Allow only Internet browsing

By Net Designer ·
I need to set up the router (Netopia R7200) with filters that will allow users only to browse the Internet (the router is configured with NAT and the LAN's IPs are in the 10.0.0.0 range). No other traffic should be able to pass into or out of the LAN (e.g. IMs, pop-ups, etc.).
The router allows setting up Incoming and Outgoing filters; the settings look like this example:

INCOMING:
Enabled: Yes
Forward: Yes
Source IP Address: 21.21.11.11
Source IP Address Mask: 255.255.255.255
Dest. IP Address: 17.23.23.11
Dest. IP Address Mask: 255.255.255.255
Protocol Type: TCP
Source Port Compare: No Compare
Source Port ID: 0
Dest. Port Compare: Equal
Dest. Port ID: 23
Established TCP Conns. Only: No


OUTGOING:
Enabled: Yes
Forward: Yes
Source IP Address: 17.23.23.11
Source IP Address Mask: 255.255.255.255
Dest. IP Address: 21.21.11.11
Dest. IP Address Mask: 255.255.255.255
Protocol Type: TCP
Source Port Compare: Equal
Source Port ID: 23
Dest. Port Compare: No Compare
Dest. Port ID: 0
Established TCP Conns. Only: No


by CG IT In reply to Allow only Internet brows ...

Well, I checked Netopia's site and they don't show an R7200. They have the following in the R series:
2000, 2020, 3100-U, 3100-UA, 5100, 5200, 5300, 5320, 5320-XL, 910, 9100, 9120-XL

Anyway, what's your question??? After reading your question I kept wondering what your question was.

by Net Designer In reply to

Well, I would say: look closer, my friend.
http://www.netopia.com/en-us/equipment/tech/doc_center.html and look up R7200.

by Curacao_Dejavu In reply to Allow only Internet brows ...

I am not sure you can do it with that router.
What you need to do is allow only port 80 traffic.
I don't use my routers for that; I use www.microsift.com/isa, with which I can manage which users go online, using what protocol and when, etc. etc.
You might also want to try which has a lot of those features but is free.

Leopold

by Net Designer In reply to Allow only Internet brows ...

To further discuss this and clarify for "D.R. The Corporate Groups" what my question was:
The R7200 has two sets of rules: Incoming traffic and Outgoing traffic.
Setting up the rule for outgoing is relatively simple: allow only port 80 as the destination port, and the rule would look like this.

OUTGOING:
Enabled: Yes
Forward: Yes
Source IP Address: 10.0.2.0 (LAN subnet)
Source IP Address Mask: 255.255.255.0 (only care about last octet which is node address)
Dest. IP Address: 0.0.0.0 (any address)
Dest. IP Address Mask: 0.0.0.0 (don't care to match)
Protocol Type: TCP
Source Port Compare: No Compare (don't care what it is)
Source Port ID: 0
Dest. Port Compare: Equal (must equal Port ID)
Dest. Port ID: 80
Established TCP Conns. Only: No

The problem for me is to set up the Incoming rule that will only allow returns of web page requests from the LAN.
I tried allowing only those with Source Port ID set to 80, but it doesn't let any traffic in.
My understanding is that the web pages that come back to the LAN could have dynamic ports as their Source Port ID, but I'm not sure about this as I'm not a security specialist.
So, to cut a long story short, how do I block all traffic except returning web pages requested from the LAN?

Another thought was to set the TCP ACK bit to Yes (the last option in the rule).
The manual says about this: "The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with TCP, not UDP. The ACK bit is part of the TCP mechanism that guarantees the delivery of data. The ACK bit is set whenever one side of a connection has received data from the other side. Only the first TCP packet will not have the ACK bit set; once the TCP connection is in place, the remainder of the TCP packets will have the ACK bit set."
What they are saying here is that if I set the ACK bit to Yes, then only pages originating from the LAN will be allowed back in.
Suggestions, ideas? Thanks.

by briantruitt In reply to Allow only Internet brows ...

I think what you might need is a third party piece of hardware/software like Websense. I don't think port blocking and filtering are going to be the solution. Keep in mind that applications like IE, IM, and the sort are established on one port number, but then normally switch to different ports after that initial connection is made. For example, you connect to yahoo.com on yahoo.com's port 80 but you receive yahoo's data on your IP address using like port 25600. Make life simple and use a solution that's made for your problem. Although I've never used Websense, I have heard tale that it can do exactly what you want it to do and more. You could keep playing with the Netopia and maybe after a week or two get it working correctly, but that's time better spent doing something else.

by Net Designer In reply to

After looking at traffic patterns using Ethereal, I noticed that all HTTP communication goes like this:
The LAN computer initiating the request to someone's web server will always have a dynamic port ID, and the web server itself will always have its port ID set to 80. So, the filters were set like this:

OUTGOING:
Enabled: Yes
Forward: Yes
Source IP Address: 10.0.2.0 (LAN subnet)
Source IP Address Mask: 255.255.255.0 (only care about subnet 10.0.2.0)
Dest. IP Address: 0.0.0.0 (any address)
Dest. IP Address Mask: 0.0.0.0 (don't care to match)
Protocol Type: TCP
Source Port Compare: No Compare (don't care what it is)
Source Port ID: 0
Dest. Port Compare: Equal (must equal Port ID)
Dest. Port ID: 80
Established TCP Conns. Only: No

INCOMING:
Enabled: Yes
Forward: Yes
Source IP Address: 0.0.0.0 (any address)
Source IP Address Mask: 0.0.0.0 (don't care to match)
Dest. IP Address: 10.0.2.0 (LAN subnet)
Dest. IP Address Mask: 255.255.255.0 (only care about subnet 10.0.2.0)
Protocol Type: TCP
Source Port Compare: Equal (must equal Port ID)
Source Port ID: 80
Dest. Port Compare: No Compare (don't care what it is)
Dest. Port ID: 0
Established TCP Conns. Only: No

Basically, the firewall will block any transmission unless it goes out to port 80 or comes in from port 80.
I don't know at this point if it will block IMs, Kazaa, GoToMyPC, etc., but I will test those as soon as I can.
Does anyone know what ports those apps use, or where I can find a list of ports?
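The rule pair above, modelled as an added example (not from the thread or from Netopia's firmware) so the two inbound variants can be compared side by side: the "source port 80" incoming rule as posted, and the same rule with Established TCP Conns. Only set, which is the ACK-bit option discussed earlier in the thread. The rule model, the addresses (RFC 5737 documentation ranges) and the ports are constructed; the filter is assumed to see LAN addresses, i.e. to run on the post-NAT side.

```python
# Added example: constructed model of a stateless filter in the Netopia style.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool  # TCP ACK flag; clear only on the first packet of a connection

@dataclass(frozen=True)
class Rule:
    src_net: str            # "0.0.0.0/0" models address 0.0.0.0 / mask 0.0.0.0
    dst_net: str
    proto: str
    sport: Optional[int]    # None models "Source Port Compare: No Compare"
    dport: Optional[int]
    established_only: bool  # models "Established TCP Conns. Only: Yes"
    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.proto == self.proto
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established_only or p.ack))

def forwarded(rules: list, p: Packet) -> bool:
    """A packet is forwarded only if some rule matches; all else is dropped."""
    return any(r.matches(p) for r in rules)

LAN = "10.0.2.0/24"
OUTGOING = [Rule(LAN, "0.0.0.0/0", "TCP", None, 80, False)]
INCOMING_THREAD = [Rule("0.0.0.0/0", LAN, "TCP", 80, None, False)]  # as posted
INCOMING_ACK = [Rule("0.0.0.0/0", LAN, "TCP", 80, None, True)]      # ACK only

# Constructed traffic (documentation addresses): a browser request and its
# reply on ephemeral port 33000, an IM login on port 5190, and an unsolicited
# SYN from outside that uses source port 80 toward a LAN telnet service.
web_out = Packet("10.0.2.15", "203.0.113.10", "TCP", 33000, 80, False)
web_in = Packet("203.0.113.10", "10.0.2.15", "TCP", 80, 33000, True)
im_out = Packet("10.0.2.15", "203.0.113.20", "TCP", 33001, 5190, False)
unsolicited = Packet("198.51.100.9", "10.0.2.15", "TCP", 80, 23, False)

def check(incoming: list) -> dict:
    return {"web_out": forwarded(OUTGOING, web_out),
            "web_in": forwarded(incoming, web_in),
            "im_out": forwarded(OUTGOING, im_out),
            "unsolicited_in": forwarded(incoming, unsolicited)}
```

With the rules as posted, `check(INCOMING_THREAD)` reports the IM login blocked but `unsolicited_in` True, because the incoming rule keys only on source port 80 and accepts a fresh connection toward any LAN port; with `INCOMING_ACK` the reply traffic still passes and the ACK-less SYN is dropped, which is the protection the manual's ACK-bit paragraph describes.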

by CG IT In reply to Allow only Internet brows ...

Well, I found the Netopia R7200 ADSL router under discontinued hardware. Still couldn't find any documents I could read about its capabilities.

But if you're asking IT people here IF the packet filters you've created on your Netopia R7200 router will block ALL traffic on ALL 65000 ports except port 80, heck, it's anyone's guess.

I'm with the other answers. Go with a software solution or another hardware solution.

by punderwood In reply to Allow only Internet brows ...

When the browser requests a page it will use a source port greater than 1024. I do not know if you can create a filter to allow ports higher than 1024 for outbound going to port 80, and vice versa for inbound. All my experience is with Cisco. As for your second question about what apps use what port numbers, I would recommend www.ietf.org and www.sans.org.
Napster: tcp 8888, tcp 8875, tcp 6699
eDonkey: tcp 4661, tcp 4662, udp 4665
Gnutella: tcp/udp 6345, tcp/udp 6346, tcp/udp 6347, tcp/udp 6348, tcp/udp 6349
Kazaa: tcp 80 (WWW), tcp/udp 1214
