DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

How to set up firewall for incoming packets

17 Jan 2014 17:07 #78766 by andres
Hi,

I thought this was easy but I cannot get this to work, so maybe a friendly soul here can point me to some documentation/example on how to do this?

I've got a few servers out there which all want to use rsync to back up onto my NAS which sits behind a DrayTek 2710. However, I don't want the entire interweb to be able to access my NAS, so I'm thinking that the firewall should be able to do this. I know that in NAT->Port Redirection I have to redirect the RSYNC port (873) to my local NAS. With that I can do rsync, so all is good. However, I cannot seem to configure the Filters so that everybody else gets blocked.

Rather than me describing what doesn't work, maybe there is a description/example of how to do this?

Thanks,
Andres

18 Jan 2014 17:16 #78772 by andres
OK, so I'm quite confused now. I cannot seem to get it to block.

I have set up the port forwarding for port 873 to go to my NAS.

And then configured the filters as follows:

- Created an IP group "permitted" which contains the IP addresses of all the servers that are permitted to access the server.
- In Firewall->Filter Setup->Default Data Filter, changed "Next Filter Set" to "Set#3".
- Added the following to Filter Set 3:

  Rule 1:
    Direction: WAN->LAN
    Service Type: TCP/UDP, Port from any to 873 (rsync)
    Filter Action: Block if no further match

  Rule 2:
    Direction: WAN->LAN
    Service Type: TCP/UDP, Port from any to 2200 (ssh)
    Filter Action: Block if no further match

  Rule 3:
    Direction: WAN->LAN
    Source IP: "permitted" IP Group
    Filter: Pass Immediately

So what I see is that both rsync and ssh work, but if I remove one of the servers from the "permitted" group it still works, so I presume it doesn't actually block?

18 Jan 2014 18:26 #78774 by andres
OK, different configuration... still doesn't work...

Reset all filters and rules to default.

Created an IP group containing all permitted servers.

Filter Set 2, Rule 2:
  Direction: WAN->LAN
  Destination: 192.168.5.8 (NAS server)
  Service Type: TCP/UDP, port 873
  Filter: Block if no further match

Filter Set 2, Rule 3:
  Direction: WAN->LAN
  Source IP: "permitted" IP group
  Destination: 192.168.5.8
  Service Type: any
  Filter: Pass Immediately

I can rsync, but again, when I take out one of the servers I can still rsync from that server. So it still doesn't block?
