2.9 Firewall Rules

Hi, I'm trying to allow only the traffic I need to my web/email servers and block everything else. Now it seems to work the way I have it set up; however, I'm unable to send any traffic out from the boxes (such as web browsing etc.). I would like it to allow all my local IPs (in the address-list cram) to go out without any filtering. I just want to filter the incoming ports. Here are my forward rules.

add chain=forward src-address-list=cram action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=80 dst-address-list=cram action=accept comment="Web" disabled=no
add chain=forward protocol=tcp dst-port=21 dst-address-list=cram action=accept comment="FTP" disabled=no
add chain=forward protocol=tcp dst-port=53 dst-address-list=cram action=accept comment="DNS TCP" disabled=no
add chain=forward protocol=udp dst-port=53 dst-address-list=cram action=accept comment="DNS UDP" disabled=no
add chain=forward protocol=tcp dst-port=445 dst-address-list=cram action=accept comment="SSL" disabled=no
add chain=forward protocol=tcp dst-port=5900 dst-address-list=cram action=accept comment="VNC" disabled=no
add chain=forward protocol=tcp dst-port=3389 dst-address-list=cram action=accept comment="RDP" disabled=no
add chain=forward protocol=tcp dst-port=25 dst-address-list=cram action=accept comment="SMTP" disabled=no
add chain=forward protocol=tcp dst-port=110 dst-address-list=cram action=accept comment="POP3" disabled=no
add chain=forward protocol=tcp dst-port=8383 dst-address-list=cram action=accept comment="Webmail" disabled=no
add chain=forward protocol=tcp dst-port=8484 dst-address-list=cram action=accept comment="Web Calendar" disabled=no
add chain=forward in-interface=External action=log log-prefix="" comment="" disabled=yes
add chain=forward in-interface=External dst-address-list=cram action=drop comment="" disabled=yes


Is there something I'm missing here? No matter what I've tried, it will not let me out for web, SSH, traceroute/ICMP etc. However, all my services (SMTP, web, POP3 etc.) are working fine for outside users. Any ideas?

Thanks

Nik

Nik

It’s letting you out just fine. However, the router is blocking the return traffic. You need to add two rules similar to these:

;;; Accept Internet Established
chain=forward in-interface=Internet connection-state=established action=accept

;;; Accept Internet Related
chain=forward in-interface=Internet connection-state=related action=accept

Regards

Andrew
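The fix Andrew describes, applied to Nik's ruleset as one complete forward chain, is shown below as an added example; it is not configuration from the original thread. It keeps the post's WAN interface name External and address list cram, puts the established/related accept rules first so that replies to outbound connections are matched before any port filter, and enables the final drop rule, which is disabled=yes in the post. The admins address list used for the SMB/VNC/RDP rule is an assumption (a list of trusted management source addresses you would create yourself); it does not appear in the original post.

```routeros
/ip firewall filter
# Stateful rules first. Replies to connections the cram hosts opened, and
# traffic related to them (FTP data channel, ICMP errors), are accepted
# whatever the port, so outbound browsing, SSH and traceroute work.
# These rules rely on connection tracking being enabled (the default).
add chain=forward connection-state=established action=accept comment="Accept established"
add chain=forward connection-state=related action=accept comment="Accept related"
# Packets that belong to no tracked connection (stray ACKs, scans) are dropped.
add chain=forward connection-state=invalid action=drop comment="Drop invalid"

# Anything originating from the cram hosts may leave without further filtering.
add chain=forward src-address-list=cram action=accept comment="Outbound from cram"

# New inbound connections are limited to the published services.
add chain=forward protocol=tcp dst-port=80,21,25,110,8383,8484 dst-address-list=cram \
    connection-state=new action=accept comment="Web, FTP, SMTP, POP3, Webmail, Web Calendar"
add chain=forward protocol=tcp dst-port=53 dst-address-list=cram connection-state=new \
    action=accept comment="DNS TCP"
add chain=forward protocol=udp dst-port=53 dst-address-list=cram connection-state=new \
    action=accept comment="DNS UDP"
# Management protocols only from trusted sources. "admins" is an assumed
# address list (not in the original post) that you populate yourself.
add chain=forward protocol=tcp dst-port=445,5900,3389 dst-address-list=cram \
    src-address-list=admins connection-state=new action=accept comment="SMB, VNC, RDP from admins"

# Everything else arriving on the WAN interface for the cram hosts is logged,
# then dropped. Both rules must be enabled (disabled=no) for filtering to apply.
add chain=forward in-interface=External dst-address-list=cram action=log \
    log-prefix="fwd-drop:" comment="Log dropped inbound"
add chain=forward in-interface=External dst-address-list=cram action=drop \
    comment="Drop other inbound"
```

Two caveats on the original list of ports: TCP 445 is SMB (Windows file sharing), not SSL; HTTPS is TCP 443. SMB, VNC (5900) and RDP (3389) are not services to expose to the whole Internet, which is why the example gates them behind a source address list. The established/related rules are placed before the per-port accepts on purpose: most packets of a flow belong to an existing connection, so they are matched by the first rule and never evaluated against the rest of the chain.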

Thanks much, that did the trick.

Is it in dst-address-list or src-address-list?