Block outgoing connections from a lan ephemeral port to a single wan port?
Options
traindancer
Posts: 3
My ancient USG-20W gave up the ghost a few days ago and was replaced with a new USG-40 (V4.33). Nice router, but I'm having issues with the firewall. I configured the old USG-20w to block all outgoing DNS connections except to ZyWALL. This had the effect that all DNS requests had to go through the router. But I can't get the USG-40 configured the same in that I can't specify blocking traffic "from" an ephemeral local source port "to" a wan destination port of 53. The dialog for defining a "service" doesn't allow entry of "any" for the port number. There must be a way to limit outgoing DNS requests to only interrogate ZyWALL, but I can't figure it out.
0
Accepted Solution
-
I'm a knucklehead, I had an error in my policy definitions! Everything works now, sorry for the noise.0
All Replies
-
There is a predefined service group object, DNS(which include the DNS_TCP & DNS_UDP object).
In the firewall rule, scroll-down the service list to the "Group" section, you will see it.
0 -
Yes, thanks. I tried the DNS service group, but it doesn't block the traffic. The rule has the "starting port" set to 53, while we need the "ending port" to be 53. I tried creating my own service group and while it's possible to enter "53" into the ending port field, leaving the starting port field empty, it doesn't stay that way. After saving the rule, ending port is cleared and 53 is moved to starting port. We need the ending port to remain 53, but it won't "take". Note that this worked okay with my ancient USG-20W. The create screen wants a port range to be specified, 1-65535, but we really need "any".0
-
I'm a knucklehead, I had an error in my policy definitions! Everything works now, sorry for the noise.0
-
If you want to block port 53, then just enter 53 in either staring or ending port field.
You can refer the help on USG.
Then create a firewall rule to block from LAN1 to WAN with service DNS service group object and set the action to DENY.
The firewall rule checking is first matching.
So that you need to check the order of this rule. Put it in front of the allow rules.
At least, all works on my USG110(4.33).
0
Master Member
Categories
- All Categories
- 396 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 86 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 916 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 912 Nebula FAQ
- 419 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
