OPEN Just one port

firewall

#1

Hi all,

I'm trying to open a web service through the firewall, but the port always stays blocked with rule 4.
For the moment the firewall is bypassed.

set firewall name FROM-INTERNET default-action 'accept'
set firewall name FROM-INTERNET description 'TRAFIC-FROM-INTERNET'
set firewall name FROM-INTERNET 'enable-default-log'
set firewall name FROM-INTERNET rule 1 action 'accept'
set firewall name FROM-INTERNET rule 1 description 'AUTHORIZED-IP'
set firewall name FROM-INTERNET rule 1 log 'disable'
set firewall name FROM-INTERNET rule 1 source group address-group 'VIAPASS-ADDRESS'
set firewall name FROM-INTERNET rule 2 action 'drop'
set firewall name FROM-INTERNET rule 2 description 'BLOCK-SCAN-PORT'
set firewall name FROM-INTERNET rule 2 'destination'
set firewall name FROM-INTERNET rule 2 'disable'
set firewall name FROM-INTERNET rule 2 protocol 'tcp_udp'
set firewall name FROM-INTERNET rule 2 'source'
set firewall name FROM-INTERNET rule 2 'state'
set firewall name FROM-INTERNET rule 2 'tcp'
set firewall name FROM-INTERNET rule 3 action 'accept'
set firewall name FROM-INTERNET rule 3 state established 'enable'
set firewall name FROM-INTERNET rule 3 state invalid 'enable'
set firewall name FROM-INTERNET rule 3 state related 'enable'
set firewall name FROM-INTERNET rule 4 action 'accept'
set firewall name FROM-INTERNET rule 4 description 'OPEN-8088-FOR-EVERYBODY'
set firewall name FROM-INTERNET rule 4 destination address 'PUBLIC IP VIRTUAL ROUTER'
set firewall name FROM-INTERNET rule 4 destination port '8088'
set firewall name FROM-INTERNET rule 4 protocol 'tcp_udp'
set firewall name FROM-INTERNET rule 4 source address '0.0.0.0/0'
set firewall name FROM-INTERNET rule 4 state new 'enable'

Who can help me?

Thanks in advance.


#2

For your firewall rule, you need to reference the destination as the PRIVATE IP of the server. Not the public IP on the router.


#3

Great, I will modify my configuration.
Thanks


#4

The new configuration, same problem:

Like this:

set firewall name FROM-INTERNET rule 4 action 'accept'
set firewall name FROM-INTERNET rule 4 description 'OPEN-8088-FOR-EVERYBODY'
set firewall name FROM-INTERNET rule 4 destination address '192.168.156.14'
set firewall name FROM-INTERNET rule 4 destination port '8088'
set firewall name FROM-INTERNET rule 4 protocol 'tcp_udp'

And a second test with the source address:

set firewall name FROM-INTERNET rule 4 action 'accept'
set firewall name FROM-INTERNET rule 4 description 'OPEN-8088-FOR-EVERYBODY'
set firewall name FROM-INTERNET rule 4 destination address '192.168.156.14'
set firewall name FROM-INTERNET rule 4 destination port '8088'
set firewall name FROM-INTERNET rule 4 protocol 'tcp_udp'
set firewall name FROM-INTERNET rule 4 source address '0.0.0.0/0'

And the same with the state "new".


#5

Oh, have you created the required NAT rules?


#6

Yes, the web service on 8088 is available for the authorized IPs, but I cannot authorize it for everyone, just this port.


#7

Really strange. Have you made a similar config?


#8

Sorry. I'm really confused now. Can you please re-explain what you're wanting to do?

Do you want to open port 8088 to everyone? Or do you have a list of IP addresses that you want to have allowed access to it? If it is this, then you'll simply need to maintain a list of IP addresses, and then add them to your firewall as an address group.

You can PM me if you like.


#9

Behind my router I have some VMs which provide web services. All access (web, SSH, ...) is filtered by public IP thanks to the firewall. Among these VMs I have one VM where I forward port 80 as port 8088, and this one needs to be available for everybody.


#10

Seriously, I'm really stupid, it's logical:

If I have to configure the destination address with the LAN IP, I need to put the local port and not the forwarded port.

So now the good configuration, which works :slightly_smiling_face:

set firewall name FROM-INTERNET rule 4 action 'accept'
set firewall name FROM-INTERNET rule 4 description 'OPEN-8088-FOR-EVERYBODY'
set firewall name FROM-INTERNET rule 4 destination address 'LAN IP SERVER'
set firewall name FROM-INTERNET rule 4 destination port '80'
set firewall name FROM-INTERNET rule 4 protocol 'tcp'
set firewall name FROM-INTERNET rule 4 state new 'enable'

Thanks for your help, dtakeshi.


#11

Shucks! I'm glad it all worked out! And yep, it is.

I was assuming your internal server was running in 8088 as well.

Yup, key thing to remember is that inbound firewall rules need to be in relation to your NAT destination.

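Added example, not code from this thread or from the router's own software: a small Python model of the order of operations dtakeshi describes, in which DNAT rewrites the destination before the inbound filter sees the packet, so a rule keyed on the public IP or the forwarded port never matches. The addresses, the DNAT mapping and the 'drop' default (what the rule set is meant to do once the firewall is no longer bypassed) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values: router public IP, the VM behind it, and one authorised host.
PUBLIC_IP, VM_IP, VIAPASS = "203.0.113.10", "192.168.156.14", "198.51.100.7"
# The port forward from the thread: public 8088 -> VM port 80.
DNAT = {(PUBLIC_IP, 8088): (VM_IP, 80)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    state: str   # "new", "established", "related", "invalid"

@dataclass(frozen=True)
class Rule:
    action: str
    src_addr: Optional[frozenset] = None   # None = any source
    dst_addr: Optional[str] = None         # None = any destination
    dst_port: Optional[int] = None         # None = any port
    proto: Optional[str] = None            # "tcp", "udp", "tcp_udp" or None
    states: Optional[frozenset] = None     # None = any connection state

    def matches(self, p: Packet) -> bool:
        return all([
            self.src_addr is None or p.src in self.src_addr,
            self.dst_addr is None or p.dst == self.dst_addr,
            self.dst_port is None or p.dport == self.dst_port,
            self.proto in (None, p.proto, "tcp_udp"),
            self.states is None or p.state in self.states,
        ])

def apply_dnat(p: Packet) -> Packet:
    """DNAT runs in PREROUTING, so the FROM-INTERNET filter sees the translated dst."""
    ip, port = DNAT.get((p.dst, p.dport), (p.dst, p.dport))
    return Packet(p.src, ip, port, p.proto, p.state)

def verdict(rule4: Rule, p: Packet) -> str:
    """First matching rule wins; default-action assumed 'drop' (rule 2 is disabled)."""
    rules = [
        Rule("accept", src_addr=frozenset({VIAPASS})),                  # rule 1 AUTHORIZED-IP
        Rule("accept", states=frozenset({"established", "related"})),   # rule 3 (minus 'invalid')
        rule4,
    ]
    post = apply_dnat(p)
    return next((r.action for r in rules if r.matches(post)), "drop")

# The three rule-4 variants tried in the thread, in order, and a constructed unauthorised client.
RULE4_PUBLIC_8088 = Rule("accept", dst_addr=PUBLIC_IP, dst_port=8088, proto="tcp_udp", states=frozenset({"new"}))
RULE4_VM_8088 = Rule("accept", dst_addr=VM_IP, dst_port=8088, proto="tcp_udp")
RULE4_VM_80 = Rule("accept", dst_addr=VM_IP, dst_port=80, proto="tcp", states=frozenset({"new"}))
INTERNET_SYN = Packet("192.0.2.55", PUBLIC_IP, 8088, "tcp", "new")
```

Only the last variant accepts the SYN, because after DNAT the packet is addressed to the VM on port 80; the authorised host is accepted by rule 1 whichever variant is installed.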

#12

Maybe you can help me with my other security questions...

