Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless
Firmware/Software Version: All SonicOS Enhanced versions.
Services: Firewall Access Rules
This technote shows how to block specific ports with the SonicWALL. A lot of traffic on the Internet uses well-known or static ports. Well-known ports are ports whose numbers have been pre-assigned (http://www.iana.org/assignments/port-numbers) by the Internet Assigned Numbers Authority (IANA). Some examples are SSH (TCP port 22), TFTP (UDP port 69), and HTTP (TCP port 80). Ports are blocked to stop certain types of traffic (e.g. SSH, HTTP, or TFTP) from passing through the firewall.
This is useful to network administrators who want to disallow specific types of traffic on their network, such as Secure Shell (SSH) on TCP port 22. The ability to block ports is also important for containing the spread of worms and viruses if your network is infected. Ports can be blocked between any two zones; LAN to WAN, LAN to DMZ, and LAN to VPN are the most common zone pairs to block between. Note that a port-based rule only controls traffic that actually crosses the firewall: hosts on the same LAN segment talk to each other without passing through it. Some Internet traffic uses dynamic ports (e.g. instant messaging applications) and cannot be caught by a fixed port number; for that case SonicWALL offers the Intrusion Prevention Service (IPS), which can detect or block many types of traffic that use dynamic ports.
Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.
- SonicWALL blocks all ports/traffic from WAN to LAN, and from DMZ to LAN, by default. Note that this applies to sessions initiated from the WAN or DMZ; the return traffic of sessions initiated from the LAN is recognized by the stateful inspection engine and allowed.
- SonicWALL allows all ports/traffic from LAN to WAN, LAN to VPN, and LAN to DMZ by default. This is why blocking outbound traffic requires an explicit Deny or Discard rule placed at a higher priority than that default Allow rule.
- User Datagram Protocol (UDP) - a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. UDP is used primarily for multimedia and streaming applications, and broadcasting messages over a network.
- Transmission Control Protocol (TCP) - enables two hosts to establish a connection and exchange streams of data. TCP provides reliable delivery and guarantees that data is delivered in the same order in which it was sent.
- Deny vs. Discard – When creating a rule, SonicWALL gives you the option to Allow, Deny, or Discard the packet. Deny blocks the packet and also sends a rejection back to the sender (a TCP reset for TCP, an ICMP unreachable message for UDP), so the sending application fails immediately. Discard blackholes the packet: it is silently dropped by the firewall and no notification is sent. Deny is friendlier to legitimate clients on your LAN, which fail fast instead of waiting for a timeout; Discard reveals less to anything probing through the firewall, since a blocked port looks the same as a port on a host that is not there.
Before You Begin
- Assuming the service you are blocking is not one of the predefined SonicWALL services, you will need to know the following:
1. Protocol Type (UDP or TCP) of the traffic you want to block. (e.g. http traffic would be TCP)
2. Port Number of the traffic you want to block. (e.g. http traffic would be port 80)
- You need to determine the zones you want to block the traffic between (e.g. LAN to WAN).
Example #1: Configure Port Blocking from LAN to WAN with a predefined service (FTP).
TIP: The following procedure also applies to blocking traffic from LAN zone to any other zone (e.g. LAN to VPN, LAN to DMZ, etc).
Step 1: Login to the SonicWALL Management Interface
Step 2: Select Firewall > Access Rules.
Step 3: Select the LAN to WAN (or LAN to VPN) edit icon. See below
Step 4: Click Add
Step 5: Select Deny as the Action.
Step 6: Select FTP as the Service
Step 7: Select Source (e.g. LAN Subnets or any LAN address object of your choice)
Step 8: Select Destination (Select Any or create an Address Object if you want to specify a Server's address)
See Also: Refer to KBID 7486 for more information about Address Objects.
Step 9: Click Add and close the window.
Step 10: Verify that the rule just created has a higher priority than the default rule for LAN to WAN.
See Also: Refer to KBID 3716 for more information about Priority settings.
Example #2: Configure Port Blocking from LAN to WAN with an undefined service: This example shows how to keep the W32.Blaster Worm http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html from spreading out of your network. The worm exploits the RPC DCOM service on TCP 135, opens a remote shell on TCP 4444, and then uses TFTP (UDP 69) to copy itself to the new victim, so UDP 69 (TFTP), TCP 135 (DCOM RPC) and TCP 4444 will all be blocked. TFTP is a predefined service; the other two must be created first.
Step 1: Login to SonicWALL Management Interface
Step 2: Select Firewall > Services
Step 3: Scroll to the bottom and Click Add in the Services Section
- Enter Name (e.g. DCOM RPC)
- Enter Port Range (e.g. 135 - 135)
- Enter Protocol (e.g. TCP(6))
- Click OK
Step 4: Click Add and create a similar Service for TCP port 4444.
- Enter Name (e.g. Blaster)
- Enter Port Range (e.g. 4444 - 4444)
- Enter Protocol (e.g. TCP(6))
- Click OK
Step 5: Scroll to the Service Groups section (still on the Firewall > Services screen) and click Add Group
- Enter Name: (e.g. Blaster Virus)
- Select Blaster from the list on the left, Click the right arrow
- Select DCOM RPC from the list on the left, Click the right arrow
- Select TFTP from the list on the left, Click the right arrow
- Click OK
Step 6: Select Firewall > Access Rules
Step 7: Select the LAN to WAN edit icon. See below
- Click Add
- Select Action (e.g. Deny)
- Select Service (e.g. Blaster Virus)
- Select Source (e.g. LAN Subnets)
- Select Destination (e.g. Any)
- Click OK
Step 8: Verify that the rule just created has a higher priority than the default rule for LAN to WAN
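The following is an added illustration, not SonicWALL code and not a description of how SonicOS implements its rule engine: a small first-match evaluator over a LAN to WAN rule list, to show concretely what Step 8 above (and Step 10 of Example #1) protect against. It assumes rules are evaluated top-down with the first match winning, that the factory default LAN to WAN rule is Allow / Any service / LAN Subnets to Any, and uses 192.168.168.0/24 and 203.0.113.5 as constructed sample addresses.

```python
"""
Added illustration (not SonicOS code): a first-match evaluator for one zone
pair's rule list, showing why the Deny rule from Example #1 / Example #2 has
to sit above the default LAN to WAN Allow rule. Sample addresses are assumed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Service:
    """One protocol/port-range entry, as created under Firewall > Services."""
    proto: str   # "tcp" or "udp"
    lo: int      # first port of the range
    hi: int      # last port of the range, inclusive

    def covers(self, proto, port):
        return proto == self.proto and self.lo <= port <= self.hi


# Service objects from the examples. A service group is simply the union of
# its members' entries (what "Blaster Virus" is after Step 5 of Example #2).
SERVICES = {
    "FTP":      [Service("tcp", 21, 21)],
    "TFTP":     [Service("udp", 69, 69)],
    "DCOM RPC": [Service("tcp", 135, 135)],
    "Blaster":  [Service("tcp", 4444, 4444)],
}
SERVICES["Blaster Virus"] = SERVICES["TFTP"] + SERVICES["DCOM RPC"] + SERVICES["Blaster"]

# Address objects. 192.168.168.0/24 is an assumed sample LAN subnet.
ADDRESSES = {
    "LAN Subnets": [ipaddress.ip_network("192.168.168.0/24")],
    "Any":         [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    action: str       # "allow", "deny" or "discard"
    service: str      # key in SERVICES, or "Any"
    source: str       # key in ADDRESSES
    destination: str  # key in ADDRESSES

    def matches(self, src, dst, proto, dport):
        src_ok = any(ipaddress.ip_address(src) in net for net in ADDRESSES[self.source])
        dst_ok = any(ipaddress.ip_address(dst) in net for net in ADDRESSES[self.destination])
        svc_ok = self.service == "Any" or any(
            entry.covers(proto, dport) for entry in SERVICES[self.service])
        return src_ok and dst_ok and svc_ok


def evaluate(rules, src, dst, proto, dport):
    """Walk the list in priority order (index 0 = highest priority); the first
    matching rule decides. With no match at all the packet is dropped, which
    this model reports as "discard"."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "discard"


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule with an Any service
    and the same or wider source/destination already matches everything they
    would. This is the check behind 'verify the rule has a higher priority
    than the default rule'."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.service == "Any"
                    and earlier.source in ("Any", rule.source)
                    and earlier.destination in ("Any", rule.destination)):
                shadowed.append(rule)
                break
    return shadowed


DEFAULT_LAN_TO_WAN = Rule("allow", "Any", "LAN Subnets", "Any")    # factory default
DENY_FTP = Rule("deny", "FTP", "LAN Subnets", "Any")                # Example #1
DENY_BLASTER = Rule("deny", "Blaster Virus", "LAN Subnets", "Any")  # Example #2

# Wrong: the new rule landed below the default Allow, so it is dead.
RULES_WRONG_ORDER = [DEFAULT_LAN_TO_WAN, DENY_BLASTER]
# Right: Deny rules first, default Allow last (Step 10 / Step 8).
RULES_RIGHT_ORDER = [DENY_FTP, DENY_BLASTER, DEFAULT_LAN_TO_WAN]


if __name__ == "__main__":
    lan_host, wan_host = "192.168.168.10", "203.0.113.5"   # assumed sample addresses
    for name, rules in (("wrong order", RULES_WRONG_ORDER), ("right order", RULES_RIGHT_ORDER)):
        print(name, "TCP/135 ->", evaluate(rules, lan_host, wan_host, "tcp", 135),
              "| shadowed:", [r.service for r in shadowed_rules(rules)])
```

With the Deny rule below the default Allow, TCP 135 from the LAN is still allowed and the Deny rule is reported as shadowed; with the order corrected, TCP 135, TCP 4444, UDP 69 and FTP are denied while everything else (for example TCP 80) still passes. Note that UDP 135 is not matched, which is the troubleshooting point about choosing the right protocol when creating a service.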
- To test, initiate traffic on the blocked port from a host in the source zone toward the zone where it is blocked (WAN, DMZ, or VPN).
- To test Example #1, try to open an FTP session from a host on the LAN side of the firewall to an FTP server on the WAN (or across the VPN tunnel, if you applied the rule to LAN to VPN). It should fail. Disable the FTP rule; you should now be able to open an FTP session to the same server. Re-enable the rule when you are done.
- Verify you have the correct type of traffic blocked.
- Verify you are blocking it between the right zones.
- If you have problems with self-created services, verify that you selected the correct protocol (TCP or UDP) and entered the correct port number; a service defined as TCP 69 will not match TFTP, which is UDP.
- Confirm the new rule is above (has a higher priority than) the default rule for the zone pair, and that logging is enabled on the rule so the blocked attempts appear in Log > View.
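The following is an added verification script, not part of the original technote and not SonicWALL software, that performs the test above from a host behind the firewall and reports whether a blocked port behaves like a Deny rule (active rejection) or a Discard rule (silent drop), as described under Deny vs. Discard. The WAN address in the usage comment, the TFTP request payload and the loopback demonstration are assumptions for illustration; run it against your own server addresses.

```python
"""
Added verification helper (not SonicWALL code): probe a TCP or UDP port from
a host behind the firewall and classify the answer the way the Deny/Discard
setting predicts. Addresses, ports and the sample payload are assumptions.

  open         TCP handshake completed, or a UDP reply came back
  denied       actively rejected: a TCP RST, or an ICMP unreachable for UDP,
               surfaces as ECONNREFUSED (what a Deny rule produces)
  discarded    nothing came back before the timeout (a Discard rule, or for
               UDP possibly a reachable service that simply did not answer)
  unreachable  the local stack could not route the packet at all
"""
import errno
import socket

# TFTP read request for the file "test" in octet mode: a realistic datagram
# to send at UDP/69, so a reachable TFTP server answers (DATA or ERROR).
TFTP_RRQ = b"\x00\x01" + b"test\x00" + b"octet\x00"

# The three Blaster ports from Example #2.
BLASTER_PORTS = [("udp", 69), ("tcp", 135), ("tcp", 4444)]


def classify_error(err):
    """Map the OSError a probe raised onto one of the result labels."""
    if isinstance(err, socket.timeout):
        return "discarded"
    # Windows reports an ICMP port unreachable on a UDP socket as a reset.
    if isinstance(err, (ConnectionRefusedError, ConnectionResetError)):
        return "denied"
    if err.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    raise err


def probe_tcp(host, port, timeout=3.0):
    """Attempt a full TCP connect; the handshake result is unambiguous."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except OSError as err:
            return classify_error(err)


def probe_udp(host, port, payload=TFTP_RRQ, timeout=3.0):
    """Send one datagram on a connected UDP socket and wait for a reply.
    Connecting the socket makes the kernel hand us any ICMP unreachable as
    an error on the recv, which is the Deny signature for UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(payload)
            s.recv(1500)
            return "open"
        except OSError as err:
            return classify_error(err)


def verify_blocks(host, targets=BLASTER_PORTS, timeout=3.0):
    """Probe every (proto, port) pair and return {(proto, port): result}.
    A correctly placed rule shows 'denied' (Deny) or 'discarded' (Discard)
    for each entry; 'open' means the rule is missing, sits below the default
    Allow rule, or was written for the wrong protocol or port."""
    results = {}
    for proto, port in targets:
        probe = probe_tcp if proto == "tcp" else probe_udp
        results[(proto, port)] = probe(host, port, timeout=timeout)
    return results


def local_tcp_listener():
    """Open a listener on a free loopback port (used for the offline demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration on loopback: a listening port reads as open; the
    # same port after the listener closes reads as denied (the host sends RST).
    srv, port = local_tcp_listener()
    print("listening port:", probe_tcp("127.0.0.1", port))
    srv.close()
    print("closed port:   ", probe_tcp("127.0.0.1", port))
    # Real use, from a LAN host, against a WAN server (address assumed):
    # print(verify_blocks("203.0.113.5"))
```

Run it from a LAN host against a server on the far side of the firewall before and after enabling the rule. A TCP result is conclusive; for UDP, "discarded" can also mean the service exists but did not reply, so compare against the rule-disabled run before concluding a Discard rule is in effect.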