ACL on inside LAN - to allow only reply to outside interface request

Unanswered Question
May 21st, 2012
User Badges:

dear friends..

i want suggestions on best practice... i am doubting that my internal network has some virus or trozen .. and from my router all traffic is allowed from inside to outside .. and from outside only couple of ports and established connections ..

my requirement is .. i want to take out the possibility of my router sending the garbage out to wan link which is actually blocking my link .. what is the best way to do the same... plz advise.. how you guys do in your environment... can we only allow the reply to my ports which i have allowed on my outside wan port.. so at least i will be sure that no etra traffic is going out. please advise.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Nandan Mathure Mon, 05/21/2012 - 09:51
User Badges:
  • Bronze, 100 points or more

I am not too sure if it is really scalable to keep blocking ports. I would recommend a filter device inline with the router which could be scanning the traffic all the time or some inline cards.  You can also check open source solutions like untangle.

Also lets see what other think..



JATINDER KUMAR Mon, 05/21/2012 - 10:07
User Badges:

hey nandan now sure if u understood my requirement .. i know this is possible with router.. not getting idea how .. any idea from team ..../

plz advise

Dan-Ciprian Cicioiu Mon, 05/21/2012 - 10:43
User Badges:
  • Gold, 750 points or more


The thing is that the trojan is initiating the traffic from inside , so there is no real use to filter the traffic from the outside to inside. A good think will be to restrict the users to some well known destination ports to the internet : tcp 80 , tcp 443 , tcp 21/20. A better way to offer internet access to the users is Proxy -  you can inspect and restrict the user access.


JATINDER KUMAR Mon, 05/21/2012 - 11:14
User Badges:

hi DAN .. as such i dont have much frm inside to send to outside ... the way my setup is .. i have two rewuirements..

1. exchage .. so ppl connect from outside ... so on, outside port i allowed 443/25 and dns

2. ppl RDP to public ip which are on inside LAN ..

now my requiremnt is no to allow any thing from inside interface to send to outside WAN .. so doing this .. will atleast give me some confidence that the traffic which is gooing out is correct .. any suggestions


This Discussion

Related Content