Why are my rules not blocking?


I'm a bit worried about my Firewall rules not working properly. I have a Zyxel router and after examining the logs, I have noticed that my rules are forwarding on access requests eventhough, to me, the rule should block it. The default action for packets not matching the rules is set to block.

1)Below is one record of access being granted on Rule 5:

Firewall rule match: TCP (W to L, rule:5)

192.x.x.30:1433 ACCESS FORWARD

Rule 5 is set up as the following: Source IP = Any Dest IP = 192.x.x.2/ (This is our Win 2003 server's internal IP address) Service = TCP 4125 Action = Forward

Should my rule designate our server's external IP address in the Dest IP address?

How can access be granted on Rule 5 which is concerned wuth port 4125 and the access request designates port 1433?

Until I get a better understanding of what is going on, I have disabled access through Rule 5 (my apologies to the China Network Communications Group Corporation for stopping your access requests to our server).

2)Below is one record of access being granted on Rule 3:

Firewall rule match: TCP (W to L, rule:3)

192.x.x.30:80 ACCESS FORWARD

Rule 3 is set up as the following: Source IP = x.x.x.205/ (our Win2003 servers external IP add) Dest IP = 192.x.x.2/ (our Win 2003 servers internal IP add) Service = TCP 444 Action = Forward

In this case the source & destination IP address of the rule does not match that of the logged source & destination IP address. The

192.x.x.30 machine is an older Win2k server on our network.

Any help most appreciated.

Reply to
Loading thread data ...

It was long since I played with my Netgear RT314, though it had similar rulesets as Zyxel's. What I recall is that you had to make sequences of simple comparisions, first matching one criteria like 'source IP', if matched go to *next rule* for 'destination IP', and if all were ok, you do a forward. (any one rule fail, you drop the packet)

Otherwise, if you make a combination the rules would be 'or':ed together, like 'either soure OR destination match will pass the rule' Non-intuitive IMO.

Just an additional thought; maybe the 'rule mask' shouldn't be your actual netmask. Try with a 'rule mask' of if you only want to match a specific IP? I suspect the could mean *any* IP of the internal IP:s will match. (But maybe I'm mistaken here?)

Reply to
Rolf Blom


Advice was spot on. Many, many thanks.


Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.