BiPAC 7402GXL - Inability to restrict outbound traffic

GNMurray
Posts: 1
Joined: Sat Apr 28, 2012 7:58 pm

BiPAC 7402GXL - Inability to restrict outbound traffic

Post by GNMurray »

Hi folks - I'm a Billion Forum Virgin so please excuse any "newbie" errors.. ;)

I'm trying to configure a 7402GXL with custom rules to prevent LAN clients from accessing all but the necessary outbound protocols.

They are on a 192.168.16.0/24 subnet with the router at 192.168.16.1/24 connected to the web with a single static public IP via ADSL (BT ADSL2+).

With default Firewall security enabled and the "Medium" firewall setting the clients can access all the usual outbound services (HTTP, HTTPS, FTP, DNS, SMTP, POP3, NTP etc).

My problem is that I wish to restrict outbound DNS, POP3, SMTP, IMAP and some other protocols to only the Windows 2008 Small Business Server at 192.168.16.2/24.

When I try to modify the default filters for DNS, POP3, SMTP, IMAP etc to specify 192.168.16.2/32 as the only source IP allowed to send outbound - the Firewall blocks the traffic.

If I relax the source IP back to any (0.0.0.0/0.0.0.0) then it works fine.
Similarly, if I wish to restrict outbound access to only the internal LAN clients (192.168.16.0/24) then the Firewall again blocks the traffic.

I'll use DNS as an example below:
Here is my default DNS rule (modified name and set protocols to TCP/UDP instead of having 2 separate DNS filters):
OutboundDNS.JPG
This rule for DNS works fine until I try to limit the hosts (allowed to send outbound DNS) to my server's IP (192.168.16.2/32) - I'm assuming I must use a 32 bit mask to limit the IPs to a single host (see below)
OutboundDNSsingleHost.JPG
Using the above rule (DNS Outbound from a single host) the outbound DNS query to my default public DNS server (212.139.132.4) fails (see Error log below) (<MyStaticIP> replaces my public IP address)

----------- system log buffer head --------------
Apr 28 21:10:24 gateway.local:firewall:info: 19179.817 Blocked Prot=6, Apr 28 21:10:37 gateway.local:firewall:info: 19193.227 Blocked Prot=17, <MyStaticIP>:50001 > 212.139.132.4:53 -Default Defense

Apr 28 21:10:39 gateway.local:firewall:info: 19195.227 Blocked Prot=17, <MyStaticIP>:50001 > 212.139.132.4:53 -Default Defense
----------- system log buffer tail --------------

Notice that the Error Log lists <MyStaticIP> as the source IP for the failed DNS query - and not the internal IP of the host sending the outbound DNS traffic.

I wish to limit outbound SMTP, POP3, POP3 SSL, IMAP, IMAP SSL, SMTP TLS, SMTP SSL and other protocols so that only the server at 192.168.16.2/24 can send outbound.

How can this be achieved ?? I get the same failure results for other protocols I've tried.

I also wish to filter inbound SMTP (TCP:25) and RDP (TCP/UDP:3389) connections to a specific number of Public IPs/IP Ranges - can I filter inbound connections in a similar manner ??

I normally use Draytek, Cisco and Netgear devices and don't usually have this problem.
In fairness, these other devices are normally object based configs and you have to define a separate filter for LAN>WAN, WAN>LAN, LAN>LAN etc. - the Inbound/Outbound settings on the 7402GXL's filters are a bit vague to me...

I hope I've not waffled on too much and given you guys enough info to go on... - What is the way forward???

Graeme
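The log entries above name the router's public address, not 192.168.16.2, as the blocked source. The script below is an added example, not code from the post or from Billion; it parses those two "Blocked" lines and models the one ordering of source NAT and outbound filtering that reproduces the symptom: a rule keyed on a LAN source address matches when evaluated before NAT and can never match once the source has been rewritten to the public IP, while a "source any" rule matches either way. The public address 203.0.113.10 is an RFC 5737 placeholder standing in for <MyStaticIP>, and the NAT-before-filter ordering is an assumption drawn from the log, not a documented fact about the 7402GXL.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the "Blocked" lines quoted in the post, as pasted (the first
# line carries a truncated Prot=6 fragment before the UDP entry), with the poster's
# <MyStaticIP> placeholder replaced by the RFC 5737 address 203.0.113.10 (assumption).
SAMPLE_LOG = """\
Apr 28 21:10:24 gateway.local:firewall:info: 19179.817 Blocked Prot=6, Apr 28 21:10:37 gateway.local:firewall:info: 19193.227 Blocked Prot=17, 203.0.113.10:50001 > 212.139.132.4:53 -Default Defense
Apr 28 21:10:39 gateway.local:firewall:info: 19195.227 Blocked Prot=17, 203.0.113.10:50001 > 212.139.132.4:53 -Default Defense
"""

LAN = ipaddress.ip_network("192.168.16.0/24")
SERVER = ipaddress.ip_address("192.168.16.2")
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")  # stands in for <MyStaticIP>

# IANA protocol numbers as they appear in the "Prot=" field.
PROTO_NAMES = {6: "tcp", 17: "udp"}

LOG_RE = re.compile(
    r"Blocked Prot=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_blocked(log_text):
    """Extract proto/src/sport/dst/dport from each log line that has a full 5-tuple."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # fragments without addresses (e.g. a bare 'Prot=6,') are skipped
        entries.append({
            "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return entries


def blocked_sources_outside_lan(entries, lan=LAN):
    """True when no blocked entry carries a LAN source: the filter logged packets
    whose source had already been rewritten, so a LAN-based source match cannot hit."""
    return bool(entries) and all(e["src"] not in lan for e in entries)


@dataclass(frozen=True)
class Rule:
    proto: str
    src: ipaddress.IPv4Network   # source network the rule matches
    dport: int
    action: str                  # "allow" or "drop"


def evaluate(rules, pkt):
    """First-match-wins evaluation with an implicit final drop."""
    for r in rules:
        if r.proto == pkt["proto"] and pkt["src"] in r.src and r.dport == pkt["dport"]:
            return r.action
    return "drop"


def outbound_decision(pkt, rules, filter_before_nat, public_ip=PUBLIC_IP):
    """Model both orderings of source NAT and the outbound filter. With
    filter_before_nat=False the rule sees the NAT-rewritten source, which is what
    the 'Blocked <MyStaticIP>:... > ...:53' entries suggest happened."""
    seen = dict(pkt)
    if not filter_before_nat:
        seen["src"] = public_ip
    return evaluate(rules, seen)


# Policy the poster wants: only the server may send DNS out of the LAN.
SERVER_ONLY_DNS = [
    Rule("udp", ipaddress.ip_network("192.168.16.2/32"), 53, "allow"),
    Rule("tcp", ipaddress.ip_network("192.168.16.2/32"), 53, "allow"),
]
# The relaxed rule the poster fell back to (source any).
ANY_DNS = [
    Rule("udp", ipaddress.ip_network("0.0.0.0/0"), 53, "allow"),
    Rule("tcp", ipaddress.ip_network("0.0.0.0/0"), 53, "allow"),
]

# Constructed packet: the server's UDP query to the resolver named in the post.
SERVER_QUERY = {"proto": "udp", "src": SERVER, "dport": 53}


def demo():
    """Summarise the evidence and the two rule outcomes in one dict."""
    entries = parse_blocked(SAMPLE_LOG)
    return {
        "log_sources_post_nat": blocked_sources_outside_lan(entries),
        "server_rule_pre_nat": outbound_decision(SERVER_QUERY, SERVER_ONLY_DNS, True),
        "server_rule_post_nat": outbound_decision(SERVER_QUERY, SERVER_ONLY_DNS, False),
        "any_rule_post_nat": outbound_decision(SERVER_QUERY, ANY_DNS, False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check to take from this is the one on the log itself: if every blocked outbound entry shows the WAN address as source, a filter keyed on internal source addresses is being evaluated on the wrong side of NAT, and the policy has to be expressed in whatever terms the device's filter actually sees at that point.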
billion_fan
Posts: 5377
Joined: Tue Jul 19, 2011 4:30 pm

Re: BiPAC 7402GXL - Inability to restrict outbound traffic

Post by billion_fan »

Hi GNmurray

Have you tried to swap the source IP with the destination IP?

edited