I’ve a firewall rule that permits a client to go to the internet. I’ve simply dropped all traffic from client to zone RED (that is the internet) and vice versa.
Now I want to allow one specific port from the client to be accessible from the internet. I can set up Port Forward to allow that specific port from the RED zone to the client and vice versa, but isn’t my firewall rule gonna overwrite the port forward?
If it does, then what do you recommend, how should I allow only one port to communicate to the internet and drop every other communication from/to the internet?
Isn’t the traffic from internet to red already blocked by default?
I’m not sure that it needs a specific rule to drop connections from internet to red.
RED is the internet zone itself, isn’t it? If I (for example) drop traffic from RED to a specific client, then that host can’t reach out to the internet and back. However, this does not affect the rest of the clients in the network.
Think about direction. Dropping traffic from RED to a client (which BTW, as pointed out by @saitobenkei, is the default) does not affect any traffic going from a client to the internet via the RED interface. That would have to be a different rule.
They are different things. In the first you are asking for an inbound connection. In the second, an outbound.
You need to be more specific about your requirements. Are you asking that one client can only reach out to the internet on a specific port and it must get its replies back? Or are you expecting “someone” on the internet to connect to the client via a specific port?
OK. Now I understand your point. Sorry for being a slow learner. However, I still don’t know: what if I allow one port to be open on the firewall for in & out communication to the client while also having a firewall rule like DROP: Client -> Red?
If you want to open a port “from client to internet” you have to configure it in “Firewall Rules” and not in “Port Forwarding”.
Then you have to move (drag and drop) the rule “permit the client connection” above the rule that blocks the “green to internet” connection.
When all is done, you have to click the red “Apply Changes” button.
Interesting, maybe I didn’t understand the answer, but order matters? Say I have a rule blocking everything to everyone; if I put a rule allowing a specific port above that, would it supersede it? Thanks.
The rules added in the GUI are applied as they are written, including the order.
BTW, the order of the rules (from top to bottom) is applied not only to the firewall.
This applies wherever there are filters, generally speaking (firewall, web filters, …).
Usually, both rules to block and rules to allow are applied.
Always, first (top) are the rules to block and second (bottom) are the rules to allow.
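To make the ordering point from the thread concrete, here is an added illustration (not code from the thread or from NethServer): a minimal first-match evaluator for a top-to-bottom rule list, plus a check that flags rules which can never match because an earlier, broader rule shadows them. The zone names, client address and ports are constructed sample values, and "first match wins, default policy DROP" is the assumption the example is built on.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    src: str               # source zone/host, or "any"
    dst: str               # destination zone/host, or "any"
    dport: Optional[int]   # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules: list[Rule], pkt: Packet, default: str = "DROP") -> str:
    """First matching rule wins; otherwise the default policy applies (assumed)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` would already match `broad`."""
    return (broad.src in ("any", narrow.src)
            and broad.dst in ("any", narrow.dst)
            and (broad.dport is None or broad.dport == narrow.dport))

def shadowed(rules: list[Rule]) -> list[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]

CLIENT = "192.0.2.10"   # constructed sample host in the green zone

# Order recommended in the thread: the specific allow sits ABOVE the blanket drop.
CORRECT_ORDER = [Rule("ACCEPT", CLIENT, "RED", 443), Rule("DROP", CLIENT, "RED", None)]
# Reversed: the blanket drop matches first, so the allow rule is dead.
WRONG_ORDER = list(reversed(CORRECT_ORDER))

def outcome(rules: list[Rule]) -> dict[str, str]:
    """Outbound verdicts for the allowed port and for some other port."""
    return {"port_443": evaluate(rules, Packet(CLIENT, "RED", 443)),
            "port_25": evaluate(rules, Packet(CLIENT, "RED", 25))}
```

Running `outcome(WRONG_ORDER)` shows both ports dropped, and `shadowed(WRONG_ORDER)` points at the allow rule as unreachable, which is the symptom to look for when a permit rule seems to be ignored.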