RVS4000 Firewall ACL Question

Answered Question
Apr 20th, 2010

I'm working to setup and configure an RVS4000 for a friend and wanted to verify my understanding of the firewall section.  It <seems> by default the firewall allows traffic from any source to any destination, including from the WAN.  I realize with NAT this isn't a huge concern / shouldn't be the case... however I tend to prefer tighter standards rather than looser.

I wanted to ensure that it allowed internally initiated traffic outbound, and external traffic inbound dropped so I created the rules as shown attached file.  Am I looking at this correctly?  Is the Firewall ACL section for setting up a stateful firewall or is it just pure ACL's and the last rule from the WAN is required for returning traffic back in which has already been through the NAT engine?

If someone could please help me clear this one little detail up I would be greatly appreciative.

Thanks in advance.

I have this problem too.
0 votes
Correct Answer by Alejandro Gallego about 6 years 9 months ago

The ACL is just that ACLs. The rules you made are fine, the difference with your set up and the default is that you are explicitly denying the traffic; which is not a bed idea. On that note, that does not mean that the traffic was explicitly allowed before (default config).

Before any rules are created a "deny any any" is already in place but not displayed. This is typical of the small business and consumer routers. The only thing I would change is instead of suplying the subnet, just set it to "any".

Hope this helps.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Alejandro Gallego Fri, 04/23/2010 - 11:39

The ACL is just that ACLs. The rules you made are fine, the difference with your set up and the default is that you are explicitly denying the traffic; which is not a bed idea. On that note, that does not mean that the traffic was explicitly allowed before (default config).

Before any rules are created a "deny any any" is already in place but not displayed. This is typical of the small business and consumer routers. The only thing I would change is instead of suplying the subnet, just set it to "any".

Hope this helps.

bmurray2_home Mon, 04/26/2010 - 19:16

Thank you, that's essentially what I found.  I ended up trying it both with and without the "catch all rule / cleanup rule" with similar results however a few protocols didn't seem as happy with it configured that way.  I did verify that in both cases traffic IS blocked to non-allowed ports using nmap, so either configuration seems ok.

Thanks again