How to Block Ports(1)

8/13/2019 How to Block Ports(1)

SonicOS How to Block Ports

Introduction

This technote will show users how to block specific ports with the SonicWALL. A lot of traffic on the Internet operates on well-known or static ports. Well-known ports are ports which have numbers that are pre-assigned (http://www.iana.org/assignments/port-numbers) to them by the Internet Assigned Numbers Authority (IANA). Some examples would be SSH (TCP port 22), tftp (UDP port 69), and http (TCP port 80). Ports are blocked to stop certain types of traffic (e.g. SSH, http, or tftp) from passing through the firewall. This is useful to network administrators who want to disallow specific types of traffic on their network, such as Secure Shell (SSH) TCP port 22. Also, the ability to block ports is important to help stop the spread of viruses if your network is infected. Users can block ports between any two interfaces. LAN to WAN, LAN to DMZ, and LAN to VPN are the most common interfaces to block ports between. Some traffic on the Internet can operate on dynamic ports (e.g. Instant Messaging Applications). In this case, SonicWALL offers the Intrusion Prevention Service (IPS) in SonicOS 2.2 and above, which can be used to detect or block many types of traffic that use dynamic ports.

Recommended Versions

SonicOS Enhanced 2.0.1.5 or newer

Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com . Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.

Caveats

SonicWALL blocks all ports/traffic from WAN to LAN, and DMZ to LAN by default. Note, this applies to traffic that is initiated from the WAN or DMZ. Traffic that is initiated from the LAN will be validated and allowed by the stateful inspection engine. SonicWALL allows all ports/traffic from LAN to WAN, LAN to VPN, and LAN to DMZ by default.

Sample Diagram

Definitions

User Datagram Protocol (UDP) - a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. UDP is used primarily for multimedia and streaming applications, and broadcasting messages over a network.

Transport Control Protocol (TCP) - enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

Deny vs. Discard

When creating a rule SonicWALL gives you the option to allow, deny, or discard the packet. Denying packets blocks the packet from going through the firewall, but also sends a packet back to the sending device notifying the sender that the packet was not allowed access through the SonicWALL. Discarding packets blackholes the packet. This means the packet is silently discarded by the firewall, and a notification message is not sent.

Before You Begin

Assuming the service you are blocking is not one of the predefined SonicWALL services, you will need to know the following:

1. Protocol Type (UDP or TCP) of the traffic you want to block. (e.g. http traffic would be TCP)
2. Port Number of the traffic you want to block. (e.g. http traffic would be port 80)

You need to determine the interfaces you want to block the traffic between. (e.g. LAN to WAN)

Setup Steps

Example #1: Configure Port Blocking from LAN to VPN tunnel with a predefined service (FTP)

Select Firewall Access Rules

Select the LAN to VPN edit icon. See below

Click Add

Select Deny as the Action
Select FTP as the Service
Select Source (e.g. LAN Subnets or any LAN address object of your choice)
Select Destination (e.g. tz170lan, the destination network of the other side of the VPN tunnel)
Click OK

Enter Name (e.g. DCOM RPC)
Enter Port Range (e.g. 135 - 135)
Enter Protocol (e.g. TCP(6))
Click OK

Click Add in the Services Section (See Page 5)
Enter Name (e.g. Blaster)
Enter Port Range (e.g. 4444 - 4444)
Enter Protocol (e.g. TCP(6))
Click OK

Click Add Group on the Access Rules Screen

Enter Name: (e.g. Blaster Virus)
Select Blaster from the list on the left, Click the right arrow
Select DCOM RPC from the list on the left, Click the right arrow
Select TFTP from the list on the left, Click the right arrow
Click OK

Select Firewall Access Rules
Select the LAN to WAN edit icon. See below

Click Add

Select Action (e.g. Deny)
Select Service (e.g. Blaster Virus)
Select Source (e.g. LAN Subnets)
Select Destination (e.g. Any)
Click OK

Verify that the rule just created has a higher priority than the default rule for LAN to WAN

Testing/Troubleshooting

Try to initiate traffic on the port you blocked to the interface (WAN, DMZ, LAN, VPN) where it is blocked.

To test Example #1, try to initiate an ftp session from the LAN side of the firewall over the VPN tunnel. It should fail. Disable the ftp rule; you should now be able to initiate an ftp session to the ftp server.

Verify you have the correct type of traffic blocked.
Verify you are blocking it between the right interfaces.
If you have problems with self-created services, verify that you have the correct type of traffic (TCP/UDP), and that you have the correct port number.
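To make the rule behaviour behind Examples #1 and #2 and the tests above concrete, here is an added Python model (not SonicWALL code; the class names, the 192.168.168.0/24 LAN subnet and all addresses are constructed): services with a protocol and port range, a service group, rules evaluated top-down so that a deny placed below the default LAN to WAN allow never fires, a wrong protocol type (TCP instead of UDP for TFTP) silently failing to match, and deny versus discard.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed model of the access-rule behaviour this technote describes: services
# with a protocol and port range, service groups, rules matched top-down per zone
# pair, and deny (sender notified) vs. discard (silent). Not SonicWALL code.

@dataclass(frozen=True)
class Service:
    name: str
    proto: str   # "TCP" or "UDP"
    lo: int      # inclusive port range, e.g. 135-135
    hi: int

    def matches(self, proto, port):
        return proto == self.proto and self.lo <= port <= self.hi

@dataclass
class Rule:
    action: str       # "allow", "deny" or "discard"
    services: tuple   # service group; () means any service
    src: str          # CIDR or "any"
    dst: str
    enabled: bool = True

    def matches(self, proto, port, src_ip, dst_ip):
        svc = not self.services or any(s.matches(proto, port) for s in self.services)
        return self.enabled and svc and in_net(src_ip, self.src) and in_net(dst_ip, self.dst)

def in_net(ip, net):
    return net == "any" or ip_address(ip) in ip_network(net)

def evaluate(rules, proto, port, src_ip, dst_ip):
    """First matching rule wins. Returns (action, sender_is_notified)."""
    for r in rules:
        if r.matches(proto, port, src_ip, dst_ip):
            return r.action, r.action == "deny"
    return "discard", False   # nothing matched: block it

# Example #2: the three custom services grouped as "Blaster Virus"
BLASTER_VIRUS = (Service("DCOM RPC", "TCP", 135, 135),
                 Service("Blaster", "TCP", 4444, 4444),
                 Service("TFTP", "UDP", 69, 69))
LAN_TO_WAN_DEFAULT = Rule("allow", (), "any", "any")   # SonicWALL allows LAN->WAN by default
BLOCK_BLASTER = Rule("deny", BLASTER_VIRUS, "192.168.168.0/24", "any")  # constructed LAN subnet

def lan_to_wan(proto, port, above_default=True):
    """Packet from a constructed LAN host to a WAN host, with the deny rule above or below the default."""
    rules = [BLOCK_BLASTER, LAN_TO_WAN_DEFAULT] if above_default else [LAN_TO_WAN_DEFAULT, BLOCK_BLASTER]
    return evaluate(rules, proto, port, "192.168.168.10", "203.0.113.5")
```

Calling `lan_to_wan("TCP", 4444, above_default=False)` returns an allow, which is the misordering the last step of Example #2 tells you to check for.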

Created: 04/19/2004
Updated: 06/16/2008
Version 1.1