
NOT type of firewall rule

Submitted by - a week ago
Status: New Idea

Suggestion:


Current USG offers drop/accept/reject configurations. How about allowing a rule category which is of NOT type? Example:


- Reject all packets NOT destined for Open DNS servers using DNS port 53.

- Reject all packets NOT destined for XXX SMTP server using SMTP port XXX.


Comments
by
Sunday

I think this isn't fully thought through.


Those two examples would mean that e.g. any HTTP traffic would be rejected (as it qualifies as "not destined for Open DNS servers using DNS port 53").

What you probably meant was that port 53 is rejected unless it is destined for a certain opendns server?

Then what would "reject all packets not destined to outlook.com servers port 443" mean? Only allow https connections to outlook.com and no other servers? Or allow outlook.com connections to only use port 443? How would the router know which of the two you meant?


Just do as we did before, split it into two rules:

rule N: Allow port 53 to server x

rule N+1: Reject port 53
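The two-rule split above, as an added example that is not part of this thread or of any UniFi/USG code: a small first-match rule evaluator that shows why rule order matters and why only port 53 traffic is affected. The resolver address 203.0.113.53 and the 198.51.100.10 web server are constructed placeholder values.

```python
# Added example: first-match evaluation of the two-rule DNS split
# (allow DNS to an approved resolver, then reject all other DNS).
# Not USG code; addresses below are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional

APPROVED_RESOLVER = "203.0.113.53"   # placeholder for "server x"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "accept" or "reject"
    dst_port: Optional[int]   # None matches any destination port
    dst_ip: Optional[str]     # None matches any destination address


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


RULES: List[Rule] = [
    Rule("N:   allow port 53 to server x", "accept", 53, APPROVED_RESOLVER),
    Rule("N+1: reject port 53", "reject", 53, None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    ip_ok = rule.dst_ip is None or rule.dst_ip == pkt.dst_ip
    return port_ok and ip_ok


def evaluate(pkt: Packet, rules: List[Rule] = RULES, default: str = "accept") -> str:
    """First matching rule wins; unmatched traffic falls through to the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def demo() -> dict:
    return {
        "dns_to_approved": evaluate(Packet(APPROVED_RESOLVER, 53)),       # accept
        "dns_to_other": evaluate(Packet("8.8.8.8", 53)),                   # reject
        "http_unaffected": evaluate(Packet("198.51.100.10", 80)),          # accept
        # Swapping the rules makes the reject match first: the allow never fires.
        "reversed_order": evaluate(Packet(APPROVED_RESOLVER, 53), list(reversed(RULES))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```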


by
Sunday

@Alestrix: Thank you! Question: should the 2 rules be in LAN_IN or LAN_LOCAL?

by
Monday

I use the zone based firewall configuration, so I'm a bit rusty regarding the answer to your question. You might have to add it to both:

- to LAN_LOCAL to prevent the router's DNS server from being used by the client

- to LAN_IN for all other DNS query destinations

by
Monday

This doesn't work.

If I set my smart phone to use something like 8.8.8.8, it happily connects.


I have in NETWORK = WAN, setup Open DNS

I have in NETWORK = GUEST, setup: Open DNS, guarding

I have in GUEST IN = Allow connection to Open DNS against DNS port

I have in GUEST LOCAL = Drop connections from ANY to ANY using DNS port.


Nothing is working. I tried moving both the allow and reject into GUEST IN: Nope. GUEST_LOCAL: Nope.