DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2820 Firewall : Testing to block port 80 (Web test on Win7)

27 Mar 2010 18:20 #1 by zgap111
I'm having a problem with the 2820 (f/w 3.3.3) firewall.

What I want to do is quite specific, but I'm not getting the results...

My tests have now come down to:
Testing port 80 for Web Browsing.

And it's not giving me the results I'm looking for.

Here's what I've tried: (I'm adding to the #2 Data Filter set, from rule 2 onwards)

========
#1
Under Firewall General Setup: Default rule = BLOCK (I've noticed this blocks everything)
So to test I've added to filter:
LAN>WAN
Port All = "Pass Immediately" and it allows WEB Browsing.

I change the Port to 80 TCP/UDP = "Pass Immediately" then WEB browsing is disabled (!? = google homepage does not appear)

Is this wrong?

========

#2a
I've then tried setting the default rule = PASS
Then filter #2/2 = Port All = Block if no further match = web browsing does not work.
filter #2/3 = "Port All" = web browsing ok, change to "port 80 TCP/UDP" = no web browsing!

Same again, allowing only port 80 does not give me web browsing?
(Strange & luckily - the Router webpage still functioned even when everything was blocked...)

#2b
Then tried this:
Then filter #2/2 = Port All = Block immediately = web browsing does not work.
Changed Port 80 TCP/UDP = Block immediately = web browsing works (!!??!!)
========

It's as though web browsing is not on port 80 !?

NAT settings are all blank (no port re-direction setup), except for DMZ enabled for an IP.

I'm using Windows 7 Pro

Hope there's an explanation somehow...

Thanks.

27 Mar 2010 19:04 #2 by njh
Please can you clarify what you mean by port. Are you talking about source port or destination port?

Also, without modifying the rules at all, are you able to browse the internet?

2900Gi/v2.5.6; 2900/v2.5.6

28 Mar 2010 03:25 #3 by zgap111
Port:

Under : Firewall > filter setup
I chose #2 data filter
I select 2:
Direction = LAN > WAN
Source IP = Any
Destination IP = Any
Service Type = Any / 80 TCP/UDP <<<< This is the port, right?
Fragments = Don't Care

I start with default settings, and I can browse the web using the default settings.

Reason why I'm at this stage of testing is that I want to block all traffic except web & email. I've set it up but I can see non-web/email traffic still going through. So I'm testing the firewall to see what is going on; so far it's not blocking web on port 80...

Hope something's wrong somewhere...

28 Mar 2010 09:08 #4 by njh
I don't have a 2820 and it works somewhat differently to my routers.

I have had a look at your manual and would really need to play with the router. What you are doing looks like it should be OK. In principle what you want is a series of rules:
1 - Outbound, block if no further match
2 - Outbound, allow destination port 80
3 - Outbound, allow destination port 443

On your PC what is it listing as its DNS servers (from a command prompt, "ipconfig /all")? I am wondering if you have blocked your DNS lookups.

2900Gi/v2.5.6; 2900/v2.5.6

28 Mar 2010 16:15 #5 by zgap111
I think your rules set is what I tried in 2a, I agree it should work, but it's not.

I've cleared all rules, left the default one on "xNetBios -> DNS" on Rule 1.

On Rule 2 I did this:
Lan>Wan
Source = Any
Destination = Any
Service Type = TCP/UDP Port from 80 to 80
Fragments = Don't Care
Filter = Block Immediately

Okay'ed it. Should be blocking all web traffic? Nope, I'm writing this reply with this rule on now.

Regarding "ipconfig /all", this is the output for the cable going to the router:

=======
Windows IP Configuration

Host Name . . . . . . . . . . . . : Praise
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : XXXXXXXXXXXXXX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a520:fcbd:e8d1:ed27%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.88.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 28 March 2010 15:57:16
Lease Expires . . . . . . . . . . : 31 March 2010 15:57:16
Default Gateway . . . . . . . . . : 192.168.88.1
DHCP Server . . . . . . . . . . . : 192.168.88.1
DHCPv6 IAID . . . . . . . . . . . : 234890380
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-72-AB-97-00-24-8C-94-BD-5D
DNS Servers . . . . . . . . . . . : 62.6.40.162
194.74.65.69
NetBIOS over Tcpip. . . . . . . . : Enabled
======

One note, I do have: Under LAN : "bind IP to MAC" = "enable" = I don't know if this overrules any firewall settings? I don't think it should.

Another note: UPnP is disabled on the router (just in case it might auto re-direct some ports).

Thanks. It's a real mystery.

28 Mar 2010 16:57 #6 by njh
For some reason your PC is not using your router for DNS lookups. Normally I would expect your DNS servers (I hate the expression, as the S in DNS = server!) to read the same as your gateway. Is there any reason you have done this? Have you forced your DNS servers either in the router or in the PC?

There are 2 ways round this. Either you have to change your settings to use the router for your DNS or you have to allow outbound DNS through the router as well as web browsing. To do this, allow TCP/UDP destination port 53.

Personally I would set up the PC to use the router as its DNS as the router then acts as a local DNS cache.

2900Gi/v2.5.6; 2900/v2.5.6
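
A way to see njh's diagnosis in action, as an added example that is not from the thread or from DrayTek: a small Python model of ordered filter rules, run against the rule set from post #4 with the PC's DNS pointing at the ISP resolver from the ipconfig output (62.6.40.162) versus at the router (192.168.88.1). The rule-evaluation semantics, the 203.0.113.10 web server address, and the assumption that traffic to the router's own LAN address is never subject to the LAN>WAN data filter are my assumptions, not verified against the 2820 firmware.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.88.0/24")   # the PC's subnet from the ipconfig output

@dataclass(frozen=True)
class Packet:           # an outbound packet from the PC (constructed sample data)
    proto: str          # "TCP" or "UDP"
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:             # one line of a data filter set
    proto: str          # "TCP", "UDP" or "TCP/UDP"
    port_from: int      # destination port range; 0..65535 stands for "Any"
    port_to: int
    action: str         # "Pass Immediately", "Block Immediately",
                        # "Pass If No Further Match", "Block If No Further Match"

    def matches(self, p):
        return (self.proto in ("TCP/UDP", p.proto)
                and self.port_from <= p.dst_port <= self.port_to)

def evaluate(rules, pkt, default="BLOCK"):
    """Assumed semantics: rules are checked in order; an 'Immediately' action is
    final, an 'If No Further Match' action is remembered and applies only if no
    later rule matches; otherwise the General Setup default rule applies."""
    if ipaddress.ip_address(pkt.dst_ip) in LAN:
        return "PASS"   # assumption: not forwarded LAN>WAN, so the data filter never sees it
    pending = None
    for r in rules:
        if not r.matches(pkt):
            continue
        verdict = "PASS" if r.action.startswith("Pass") else "BLOCK"
        if r.action.endswith("Immediately"):
            return verdict
        pending = verdict
    return pending or default

def web_browsing_works(rules, dns_ip, web_ip="203.0.113.10", default="BLOCK"):
    """Loading a page needs the DNS query (UDP/53) AND the HTTP connection (TCP/80)."""
    steps = [Packet("UDP", dns_ip, 53), Packet("TCP", web_ip, 80)]
    return all(evaluate(rules, p, default) == "PASS" for p in steps)

NJH_RULES = [Rule("TCP/UDP", 0, 65535, "Block If No Further Match"),   # post #4, rule 1
             Rule("TCP", 80, 80, "Pass Immediately"),                   # rule 2
             Rule("TCP", 443, 443, "Pass Immediately")]                 # rule 3
WITH_DNS = NJH_RULES + [Rule("TCP/UDP", 53, 53, "Pass Immediately")]    # post #6 fix
```

With the ISP resolver, `web_browsing_works(NJH_RULES, "62.6.40.162")` is False because the UDP/53 query falls through to "Block If No Further Match", while `web_browsing_works(WITH_DNS, "62.6.40.162")` and `web_browsing_works(NJH_RULES, "192.168.88.1")` are both True.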
