMESTAMP(ICMP:13)
>
> Any suggestion how to work around this problem?
>
> I don't mind so much about the tedious part, but I *would* like to block
> ALL possible outgoing ports for a certain range of IP addresses
> (assigned for internal LAN access only). Is this possible with the
> FVS328?
>
> I could do it quite easily with my Linux box running ipchains or
> iptables, but that Linux box no longer serves as the Internet gateway
> for my LAN.
>
> Thanks,
> Daniel
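As an added illustration (not part of the thread), the following models the two rule strategies discussed above: a per-service BLOCK list with the router's default of allowing everything else, versus Daniel's "trick" of blocking by default and adding ALLOW rules only for the services the permitted PCs need. The evaluator, the address ranges and the packets are constructed assumptions; the service ports come from the FVS328 list quoted in the post.

```python
# Added example, not code from the original thread or from NETGEAR.
# Models first-match rule evaluation with a default action, to show why a
# per-service block list leaks traffic on unlisted ports while a default
# BLOCK plus explicit ALLOW rules does not. All addresses are constructed.
from ipaddress import ip_address, ip_network

# Subset of the FVS328 service list quoted above: name -> (protocols, lo, hi).
SERVICES = {
    "HTTP":  ({"TCP"}, 80, 80),
    "HTTPS": ({"TCP"}, 443, 443),
    "DNS":   ({"TCP", "UDP"}, 53, 53),
    "SMTP":  ({"TCP"}, 25, 25),
    "IRC":   ({"TCP", "UDP"}, 6660, 6669),
    "SSH":   ({"TCP", "UDP"}, 22, 22),
}

def matches(rule, pkt):
    """A rule is (action, source network, service name or 'ANY')."""
    _, net, svc = rule
    if ip_address(pkt["src"]) not in ip_network(net):
        return False
    if svc == "ANY":
        return True
    protos, lo, hi = SERVICES[svc]
    return pkt["proto"] in protos and lo <= pkt["dport"] <= hi

def decide(rules, default, pkt):
    """First matching rule wins; otherwise the default action applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return default

# Strategy 1 (the original attempt): one BLOCK rule per listed service for
# the restricted range (constructed: 192.168.1.128/25), default ALLOW.
BLOCKLIST = [("BLOCK", "192.168.1.128/25", svc) for svc in SERVICES]

# Strategy 2 (the RTFM answer): BLOCK everything by default, ALLOW only the
# services actually needed for the PCs that may reach the Internet
# (constructed: 192.168.1.0/25).
ALLOWLIST = [("ALLOW", "192.168.1.0/25", svc) for svc in ("HTTP", "HTTPS", "DNS")]

def compare(pkt):
    """Return (decision under strategy 1, decision under strategy 2)."""
    return decide(BLOCKLIST, "ALLOW", pkt), decide(ALLOWLIST, "BLOCK", pkt)
```

Run `compare({"src": "192.168.1.200", "proto": "TCP", "dport": 8080})` to see the leak: strategy 1 allows the unlisted port, strategy 2 blocks it.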