USG LITE 60AX ignoring explicit deny firewall rule when a nat rule is active

SistemistaDaRidere
SistemistaDaRidere Posts: 16  Freshman Member

Please tell me I'm wrong.

Just noticed that if I set up a NAT rule and leave "allow remote ip" set to "any", it just opens up that port for any source address despite the "explicit deny" rule in the packet filter firewall. Also, the "allow remote ip" field in the NAT rule can't be anything but a single host. You can't even put a subnet in it. I feel very uncomfortable knowing that my RDP has been wide open for days.

I really hope this is a bug and not a legit behaviour.

Accepted Solution

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,486  Zyxel Employee
    Answer ✓

    Hi @SistemistaDaRidere ,

    This is expected behavior not only on the USG LITE 60AX, but also on other Nebula mode firewalls.

    When a NAT rule is configured, the device will automatically create a firewall rule to allow the specified port and source IP. This rule takes higher priority than any explicit deny rule.

    Regarding the Allow Remote IP field, we are currently evaluating support for input as a subnet or an IP range.

    Zyxel_Judy
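
A first-match model of the rule chain, added here as an illustration and not Zyxel's own code, assuming the ordering Zyxel_Judy describes (the auto-generated allow rule is evaluated before the custom rules); the rule names, the /32 form of a single-host Allow Remote IP, and the addresses are constructed. The shadowing check is what an admin would want to run on such a chain: it flags a deny rule that can never fire because an earlier, broader allow covers it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # source CIDR; "0.0.0.0/0" is "any"
    dport: Optional[int]  # destination port; None matches any port

    def matches(self, src_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and (self.dport is None or self.dport == other.dport))

def nat_auto_rule(dport: int, allow_remote_ip: str = "any") -> Rule:
    """Assumed shape of the allow rule the firewall generates from a NAT rule."""
    src = "0.0.0.0/0" if allow_remote_ip == "any" else f"{allow_remote_ip}/32"
    return Rule(f"auto-nat-{dport}", "allow", src, dport)

def evaluate(chain: List[Rule], src_ip: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation; the implicit deny at the end catches everything else."""
    for rule in chain:
        if rule.matches(src_ip, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def shadowed_denies(chain: List[Rule]) -> List[Tuple[str, str]]:
    """Deny rules that can never fire because an earlier allow covers them."""
    found = []
    for i, rule in enumerate(chain):
        if rule.action != "deny":
            continue
        for earlier in chain[:i]:
            if earlier.action == "allow" and earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found

# Constructed example: RDP forwarded with "Allow remote IP" left at any,
# followed by the admin's explicit deny for the same port.
EXPLICIT_DENY = Rule("deny-rdp-others", "deny", "0.0.0.0/0", 3389)
OPEN_CHAIN = [nat_auto_rule(3389, "any"), EXPLICIT_DENY]
LOCKED_CHAIN = [nat_auto_rule(3389, "198.51.100.7"), EXPLICIT_DENY]
```

With the NAT rule's remote IP left at any, `evaluate(OPEN_CHAIN, "203.0.113.5", 3389)` is allowed by the auto rule and `shadowed_denies` reports the explicit deny as dead; pinning the remote IP to one host makes the same packet fall through to the deny.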

All Replies

  • PeterUK
    PeterUK Posts: 4,493  Guru Member

    The NAT rule defines what traffic that rule would apply to, but the firewall rule locks it down more.

    So if you have a firewall rule limiting remote/source, then a port scan will be blocked.

  • SistemistaDaRidere
    SistemistaDaRidere Posts: 16  Freshman Member

    I agree with you, that's how it should behave, but it does NOT.

    You have this "implicit deny rule" at the end of the chain that should do it.


    I had to rewrite it (the deny rule) at the end of my custom rules to make it work. You can try it yourself: set up a NAT rule for everyone without opening the same service in the firewall and see if it gets exposed or not.

  • PeterUK
    PeterUK Posts: 4,493  Guru Member
    edited April 29

    I don't have a USG LITE, so I can't test.

    I'm not sure how the USG LITE does its firewall differently to the USG models.

    The USG LITE models seem to not be that good; I think that when Zyxel did the cut-down of VPN models, like the VPN300, that was a better way.

  • SistemistaDaRidere
    SistemistaDaRidere Posts: 16  Freshman Member

    @Zyxel_Judy

    Thank you for your reply.

    Just to let you know, the automatically created firewall rule is not visible in the list. Also, if I rewrite a deny rule to lock out source IPs other than the expected ones, it takes priority over the NAT rule.