DG834g outgoing rules
#1  November 10th 08, 03:36 PM, posted to uk.comp.home-networking
simon

Since getting a nasty virus that sent out hundreds of emails from my PC
I have been trying to get a set of outgoing rules to work on my
Netgear ADSL router/firewall.
I set up a rule to deny ALL TCP/UDP outgoing connections. I thought
the router would be clever enough and should still allow incoming
connections from my work computer to my vncserver on my PC.

Why does it only work if I set up a specific rule in the outgoing
connections, or remove the Deny ALL outgoing rule?
Is this how it's meant to work?

I thought the idea was that the router realised that the outgoing
packets were a result of the incoming connection request and so it
should allow a remotely initiated VNC connection, shouldn't it?
#2  November 10th 08, 04:35 PM, posted to uk.comp.home-networking
Rob Morley

On Mon, 10 Nov 2008 07:36:45 -0800 (PST)
simon wrote:

> Since getting a nasty virus that sent out hundreds of emails from my PC
> I have been trying to get a set of outgoing rules to work on my
> Netgear ADSL router/firewall.
> I set up a rule to deny ALL TCP/UDP outgoing connections. I thought
> the router would be clever enough and should still allow incoming
> connections from my work computer to my vncserver on my PC.
>
> Why does it only work if I set up a specific rule in the outgoing
> connections, or remove the Deny ALL outgoing rule?
> Is this how it's meant to work?
>
> I thought the idea was that the router realised that the outgoing
> packets were a result of the incoming connection request and so it
> should allow a remotely initiated VNC connection, shouldn't it?

The default is to allow all outgoing connections and deny all incoming,
then the router keeps track of which incoming traffic is a response to
an outgoing request and lets it through. You have to add specific
rules for the services[1] you want to allow and put them above the
deny-all rule in the list so they are found and allowed - everything
that doesn't match one of these rules falls through to the default
deny. As for outgoing rules, if you wanted to block mailer malware
from sending mail you could block all outgoing SMTP connections then
allow connections only to your ISP's SMTP server (the malware usually
does its own SMTP rather than using your ISP).


[1] A service is a program that listens for requests on a port, e.g.
a home web server waiting for a browser to connect or a VNC server
waiting for a client connection. In order for the router to let a
client request through to the server it needs to know not only that the
connection is allowed, but also which device to forward it to, because
as far as the WAN is concerned your LAN has only one IP address
regardless of the number of devices you actually have connected with
private addresses. On top of that, some services (e.g. some types of
FTP) respond to a request by saying "go connect to port XYZ and I'll
deal with you there" in which case the router also needs to know that
this new connection is allowed and where to forward it.


#3  November 10th 08, 05:33 PM, posted to uk.comp.home-networking
simon

On 10 Nov, 16:35, Rob Morley wrote:
> On Mon, 10 Nov 2008 07:36:45 -0800 (PST)
> simon wrote:
>> Since getting a nasty virus that sent out hundreds of emails from my PC
>> I have been trying to get a set of outgoing rules to work on my
>> Netgear ADSL router/firewall.
>> I set up a rule to deny ALL TCP/UDP outgoing connections. I thought
>> the router would be clever enough and should still allow incoming
>> connections from my work computer to my vncserver on my PC.
>>
>> Why does it only work if I set up a specific rule in the outgoing
>> connections, or remove the Deny ALL outgoing rule?
>> Is this how it's meant to work?
>>
>> I thought the idea was that the router realised that the outgoing
>> packets were a result of the incoming connection request and so it
>> should allow a remotely initiated VNC connection, shouldn't it?
>
> The default is to allow all outgoing connections and deny all incoming,
> then the router keeps track of which incoming traffic is a response to
> an outgoing request and lets it through. You have to add specific
> rules for the services[1] you want to allow and put them above the
> deny-all rule in the list so they are found and allowed - everything
> that doesn't match one of these rules falls through to the default
> deny. As for outgoing rules, if you wanted to block mailer malware
> from sending mail you could block all outgoing SMTP connections then
> allow connections only to your ISP's SMTP server (the malware usually
> does its own SMTP rather than using your ISP).
>
> [1] A service is a program that listens for requests on a port, e.g.
> a home web server waiting for a browser to connect or a VNC server
> waiting for a client connection. In order for the router to let a
> client request through to the server it needs to know not only that the
> connection is allowed, but also which device to forward it to, because
> as far as the WAN is concerned your LAN has only one IP address
> regardless of the number of devices you actually have connected with
> private addresses. On top of that, some services (e.g. some types of
> FTP) respond to a request by saying "go connect to port XYZ and I'll
> deal with you there" in which case the router also needs to know that
> this new connection is allowed and where to forward it.

Thanks for the reply, I think you missed my point though. I wanted to
specifically allow outgoing services as required, but was not
expecting that I would have to enable an outgoing rule to get an
incoming VNC connection to work. I can see from the log that once
vncserver receives a request, it connects back from the listening port
to the remote address, which gets caught by the 'deny all' rule
unless I put another rule in above it, to 'Allow all' for my work's IP
address. So I guess this is how it'll have to be.
#4  November 10th 08, 05:57 PM, posted to uk.comp.home-networking
Rob Morley

On Mon, 10 Nov 2008 09:33:37 -0800 (PST)
simon wrote:

> On 10 Nov, 16:35, Rob Morley wrote:
>> On Mon, 10 Nov 2008 07:36:45 -0800 (PST)
>> simon wrote:
>>> Since getting a nasty virus that sent out hundreds of emails from
>>> my PC I have been trying to get a set of outgoing rules to work
>>> on my Netgear ADSL router/firewall.
>>> I set up a rule to deny ALL TCP/UDP outgoing connections. I
>>> thought the router would be clever enough and should still allow
>>> incoming connections from my work computer to my vncserver on my
>>> PC.
>>>
>>> Why does it only work if I set up a specific rule in the outgoing
>>> connections, or remove the Deny ALL outgoing rule?
>>> Is this how it's meant to work?
>>>
>>> I thought the idea was that the router realised that the outgoing
>>> packets were a result of the incoming connection request and so it
>>> should allow a remotely initiated VNC connection, shouldn't it?
>>
>> The default is to allow all outgoing connections and deny all
>> incoming, then the router keeps track of which incoming traffic is
>> a response to an outgoing request and lets it through. You have to
>> add specific rules for the services[1] you want to allow and put
>> them above the deny-all rule in the list so they are found and
>> allowed - everything that doesn't match one of these rules falls
>> through to the default deny. As for outgoing rules, if you
>> wanted to block mailer malware from sending mail you could block
>> all outgoing SMTP connections then allow connections only to your
>> ISP's SMTP server (the malware usually does its own SMTP rather
>> than using your ISP).
>>
>> [1] A service is a program that listens for requests on a port, e.g.
>> a home web server waiting for a browser to connect or a VNC server
>> waiting for a client connection. In order for the router to let a
>> client request through to the server it needs to know not only that
>> the connection is allowed, but also which device to forward it to,
>> because as far as the WAN is concerned your LAN has only one IP
>> address regardless of the number of devices you actually have
>> connected with private addresses. On top of that, some services
>> (e.g. some types of FTP) respond to a request by saying "go connect
>> to port XYZ and I'll deal with you there" in which case the router
>> also needs to know that this new connection is allowed and where to
>> forward it.
>
> Thanks for the reply, I think you missed my point though. I wanted to
> specifically allow outgoing services as required,

A service is listening for /incoming/ connections, so it's the incoming
rules you need to modify.

> but was not
> expecting that I would have to enable an outgoing rule to get an
> incoming VNC connection to work.

You don't - all outgoing connections are allowed by default.

> I can see from the log that once
> vncserver receives a request, it connects back from the listening port
> to the remote address, which gets caught by the 'deny all' rule
> unless I put another rule in above it, to 'Allow all' for my work's IP
> address. So I guess this is how it'll have to be.

Are you sure the server isn't just listening on a different port once
it's received a session request, and you need an additional incoming
rule to forward that?


#5  November 11th 08, 08:02 AM, posted to uk.comp.home-networking
Alex Fraser

simon wrote:
> [snip]
> Why does it only work if I set up a specific rule in the outgoing
> connections, or remove the Deny ALL outgoing rule?
> Is this how it's meant to work?
>
> I thought the idea was that the router realised that the outgoing
> packets were a result of the incoming connection request and so it
> should allow a remotely initiated VNC connection, shouldn't it?

That idea is part of stateful packet inspection (SPI). I would expect
the intended behaviour to be that related packets are allowed regardless
of any "deny" rules you set up.

It is not clear whether setting up an outbound "allow" rule specifying
the service will match based on the source port, destination port or
either. It's likely it will only match the destination port, however if
it (also) matches on the source port, this should get it working.

"Allow incoming packets with this destination address/port, and allow
outbound packets with this source address/port" is basically how you
would configure a stateless firewall to allow a "simple" service (most
common protocols except FTP) behind it to work.

Alex
#6  November 11th 08, 09:23 AM, posted to uk.comp.home-networking
simon

On 10 Nov, 17:57, Rob Morley wrote:
> On Mon, 10 Nov 2008 09:33:37 -0800 (PST)
> simon wrote:
>> On 10 Nov, 16:35, Rob Morley wrote:
>>> On Mon, 10 Nov 2008 07:36:45 -0800 (PST)
>>> simon wrote:
>>>> Since getting a nasty virus that sent out hundreds of emails from
>>>> my PC I have been trying to get a set of outgoing rules to work
>>>> on my Netgear ADSL router/firewall.
>>>> I set up a rule to deny ALL TCP/UDP outgoing connections. I
>>>> thought the router would be clever enough and should still allow
>>>> incoming connections from my work computer to my vncserver on my
>>>> PC.
>>>>
>>>> Why does it only work if I set up a specific rule in the outgoing
>>>> connections, or remove the Deny ALL outgoing rule?
>>>> Is this how it's meant to work?
>>>>
>>>> I thought the idea was that the router realised that the outgoing
>>>> packets were a result of the incoming connection request and so it
>>>> should allow a remotely initiated VNC connection, shouldn't it?
>>>
>>> The default is to allow all outgoing connections and deny all
>>> incoming, then the router keeps track of which incoming traffic is
>>> a response to an outgoing request and lets it through. You have to
>>> add specific rules for the services[1] you want to allow and put
>>> them above the deny-all rule in the list so they are found and
>>> allowed - everything that doesn't match one of these rules falls
>>> through to the default deny. As for outgoing rules, if you
>>> wanted to block mailer malware from sending mail you could block
>>> all outgoing SMTP connections then allow connections only to your
>>> ISP's SMTP server (the malware usually does its own SMTP rather
>>> than using your ISP).
>>>
>>> [1] A service is a program that listens for requests on a port, e.g.
>>> a home web server waiting for a browser to connect or a VNC server
>>> waiting for a client connection. In order for the router to let a
>>> client request through to the server it needs to know not only that
>>> the connection is allowed, but also which device to forward it to,
>>> because as far as the WAN is concerned your LAN has only one IP
>>> address regardless of the number of devices you actually have
>>> connected with private addresses. On top of that, some services
>>> (e.g. some types of FTP) respond to a request by saying "go connect
>>> to port XYZ and I'll deal with you there" in which case the router
>>> also needs to know that this new connection is allowed and where to
>>> forward it.
>>
>> Thanks for the reply, I think you missed my point though. I wanted to
>> specifically allow outgoing services as required,
>
> A service is listening for /incoming/ connections, so it's the incoming
> rules you need to modify.
>
>> but was not
>> expecting that I would have to enable an outgoing rule to get an
>> incoming VNC connection to work.
>
> You don't - all outgoing connections are allowed by default.
>
>> I can see from the log that once
>> vncserver receives a request, it connects back from the listening port
>> to the remote address, which gets caught by the 'deny all' rule
>> unless I put another rule in above it, to 'Allow all' for my work's IP
>> address. So I guess this is how it'll have to be.
>
> Are you sure the server isn't just listening on a different port once
> it's received a session request, and you need an additional incoming
> rule to forward that?

Yes... the log tells me that the reply from vncserver matches my
'Deny any (all)' rule
#7  November 11th 08, 09:27 AM, posted to uk.comp.home-networking
simon

On 11 Nov, 08:02, Alex Fraser wrote:
> simon wrote:
>> [snip]
>> Why does it only work if I set up a specific rule in the outgoing
>> connections, or remove the Deny ALL outgoing rule?
>> Is this how it's meant to work?
>>
>> I thought the idea was that the router realised that the outgoing
>> packets were a result of the incoming connection request and so it
>> should allow a remotely initiated VNC connection, shouldn't it?
>
> That idea is part of stateful packet inspection (SPI). I would expect
> the intended behaviour to be that related packets are allowed regardless
> of any "deny" rules you set up.
>
> It is not clear whether setting up an outbound "allow" rule specifying
> the service will match based on the source port, destination port or
> either. It's likely it will only match the destination port, however if
> it (also) matches on the source port, this should get it working.
>
> "Allow incoming packets with this destination address/port, and allow
> outbound packets with this source address/port" is basically how you
> would configure a stateless firewall to allow a "simple" service (most
> common protocols except FTP) behind it to work.
>
> Alex

I decided just to put in a global 'allow all to this IP'. I will have
to add in all the IPs for my company's various internet connections,
as required I guess.
So you agree with me that the Netgear is apparently not doing `proper`
Stateful Packet Inspection? I might try the latest firmware, perhaps
this will fix it?
#8  November 11th 08, 11:35 AM, posted to uk.comp.home-networking
Rob Morley

On Tue, 11 Nov 2008 01:23:37 -0800 (PST)
simon wrote:

> On 10 Nov, 17:57, Rob Morley wrote:
>> On Mon, 10 Nov 2008 09:33:37 -0800 (PST)
>>
>> Are you sure the server isn't just listening on a different port
>> once it's received a session request, and you need an additional
>> incoming rule to forward that?
>
> Yes... the log tells me that the reply from vncserver matches my
> 'Deny any (all)' rule

On which port?

#9  November 11th 08, 11:48 AM, posted to uk.comp.home-networking
simon

On 11 Nov, 11:35, Rob Morley wrote:
> On Tue, 11 Nov 2008 01:23:37 -0800 (PST)
> simon wrote:
>> On 10 Nov, 17:57, Rob Morley wrote:
>>> On Mon, 10 Nov 2008 09:33:37 -0800 (PST)
>>> Are you sure the server isn't just listening on a different port
>>> once it's received a session request, and you need an additional
>>> incoming rule to forward that?
>>
>> Yes... the log tells me that the reply from vncserver matches my
>> 'Deny any (all)' rule
>
> On which port?

(The same as the one it's listening on) and the destination port
seems to change.
#10  November 14th 08, 07:59 AM, posted to uk.comp.home-networking
Alex Fraser

simon wrote:
> On 11 Nov, 08:02, Alex Fraser wrote:
>> simon wrote:
>>> [snip]
>>> Why does it only work if I set up a specific rule in the outgoing
>>> connections, or remove the Deny ALL outgoing rule?
>>> Is this how it's meant to work?
>>> I thought the idea was that the router realised that the outgoing
>>> packets were a result of the incoming connection request and so it
>>> should allow a remotely initiated VNC connection, shouldn't it?
>>
>> That idea is part of stateful packet inspection (SPI). I would expect
>> the intended behaviour to be that related packets are allowed regardless
>> of any "deny" rules you set up.
>
> [snip]
> So you agree with me that the Netgear is apparently not doing `proper`
> Stateful Packet Inspection?

No - it's Linux-based, so it will do "proper" SPI. But the configuration
may prevent it working as you expect.

I have a DG834G myself; I've had a quick look at the way it sets up the
rules. It would appear to include the outbound rules (as configured
through the web interface) before a rule that says "allow packets for
established/related connections", but I'll need to refresh my memory on
exactly how it works and study the setup in more detail to be certain of
the effects.

> I might try the latest firmware, perhaps this will fix it?

Maybe.

Alex