
More constrained port rules

Feb 15 09 1:20 am

Guys,

I'm set up to use transparent redirect but I have a peculiar extended networking requirement. Port security on "lan connections to internet" is set to deny all except exceptions, the idea being that if we do get a trojan its outgoing ports are limited to 80 & 443 so it can't drill holes out to whatever malicious server it wants.

My son has decided he wants to be online with his PS3. This seems to take a scatter gun approach on its use of outgoing ports and is drilling holes all over the place. In DHCP I reserve IP address based on MAC address so basically, the network is hardwired and each machine has a known IP address. What I'd like to do for "lan connections to internet" is to make a rule which only applies to his PS3 IP address. I don't think this is currently possible unless you can come up with a method.

I know I can set up TCP mapping for each port to redirect explicitly to his machine but if his brother wants to do the same, that will break this solution.

So, will it be possible to constrain a firewall port rule to an IP address (or assumed user) in wingate 200X or can you suggest an alternate solution today?

Many thanks
Neil

Re: More constrained port rules

Feb 15 09 6:57 am

Hi Neil, Just "thinking" out loud here. What if you set "LAN connections to Internet" to default setting of "Allow" but under ENS policies restrict only to PS3 IP/MAC (and/or #2 son's PS3 IP/MAC)?

Re: More constrained port rules

Feb 15 09 8:31 am

Hi Chris,

An interesting thought, I'm struggling with this though. A bit more information that you don't have (sorry, my fault) is that each also has a PC from which I want the ports tied down again to 80 & 443.

The problem is that you can't tie a set of port rules to a source IP address because there is only one global set of rules. Yes you can say they can or cannot have access to the resource but it's still all or nothing.

I know there are other firewall solutions which I can do this with but I'm a big wingate fan and would ideally like to only have the one product.

Maybe it will be in the next gen product.

Thanks for the suggestion though
Neil

Re: More constrained port rules

Feb 15 09 3:21 pm

Hi Neil

Actually for NAT connections, the connection is reported to the engine, and if it doesn't pass policy checks, the connection is terminated.

So there are 2 layers. 1 being the port security table, and the next layer being the policies.

Policies have access to the protocol, IPs and ports info, so you can therefore set up policies which are IP-specific. So you could set up 2 ENS policies such as:

1. Allow everyone access to port 80 and 443
2. Allow access to all ports for specific client IP.

The IP protocol number values are 1=ICMP, 6=TCP, 17=UDP if you want to get protocol-specific on your rules.

Adrien

Re: More constrained port rules

Feb 16 09 5:35 am

Hi Adrien, Chris,

I bow to your superior knowledge and I'll give it a go.

Many thanks for the suggestions.
Neil

Re: More constrained port rules

Feb 16 09 8:14 am

Hi Adrien (or anyone),

Some thoughts on this as 1) I have not used policies and 2) I'm having a "thicky" moment.

Initially, the concept is to set "Lan locations to the internet" allow all for TCP and UDP (except the redirected ports). This is possible and also with cloaking. I like the comfort of seeing the red cross and Blue arrow as it shows me that things are working or not; if set to allow all, does it still show this in the firewall pane?

Next, turn off default rights i.e. ignored.

Secondly, I'm struggling to see the difference between the location tab and under advanced, having a criteria which says "is met if client IP =". Are the two not the same? If different then I understand that I need to add to each filter a criterion to check "IP address = a.b.c.d"

Lastly if I create a number of policies. Policy 3 for the PS3 is to open up a range of ports under differing protocols for a given client IP.

Policy 1) General tab set to Everyone but just has the location set to my IP address with nothing under the advanced. This allows me (as the network god) complete access on any port.

Policy 2) General tab set to Everyone (no location on location tab) but under advanced,
    is met if Filter1
        Criterion1: client port = 443 ---- This gives the PC's and PS3 access to all for SSL

Policy 3) General tab set to Everyone
    set Location = a.b.c.d <- No 1 son PS3 address
    advanced Tab
    is met if
        Filter1 -> allow access to UDP ports aaaa-bbbb
            Criterion1: ip protocol number = 17 UDP
            Criterion2: Client port > aaaa
            Criterion3: Client Port < bbbb
        Filter2 -> allow access to UDP ports aaaa-bbbb
            Criterion1: ip protocol number = 17
            Criterion2: Client port > cccc
            Criterion3: Client Port < dddd
        Filter3 -> allow access to TCP ports aaaa-bbbb
            Criterion1: ip protocol number = 6 TCP
            Criterion2: Client port > aaaa
            Criterion3: Client Port < bbbb
        Filter4 -> allow access to TCP ports cccc-dddd
            Criterion1: ip protocol number = 6
            Criterion2: Client port > cccc
            Criterion3: Client Port < dddd

Am I understanding this all correctly or have I missed something?

Sorry for appearing thick.

Neil

Re: More constrained port rules

Feb 16 09 11:05 am

Hi Neil

1. Having the access show in the firewall panel. It is possible to have anything show in there, you would just create a port range, set the action to allow, and then check the box that says notify connections. However, in this case I don't think it would be useful, since it would show everything as being allowed.

However when you get a policy violation, it pops up in the system messages tab... not quite so easy to see, but still visible.

2. Location tab vs using ClientIP in the advanced tab. These actually refer to the same thing, it's just the location tab is easier to use. You just put the IPs in there that you want the rights to be granted to. If you use instead the advanced tab, for each filter you'd need to specify the IPs.

Those policies you've outlined look fine. You seem to have grasped well the concept of how the grants of rights are combined :)

Cheers

Adrien

Re: More constrained port rules

Feb 16 09 11:42 am

Hi Adrien,

Many thanks. I'm glad the location panel is the same as it means I can define one set of policies for both PS3 and simply add both IPs in the location panel.

I think I have a good handle on it now.

Many thanks to you (and Chris).

Cheers
Neil

Re: More constrained port rules

Feb 16 09 12:53 pm

Neil - Your "thicky moment" is hereditary - you get it from your kids. You'll have many more.

Re: More constrained port rules

Feb 18 09 2:22 am

I think you're right, it must come from the kids Dohhhh!

I have tried to set this up exactly as I described but did not get what I expected.

I set it so that default rights are ignored (I think this enforces the policy rules).
I set the LAN connections to the internet for TCP and UDP to allow all with cloaking.

I set up only two policies one of which was "everyone" with location entries for all machines but the filter criterion was set to "is met if Client port is 433". Also tried if serv port is 433. I'm assuming that client is the source port and server the destination port which controls where Wingate parses the frame.

Second policy, again everyone, location was set to the PS3 address. Filter 1, criterion 1 was protocol number = 6, criterion 2 was port > XXXX and criterion 3 was port < yyyy. There were 3 similar filters with 3 criteria as per above but with different port ranges.

What I expected was that anyone would get access to port 433. The PS3 would have access only to ports 10000-10100 and 50000-50100.

To test this, I opened a web browser and intentionally set out to the address of my ISP WEB site with a port of 82 expecting this to fail and, as per Adrien's posting, a message in the system panel. I get a message in the firewall panel saying it's rejected. I get nothing in the system panel and worse still with Wireshark, when I look at the outgoing ADSL interface, I see the http request go sent to port 82. So it tells me it's blocked but still appears to pass it.

In short, it seems to grant access irrespective of the policy. The obvious conclusion is that I have the default rights set wrong but I did not.

Any clues anyone?

Cheers
Neil

Re: More constrained port rules

Feb 18 09 9:45 am

One question - which version of WinGate is this?

ENS policies were broken in 6.5.1 I think, fixed in 6.5.2

Re: More constrained port rules

Feb 18 09 9:47 am

P.S. Generally don't set rules based on ClientPort. This will usually never match, as most client software, when it allocates its local port number, gets allocated a random (ephemeral) one by the OS.

So if you mandate client port, you'd end up blocking pretty much everything. Just apply policy to destination / server port.

Cheers

Adrien

Re: More constrained port rules

Feb 18 09 11:34 am

Hi Adrien,

It was late last night when I was playing and I kind of figured it had to be the server port and not the client port during the day today at work.

I'm using 6.2.2. I tried 6.5.1 and it had the dialer issue. I've seen reports that this is still suspect in 6.5.2. Do you have a version you can PM me a link to, to try?

Cheers
Neil

Re: More constrained port rules

Feb 18 09 12:05 pm

Hi

Yes, looks like dialer still won't initiate a dial on 2k3 with 6.5.2 - turned out in the end to be related to build dev environment on the build machine - different to developers' machines, so we'd fix and test, all good, then do a build but that wouldn't work. Fixed that one now. Working on a driver fix related to timing out connection entries, so we hope to get a 6.5.3 out within the week.

I'll see if there is a recent build you can look at, but what you're trying to do should work fine in 6.2.2 as well.

Adrien

Re: More constrained port rules

Feb 18 09 10:12 pm

Hi Adrien,

OK, I'll have another crack at it. Just as a matter of curiosity, the wingate help says that the policies being met support logical AND and logical OR functions. This is not directly evident as selection criteria so I assume that for any given policy, the OR condition is at the Filter level so Filter1 OR Filter2 OR Filter3 and the AND level is the Criteria so under Filter1, we have Criteria1 AND Criteria2 AND Criteria3. Is that assumption correct? If so, then I can't see anything wrong with my filters.

Adrien, I do appreciate the time you have spent with me on this.

Best regards
Neil

Re: More constrained port rules

Feb 19 09 9:34 am

Yes, that's correct.

Adrien
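The following is an added model of the policy semantics the thread converges on (filters OR'd, criteria AND'd, the location tab as a client-IP set, and Adrien's warning that ClientPort criteria never match ephemeral ports); it is not WinGate's code, and the field names, the console address and the port ranges from Neil's Feb 18 post are constructed for the example.

```python
from random import randint  # simulates the OS picking an ephemeral source port

TCP, UDP = 6, 17             # IP protocol numbers quoted in the thread
PS3_IP = "192.168.1.50"      # constructed address for the console


def criterion_holds(conn, field, op, value):
    """One criterion: compare a connection attribute with =, > or <."""
    actual = conn[field]
    if op == "=":
        return actual == value
    if op == ">":
        return actual > value
    if op == "<":
        return actual < value
    raise ValueError(f"unknown operator {op!r}")


def policy_grants(conn, policy):
    """Location tab first (empty set = everyone); then filters are OR'd
    and the criteria inside each filter are AND'd, as confirmed in the thread."""
    location = policy["location"]
    if location and conn["client_ip"] not in location:
        return False
    return any(all(criterion_holds(conn, *c) for c in flt) for flt in policy["filters"])


def connection_allowed(conn, policies):
    """Rights granted by separate policies combine: one granting policy is enough."""
    return any(policy_grants(conn, p) for p in policies)


def new_conn(client_ip, protocol, server_port, client_port=None):
    """Constructed connection record; like a real client, the source port is
    ephemeral unless the caller pins it (client software almost never does)."""
    if client_port is None:
        client_port = randint(49152, 65535)
    return {"client_ip": client_ip, "protocol": protocol,
            "client_port": client_port, "server_port": server_port}


# Neil's intended setup, written against the SERVER (destination) port.
GOOD_POLICIES = [
    {"location": set(), "filters": [[("server_port", "=", 443)]]},
    {"location": {PS3_IP}, "filters": [
        [("protocol", "=", UDP), ("server_port", ">", 9999), ("server_port", "<", 10101)],
        [("protocol", "=", TCP), ("server_port", ">", 49999), ("server_port", "<", 50101)],
    ]},
]

# The first attempt from the thread: the same rule keyed on the CLIENT port.
CLIENT_PORT_POLICY = [{"location": set(), "filters": [[("client_port", "=", 443)]]}]
```

Because `new_conn` draws the client port from the ephemeral range, the `CLIENT_PORT_POLICY` denies even a legitimate HTTPS connection, which is the behaviour Adrien describes.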