cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
732
Views
0
Helpful
4
Replies

ACL on inside LAN - to allow only reply to outside interface request

JATINDER KUMAR
Beginner
Beginner

dear friends..

i want suggestions on best practice... i am doubting that my internal network has some virus or trozen .. and from my router all traffic is allowed from inside to outside .. and from outside only couple of ports and established connections ..

my requirement is .. i want to take out the possibility of my router sending the garbage out to wan link which is actually blocking my link .. what is the best way to do the same... plz advise.. how you guys do in your environment... can we only allow the reply to my ports which i have allowed on my outside wan port.. so at least i will be sure that no etra traffic is going out. please advise.

4 Replies 4

Nandan Mathure
Beginner
Beginner

I am not too sure if it is really scalable to keep blocking ports. I would recommend a filter device inline with the router which could be scanning the traffic all the time or some inline cards.  You can also check open source solutions like untangle.

Also lets see what other think..

Thanks,

Nandan.

hey nandan now sure if u understood my requirement .. i know this is possible with router.. not getting idea how .. any idea from team ..../

plz advise

Hi,

The thing is that the trojan is initiating the traffic from inside , so there is no real use to filter the traffic from the outside to inside. A good think will be to restrict the users to some well known destination ports to the internet : tcp 80 , tcp 443 , tcp 21/20. A better way to offer internet access to the users is Proxy -  you can inspect and restrict the user access.

Dan

hi DAN .. as such i dont have much frm inside to send to outside ... the way my setup is .. i have two rewuirements..

1. exchage .. so ppl connect from outside ... so on, outside port i allowed 443/25 and dns

2. ppl RDP to public ip which are on inside LAN ..

now my requiremnt is no to allow any thing from inside interface to send to outside WAN .. so doing this .. will atleast give me some confidence that the traffic which is gooing out is correct .. any suggestions

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers