Blocking all outbound services except HTTP- Surely Easy?

Hey guys,

Currently have a DG834GT. I have one host connected to this router for which I need to block all outbound ports except port 80 (HTTP).

Have tried setting up a rule in outbound services which blocks all ports, then a separate rule that allows port 80.

Trouble is, in the logs I keep getting (HTTP rule not match) because obviously the router uses PAT and NAT to the web, so the router sees the HTTP request from the host as being sent from a really high port number (50645-60000) and therefore it doesn't match the HTTP rule I set to allow HTTP through the firewall.

Basically what I'm asking is: is there a way to block a host on my LAN from requesting any port except port 80 using a Netgear DG834GT router?

(I may have seriously overconfused this and I am probably just overlooking something seriously easy)

Thanks very much for your help!
 
Destination port match, source port will be randomised. And remember to allow port 53 as well, you're not going to be doing much browsing without that...
 
Ahh, thank you LordSplodge. In the DG834GT there is an order of logic it's supposed to follow (going from rule 1 first then to the end). So I've set up block all ports first, then allow port 80 and port 53; still wasn't working.

I'll implement your suggestion now by blocking all ports between 1-52 in one rule, then 54-79 in another rule, then 81-65535 in another rule, leaving only ports 80 and 53 open, and hope it works!

Thanks again

Edit: Still not working. There doesn't seem to be an option on the DG834G to specify that I want to block the destination port, not the source port.
 
I've never touched one but destination port is going to be needed, the client randomises the source for http (and most services actually) so you'll need to be able to specify destination port to reliably block anything. Then again, I've never been impressed with the firewall functions on home routers so it's entirely possible it can't do it I suppose...
 
Set up your allows first: rule 1 should allow port 53, rule 2 should allow port 80 (and probably 443 for secure sites if you want).
Then deny everything else. Otherwise you'll hit the deny first and that'll probably stop it going anywhere.
 
Do you not also have to allow inbound connections for the response packet?

e.g. You allow the outgoing connection on a source port >1024 to port 80. Then you also need to allow the response SYN|ACK packet coming inbound from port 80? Might be wrong though; maybe the firewall automatically handles TCP connection establishment?

OT: Bigredshark, just dropped you a mail about an ISP question I'm hoping you can advise me on :)
 
No, reply connections for tcp are usually held in the state table of the firewall engine so that it knows to expect a response, udp -dns is an exception to this in that you expect a response, so that's held in state too. It would be impractical to add entries for both outbound and response connections :)
 
> No, reply connections for tcp are usually held in the state table of the firewall engine so that it knows to expect a response, udp -dns is an exception to this in that you expect a response, so that's held in state too. It would be impractical to add entries for both outbound and response connections :)

Thanks, makes sense. I was looking at some example rule sets the other day where they defined both ways, I suppose it must have been a stateless firewall :)
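The three points made across this thread (match on the destination port because the client's source port is random, list the allow rules before the catch-all deny, and let a state table admit the reply packets) can be checked with a small first-match rule evaluator. This is an added example, not code from the forum posters or from Netgear's DG834GT firmware; the rule fields, the address 192.168.0.10 for the LAN host, the TEST-NET-3 addresses for the web and DNS servers, and the sample packets are all constructed for illustration.

```python
"""
Toy stateful first-match firewall, added here to illustrate the thread.

Models LAN->WAN rule evaluation the way the posters describe it: rules are
checked in order, the first match decides, and an allowed flow is recorded in
a state table so the WAN->LAN reply is admitted without a second rule.
All addresses, ports and packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # None means any destination port
    src_port: Optional[int] = None   # None means any source port
    proto: Optional[str] = None      # None means any protocol

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.src_port is None or self.src_port == p.src_port))


class StatefulFirewall:
    """Ordered rule list for LAN->WAN traffic plus a state table for replies."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        # (proto, lan_ip, lan_port, wan_ip, wan_port) of every allowed flow
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, p: Packet) -> str:
        """First matching rule wins; nothing matching is denied by default."""
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.state.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return r.action
        return "deny"

    def inbound(self, p: Packet) -> str:
        """Reply direction: reverse the tuple and look it up in the state table.
        No rule is consulted, which is why a separate inbound allow is unnecessary."""
        key = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return "allow" if key in self.state else "deny"


LAN = "192.168.0.10"      # constructed LAN host
WEB = "203.0.113.5"       # constructed web server (TEST-NET-3)
DNS = "203.0.113.53"      # constructed resolver (TEST-NET-3)


def http_request(src_port: int) -> Packet:
    """Browser opening a connection to port 80 from an ephemeral source port."""
    return Packet("tcp", LAN, src_port, WEB, 80)


def source_port_rule() -> str:
    """The original poster's mistake: allowing by *source* port 80. The client's
    ephemeral source port (here 50645) never equals 80, so the catch-all deny wins."""
    fw = StatefulFirewall([Rule("allow", src_port=80), Rule("deny")])
    return fw.outbound(http_request(50645))


def deny_first_rule() -> str:
    """Deny-all listed before the allow: first match wins, so HTTP never gets out."""
    fw = StatefulFirewall([Rule("deny"), Rule("allow", dst_port=80)])
    return fw.outbound(http_request(50645))


def working_ruleset() -> StatefulFirewall:
    """Allows first (DNS, HTTP, HTTPS by destination port), then deny everything."""
    return StatefulFirewall([
        Rule("allow", proto="udp", dst_port=53),
        Rule("allow", proto="tcp", dst_port=80),
        Rule("allow", proto="tcp", dst_port=443),
        Rule("deny"),
    ])


def working_decisions() -> Dict[str, str]:
    """Decisions for a set of constructed packets against the working rule set."""
    fw = working_ruleset()
    return {
        "http": fw.outbound(http_request(50645)),
        "dns": fw.outbound(Packet("udp", LAN, 51234, DNS, 53)),
        "ssh": fw.outbound(Packet("tcp", LAN, 50646, WEB, 22)),
        # reply to the allowed HTTP request: admitted from the state table
        "http_reply": fw.inbound(Packet("tcp", WEB, 80, LAN, 50645)),
        # unsolicited inbound from port 80 with no matching state entry
        "unsolicited": fw.inbound(Packet("tcp", WEB, 80, LAN, 40000)),
    }


if __name__ == "__main__":
    print("source-port rule:", source_port_rule())      # deny
    print("deny listed first:", deny_first_rule())      # deny
    for name, decision in working_decisions().items():
        print(f"{name:>11}: {decision}")
```

The evaluator is deliberately simple (no rule for port ranges, no timeouts on state entries), but it reproduces the behaviour the thread converges on: the same HTTP packet is denied under the source-port rule and under the deny-first ordering, and is allowed, along with its reply, once the rules match on the destination port and the allows precede the deny.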
 