Network services filters

Started by onebigfish, February 02, 2022, 02:08:30 PM


onebigfish

I have never used network service filters before, but I think that is what I need in the following scenario. I need to replicate a network configuration that a customer has so that we can troubleshoot a situation with one of our controls. This is the information I got from their network administrator:

"All inbound and outbound traffic is blocked unless we explicitly allow it, though I think we always have ports 80 and 443 open. Only the traffic you requested be whitelisted has been allowed (except for port 22 SSH)."

I have assigned one of our controls a static IP address. What I am trying to do is block all incoming and outgoing traffic through our gateway router (Asus RT-AX58U) except for ports 80, 443, and a few others that our controls use for that IP address. I am assuming that the filter table type "deny" will block items I list in the table, while "allow" will block everything except what I put in the table.

Let's say the control's IP address is 192.168.1.123 and the router's is 192.168.1.19. I have never used these before so I am wondering if someone can tell me which numbers go where in the table? Or is there a better way to do this?

/OBF

icecream-guy


from the Manual:

The Network Services Filter blocks LAN to WAN packet exchanges
and restricts network clients from accessing specific web services
such as Telnet or FTP.

Select the Filter table type. Black List blocks the specified
network services. White List limits access to only the specified
network services.

Specify the day and time when the filters will be active.

To specify a Network Service to filter, enter the Source IP,
Destination IP, Port Range, and Protocol. Click the + button.

Click Apply.

I am guessing that DENY is blacklist and
ALLOW is white list.
--

this seems to only apply outbound

DMZ appears to open _all_ ports to inside host.

This is probably not the best device to mock up scenarios.

:professorcat:

My Moral Fibers have been cut.

deanwebb

Allow list, TCP 80 and 443. That way, EVERYTHING else is blocked. Securitay! :D
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

onebigfish

Thanks for the replies.

So for outgoing, the source IP would be the control's and the destination would be the router's, and incoming would be the opposite, correct?

If this is not the best type of device for mocking up scenarios, what is a better option?


Thanks!
/OBF

deanwebb

The *best* device for handling filters like this is a commercial-grade firewall. Palo Alto, Fortinet are my two recommended vendors. But this does illustrate the limitations of consumer-grade / small-business-grade gear. They'll only do so many things. If you require more finesse or robustness, then a higher-price commercial-grade device is on order. But, if this is in an operational technology environment, it may be all you have to work with, so we better make it work, eh? :)

Back to the question: Outbound, the source is the control. Destination is "any" - either the word or a wildcard IP address entry like 0.0.0.0 or *.*.*.*, whatever the vendor permits. Inbound, it's any -> control. If we use only the router IP address, then traffic not originating from the router will play through.

onebigfish

Quote from: deanwebb on February 03, 2022, 11:19:27 AM
The *best* device for handling filters like this is a commercial-grade firewall. Palo Alto, Fortinet are my two recommended vendors. But this does illustrate the limitations of consumer-grade / small-business-grade gear. They'll only do so many things. If you require more finesse or robustness, then a higher-price commercial-grade device is on order. But, if this is in an operational technology environment, it may be all you have to work with, so we better make it work, eh? :)
Palo Alto is what our customer uses. Of course, they are a multi-million dollar company and we are a small business. Hence the reason I have to make do with what we have, and with my skill level.  ;D

Quote from: deanwebb
Back to the question: Outbound, the source is the control. Destination is "any" - either the word or a wildcard IP address entry like 0.0.0.0 or *.*.*.*, whatever the vendor permits. Inbound, it's any -> control. If we use only the router IP address, then traffic not originating from the router will play through.

So something like the attached should block all ports for 192.168.1.123 except for 80 and 443, correct? I know it's clunky using a blacklist for this and I'd love to use a whitelist but that would mess up the other uses of the router.


/OBF
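As an added example (not from this thread, and not Asus firmware code), a small Python model of the filter table: it derives the blacklist port ranges that are the complement of an 80/443 allow list (the "clunky" approach above) and shows why the destination must be "any" rather than the router IP, as deanwebb points out. The Rule shape, IPs and the 203.0.113.5 test address are assumptions for the demo.

```python
# Added example: models "deny" (black list) vs "allow" (white list) evaluation
# for the control host 192.168.1.123 and derives the blacklist equivalent of
# "allow only TCP 80 and 443". Not the router's real implementation.
from dataclasses import dataclass

CONTROL = "192.168.1.123"   # the control's static IP (from the thread)
ROUTER = "192.168.1.19"     # the router's LAN IP (from the thread)
ALLOWED = {80, 443}         # ports the customer always leaves open


@dataclass(frozen=True)
class Rule:
    src: str            # IP address or "any"
    dst: str            # IP address or "any"
    ports: tuple        # (low, high), inclusive
    proto: str = "TCP"

    def matches(self, src, dst, port, proto="TCP"):
        return ((self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and self.ports[0] <= port <= self.ports[1]
                and self.proto == proto)


def blacklist_ranges(allowed, lo=1, hi=65535):
    """Complement of the allowed ports, as the (low, high) ranges a
    'deny' table needs to block everything else."""
    ranges, start = [], lo
    for p in sorted(allowed):
        if p > start:
            ranges.append((start, p - 1))
        start = p + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def permitted(table_type, rules, src, dst, port, proto="TCP"):
    """deny: a matching rule drops the packet; allow: only a match passes."""
    hit = any(r.matches(src, dst, port, proto) for r in rules)
    return not hit if table_type == "deny" else hit


if __name__ == "__main__":
    deny = [Rule(CONTROL, "any", r) for r in blacklist_ranges(ALLOWED)]
    for port in (22, 80, 443):
        print(port, permitted("deny", deny, CONTROL, "203.0.113.5", port))
```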

deanwebb

Lol, yeah, that'll do the job. It'll be a pain to maintain if they want to open up another port.

Is this on an OT network, branch office, or what? Curious about where it's located and if it's a one-off that they bought to do one job or if you'll see this everywhere.