
SonicOS

How to Block Ports

Introduction
This technote shows how to block specific ports with the SonicWALL. Much of the traffic on the Internet operates on well-known or static ports. Well-known ports are ports whose numbers are pre-assigned by the Internet Assigned Numbers Authority (IANA) (http://www.iana.org/assignments/port-numbers). Some examples are SSH (TCP port 22), TFTP (UDP port 69), and HTTP (TCP port 80). Ports are blocked to stop certain types of traffic (e.g. SSH, HTTP, or TFTP) from passing through the firewall. This is useful to network administrators who want to disallow specific types of traffic on their network, such as Secure Shell (SSH) on TCP port 22. The ability to block ports is also important for containing the spread of viruses if your network is infected. Users can block ports between any two interfaces; LAN to WAN, LAN to DMZ, and LAN to VPN are the most common interface pairs to block ports between. Some traffic on the Internet operates on dynamic ports (e.g. instant messaging applications). For that case, SonicWALL offers the Intrusion Prevention Service (IPS) in SonicOS 2.2 and above, which can detect or block many types of traffic that use dynamic ports.

Recommended Versions
SonicOS Enhanced 2.0.1.5 or newer.

Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available for the first 90 days to customers who have registered the SonicWALL device on MySonicWALL.

Caveats
SonicWALL blocks all ports/traffic from WAN to LAN and from DMZ to LAN by default. Note that this applies to traffic initiated from the WAN or DMZ; traffic initiated from the LAN is validated and allowed by the stateful inspection engine. SonicWALL allows all ports/traffic from LAN to WAN, LAN to VPN, and LAN to DMZ by default.

Sample Diagram

Definitions
User Datagram Protocol (UDP) - a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. UDP is used primarily for multimedia and streaming applications, and for broadcasting messages over a network.

Transport Control Protocol (TCP) - enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

Deny vs. Discard - when creating a rule, SonicWALL gives you the option to allow, deny, or discard the packet. Denying a packet blocks it from going through the firewall, but also sends a packet back to the sending device notifying the sender that the packet was not allowed through the SonicWALL. Discarding a packet black-holes it: the packet is silently dropped by the firewall, and no notification message is sent.

Before You Begin


Assuming the service you are blocking is not one of the predefined SonicWALL services, you will need to know the following:
1. Protocol type (UDP or TCP) of the traffic you want to block (e.g. HTTP traffic is TCP).
2. Port number of the traffic you want to block (e.g. HTTP traffic is port 80).
3. The interfaces you want to block the traffic between (e.g. LAN to WAN).

Setup Steps
Example #1: Configure Port Blocking from LAN to VPN tunnel with a predefined service (FTP)

1. Select Firewall > Access Rules.
2. Select the LAN to VPN edit icon (see below).
3. Click Add.
4. Select Deny as the Action.
5. Select FTP as the Service.
6. Select the Source (e.g. LAN Subnets, or any LAN address object of your choice).
7. Select the Destination (e.g. tz170lan, the destination network on the other side of the VPN tunnel).
8. Click OK.
9. Verify that the rule just created has a higher priority than the default rule for the LAN to VPN tunnel.

Example #2: Configure Port Blocking from LAN to WAN with an undefined service

This example shows how to block the W32.Blaster Worm (http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html) from spreading. Ports UDP 69 (TFTP), TCP 135 (DCOM RPC) and TCP 4444 will be blocked.

Create the custom services:
1. Select Firewall > Services.
2. Scroll to the bottom and click Add in the Services section.
3. Enter Name (e.g. DCOM RPC).
4. Enter Port Range (e.g. 135 - 135).
5. Enter Protocol (e.g. TCP(6)).
6. Click OK.
7. Click Add in the Services section again (see page 5).
8. Enter Name (e.g. Blaster).
9. Enter Port Range (e.g. 4444 - 4444).
10. Enter Protocol (e.g. TCP(6)).
11. Click OK.

Create the service group:
12. Click Add Group on the Access Rules screen.
13. Enter Name (e.g. Blaster Virus).
14. Select Blaster from the list on the left and click the right arrow.
15. Select DCOM RPC from the list on the left and click the right arrow.
16. Select TFTP from the list on the left and click the right arrow.
17. Click OK.

Create the access rule:
18. Select Firewall > Access Rules.
19. Select the LAN to WAN edit icon (see below).
20. Click Add.
21. Select Action (e.g. Deny).
22. Select Service (e.g. Blaster Virus).
23. Select Source (e.g. LAN Subnets).
24. Select Destination (e.g. Any).
25. Click OK.
26. Verify that the rule just created has a higher priority than the default rule for LAN to WAN.
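Both examples end with the same check: the Deny rule must sit above the zone's default Allow rule, because access rules are matched top-down and the first match wins. The following Python model is an added example, not SonicWALL code, written to make that ordering point and the Deny/Discard distinction concrete. The service definitions, the address objects (LAN Subnets as 192.168.168.0/24, tz170lan as 10.10.10.0/24) and the port used for the predefined FTP service (TCP 21) are constructed assumptions.

```python
# Added example, not SonicWALL code: a minimal model of SonicOS-style access
# rules showing why a Deny rule has to sit above the zone's default Allow.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass
class Service:
    name: str
    protocol: str                # "tcp" or "udp"
    port_range: Tuple[int, int]  # inclusive, e.g. (135, 135)

    def matches(self, protocol: str, port: int) -> bool:
        lo, hi = self.port_range
        return protocol == self.protocol and lo <= port <= hi


@dataclass
class ServiceGroup:
    name: str
    members: List[Service]

    def matches(self, protocol: str, port: int) -> bool:
        return any(m.matches(protocol, port) for m in self.members)


@dataclass
class Rule:
    action: str                                       # "allow", "deny" or "discard"
    service: Optional[Union[Service, ServiceGroup]]   # None means "Any"
    source: Optional[str]                             # CIDR, or None for "Any"
    destination: Optional[str]                        # CIDR, or None for "Any"


def _in(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ip_address(addr) in ip_network(cidr)


def evaluate(rules: List[Rule], src: str, dst: str, protocol: str, port: int):
    """First-match evaluation; the top of the list has the highest priority.

    Returns (action, index_of_matching_rule, sender_is_notified).
    Deny answers the sender with a reject; discard black-holes the packet.
    """
    for i, r in enumerate(rules):
        if not (_in(src, r.source) and _in(dst, r.destination)):
            continue
        if r.service is not None and not r.service.matches(protocol, port):
            continue
        return r.action, i, r.action == "deny"
    return "discard", None, False      # no rule matched: nothing gets through


# Constructed service objects mirroring the ones the technote creates or selects.
TFTP = Service("TFTP", "udp", (69, 69))
DCOM_RPC = Service("DCOM RPC", "tcp", (135, 135))
BLASTER = Service("Blaster", "tcp", (4444, 4444))
FTP = Service("FTP", "tcp", (21, 21))        # assumed port of the predefined FTP service
BLASTER_VIRUS = ServiceGroup("Blaster Virus", [BLASTER, DCOM_RPC, TFTP])

LAN_SUBNETS = "192.168.168.0/24"   # assumed LAN Subnets address object
TZ170_LAN = "10.10.10.0/24"        # assumed network behind the VPN tunnel (tz170lan)
DEFAULT_ALLOW = Rule("allow", None, None, None)   # LAN->WAN / LAN->VPN default rule


def lan_to_wan_rules(deny_above_default: bool = True) -> List[Rule]:
    """Example #2: Deny the Blaster Virus group from LAN Subnets to Any."""
    deny = Rule("deny", BLASTER_VIRUS, LAN_SUBNETS, None)
    return [deny, DEFAULT_ALLOW] if deny_above_default else [DEFAULT_ALLOW, deny]


def lan_to_vpn_rules() -> List[Rule]:
    """Example #1: Deny FTP from LAN Subnets to the remote VPN network."""
    return [Rule("deny", FTP, LAN_SUBNETS, TZ170_LAN), DEFAULT_ALLOW]


if __name__ == "__main__":
    rules = lan_to_wan_rules()
    for proto, port in [("tcp", 4444), ("tcp", 135), ("udp", 69), ("tcp", 80), ("udp", 4444)]:
        print(proto, port, evaluate(rules, "192.168.168.10", "203.0.113.5", proto, port))
    # The same Deny placed below the default Allow never fires:
    print("misordered:", evaluate(lan_to_wan_rules(False),
                                  "192.168.168.10", "203.0.113.5", "tcp", 4444))
```

Note that the group only matches the protocol/port pairs it was built from: UDP 4444 still passes the default Allow, which is the behaviour to expect if a custom service was created with the wrong protocol.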

Testing/Troubleshooting
Try to initiate traffic on the port you blocked toward the interface (WAN, DMZ, LAN, VPN) where it is blocked. To test Example #1, try to initiate an FTP session from the LAN side of the firewall over the VPN tunnel; it should fail. Disable the FTP rule, and you should now be able to initiate an FTP session to the FTP server.

If the block does not behave as expected:
- Verify you have the correct type of traffic blocked.
- Verify you are blocking it between the right interfaces.
- If you have problems with self-created services, verify that you have the correct type of traffic (TCP/UDP) and the correct port number.
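For the TCP ports in Example #2, the test above can be scripted. The checker below is an added example, not part of the technote, and is meant to be run from a host on the LAN side toward a host you administer on the far side of the rule (203.0.113.5 is a placeholder). It reports what the connect attempt saw, which also tells a Deny rule (a reject comes back quickly) apart from a Discard rule (the attempt times out). UDP 69 cannot be tested with a TCP connect; use an actual TFTP client for that. The self-test at the end involves no firewall: it binds a throw-away listener on 127.0.0.1 to show the "open" and "refused" outcomes.

```python
# Added example, not SonicWALL code: classify what a TCP connect attempt sees so
# a blocked port can be told apart from one that is merely closed or dropped.
import socket
from typing import Callable, Dict, Iterable


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return "open", "refused", "timeout" or "unreachable" for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: nothing blocked it
    except socket.timeout:
        return "timeout"         # no answer: a Discard rule (or a dead host) looks like this
    except ConnectionRefusedError:
        return "refused"         # RST came back: closed port, or a Deny-style reject
    except OSError:
        return "unreachable"     # ICMP unreachable / routing error: also a typical reject
    finally:
        s.close()


def check_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Check several TCP ports on one host, e.g. the Example #2 ports 135 and 4444."""
    return {p: check_port(host, p, timeout) for p in ports}


def with_local_listener(fn: Callable[[int], str]) -> str:
    """Run fn(port) while a throw-away listener is bound on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
        srv.listen(1)
        return fn(srv.getsockname()[1])
    finally:
        srv.close()


def self_test() -> Dict[str, str]:
    """Constructed check with no firewall involved: open listener vs. closed port."""
    holder: Dict[str, int] = {}

    def probe(port: int) -> str:
        holder["port"] = port
        return check_port("127.0.0.1", port)

    opened = with_local_listener(probe)
    closed = check_port("127.0.0.1", holder["port"])   # the listener is gone now
    return {"listening": opened, "closed": closed}


if __name__ == "__main__":
    # Placeholder destination: replace with a host you administer behind the rule.
    print(check_ports("203.0.113.5", [135, 4444]))
    print(self_test())
```

When the rule is in place, the Example #2 ports should report "refused" or "unreachable" (Deny) or "timeout" (Discard); an "open" result means the rule is either ordered below the default Allow, bound to the wrong interface pair, or defined for the wrong protocol or port.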

Created: 04/19/2004. Updated: 06/16/2008. Version 1.1.
