Inbound / Outbound Firewall Rule Confusion

Hi Guys,

I've got myself a server that I've configured with a static IP address of 192.168.0.11 as you can see from the picture below.

The thing is, I'm not 100% confident in the inbound and outbound firewall rules that I've set within my router. I want to basically allow uTorrent and HTTP traffic but have this limited to the server with the address specified above. Do I require both inbound and outbound? Secondly, is the configuration that I've set up in the table below correct?

[Image: eohZkTU.jpg]

I've also got myself a new VPN server that I want to implement. I'll soon want to add this to the firewall rules to three different machines on the network. I know I'll need to specify the three machines but once again, I'm not confident in whether I'll require both inbound and outbound or just one of the two.

Any help would be much appreciated. Networking is still something I'm getting myself used to.

Thanks guys!
 
You shouldn't need to have any outbound rules, unless you're using some sort of Cisco device with access lists.

I'm a bit confused by the inbound rules; that looks to me (I could be wrong) like you are allowing all ports to 192.168.0.11 in the WAN users section.

What router is it? If I port forward in on my Netgear router, it's what ports I want forwarding to an IP, nice and simple. That looks very confusing.
 
Thanks for the heads up man. I'll begin removing the outbound rules.

Unfortunately, I'm using this piece of crap (Sagemcom F@ST2504n) that Sky provided me. It's awfully limited with what you can do. It's that bad, you can't even rename the devices connected to your network to give you an idea of what's exactly connected.

I want to use the WebUI uTorrent service on my server and this is the reason I've wanted to add firewall rules for my specific machine. I hope I'm doing it right? Do I specify the one machine that I'm interested in? That being the server. And one more thing before I forget. When it comes to adding a specific port for my new VPN service, I intend on using it on three machines that have a static IP in between 192.168.0-5 to 15. For that, do I just add the range like I've done for the HTTP (80) outbound rule?
 
Thanks for the link, I'll be sure to read through it and hopefully get myself sorted.

Believe me, you're not missing anything. I've been considering buying myself a Netgear ADSL/Router combo so I can get myself DD-WRT and have a lot more features and possibilities. The interface is shockingly bad on the Sagemcom.

About the VPN, I recently paid for its service that I'd like to run on the girlfriend's desktop, my own PC and my server. The VPN will allow me to use its service on three machines so I've got that covered. Now rather than enabling a random port each time, I'd much rather specify a particular port. Does it make any odds if I have it enabled to a random port each time?

As you can see from the screenshot above, I've added the port 33200 but it seems to me that I can only allocate one specific LAN IP. In the instance above, I'm specifying my server. Would I need to add two more ports and assign them to both the girlfriend's and my own PC IPs?

I hope this all makes sense and I appreciate the helping hand you're giving me! Thanks again mate! :)
 
I'm still real confused with the VPN situation, any links to what you've bought so I can have a look?

My knowledge and understanding of a VPN is that you have it on one machine/device and once connected can connect to other machines etc. on the inside network.
 
Now IDEALLY, I'd like to have created a VPN connection using Windows, without having to rely on the software provided by the VPN for my own peace of mind and to help keep my server as lightweight as possible, but from what I can see, Mullvad does not specify the URL for their servers. Does this mean I've no other choice but to use the software provided?

Thanks again quackers, you really have been great!
 
Hmm, from what I'm reading in the link below, you shouldn't need any ports forwarding on your router as you're connecting to their service.

https://mullvad.net/en/openvpn_conf.php

"Mullvad simply bypasses everything between your computer and the real, unrestricted internet using an encrypted VPN tunnel. Anyone trying to monitor your internet connection will only see a strongly encrypted stream of data to one of the Mullvad servers. Anyone trying to trace the source of a communication will not see the true origin but only a Mullvad server."
 
I suppose the question is, what are you trying to do with this VPN service? Anonymous browsing type stuff or a remote connection/management of your pc/servers at home?
 
Thanks for the heads up. As it stands, I'm intending on using the service to protect my privacy. All this news about the NSA in recent weeks has got me placing my tinfoil hat back firmly on my head.

I'm guessing it's not too big a concern having it set up as a random port for each client that it runs on then? I can't imagine it is. I usually just like having everything logged within the router so I can keep an eye on what ports I have both open and closed.
 
You could always try the Tor network as well

As far as I can tell with this, you don't need any firewall rules inbound or outbound for it, you'll only need one for the torrent stuff.
 
Thanks for the help last night quackers.

I ended up deleting all outbound firewall rules that you can see from the screenshot above. With regards to the VPN, if there isn't any issue keeping the ports set to random, I'll just stick with that.

Tor is a fantastic service but I don't need complete anonymity like some people do.
 
Thanks for the heads up! Would I be required to add a separate port for each machine since I can only specify one LAN IP at a time? Or should I just go ahead and keep it set to a random port for each?
 
Hi, no problems with the help. As Kia has said, you don't need any rules/random ports in or out. Install the software, connect and your web traffic should all be sent down the VPN.

no rules, no random ports :)
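
Added example, not written by anyone in the thread: a toy Python model of a home NAT router with a stateful firewall, showing why outbound VPN connections from several machines need no rules, while an unsolicited inbound connection is only delivered through a port forward, and why one WAN port can point at only one LAN IP. The WAN and VPN server addresses, the .5 and .6 hosts and the source ports are constructed; 192.168.0.11 and port 33200 are the values from the thread.

```python
from dataclasses import dataclass, field

VPN = ("198.51.100.7", 1194)      # constructed VPN server address/port
STRANGER = ("192.0.2.99", 50000)  # constructed unrelated internet host

@dataclass
class Router:
    forwards: dict = field(default_factory=dict)   # (proto, wan_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)  # (proto, wan_port, remote_ip, remote_port) -> LAN host
    next_port: int = 40000                         # next WAN source port handed out by NAT

    def add_forward(self, proto, wan_port, lan_ip, lan_port=None):
        """Inbound rule: one WAN port maps to exactly one LAN address."""
        key = (proto, wan_port)
        if key in self.forwards:
            raise ValueError(f"{proto}/{wan_port} already forwarded to {self.forwards[key][0]}")
        self.forwards[key] = (lan_ip, lan_port or wan_port)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host dials out: allowed by default, and the router remembers it."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(proto, wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """A packet hits the WAN side: returns the LAN target, or None if dropped."""
        state = self.conntrack.get((proto, wan_port, remote_ip, remote_port))
        if state:
            return state                              # reply to a connection a LAN host started
        return self.forwards.get((proto, wan_port))   # unsolicited: needs a port forward

def demo():
    r = Router()
    r.add_forward("tcp", 33200, "192.168.0.11")       # the single forward from the thread
    out = {}
    # Three VPN clients connect out from arbitrary source ports; no rule is added.
    for host in ("192.168.0.5", "192.168.0.6", "192.168.0.11"):
        wan_port = r.outbound("udp", host, 51000, *VPN)
        out[host] = r.inbound("udp", *VPN, wan_port)  # VPN server's reply comes back
    # Someone else sending to a port NAT opened for the VPN has no matching state.
    out["spoof"] = r.inbound("udp", STRANGER[0], 1194, 40000)
    out["forwarded"] = r.inbound("tcp", *STRANGER, 33200)
    out["closed"] = r.inbound("tcp", *STRANGER, 8080)
    return out

if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:>14} -> {target}")
```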
 