Need Help setting up firewall rules

Hi, right I'm completely stuck with creating firewall rules.

Basically, I have a Draytek Vigor 2600 and I have created a firewall rule that blocks all outbound traffic TCP/UDP from a certain IP ... this works fine, as when that rule is active, the PC designated is no longer able to access the internet, ping anything.

Now what I am stuck on is allowing port 80 so as to allow internet access only. I have setup a rule that states Pass immediately any outbound traffic on port 80 from the certain IP, I have also redirected the port forwarding as per the NAT setup.

I've posted on the manufacturer's forum, but no replies so far. I just can't seem to be able to get it to work.

Any help is much appreciated.

Cheers
 
make the first rule block if no further match, then allow port 80 from that ip address (pass immediately). I'd imagine you'd need UDP 53 for dns lookups as well, so create another two rules if you want to tighten it as much as possible to allow outgoing to both DNS servers :)

be sure to make a note of the next filter set on the bottom right of the firewall rules as if it takes more than a few pages to set your rules up you need to specify the next page it should look to

I remember when I did it I had to make 2 block all rules, one for TCP and another for UDP, then I did the allow rules on the following page
 
Cheers for the quick reply ... I'm still having trouble.

Ok ... on the main firewall screen, there are 12 filter sets ... the first one is the call filter the second is called data filter.

Shall I put the block all rule set into the data filter (block number 2) or into its own set, i.e. block number 3?

firewall.jpg


For the block all rules, does the following look ok? Do I need to change the subnet for the source/destination to that which the network is running? i.e. 255.255.255.0?

firewall2.jpg


And for allowing port 80

firewall3.jpg


Is that ok, bearing in mind I took the screenshot before I entered 80 in the start and end ports on the source?

Cheers
 
on protocol specify TCP for port 80, make sure UDP 53 is allowed also

yep, I used to put the block rules on page 2, next filter set to page 3 and do the allow rules from there

for allowing separate ports just put the port in the start port, that should be ok. On the source I used to allow out all ports > 1024 to prevent any service ports going out (though they shouldn't be for port 80, as you are connecting to a service port)

edited to add you must add port 80 to destination port not source, same applies for UDP 53 (DNS Lookup)
 
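The rule ordering described in the two replies above (block-if-no-further-match rules for TCP and UDP on filter set 2, "next filter set" pointing at set 3, pass-immediately allows for TCP 80 and UDP 53 on set 3, with the port in the destination field), walked through as an added Python example. This is not code from the thread or from Draytek's firmware: the LAN host and DNS server addresses are constructed placeholders, and the "if no further match" semantics are modelled as a remembered verdict that applies only when nothing later in the chain matches, which is an assumption about the Vigor's behaviour rather than a documented one. The `port_on_source` switch reproduces the mistake of putting 80/53 in the source port field, showing why the web traffic then stays blocked.

```python
"""Draytek-style filter-set walk-through (added example; not Draytek firmware).

Assumptions (constructed values): LAN host 192.168.1.50, ISP DNS servers
194.168.4.100 and 194.168.8.100. 'X if no further match' is modelled as a
tentative verdict used only if no later rule in this or a chained set matches;
traffic matching no rule at all is assumed to pass.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str      # pass_immediately | block_immediately | pass_if_no_further_match | block_if_no_further_match
    proto: str       # "TCP", "UDP" or "any"
    src: str         # source network (CIDR)
    dst: str         # destination network (CIDR)
    src_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = any port
    dst_ports: Optional[Tuple[int, int]] = None


@dataclass(frozen=True)
class FilterSet:
    rules: tuple
    next_set: Optional[int] = None   # the 'next filter set' field on the firewall page


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule has to match the packet, as on the rule edit page."""
    return (
        rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src_ip) in ip_network(rule.src)
        and ip_address(pkt.dst_ip) in ip_network(rule.dst)
        and _in_range(pkt.src_port, rule.src_ports)
        and _in_range(pkt.dst_port, rule.dst_ports)
    )


def evaluate(filter_sets: dict, start: int, pkt: Packet) -> Tuple[str, str]:
    """Walk the filter sets from `start`, following next_set, and return (verdict, rule comment)."""
    pending = None          # verdict left by an '...if no further match' rule
    current = start
    while current is not None:
        fs = filter_sets[current]
        for rule in fs.rules:
            if not matches(rule, pkt):
                continue
            if rule.action == "pass_immediately":
                return "pass", rule.comment
            if rule.action == "block_immediately":
                return "block", rule.comment
            # 'pass_if_no_further_match' / 'block_if_no_further_match': remember and keep looking
            pending = (rule.action.split("_")[0], rule.comment)
        current = fs.next_set
    return pending or ("pass", "no rule matched (assumed default: pass)")


HOST = "192.168.1.50/32"                              # constructed LAN host
DNS = ("194.168.4.100/32", "194.168.8.100/32")        # constructed DNS servers


def build_filter_sets(port_on_source: bool = False) -> dict:
    """Set 2 = the two block-all rules chained to set 3 = the allow rules, as in the thread.

    port_on_source=True puts 80/53 in the *source* port field (the mistake the last reply warns about).
    """
    pfield = "src_ports" if port_on_source else "dst_ports"
    allow = [Rule("allow web", "pass_immediately", "TCP", HOST, "0.0.0.0/0", **{pfield: (80, 80)})]
    allow += [Rule(f"allow dns to {d}", "pass_immediately", "UDP", HOST, d, **{pfield: (53, 53)}) for d in DNS]
    return {
        2: FilterSet((
            Rule("block all TCP", "block_if_no_further_match", "TCP", HOST, "0.0.0.0/0"),
            Rule("block all UDP", "block_if_no_further_match", "UDP", HOST, "0.0.0.0/0"),
        ), next_set=3),
        3: FilterSet(tuple(allow)),
    }


def verdict(pkt: Packet, port_on_source: bool = False) -> str:
    return evaluate(build_filter_sets(port_on_source), 2, pkt)[0]


if __name__ == "__main__":
    samples = {
        "web from restricted host": Packet("TCP", "192.168.1.50", "203.0.113.10", 49152, 80),
        "dns to ISP server":        Packet("UDP", "192.168.1.50", "194.168.4.100", 49153, 53),
        "dns to other server":      Packet("UDP", "192.168.1.50", "198.51.100.1", 49154, 53),
        "ssh from restricted host": Packet("TCP", "192.168.1.50", "203.0.113.10", 49155, 22),
        "ssh from another host":    Packet("TCP", "192.168.1.20", "203.0.113.10", 49156, 22),
    }
    for name, pkt in samples.items():
        print(f"{name:26s} correct rules: {verdict(pkt):5s}  port in source field: {verdict(pkt, True)}")
```

Running it shows the restricted host getting only web and DNS to the two listed servers while other hosts are untouched, and that with the port in the source field the allow rule never matches an ephemeral source port, so the block-if-no-further-match verdict from set 2 is what the packet ends up with.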