Preventing Traffic From Outside From Reaching My WAN Interface

I have a problem here.
My WAN interface is given a DHCP IP address by my ISP.
So the IP address of that interface is not constant.
I wish to prevent external people from pinging or reaching that WAN interface.
However, the IP address of the WAN interface is not constant.
How do I solve this problem?

Also, is it possible to restrict traffic based on physical or virtual interfaces instead of ip addresses?

Comments

  • You can’t prevent packets being sent by your ISP to your firewall WAN interface.
    Packets not allowed by a firewall policy will be denied.

  • Just create a new Ping packet filter policy where Ping (or ICMP) requests are denied from > any external to > Firebox and place it at the top of the order.
    Since you are using the "Firebox" alias there is no need to specify an IP address.

    Yes, once again you can assign aliases to the interfaces and create policies based upon those aliases.

    It's usually something simple.

  • @shaazaminator said:
    Just create a new Ping packet filter policy where Ping (or ICMP) requests are denied from > any external to > Firebox and place it at the top of the order.
    Since you are using the "Firebox" alias there is no need to specify an IP address.

    Yes, once again you can assign aliases to the interfaces and create policies based upon those aliases.

    Q1 What happens if I want to restrict ping and ssh from external but allow ssl vpn policies in? It can be done right?

    Q2 For other cases, I can assign physical or virtual interfaces to aliases right?

  • 1) Ping & SSH are denied incoming by default, as are all other packet types.
    You would have to add or modify policies to allow these in.
    Reply packets are automatically allowed in/out.

    You can allow any specific port or application incoming.
    SSLVPN support exists in Fireware - just enable it in VPN settings.

    To allow incoming packets, such as to an internal web server with a private internal IP addr, you need to use NAT - normally SNAT.

    2) yes

  • Ok I want
    "ssl vpn protocols" from any to external interface be allowed.
    "any" to "external" interface be denied.
    "internal" to "external" interface be allowed.
    "internal" to "internal" interface be allowed.
    So I have to create 4 separate rules huh.
    Thanks.

  • "ssl vpn protocols" from any to external interface be allowed.
    This is HTTPS.

    "any" to "external" interface be denied.
    If you mean from the Internet to external - the default is to deny all packet types to external, so nothing needs to be added for this

    "internal" to "external" interface be allowed.
    This is allowed in policies in the default config - all TCP & UDP packets (the Outgoing policy) and pings (the Ping policy) are allowed to the Internet

    "internal" to "internal" interface be allowed.
    All packets from devices on an internal firewall interface are allowed to other devices on that firewall interface by standard Ethernet. No firewall policies are needed.
    To allow packets from 1 internal firewall interface to another internal firewall interface would require 1 or more policies.

  • "internal" to "external" interface be allowed.

    That rule lets any internal device go anywhere on the Internet unrestricted and is a horrible rule to leave enabled. Say a user hits a bad web page and it tries to do a drive-by EXE file. That type of rule would ALLOW the malicious file download. You should look into egress filtering to allow outbound protocols and ports on an as-needed basis.


    "internal" to "internal" interface be allowed.

    The way I set up my firewalls and networks, I set up all non-External interfaces as VLANs. Then I have one patch cable between the Trusted interface to a network switch, and all computers & devices are on the switch, so no local internal traffic flows through the firewall except desired VLAN-to-VLAN traffic.

    Gregg Hill
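The replies above make two points that are easy to verify with a small model: policies keyed on interface aliases (Any-External, Firebox, Any-Trusted) never look at the WAN address, so a DHCP lease change cannot affect them, and anything no policy allows falls to the implicit deny while the SSLVPN (HTTPS) policy still lets VPN users in. The following is an added, simplified first-match policy evaluator written for this thread; it is not WatchGuard code, and the alias table, policy names and sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed alias table: an alias names interfaces, never IP addresses, so a
# DHCP change on External does not alter which policies match (simplified model).
ALIASES = {
    "Any-External": {"External"},
    "Any-Trusted": {"Trusted"},
    "Firebox": {"Firebox"},   # the firewall itself, whatever IPs it currently holds
}

@dataclass(frozen=True)
class Packet:
    src_iface: str            # interface the packet arrived on ("External", "Trusted")
    dst_iface: str            # where it is headed; "Firebox" = the firewall's own address
    proto: str                # "icmp", "tcp" or "udp"
    dport: Optional[int] = None
    dst_ip: str = ""          # informational only; matching below never reads it

@dataclass(frozen=True)
class Policy:
    name: str
    src: str                  # alias the packet must arrive from
    dst: str                  # alias the packet must be addressed to
    protos: frozenset         # protocols the policy covers
    dport: Optional[int]      # None = any port
    action: str               # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.src_iface in ALIASES[self.src]
                and p.dst_iface in ALIASES[self.dst]
                and p.proto in self.protos
                and (self.dport is None or self.dport == p.dport))

def evaluate(policies, pkt):
    """Top-to-bottom, first match wins; no match falls to the implicit deny."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return "deny", "implicit-deny"

# Order from the thread: explicit ping deny on top, SSLVPN (HTTPS) in, then the
# default Outgoing and Ping policies for internal-to-Internet traffic.
POLICIES = [
    Policy("Deny-Ping-To-Firebox", "Any-External", "Firebox", frozenset({"icmp"}), None, "deny"),
    Policy("SSLVPN-Users", "Any-External", "Firebox", frozenset({"tcp"}), 443, "allow"),
    Policy("Outgoing", "Any-Trusted", "Any-External", frozenset({"tcp", "udp"}), None, "allow"),
    Policy("Ping", "Any-Trusted", "Any-External", frozenset({"icmp"}), None, "allow"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.42"):   # two different DHCP leases, same verdict
        print(ip, evaluate(POLICIES, Packet("External", "Firebox", "icmp", dst_ip=ip)))
    print(evaluate(POLICIES, Packet("External", "Firebox", "tcp", 443)))   # VPN users get in
    print(evaluate(POLICIES, Packet("External", "Firebox", "tcp", 22)))    # SSH: implicit deny
```

Because nothing from the Internet to Firebox is allowed unless a policy says so, the SSH case above is blocked without any rule mentioning SSH at all, which is the "denied incoming by default" behaviour the reply describes.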
