On 10 Nov, 17:57, Rob Morley <nos...@ntlworld.com> wrote:
> On Mon, 10 Nov 2008 09:33:37 -0800 (PST)
>
> simon <s...@lycos.co.uk> wrote:
> > On 10 Nov, 16:35, Rob Morley <nos...@ntlworld.com> wrote:
> > > On Mon, 10 Nov 2008 07:36:45 -0800 (PST)
>
> > > simon <s...@lycos.co.uk> wrote:
> > > > Since getting a nasty virus that sent out hundreds of email from
> > > > my PC I have been trying to get a set of outgoing rules to work
> > > > on my Netgear ADSL router/firewall.
> > > > I set up a rule to deny ALL TCP/UDP outgoing connections. I
> > > > thought the router would be clever enough and should still allow
> > > > incoming connections from my work computer to my vncserver on my
> > > > PC.
>
> > > > Why does it only work if I set up a specific rule in the outgoing
> > > > connections, or remove the Deny ALL outgoing rule?
> > > > Is this how it's meant to work ?
>
> > > > I thought the idea was that the router realised that the outgoing
> > > > packets were a result of the incoming connection request and so it
> > > > should allow a remotely initiated VNC connection shouldn't it ?
>
> > > The default is to allow all outgoing connections and deny all
> > > incoming, then the router keeps track of which incoming traffic is
> > > a response to an outgoing request and lets it through. You have to
> > > add specific rules for the services[1] you want to allow and put
> > > them above the deny-all rule in the list so they are found and
> > > allowed - everything that doesn't match one of these rules falls
> > > through to the default deny. As far as outgoing rules, if you
> > > wanted to block mailer malware from sending mail you could block
> > > all outgoing SMTP connections then allow connections only to your
> > > ISP's SMTP server (the malware usually does its own SMTP rather
> > > than using your ISP).
>
> > > [1] A service is a program that listens for requests on a port, e.g.
> > > a home web server waiting for a browser to connect or a VNC server
> > > waiting for a client connection. In order for the router to let a
> > > client request through to the server it needs to know not only that
> > > the connection is allowed, but also which device to forward it to,
> > > because as far as the WAN is concerned your LAN has only one IP
> > > address regardless of the number of devices you actually have
> > > connected with private addresses. On top of that, some services
> > > (e.g. some types of FTP) respond to a request by saying "go connect
> > > to port XYZ and I'll deal with you there" in which case the router
> > > also needs to know that this new connection is allowed and where to
> > > forward it.
>
> > Thanks for the reply, I think you missed my point though. I wanted to
> > specifically allow outgoing services as required,
>
> A service is listening for /incoming/ connections, so it's the incoming
> rules you need to modify.
>
> > but was not
> > expecting that I would have to enable an outgoing rule to get an
> > incoming VNC connection to work.
>
> You don't - all outgoing connections are allowed by default.
>
> > I can see from the log that once
> > vncserver receives a request, it connects back from the listening port
> > to the remote address, which gets caught by the 'deny all' rule
> > unless I put another rule in above it, to 'Allow all' for my work's IP
> > address. So I guess this is how it'll have to be..
>
> Are you sure the server isn't just listening on a different port once
> it's received a session request, and you need an additional incoming
> rule to forward that?
Yes... the log tells me that the reply from vncserver matches my
'Deny any (all)' rule