Netgear DG834 Firewall setup confusion

Status
Not open for further replies.

stduc

Programmer
Nov 26, 2002
1,903
GB
I am trying to block 1 PC from using anything but HTTP.

So I set up 2 services

S1 TCP/UDP ports 1 to 79

S2 TCP/UDP ports 81 to 65535

and 2 outbound rules

Outbound service S1 block always LAN 192.168.0.4 WAN Any
and
Outbound service S2 block always LAN 192.168.0.4 WAN Any

It blocked that PC from any Internet usage, and inspection of the logs revealed that the reason was that the packets coming in from the LAN were destined for port 80 but were not coming from port 80!

So is what I am trying to do possible?

At the same time I noticed NetBIOS traffic from that PC was being blocked. Port 137. I have a general rule that blocks port 137 outbound on all PCs - so I checked the logs and noticed that only one PC was being reported as blocked. It was not this PC! Is this a logging problem?

That rule is

Service NB TCP/UDP ports 137 to 139

Firewall rule is

Outbound Service NB Lan Any WAN Any

I checked back in the logs and noticed that only 1 PC is ever reported as being blocked!

Very strange I thought.

Any and all thoughts welcomed. I'm confused now!
 
Bear in mind that when a PC initiates an HTTP connection, its source port is random and can be anything greater than 1023. The destination port is predictable and will always be 80.

So ideally you want to allow pretty much any source port (due to their randomness) but block instead on the destination port.

I don't have a Netgear firewall but I'm sure this is possible as it's a fairly standard access control feature.

Regarding the NetBIOS thing, maybe the other PCs don't have file sharing and/or NetBIOS over TCP/IP enabled. Check on their Network Neighbourhood settings to see. Compare these settings with the PC that shows in the logs.
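As an added illustration (not code from the thread or from Netgear), the small Python rule-matcher below evaluates the poster's two services against constructed sample flows, once treating the service port range as a source-port match and once as a destination-port match. The second LAN address and the ephemeral source ports are made up; 192.168.0.4 and the port ranges are the ones from the question.

```python
# Constructed example: why a "service" matched on the SOURCE port blocks all
# traffic from 192.168.0.4, while the same ranges matched on the DESTINATION
# port block everything except HTTP, which is what the poster wanted.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int   # ephemeral port chosen by the client (> 1023)
    dst_port: int   # well-known port of the service being contacted


@dataclass(frozen=True)
class Rule:
    port_lo: int
    port_hi: int
    lan_ip: str          # "Any" or one specific LAN address
    action: str = "block"


def rule_matches(rule: Rule, pkt: Packet, match_on: str) -> bool:
    """match_on is 'src' (how the router appears to behave) or 'dst'."""
    if rule.lan_ip != "Any" and rule.lan_ip != pkt.src_ip:
        return False
    port = pkt.src_port if match_on == "src" else pkt.dst_port
    return rule.port_lo <= port <= rule.port_hi


def evaluate(rules: list, pkt: Packet, match_on: str) -> str:
    """First matching rule wins; outbound default is allow (assumption)."""
    for rule in rules:
        if rule_matches(rule, pkt, match_on):
            return rule.action
    return "allow"


# The two services from the question, bound to the single restricted PC.
RULES = [Rule(1, 79, "192.168.0.4"), Rule(81, 65535, "192.168.0.4")]

# Constructed sample flows (ports and the 192.168.0.7 address are made up).
HTTP_FROM_RESTRICTED = Packet("192.168.0.4", 49152, 80)
SSH_FROM_RESTRICTED = Packet("192.168.0.4", 49153, 22)
HTTP_FROM_OTHER = Packet("192.168.0.7", 49154, 80)


def outcome(match_on: str) -> dict:
    return {
        "http_restricted": evaluate(RULES, HTTP_FROM_RESTRICTED, match_on),
        "ssh_restricted": evaluate(RULES, SSH_FROM_RESTRICTED, match_on),
        "http_other": evaluate(RULES, HTTP_FROM_OTHER, match_on),
    }


if __name__ == "__main__":
    print("source-port matching:     ", outcome("src"))
    print("destination-port matching:", outcome("dst"))
```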
 
I think you put your finger on the problem. I don't think the DG834 has any way of defining destination ports.

The NetBIOS blocks only appeared in the log after I added that extra rule. So the packets are still arriving from that PC - but the question is - is the general All rule just not logging them - or possibly not blocking them? I suspect it's just not logging them.
 
Hmm can you perhaps then block the returning (inbound) traffic on the firewall instead?

The returning traffic will always have a source port of 80 but a random destination port (i.e. the random port the PC chose originally).
 
I took a moment to look at the following Netgear manual:

ftp://downloads.netgear.com/files/DG834v3_RM01_27Oct06.pdf

Netgear seem to use the word "service" to indicate destination port number (page 34) for the application in question.

You've probably already seen this but take a look at pages 31-35. It certainly looks like you "should" be able to block based on destination port numbers (aka services).

Note this manual is for the DG834v3 so I don't know if it's compatible with your router.
 
Yep - that's what I thought. It was certainly the way I set it up. I assumed that a "service" referred to destination ports, but it appears to refer to just "ports". So it doesn't seem to work the way you would expect.

I'll take another look - it's always possible I did something daft.
 
Nope - I can't see anything I could be doing wrong. I even tried adding a "permit" for port 80 but it wouldn't let me - said that service was already defined!
 