DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2820 Firewall : Testing to block port 80 (Web test on Win7)
- zgap111
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 28
- Thank you received: 0
27 Mar 2010 18:20 #61406
by zgap111
2820 Firewall : Testing to block port 80 (Web test on Win7) was created by zgap111
I'm having a problem with the 2820 (f/w 3.3.3) firewall.
What I want to do is quite specific, but I'm not getting the results...
My tests have now come down to:
Testing port 80 for Web Browsing.
And it's not giving me the results I'm looking for.
Here's what I've tried: (I'm adding to the #2 Data Filter set, from rule 2 onwards)
========
#1
Under Firewall General Setup: Default rule = BLOCK (I've noticed this blocks everything)
So to test I've added to filter:
LAN>WAN
Port All = "Pass Immediately" and it allows WEB Browsing.
I change the Port to 80 TCP/UDP = "Pass Immediately" then WEB browsing is disabled (!? = google homepage does not appear)
Is this wrong?
========
#2a
I've then tried setting the default rule = PASS
Then filter #2/2 = Port All = Block if no further match = web browsing does not work.
filter #2/3 = "Port All" = web browsing ok, change to "port 80 TCP/UDP" = no web browsing!
Same again, allowing only port 80 does not give me web browsing?
(Strange & luckily - the Router webpage still functioned even when everything was blocked...)
#2b
Then tried this:
Then filter #2/2 = Port All = Block immediately = web browsing does not work.
Changed Port 80 TCP/UDP = Block immediately = web browsing works (!!??!!)
========
It's as though web browsing is not on port 80 !?
NAT settings are all blank (no port re-direction setup), except for DMZ enabled for an IP.
I'm using Windows 7 Pro
Hope there's an explanation somehow...
Thanks.
What I want to do is quite specific, but I'm not getting the results...
My tests have now come down to:
Testing port 80 for Web Browsing.
And it's not giving me the results I'm looking for.
Here's what I've tried: (I'm adding to the #2 Data Filter set, from rule 2 onwards)
========
#1
Under Firewall General Setup: Default rule = BLOCK (I've noticed this blocks everything)
So to test I've added to filter:
LAN>WAN
Port All = "Pass Immediately" and it allows WEB Browsing.
I change the Port to 80 TCP/UDP = "Pass Immediately" then WEB browsing is disabled (!? = google homepage does not appear)
Is this wrong?
========
#2a
I've then tried setting the default rule = PASS
Then filter #2/2 = Port All = Block if no further match = web browsing does not work.
filter #2/3 = "Port All" = web browsing ok, change to "port 80 TCP/UDP" = no web browsing!
Same again, allowing only port 80 does not give me web browsing?
(Strange & luckily - the Router webpage still functioned even when everything was blocked...)
#2b
Then tried this:
Then filter #2/2 = Port All = Block immediately = web browsing does not work.
Changed Port 80 TCP/UDP = Block immediately = web browsing works (!!??!!)
========
It's as though web browsing is not on port 80 !?
NAT settings are all blank (no port re-direction setup), except for DMZ enabled for an IP.
I'm using Windows 7 Pro
Hope there's an explanation somehow...
Thanks.
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
27 Mar 2010 19:04 #61407
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic 2820 Firewall : Testing to block port 80 (Web test on Win7)
Please can you clarify what you mean by port. Are you talking about source port or destination port?
Also, without modifying the rules at all, are you able to browse the internet?
Also, without modifying the rules at all, are you able to browse the internet?
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
- zgap111
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 28
- Thank you received: 0
28 Mar 2010 03:25 #61410
by zgap111
Replied by zgap111 on topic 2820 Firewall : Testing to block port 80 (Web test on Win7)
Port:
Under : Firewall > filter setup
I chose #2 data filter
I select 2:
Direction = LAN > WAN
Source IP = Any
Destination IP = Any
Service Type = Any / 80 TCP/UDP <<<< This is the port, right?
Fragments = Don't Care
I start with default settings, and I can browse the web using the default settings.
Reason why I'm at this stage of testing is that I want to block all trafffic except web & email. I've set it up but I can see non-web/email traffic still going through. so I'm testing the firewall to see what is going on, so far it's not blocking web on port 80...
Hope something's wrong somewhere...
Under : Firewall > filter setup
I chose #2 data filter
I select 2:
Direction = LAN > WAN
Source IP = Any
Destination IP = Any
Service Type = Any / 80 TCP/UDP <<<< This is the port, right?
Fragments = Don't Care
I start with default settings, and I can browse the web using the default settings.
Reason why I'm at this stage of testing is that I want to block all trafffic except web & email. I've set it up but I can see non-web/email traffic still going through. so I'm testing the firewall to see what is going on, so far it's not blocking web on port 80...
Hope something's wrong somewhere...
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
28 Mar 2010 09:08 #61412
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic 2820 Firewall : Testing to block port 80 (Web test on Win7)
I don't have a 2820 and it works somewhat differently to my routers.
I have had a look at your manual and would really need to play with the router. What you are doing looks like it should be OK. In principle what you want is a series of rules:
1 - Outbound, block if no further match
2 - Outbound, allow destination port 80
3 - Outbound, allow destination port 443
On your PC what is it listing as its DNS servers (from a command prompt, "ipconfig /all")? I am wondering if you have blocked your DNS lookups.
I have had a look at your manual and would really need to play with the router. What you are doing looks like it should be OK. In principle what you want is a series of rules:
1 - Outbound, block if no further match
2 - Outbound, allow destination port 80
3 - Outbound, allow destination port 443
On your PC what is it listing as its DNS servers (from a command prompt, "ipconfig /all")? I am wondering if you have blocked your DNS lookups.
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
- zgap111
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 28
- Thank you received: 0
28 Mar 2010 16:15 #61414
by zgap111
Replied by zgap111 on topic 2820 Firewall : Testing to block port 80 (Web test on Win7)
I think your rules set is what I tried in 2a, I agree it should work, but it's not.
I've cleared all rules, left the defualt one on "xNetBios -> DNS" onRule 1.
On Rule 2 I did this:
Lan>Wan
Source = Any
Destination = Any
Service Type = TCP/UDP Port from 80 to 80
Fragments = Don't Care
Filter = Block Immediately
Okay'ed it. Should be blocking all web traffic? Nope, I'm writing this reply with this rule on now.
Reagarding "ipconfig /all" , this is the output for the cable going to the router:
=======
Windows IP Configuration
Host Name . . . . . . . . . . . . : Praise
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : XXXXXXXXXXXXXX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a520:fcbd:e8d1:ed27%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.88.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 28 March 2010 15:57:16
Lease Expires . . . . . . . . . . : 31 March 2010 15:57:16
Default Gateway . . . . . . . . . : 192.168.88.1
DHCP Server . . . . . . . . . . . : 192.168.88.1
DHCPv6 IAID . . . . . . . . . . . : 234890380
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-72-AB-97-00-24-8C-94-BD-5D
DNS Servers . . . . . . . . . . . : 62.6.40.162
194.74.65.69
NetBIOS over Tcpip. . . . . . . . : Enabled
======
One note, I do have : Under LAN : "bind IP to MAC" = "enable" = I don't know if this over rules any firewall settings? I don't think it should.
Another note: UPnP is disabled on the router (just in case it might auto re-direct some ports).
Thanks. It's a real mystery.
I've cleared all rules, left the defualt one on "xNetBios -> DNS" onRule 1.
On Rule 2 I did this:
Lan>Wan
Source = Any
Destination = Any
Service Type = TCP/UDP Port from 80 to 80
Fragments = Don't Care
Filter = Block Immediately
Okay'ed it. Should be blocking all web traffic? Nope, I'm writing this reply with this rule on now.
Reagarding "ipconfig /all" , this is the output for the cable going to the router:
=======
Windows IP Configuration
Host Name . . . . . . . . . . . . : Praise
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : XXXXXXXXXXXXXX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a520:fcbd:e8d1:ed27%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.88.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 28 March 2010 15:57:16
Lease Expires . . . . . . . . . . : 31 March 2010 15:57:16
Default Gateway . . . . . . . . . : 192.168.88.1
DHCP Server . . . . . . . . . . . : 192.168.88.1
DHCPv6 IAID . . . . . . . . . . . : 234890380
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-72-AB-97-00-24-8C-94-BD-5D
DNS Servers . . . . . . . . . . . : 62.6.40.162
194.74.65.69
NetBIOS over Tcpip. . . . . . . . : Enabled
======
One note, I do have : Under LAN : "bind IP to MAC" = "enable" = I don't know if this over rules any firewall settings? I don't think it should.
Another note: UPnP is disabled on the router (just in case it might auto re-direct some ports).
Thanks. It's a real mystery.
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
28 Mar 2010 16:57 #61415
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic 2820 Firewall : Testing to block port 80 (Web test on Win7)
For some reason your PC is not using your router for DNS look ups. Normally I would expect your DNS servers (I hate the expression as the S in DNS =server!) to read the same as your gateway. Is there any reason you have done this? Have you forced your DNS servers either in the router or in the PC?
There are 2 ways round this. Either you have to change your settings to use the router for your DNS or you have to allow outbound DNS through the router as well as web browsing. To do this, allow TCP/UDP destination port 53.
Personally I would set up the PC to use the router as its DNS as the router then acts as a local DNS cache.
There are 2 ways round this. Either you have to change your settings to use the router for your DNS or you have to allow outbound DNS through the router as well as web browsing. To do this, allow TCP/UDP destination port 53.
Personally I would set up the PC to use the router as its DNS as the router then acts as a local DNS cache.
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
Moderators: Sami
Copyright © 2024 DrayTek