NAT with IP Filters

 
 
Jerome Baum
12-29-2006, 12:30 PM
Hi!

I have a dedicated server on which I cannot install a custom firewall
(dedicated server, no KVM) and the windows firewall is disabled when
Routing and Remote Access is enabled.

So I use inbound filters instead of a firewall. But I have an interface
(OpenVPN) which is NAT'd. Those connected to this interface need access
to the Internet.

I have found that creating a rule to allow "Any" traffic (practically
disabling the firewall) will grant access to this interface.

I have a rule to allow all "TCP [established]" traffic, so I don't see
why I have to disable the entire firewall for that interface to gain
outward TCP access. I have no Outbound filters on the external
interface and no filters at all on the mentioned internal interface.

I would be thankful for any help!

-jerome

 
Phillip Windell
12-29-2006, 02:50 PM
If the connection is NATed, then you have a firewall already. NAT does not
allow anything inbound, ever, unless you go out of your way to configure a
Static NAT (inbound) connection on purpose. You don't have to actively
"block" what isn't going to happen in the first place. It does not mean
you have disabled the firewall if you aren't filtering specific ports. But
in the outbound direction NAT lets it all flow unless you "overcome" that
with outbound filtering.

As far as OpenVPN goes, I've never heard of it, and have no idea if it is a
hardware device or software, how you deployed it, or even if you deployed it
properly. So I can't really comment on that at this point.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------



 
Jerome Baum
12-29-2006, 03:18 PM
inline

Phillip Windell wrote:

> If the connection is NATed, then you have a firewall already. NAT does not
> allow anything inbound, ever,...unless you go out of your way to configure
> Static NAT (inbound) connection on purpose. You don't have to actively
> "block" what isn't going to happen in the first place. It does not mean
> you have disabled the firewall if you aren't filtering specific ports. But
> on the outbound direction NAT lets it all flow unless you "overcome" that
> with outbound filtering.


I was not clear about what I meant. The NAT server itself runs services
such as IIS and the like. I need ports such as 3389 for RDP open since I
have no local KVM. The point is, I would like to block all connections
but those established by clients on the virtual interfaces (there are
more than just that one) and those to specific ports (e.g. 3389, 80,
443).

Of course, I could ensure that no programs are listening on the public
interface, but this is far more tedious than simply telling the routing
service to only allow certain ports to be connected to.

The point is, the "firewall" (inbound filters) of the routing service
are fine except that they don't allow outgoing connections via e.g. TCP
from the internal interfaces.

Thanks again!

>
> As far as OpenVPN,...never heard of it,..have no idea if it is a hardware
> device or software or how you deployed it, or even if you deployed it
> properly. So I can't really comment on that at this point.


OpenVPN: I have worked with it for quite a while and am sure that it is
configured correctly. I only mentioned it just in case.

 
Jerome Baum
12-29-2006, 03:47 PM
I just noticed that the "NAT Session Mappings" table shows nothing
about the connections that have been made - is it supposed to? (I mean
outward connections from a private interface.)

Thanks!

Phillip Windell
12-29-2006, 09:23 PM
Jerome Baum wrote:
> I just noticed that the "NAT Session Mappings" table shows nothing
> about the connections that have been made - is it supposed to? (I mean
> outward connections from a private interface.)


I think that is only for inbound connections (Static NAT, aka Reverse NAT).
Nothing

I don't know what to tell you about the RDP. I think without a real
firewall product being in use it is going to be "all or nothing". I think
your only option is to control *who* can connect based on their user account
and not be concerned with where they came from.

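Two ideas run through this thread: Jerome's "TCP [established]" inbound filter on the public interface, and the NAT session-mapping table that Phillip says only matters for inbound (static) NAT. The Python model below is an added example, not code from the thread and not RRAS code; it makes no claim about how RRAS orders filtering and translation internally, and it does not explain why Jerome's filter set blocked his VPN clients. Addresses (203.0.113.10, 10.8.0.6, 198.51.100.7, 192.0.2.99) and port numbers are constructed, and "established" is modelled the way stateless packet filters of that kind implement it, as "ACK bit set". It contrasts that stateless rule with a check against the NAT session table: a reply to a connection a VPN client opened through the NAT passes both, but an unsolicited ACK-flagged probe at the router's own RDP port passes the stateless rule and reaches the router's TCP stack, while the session-table check rejects it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment. flags uses letters: S=SYN, A=ACK, R=RST (e.g. "SA")."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


# Constructed addresses (RFC 5737 documentation ranges and a VPN subnet).
PUBLIC_IP = "203.0.113.10"               # router's public interface
ALLOWED_SERVICE_PORTS = {80, 443, 3389}  # services the router itself exposes


def stateless_established_filter(pkt: Packet) -> bool:
    """Inbound filter on the public interface, stateless like a packet filter
    list: pass "TCP [established]" (modelled here as: ACK bit set) and new
    connections to the explicitly opened service ports; drop everything else."""
    if pkt.dst != PUBLIC_IP:
        return False
    return "A" in pkt.flags or pkt.dport in ALLOWED_SERVICE_PORTS


class NatRouter:
    """Minimal port-translating NAT that also hosts its own services."""

    def __init__(self, filter_fn):
        self.filter_fn = filter_fn
        # (remote_ip, remote_port, public_port) -> (private_ip, private_port)
        self.sessions: dict[tuple, tuple] = {}
        self._next_public_port = 40000

    def send_out(self, pkt: Packet) -> Packet:
        """Private host -> Internet: record a session mapping and rewrite the
        source to the public address and an allocated public port."""
        public_port = self._next_public_port
        self._next_public_port += 1
        self.sessions[(pkt.dst, pkt.dport, public_port)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, public_port, pkt.dst, pkt.dport, pkt.flags)

    def receive(self, pkt: Packet) -> str:
        """Internet -> public interface. Returns where the segment ends up."""
        if not self.filter_fn(pkt):
            return "dropped-by-filter"
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.sessions:
            private_ip, private_port = self.sessions[key]
            return f"nat->{private_ip}:{private_port}"
        # No mapping: the segment is for the router's own TCP stack.
        return "local-stack"

    def stateful_established(self, pkt: Packet) -> bool:
        """What a session-table check would do instead of an ACK-bit test:
        admit a segment only if it answers a session this router opened."""
        return (pkt.src, pkt.sport, pkt.dport) in self.sessions


def scenario() -> dict:
    """Run the four cases the thread is about and return the outcomes."""
    router = NatRouter(stateless_established_filter)

    # 1. A VPN client behind the NAT opens a web connection; the server replies.
    syn = Packet("10.8.0.6", 51000, "198.51.100.7", 80, "S")
    translated = router.send_out(syn)
    reply = Packet("198.51.100.7", 80, PUBLIC_IP, translated.sport, "SA")

    # 2. Unsolicited ACK-only probe (what an ACK scan sends) at the router's RDP port.
    probe = Packet("192.0.2.99", 55555, PUBLIC_IP, 3389, "A")

    # 3. New connection to a port that is not opened.
    syn_closed = Packet("192.0.2.99", 55556, PUBLIC_IP, 3390, "S")

    # 4. New connection to RDP, which the filter opens on purpose.
    syn_rdp = Packet("192.0.2.99", 55557, PUBLIC_IP, 3389, "S")

    return {
        "reply_to_vpn_client": router.receive(reply),
        "ack_probe_stateless": router.receive(probe),
        "ack_probe_stateful": router.stateful_established(probe),
        "syn_to_closed_port": router.receive(syn_closed),
        "syn_to_rdp": router.receive(syn_rdp),
        "session_count": len(router.sessions),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

Run it directly to print the outcomes. Case 2 is the security point: an ACK-bit rule is a stateless heuristic, so the unsolicited probe reaches the router's own stack, which answers RST for a port with no matching connection, and that is exactly how an ACK scan maps out which ports a stateless filter leaves reachable. The session-table check rejects the probe, but a NAT's mappings only ever cover translated traffic to private hosts; services listening on the router itself (IIS, RDP) still depend entirely on the filter rules, which is why the "open only these ports" list matters regardless of NAT.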
Jerome Baum
12-30-2006, 01:08 AM

Phillip Windell wrote:

> I don't know what to tell you about the RDP. I think without a real
> firewall product being in use it is going to be "all or nothing". I think
> your only option is to control *who* can connect based on their user account
> and not be concerned with where they came from.


That policy is already in place. My plan is that everybody who is
connected via the VPN (i.e. any of the internal interfaces) can connect
via NAT to the outside world, but the outside world can only access
certain ports on the router. The problem is that I cannot set the
inbound filters to allow only certain ports without blocking the
internal interfaces off for outbound connections.

Thanks again

Bill Grant
12-31-2006, 12:32 AM
Have you added the internal interfaces to NAT as private interfaces?

Jerome Baum
01-01-2007, 02:16 PM

Yes

Bill Grant wrote:

> Have you added the internal interfaces to NAT as private interfaces?