Block outgoing connections from a lan ephemeral port to a single wan port?

traindancer
traindancer Posts: 3  Freshman Member
edited April 2021 in Security
My ancient USG-20W gave up the ghost a few days ago and was replaced with a new USG-40 (V4.33).  Nice router, but I'm having issues with the firewall.  I configured the old USG-20w to block all outgoing DNS connections except to ZyWALL.  This had the effect that all DNS requests had to go through the router.  But I can't get the USG-40 configured the same in that I can't specify blocking traffic "from" an ephemeral local source port "to" a wan destination port of 53.  The dialog for defining a "service" doesn't allow entry of "any" for the port number.  There must be a way to limit outgoing DNS requests to only interrogate ZyWALL, but I can't figure it out.

Accepted Solution

  • traindancer
    traindancer Posts: 3  Freshman Member
    Answer ✓
    I'm a knucklehead, I had an error in my policy definitions!  Everything works now, sorry for the noise.

All Replies

  • Ian31
    Ian31 Posts: 174  Master Member
    edited February 2019
    There is a predefined service group object, DNS (which includes the DNS_TCP and DNS_UDP objects).
    In the firewall rule, scroll down the service list to the "Group" section and you will see it.

  • traindancer
    traindancer Posts: 3  Freshman Member
    Yes, thanks. I tried the DNS service group, but it doesn't block the traffic.  The rule has the "starting port" set to 53, while we need the "ending port" to be 53.  I tried creating my own service group and while it's possible to enter "53" into the ending port field, leaving the starting port field empty, it doesn't stay that way.  After saving the rule, ending port is cleared and 53 is moved to starting port.  We need the ending port to remain 53, but it won't "take".  Note that this worked okay with my ancient USG-20W.  The create screen wants a port range to be specified, 1-65535, but we really need "any".
  • Ian31
    Ian31 Posts: 174  Master Member
    If you want to block port 53, then just enter 53 in either the starting or the ending port field.
    You can refer to the help on the USG.

    Then create a firewall rule to block from LAN1 to WAN with the DNS service group object as the service, and set the action to DENY.

    Firewall rule checking is first-match, so you need to check the order of this rule. Put it in front of the allow rules.

    At least, this all works on my USG110 (4.33).
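The two points in this reply, that a single port can be entered in either port field of a service object and that rule checking is first-match so the deny rule must sit in front of the allow rules, can be seen in a small policy model. The following is an added example written for this thread, not a configuration export from any USG; the zone names (LAN1, WAN, ZyWALL), the rule names and the sample packets are constructed to resemble the USG defaults, and the matching logic is a simplified model, not the firmware's own.

```python
"""Model of first-match firewall policy evaluation for the LAN-to-WAN DNS
block discussed in this thread. Constructed example; zone, rule and service
names are assumptions modelled on ZyWALL defaults, not a real device export."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Service:
    """A service object: protocol plus a destination port range."""
    name: str
    proto: str
    port_start: int
    port_end: int

    def covers(self, proto: str, dst_port: int) -> bool:
        return proto == self.proto and self.port_start <= dst_port <= self.port_end


def make_service(name: str, proto: str, start: Optional[int] = None,
                 end: Optional[int] = None) -> Service:
    """Normalise a one-field entry (only start, or only end) into a range,
    the way a single port typed into either field becomes port-to-port."""
    if start is None and end is None:
        raise ValueError("a service needs at least one port")
    lo = start if start is not None else end
    hi = end if end is not None else start
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("invalid port range")
    return Service(name, proto, lo, hi)


# Constructed objects mirroring the predefined DNS group: one entered via the
# ending field only, one via the starting field only; both normalise to 53-53.
DNS_UDP = make_service("DNS_UDP", "udp", end=53)
DNS_TCP = make_service("DNS_TCP", "tcp", start=53)
DNS_GROUP = (DNS_TCP, DNS_UDP)


@dataclass(frozen=True)
class Packet:
    """Only the fields the policy looks at. The ephemeral source port is
    carried but never matched on: the rule keys on the destination port."""
    from_zone: str
    to_zone: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    services: Tuple[Service, ...]   # empty tuple means "any service"
    action: str                     # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.from_zone not in ("any", pkt.from_zone):
            return False
        if self.to_zone not in ("any", pkt.to_zone):
            return False
        if not self.services:
            return True
        return any(s.covers(pkt.proto, pkt.dst_port) for s in self.services)


def evaluate(rules: Tuple[Rule, ...], pkt: Packet) -> Tuple[str, str]:
    """First-match: the first rule whose conditions fit decides; a packet
    that matches nothing falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default"


def policy(deny_before_allow: bool) -> Tuple[Rule, ...]:
    """Build the same three rules in the two orders the reply contrasts."""
    to_device = Rule("LAN1_to_Device", "LAN1", "ZyWALL", (), "allow")
    block_dns = Rule("Block_LAN1_WAN_DNS", "LAN1", "WAN", DNS_GROUP, "deny")
    outgoing = Rule("LAN1_Outgoing", "LAN1", "any", (), "allow")
    if deny_before_allow:
        return (to_device, block_dns, outgoing)
    return (to_device, outgoing, block_dns)


# Constructed traffic samples: DNS to an outside resolver, DNS to the router,
# and ordinary HTTPS, all from ephemeral source ports.
DNS_TO_WAN = Packet("LAN1", "WAN", "udp", 51234, 53)
DNS_TO_ROUTER = Packet("LAN1", "ZyWALL", "udp", 40001, 53)
HTTPS_TO_WAN = Packet("LAN1", "WAN", "tcp", 51235, 443)


if __name__ == "__main__":
    for order in (True, False):
        rules = policy(order)
        print("deny rule first" if order else "deny rule after the allow rule")
        for pkt in (DNS_TO_WAN, DNS_TO_ROUTER, HTTPS_TO_WAN):
            print("  ", pkt.to_zone, pkt.proto, pkt.dst_port, "->", evaluate(rules, pkt))
```

With the deny rule placed before LAN1_Outgoing, DNS to the WAN is denied while DNS to the ZyWALL zone and HTTPS still pass; with the order reversed the broad allow rule matches first and the DNS block never fires, which is the ordering mistake the reply warns about.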
