USG LITE 60AX ignoring explicit deny firewall rule when a nat rule is active
Please tell me I'm wrong.
Just noticed that if I set up a NAT rule and leave "allow remote ip" set to "any", it just opens up that port for any source address despite the "explicit deny" rule in the packet filter firewall. Also, the "allow remote ip" field in the NAT rule can't be anything but a single host. You can't even put a subnet in it. I feel very uncomfortable knowing that my RDP has been wide open for days.
I really hope this is a bug and not legit behaviour.
All Replies
The NAT rule defines what traffic that rule applies to, but the firewall rule locks it down further.
So if you have a firewall rule limiting the remote/source address, then a port scan will be blocked.
0
I agree with you, that's how it should behave, but it does NOT.
You have this "implicit deny rule" at the end of the chain that should do it.
I had to rewrite it (the deny rule) at the end of my custom rules to make it work. You can try it yourself: set up a NAT rule for everyone without opening the same service in the firewall and see if it gets exposed or not.
0
I don't have a USG LITE so I can't test.
I'm not sure how the USG LITE does its firewall differently from the USG models.
The USG LITE models seem to not be that good, I think; when Zyxel did the cut-down of VPN models like the VPN300, it was a better way.
0