Basic Firewall Help
Posted: Thu Jun 14, 2012 5:47 pm
I'm struggling with even the most basic firewall stuff here 
7800N (firmware 1.06g) connected to the Internet via Ethernet to a FTTC modem.
I have 2 computers inside my network
192.168.1.10 which runs a ftp server
192.168.1.11 this laptop
I have a Virtual Server defined that allows incoming FTP access to the .10 machine. This all works fine except I want to limit the external IP's that can connect to the ftp server. So on the face of it that's 2 firewall rules. One to allow the specified external IPs in and a 2nd rule to drop all other port 21 traffic.
Trouble is I can still access the ftp server from other IP address, i.e. the drop rule does not appear to stop an incoming connection, or the allow rule allows all IP address through still 
If I disable the time schedule for my first rule (FTP2) I'd expect all incoming FTP packets to get dropped. This is not the case for the server (.10 address) as an external connection can still be made. But worse still is the .11 laptop can no longer ftp out, as the drop rule kills all the returning packets.
So how does one allow a virtual server but restrict the IP addresses allowed to connect to it?
And why does the FTP rule not respect the replies from an outgoing ftp connection?
Thanks in advance
picnic
7800N (firmware 1.06g) connected to the Internet via Ethernet to a FTTC modem.I have 2 computers inside my network
192.168.1.10 which runs a ftp server
192.168.1.11 this laptop
I have a Virtual Server defined that allows incoming FTP access to the .10 machine. This all works fine except I want to limit the external IP's that can connect to the ftp server. So on the face of it that's 2 firewall rules. One to allow the specified external IPs in and a 2nd rule to drop all other port 21 traffic.
Code: Select all
Rule Name IP Version Internal IP Address Protocol Internal Port Direction Action Time Schedule Delete
External IP Address External Port
FTP2 4 Any TCP Any incoming forward Always On
xx.xxx.xx.245 ~ xx.xxx.xx.246 21 ~ 21
FTP 4 Any TCP Any incoming drop Always On
Any 21 ~ 21
If I disable the time schedule for my first rule (FTP2) I'd expect all incoming FTP packets to get dropped. This is not the case for the server (.10 address) as an external connection can still be made. But worse still is the .11 laptop can no longer ftp out, as the drop rule kills all the returning packets.
So how does one allow a virtual server but restrict the IP addresses allowed to connect to it?
And why does the FTP rule not respect the replies from an outgoing ftp connection?
Thanks in advance
picnic