DG834g outgoing rules

Discussion in 'Home Networking' started by simon, Nov 10, 2008.

  1. simon (Guest)

    Since getting a nasty virus that sent out hundreds of emails from my PC
    I have been trying to get a set of outgoing rules to work on my
    Netgear ADSL router/firewall.
    I set up a rule to deny ALL TCP/UDP outgoing connections. I thought
    the router would be clever enough and should still allow incoming
    connections from my work computer to my vncserver on my PC.

    Why does it only work if I set up a specific rule in the outgoing
    connections, or remove the Deny ALL outgoing rule?
    Is this how it's meant to work?

    I thought the idea was that the router realised that the outgoing
    packets were a result of the incoming connection request and so it
    should allow a remotely initiated VNC connection, shouldn't it?
     
    simon, Nov 10, 2008
    #1

  2. Rob Morley (Guest)

    The default is to allow all outgoing connections and deny all incoming,
    then the router keeps track of which incoming traffic is a response to
    an outgoing request and lets it through. You have to add specific
    rules for the services[1] you want to allow and put them above the
    deny-all rule in the list so they are found and allowed - everything
    that doesn't match one of these rules falls through to the default
    deny. As far as outgoing rules, if you wanted to block mailer malware
    from sending mail you could block all outgoing SMTP connections then
    allow connections only to your ISP's SMTP server (the malware usually
    does its own SMTP rather than using your ISP).


    [1] A service is a program that listens for requests on a port, e.g.
    a home web server waiting for a browser to connect or a VNC server
    waiting for a client connection. In order for the router to let a
    client request through to the server it needs to know not only that the
    connection is allowed, but also which device to forward it to, because
    as far as the WAN is concerned your LAN has only one IP address
    regardless of the number of devices you actually have connected with
    private addresses. On top of that, some services (e.g. some types of
    FTP) respond to a request by saying "go connect to port XYZ and I'll
    deal with you there" in which case the router also needs to know that
    this new connection is allowed and where to forward it.
     
    Rob Morley, Nov 10, 2008
    #2
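    To make the difference concrete, here is an added toy model (not code from the thread or from Netgear) of an ordered, first-match rule list with an optional connection-tracking table. The addresses, the VNC port (5900, VNC's default) and the rule set are assumed for illustration; with tracking on, the server's reply rides on the tracked inbound connection, with tracking off it falls through to the deny-all outgoing rule exactly as simon observed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = WAN->LAN, "out" = LAN->WAN
    proto: str
    wan_ip: str
    wan_port: int
    lan_ip: str
    lan_port: int

@dataclass(frozen=True)
class Rule:
    direction: str
    action: str            # "allow" or "deny"
    proto: str = "any"
    wan_ip: str = "any"    # remote address, "any" matches everything
    lan_port: int = 0      # LAN-side service port, 0 matches everything

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and self.proto in ("any", p.proto)
                and self.wan_ip in ("any", p.wan_ip)
                and self.lan_port in (0, p.lan_port))

class Firewall:
    def __init__(self, rules, stateful):
        self.rules, self.stateful, self.conns = rules, stateful, set()

    def filter(self, p: Packet) -> str:
        # The key ignores direction, so a reply maps onto the same entry
        key = (p.proto, p.wan_ip, p.wan_port, p.lan_ip, p.lan_port)
        if self.stateful and key in self.conns:
            return "allow"                  # belongs to a tracked connection
        for r in self.rules:                # ordered list, first match wins
            if r.matches(p):
                if r.action == "allow":
                    self.conns.add(key)     # start tracking this connection
                return r.action
        return "deny"                       # implicit default

WORK, PC = "203.0.113.10", "192.168.0.2"   # constructed addresses
RULES = [Rule("in", "allow", "tcp", lan_port=5900),  # forward VNC to the PC
         Rule("in", "deny"),                          # default inbound deny
         Rule("out", "deny")]                         # simon's deny-all outgoing

def vnc_session(stateful: bool) -> tuple:
    """Return (verdict for the inbound request, verdict for the server's reply)."""
    fw = Firewall(RULES, stateful)
    request = Packet("in", "tcp", WORK, 51000, PC, 5900)
    reply = Packet("out", "tcp", WORK, 51000, PC, 5900)
    return fw.filter(request), fw.filter(reply)
```

    A real stateful filter also expires entries and checks TCP flags; this model only shows why an ordered deny-all outgoing rule needs the state table to let replies out.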

  3. simon (Guest)

    Thanks for the reply, I think you missed my point though. I wanted to
    specifically allow outgoing services as required, but was not
    expecting that I would have to enable an outgoing rule to get an
    incoming VNC connection to work. I can see from the log that once
    vncserver receives a request, it connects back from the listening port
    to the remote address, which gets caught by the 'deny all' rule
    unless I put another rule in above it, to 'Allow all' for my work's IP
    address. So I guess this is how it'll have to be.
     
    simon, Nov 10, 2008
    #3
  4. Rob Morley (Guest)

    A service is listening for /incoming/ connections, so it's the incoming
    rules you need to modify.
    You don't - all outgoing connections are allowed by default.
    Are you sure the server isn't just listening on a different port once
    it's received a session request, and you need an additional incoming
    rule to forward that?
     
    Rob Morley, Nov 10, 2008
    #4
  5. simon (Guest)

    Yes... the log tells me that the reply from vncserver matches my
    'Deny any (all)' rule.
     
    simon, Nov 11, 2008
    #5
  6. simon (Guest)

    I decided just to put in a global 'allow all to this IP'. I will have
    to add in all the IPs for my company's various internet connections,
    as required I guess.
    So you agree with me that the Netgear is apparently not doing 'proper'
    Stateful Packet Inspection? I might try the latest firmware, perhaps
    this will fix it?
     
    simon, Nov 11, 2008
    #6
  7. Rob Morley (Guest)

    On which port?
     
    Rob Morley, Nov 11, 2008
    #7
  8. simon (Guest)

    (The same as the one it's listening on) and the destination port
    seems to change.
     
    simon, Nov 11, 2008
    #8