Block outgoing connections from a LAN ephemeral port to a single WAN port?
traindancer
Posts: 3 Freshman Member
My ancient USG-20W gave up the ghost a few days ago and was replaced with a new USG-40 (V4.33). Nice router, but I'm having issues with the firewall. I configured the old USG-20W to block all outgoing DNS connections except to ZyWALL. This had the effect that all DNS requests had to go through the router. But I can't get the USG-40 configured the same, in that I can't specify blocking traffic "from" an ephemeral local source port "to" a WAN destination port of 53. The dialog for defining a "service" doesn't allow entry of "any" for the port number. There must be a way to limit outgoing DNS requests to only interrogate ZyWALL, but I can't figure it out.
Accepted Solution
-
I'm a knucklehead, I had an error in my policy definitions! Everything works now, sorry for the noise.
All Replies
-
There is a predefined service group object, DNS (which includes the DNS_TCP and DNS_UDP objects).
In the firewall rule, scroll down the service list to the "Group" section and you will see it.
-
Yes, thanks. I tried the DNS service group, but it doesn't block the traffic. The rule has the "starting port" set to 53, while we need the "ending port" to be 53. I tried creating my own service group, and while it's possible to enter "53" into the ending port field, leaving the starting port field empty, it doesn't stay that way. After saving the rule, the ending port is cleared and 53 is moved to the starting port. We need the ending port to remain 53, but it won't "take". Note that this worked okay with my ancient USG-20W. The create screen wants a port range to be specified, 1-65535, but we really need "any".
-
If you want to block port 53, then just enter 53 in either the starting or the ending port field.
You can refer to the help on the USG.
Then create a firewall rule to block from LAN1 to WAN with the DNS service group object as the service and set the action to DENY.
Firewall rule checking is first-match.
So you need to check the order of this rule. Put it in front of the allow rules.
At least, everything works on my USG110 (4.33).
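The first-match ordering point in the reply above, shown as an added example that is not part of the original thread and not Zyxel's own code: a small Python evaluator that walks a policy list top to bottom and stops at the first matching rule, the way the USG does. It also shows why the "service" only needs a destination port: the client's ephemeral source port is never part of the match. The zone names LAN1, WAN and ZyWALL, the rule names, and the test packets are constructed for illustration.

```python
"""Added example: first-match evaluation of a 'block outbound DNS except to
the router' policy. Not Zyxel code; zone and rule names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    proto: str
    src_port: int   # ephemeral port chosen by the client; deliberately ignored
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str     # "any" matches every zone
    to_zone: str
    services: tuple    # ((proto, (lo, hi)), ...) destination-port ranges; () == any
    action: str        # "allow" or "deny"


# Equivalent of the predefined DNS service group: DNS_TCP + DNS_UDP, dst port 53.
# A single port is entered as range (53, 53); the source port is not a field.
DNS_GROUP = (("tcp", (53, 53)), ("udp", (53, 53)))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on zones, protocol and destination port only."""
    if rule.from_zone not in ("any", pkt.from_zone):
        return False
    if rule.to_zone not in ("any", pkt.to_zone):
        return False
    if not rule.services:          # service "any"
        return True
    return any(proto == pkt.proto and lo <= pkt.dst_port <= hi
               for proto, (lo, hi) in rule.services)


def evaluate(policy, pkt: Packet):
    """Return (rule name, action) of the first matching rule, else implicit deny."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "implicit", "deny"


# Correct order: the DNS deny sits in front of the general LAN1 -> WAN allow.
CORRECT_POLICY = (
    Rule("DNS_to_router", "LAN1", "ZyWALL", DNS_GROUP, "allow"),
    Rule("Block_DNS_out", "LAN1", "WAN", DNS_GROUP, "deny"),
    Rule("LAN1_to_WAN", "LAN1", "WAN", (), "allow"),
)

# The easy mistake: same rules, but the deny is placed after the broad allow,
# so first-match never reaches it and outbound DNS still leaks.
WRONG_POLICY = (
    Rule("DNS_to_router", "LAN1", "ZyWALL", DNS_GROUP, "allow"),
    Rule("LAN1_to_WAN", "LAN1", "WAN", (), "allow"),
    Rule("Block_DNS_out", "LAN1", "WAN", DNS_GROUP, "deny"),
)

# Constructed test packets: DNS to an outside resolver, DNS to the router, HTTPS.
DNS_TO_WAN = Packet("LAN1", "WAN", "udp", 51234, 53)
DNS_TCP_TO_WAN = Packet("LAN1", "WAN", "tcp", 40001, 53)
DNS_TO_ROUTER = Packet("LAN1", "ZyWALL", "udp", 51234, 53)
HTTPS_TO_WAN = Packet("LAN1", "WAN", "tcp", 40002, 443)


def main():
    for label, policy in (("correct", CORRECT_POLICY), ("wrong", WRONG_POLICY)):
        for pkt in (DNS_TO_WAN, DNS_TCP_TO_WAN, DNS_TO_ROUTER, HTTPS_TO_WAN):
            name, action = evaluate(policy, pkt)
            print(f"{label:7} {pkt.proto}/{pkt.dst_port} -> {pkt.to_zone:6} "
                  f"{action:5} ({name})")


if __name__ == "__main__":
    main()
```

The same check works for any "block X except to the router" policy: model the rule set, feed it the packets you care about, and confirm the deny is reached before the broad allow. The source port is left out of the match on purpose; a service object with a single port 53 already means "any source port to destination 53".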