I have several ports opened for various things. I’d like to lock some of the ports down by IP address.
I’m not seeing how to do this with the firewall/NAT interface. Can someone help me out with how that is done?
/export firewall
and explain which port and which IP you want to lock down on it.
Even without a (complete) export, set the Src. Address (or a list if you have multiple IP addresses) on your NAT rule.
Ugh. Seriously, I tried this and it did not work. Now, you tell me to do it and it works.
Thanks
Yes, setting the source address in the Dst NAT rule is the way to go.
Clearly for a list then one uses a source-address-list entry (aka make a firewall address list).
This is good because as soon as you add a source address list, when one does a scan of their ports, the port does not appear at all.
Without the source address list if you scan your ports, the dst nat port is visible but closed. I prefer invisible LOL.
Also, if someone using the server has a dynamic IP, they can get a free DynDNS domain out there and thus give you a name you can use (the router will resolve the domain name).
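The approach described in this thread (restricting a dst-nat rule to an address list, with the router resolving a DynDNS name for a dynamic-IP user), written out as an added RouterOS example; it is not any poster's own configuration, and the list name, addresses, hostname and ports are placeholders:

```routeros
# Address list holding the sources allowed to reach the forwarded port.
# A DNS name is accepted as an entry; the router resolves it and keeps it updated.
/ip firewall address-list
add list=srv-allow address=198.51.100.7 comment="office, static IP (placeholder)"
add list=srv-allow address=user.example.dyndns.invalid comment="dynamic user via DynDNS (placeholder)"

# dst-nat only for sources on the list. Any other source never matches this rule,
# so nothing is forwarded and an external scan sees no open or closed port at all.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=12345 \
    src-address-list=srv-allow to-addresses=192.168.88.10 to-ports=12345 \
    comment="forward 12345 only from srv-allow"
```

To restrict the rule to a single host instead of a list, replace `src-address-list=srv-allow` with `src-address=198.51.100.7`; the matching behaviour is the same, as the later posts in this thread work out.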
Anav, I want to clarify something about what you said. The way I read this did not make sense. What I understood you to say was that if I have a source address list, the port is not seen at all (good so far), but the implication was that if I don’t use a list, and only specify a single source address in the firewall rule, the port would be seen as closed (as opposed to invisible). In other words, it has to be a source address list, not one specific address in the firewall rule to make it invisible. That part does not make sense.
Like I said, if I read that correctly, this would make the port invisible:
/ip firewall address-list
add address=15.16.17.18 comment="Test" list="Test-allow-list"
/ip firewall filter
add action=accept chain=input comment="testing" \
dst-port=12345 in-interface=Ether1 protocol=tcp \
src-address-list="Test-allow-list"
And this one would make it visible, but closed:
/ip firewall filter
add action=accept chain=input comment="Testing" \
dst-port=12345 in-interface=Ether1 protocol=tcp \
src-address=15.16.17.18
The only difference being that in the first example, the source address 15.16.17.18 is in an address list, and in the second, it is specified in the firewall rule (in place of the address list).
Or did I read more into that than you intended?
Good point, I should clarify: I've only tested with a source-address-list.
I suspect you are right that with a source-address entry the result would be the same.
OK, I’m not losing my mind. I have used individual IPs in most situations and it appeared to be working fine.
Well, between the mass exodus of people, the covid fiasco, the vagrants pooping all over downtown, the opioid crisis, mass shootings, droughts, wildfires, cosmetic surgery, the occasional earthquake…yes, you should be crazy and should move up to Canada
Far saner here and besides, you can still buy California wines here too (but don't tell rexetended)
Too cold.