Introduction
This technote will show users how to block specific ports with the SonicWALL. A lot of traffic on the Internet operates on well-known or static ports. Well-known ports are ports whose numbers are pre-assigned (http://www.iana.org/assignments/port-numbers) by the Internet Assigned Numbers Authority (IANA). Some examples are SSH (TCP port 22), TFTP (UDP port 69), and HTTP (TCP port 80). Ports are blocked to stop certain types of traffic (e.g. SSH, HTTP, or TFTP) from passing through the firewall. This is useful to network administrators who want to disallow specific types of traffic on their network, such as Secure Shell (SSH) on TCP port 22. The ability to block ports is also important to help stop the spread of viruses if your network is infected. Users can block ports between any two interfaces; LAN to WAN, LAN to DMZ, and LAN to VPN are the most common interface pairs to block ports between. Some traffic on the Internet operates on dynamic ports (e.g. instant messaging applications). In that case, SonicWALL offers the Intrusion Prevention Service (IPS) in SonicOS 2.2 and above, which can be used to detect or block many types of traffic that use dynamic ports.
Recommended Versions
SonicOS Enhanced 2.0.1.5 or newer. Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available for the first 90 days to customers who have registered the SonicWALL device on MySonicWALL.
Caveats
SonicWALL blocks all ports/traffic from WAN to LAN and from DMZ to LAN by default. Note that this applies to traffic initiated from the WAN or DMZ; traffic initiated from the LAN is validated and allowed back in by the stateful inspection engine. SonicWALL allows all ports/traffic from LAN to WAN, LAN to VPN, and LAN to DMZ by default.
Sample Diagram
Definitions
User Datagram Protocol (UDP) - a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. UDP is used primarily for multimedia and streaming applications, and for broadcasting messages over a network.
Transmission Control Protocol (TCP) - enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
Deny vs. Discard - when creating a rule, SonicWALL gives you the option to allow, deny, or discard the packet. Denying a packet blocks it from going through the firewall, but also sends a packet back to the sending device notifying the sender that the packet was not allowed through the SonicWALL. Discarding a packet blackholes it: the packet is silently dropped by the firewall, and no notification message is sent.
Setup Steps
Example #1: Configure Port Blocking from LAN to VPN tunnel with a predefined service (FTP)
1. Select Firewall > Access Rules.
2. Select the LAN to VPN edit icon.
3. Click Add.
4. Select Deny as the Action.
5. Select FTP as the Service.
6. Select the Source (e.g. LAN Subnets, or any LAN address object of your choice).
7. Select the Destination (e.g. tz170lan, the destination network on the other side of the VPN tunnel).
8. Click OK.
9. Verify that the rule just created has a higher priority than the default rule for the LAN to VPN tunnel.
Example #2: Configure Port Blocking from LAN to WAN with an undefined service
This example will show how to block the W32.Blaster Worm (http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html) from spreading. Ports UDP 69 (TFTP), TCP 135 (DCOM RPC) and TCP 4444 will be blocked.
Create the services:
1. Select Firewall > Services.
2. Scroll to the bottom and click Add in the Services section.
3. Enter Name (e.g. DCOM RPC), Port Range (e.g. 135 - 135) and Protocol (e.g. TCP(6)), then click OK.
4. Click Add in the Services section again. Enter Name (e.g. Blaster), Port Range (e.g. 4444 - 4444) and Protocol (e.g. TCP(6)), then click OK.
Group the services:
5. Enter Name (e.g. Blaster Virus).
6. Select Blaster from the list on the left and click the right arrow.
7. Select DCOM RPC from the list on the left and click the right arrow.
8. Select TFTP from the list on the left and click the right arrow.
9. Click OK.
Create the access rule:
10. Select Firewall > Access Rules.
11. Select the LAN to WAN edit icon.
12. Click Add.
13. Select Action (e.g. Deny), Service (e.g. Blaster Virus), Source (e.g. LAN Subnets) and Destination (e.g. Any), then click OK.
14. Verify that the rule just created has a higher priority than the default rule for LAN to WAN.
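The two examples above depend on three things that are easy to get wrong in the GUI: the block rule must sit above the zone pair's default allow rule, a self-created service only matches its own protocol and port range, and Deny notifies the sender while Discard does not. The following is an added example, not SonicWALL code, that models a priority-ordered access rule table so those behaviours can be checked. Service names, ports and the tz170lan destination come from the technote; the classes, the evaluate function, and the assumption that the predefined FTP service covers TCP port 21 are this example's own.

```python
# Added example, not SonicWALL code: a model of a priority-ordered access rule
# table so the effect of rule order, protocol and port range can be checked.
# Service and zone names come from the technote; the classes, the FTP port
# (TCP 21) and the sample destination names are this example's assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Service:
    """A service as created under Firewall > Services: one protocol, one inclusive port range."""
    name: str
    proto: str              # "TCP" or "UDP"
    ports: Tuple[int, int]  # e.g. (135, 135) for a port range of "135 - 135"

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.ports[0] <= port <= self.ports[1]


@dataclass(frozen=True)
class ServiceGroup:
    """A service group matches when any member service matches."""
    name: str
    members: Tuple[Service, ...]

    def matches(self, proto: str, port: int) -> bool:
        return any(s.matches(proto, port) for s in self.members)


@dataclass(frozen=True)
class Rule:
    action: str   # "allow", "deny" (block and notify sender) or "discard" (silent drop)
    service: Optional[Union[Service, ServiceGroup]]  # None means "Any"
    source: str       # address object name, or "Any"
    destination: str  # address object name, or "Any"


def evaluate(rules: List[Rule], proto: str, dport: int, src: str, dst: str) -> Tuple[str, bool]:
    """First matching rule wins, highest priority (index 0) first.
    Returns (verdict, sender_notified): deny notifies the sender, discard does not."""
    for rule in rules:
        if rule.service is not None and not rule.service.matches(proto, dport):
            continue
        if rule.source != "Any" and rule.source != src:
            continue
        if rule.destination != "Any" and rule.destination != dst:
            continue
        if rule.action == "deny":
            return "blocked", True
        if rule.action == "discard":
            return "blocked", False
        return "allowed", False
    return "blocked", False  # no rule matched: treat like the WAN->LAN default


# Example #2 services and group (names and ports as in the technote)
TFTP = Service("TFTP", "UDP", (69, 69))
DCOM_RPC = Service("DCOM RPC", "TCP", (135, 135))
BLASTER = Service("Blaster", "TCP", (4444, 4444))
BLASTER_VIRUS = ServiceGroup("Blaster Virus", (BLASTER, DCOM_RPC, TFTP))

# Example #1 service (assumption: the predefined FTP service covers TCP 21)
FTP = Service("FTP", "TCP", (21, 21))

DEFAULT_ALLOW = Rule("allow", None, "Any", "Any")  # the LAN->WAN / LAN->VPN default rule
BLOCK_BLASTER = Rule("deny", BLASTER_VIRUS, "LAN Subnets", "Any")
BLOCK_FTP_TO_VPN = Rule("deny", FTP, "LAN Subnets", "tz170lan")


def lan_to_wan_rules(block_rule_first: bool) -> List[Rule]:
    """The block rule only takes effect when it has higher priority than the default allow."""
    return [BLOCK_BLASTER, DEFAULT_ALLOW] if block_rule_first else [DEFAULT_ALLOW, BLOCK_BLASTER]


def lan_to_vpn_rules() -> List[Rule]:
    return [BLOCK_FTP_TO_VPN, DEFAULT_ALLOW]


if __name__ == "__main__":
    good = lan_to_wan_rules(block_rule_first=True)
    bad = lan_to_wan_rules(block_rule_first=False)
    for proto, port in [("TCP", 135), ("TCP", 4444), ("UDP", 69), ("UDP", 135), ("TCP", 80)]:
        print(proto, port,
              "correct order:", evaluate(good, proto, port, "LAN Subnets", "198.51.100.9"),
              "| wrong order:", evaluate(bad, proto, port, "LAN Subnets", "198.51.100.9"))
```

Running the script shows that with the block rule below the default rule every packet is allowed, and that UDP 135 passes even with the correct order because DCOM RPC was created as a TCP-only service; that is the protocol mismatch the troubleshooting section asks you to check.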
Testing/Troubleshooting
Try to initiate traffic on the port you blocked to the interface (WAN, DMZ, LAN, VPN) where it is blocked. To test Example #1, try to initiate an FTP session from the LAN side of the firewall over the VPN tunnel; it should fail. Disable the FTP rule; you should now be able to initiate an FTP session to the FTP server.
If the block does not work:
- Verify you have the correct type of traffic blocked.
- Verify you are blocking it between the right interfaces.
- If you have problems with self-created services, verify that you have the correct type of traffic (TCP/UDP) and the correct port number.
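A connect attempt from a LAN host is the test the technote describes, and how it fails also tells you which action the rule applied: a Deny rule notifies the sender, so the attempt fails immediately, while a Discard rule drops the packet silently, so the attempt times out. The following is an added example, not part of the technote, of a small TCP check that records that distinction; the host, port and timeout are whatever you pass in, and the loopback self-test is constructed so the tool can be exercised without a firewall in the path.

```python
# Added example, not from the technote: a TCP connect check to run from a LAN
# host after creating a block rule. The classification of failures is this
# example's own reading of Deny (sender notified) versus Discard (silent).
import socket


def classify(exc: BaseException) -> str:
    """Map a connect failure to what it suggests about the firewall action."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"      # a reset came back quickly: consistent with Deny
    if isinstance(exc, socket.timeout):
        return "timeout"      # nothing came back: consistent with Discard (or no route)
    return "unreachable"      # any other OSError, e.g. an ICMP unreachable


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open' if a TCP connection completes, otherwise a failure classification.
    'open' after the rule is in place means the rule is not matching: wrong port or
    protocol, wrong zone pair, or the rule sits below the default allow rule."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:  # ConnectionRefusedError and socket.timeout are OSError subclasses
        return classify(exc)


def loopback_self_test() -> dict:
    """Constructed offline check: probe a local listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe_tcp("127.0.0.1", port, 1.0)
    srv.close()
    closed = probe_tcp("127.0.0.1", port, 1.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    print(loopback_self_test())
    # Against a real rule, e.g. Example #1 from a LAN host:
    #   probe_tcp("<ftp server on the tz170lan side>", 21)
```

Run it once with the rule enabled and once with the rule disabled, exactly as the technote suggests for Example #1; the result should change from "refused" (or "timeout" for a Discard rule) to "open".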