cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3408
Views
0
Helpful
11
Replies

RVS4000 PASV/Ephemeral Ports

capaho896
Level 1
Level 1

If I have the IP ACL firewall enabled in my RVS4000 I have trouble connecting to specific websites and also connecting to Apple's update servers.  The problem appears to be that the firewall is blocking incoming data to the ephemeral ports even when they are allowed in the firewall rules.  I've also tried port forwarding rules but the only thing that resolves the problem is to disable the firewall entirely, which is not the desired resolution.  The firmware version is 2.0.27.  Any ideas on how to resolve this problem?

11 Replies 11

rmanthey
Level 4
Level 4

Hello capaho896,

You might have to do a packet capture to see exacly the ports that are needed with the firewall off. Then setup the port forward and it should work. If that dosn't help you might need to call into the support line at 1866-606-1866

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Replies to outgoing HTTP requests are coming back in to the 51000-53999 port range generally, but allowing that port range in the IP ACL firewall and using port forwarding has not resolved the problem.  State filtering would probably resolve the problem but there is no way to set a rule for that using the web admin utility.

Interestingly enough, if I allow that port range in the first rule of the IP ACL list, it seems to work, but if I put it farther down the list it doesn't.  That might indicate a bug or other problem with the ACL configuration in the RVS4000 that would need to be fixed with a firmware update.

The order of the ACL may have everything to do with your issue but may not be a bug in the software. You will not be able to create a rule for your Ephemeral ports as they are used dynamically. The rule to allow Ephemeral ports would basically be "Firewall off". If possible post your ACL (protecting your real IPs) as the problem may be there. Need to take a good look at your "Deny" rules to make sure you are not denying more than you intended. Also note that destination port never changes but source will. In other words if you are trying to access a website from your computer, the destination will always be port 80. But the source port will be an Ephemeral port as you noted. The range can be typically anywhere between 1025 - 65535. Depending on the OS, the range can vary a bit, which is why it would not be possible to effectively create a rule using those ports.

Your rules should look something like this:

allow destination port <80>

allow destination port <5900>

allow destination port <53>

....

deny

The above example will lock down your network to only the services you specified and everything else will be denied. Note that this denies YOUR hosts from accessing services, this will not prevent an OUTSIDE host accessing a mail server INSIDE your network; for example. That rule would be created as a port forward rule and you should never try to duplicate port forward rules with firewall rules. The RVS4000 does not like that.

Hope that helps

You can add active state rules to iptables in Linux and ipfw in UNIX/OS X, but there is no provision for this in the RVS4000.  Ephermal ports should not normally be left open by default, and the firewall should allow them dynamically when the outgoing packet specifies an epehemeral port for the response.  Might it be possible to add an active state rule via a terminal command?  It isn't using the web admin interface.  This router is not worth the money I spent on it if I have to disable the firewall to get it to work the way I need it to.

Sounds like you are trying to block inbound traffic as well as outbound traffic. If that is the case are you not able to deny services all together, such ssh on 22, telnet on 23 and so on? Keep in mind that this is a Small Business router and the granularity you may be looking for is just not there. All the Ephemeral ports are closed from the WAN by default which has no bearing on an internal host accessing Apple Update servers. This is because the router is doing both PAT and NAT which keeps track of all the conversations.

Hopefully someone else more intimate with the RVS will join in. Sorry I was not able to assit.

< clarified="" wording="">

Message was edited by: Alejandro Gallego

I have the firewall set to allow inbound traffic on ports where services are running and block all other inbound traffic.  I'm not filtering outbound traffic.  It seems to be working as expected except for outbound requests initiated by the server to some specific sites, like apple.com, ripe.net and a few others.  Apple uses a large colocation network provided by Akamai, so the IP addresses vary.

The strange thing is, if I allow traffic on the ephemeral ports or even set the first rule in the IP ACL list to allow all traffic, the problem continues.  The only thing that resolves the problem is to disable the firewall entirely.  The problem seems to occur if the firewall is enabled regardless of the actual rules in the list.

One thing to make sure on the RVS, is to not set a port foward rule and then set and "allow" rule for the same port. The software gets confused and the behavior you are describing is not uncommon.

So if you have port 80 forwarded to a server, there is no need to set an allow rule for port 80. If you only want to allow a single or range of IPs to access your web server then create two rules. One should be your "allow port 80 " the very next one should be the "deny port 80 any any". Aside from this, I do not know what else to try.

Using port forwarding rather than the firewall is an alternative that seems to be working.  It appears to restrict traffic to only the ports that are forwarded.  Forwarding the ephemeral ports works whereas allowing them in the firewall doesn't.  Even the DMZ doesn't work if the firewall is enabled.  I'll leave it like this for the next 24 hours or so and see how it goes.

After much time, effort and frustration I can only conclude that the RVS4000 firmware is AFU.  Disabling the firewall in the Basic Settings does not disable it.  The only thing that disables it is to select Disable All Rules in the IP ACL list.  When the rules are enabled, the firewall doesn't filter as expected.  Attempting to edit a rule always results in an "illegal character" error message when no illegal characters are present. 

Using port forwarding rather than the firewall doesn't appear to have any actual usefulness, either.  All traffic gets passed to the downstream device regardless of the settings.

This router simply doesn't perform as I expect a Cisco router to perform.  It looks like I have no option other than to replace it with a router that can actually do what I need.  It's a pity that I wasted my money on this one.

Hello,

When the Apple/Ripe server sends traffic towards the RVS, is it a TCP SYN packet or is it just a response/data with PSH flag set?

Regards,

Nagaraja

I'm not sure what's happening exactly.  I see established tcp connections to the remote host I originally connect to when I run netstat on the server, but nothing reaches the server if the remote host responds from a different host name or responds from port 443 to a request that was sent to port 80.  If I check IP Conntrak or the firewall log on the RVS4000 I don't see anything that indicates what is getting dropped or where.

I should note that the server has four IP addresses.  I didn't realize that the RVS4000 couldn't do NAT when I bought it (surprising for a Cisco router), so I have it configured like this:

Internet <--> RVS4000 <--> NAT router <--> server

I don't think it's a NAT problem, though, because the problem only occurs if the RVS4000 firewall rules are enabled.  If the RVS4000 firewall rules are disabled the problem does not occur.  If it were a NAT problem I would expect the problem to occur in any case.

I've also tried disabling DoS protection and IPS on the RVS 4000, but those settings have no effect on the problem.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: