Hello,

 

ZBF is a zone based concept. You assign a port or an IP address (or a VLAN) to a zone, that zone interacts with other zones and hence provides filtering and security. That is the most rudimentary explanation. I have added a simple ZBF to your configuration (ZBF related parts in bold), with just two zones, INSIDE (your LAN hosts) and OUTSIDE (the WAN facing dialer interface). All traffic from the inside zone to the outside zone is allowed, and ICMP to your inside is allowed from the outside. You can of course customize this as you wish. The entire concept is based on what CBAC formerly did, which is to only allow traffic that originated from inside your network, effectively blocking traffic (and threats) from the outside.

 

Current configuration : 2214 bytes
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_TO_INSIDE_POLICY
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
description TP-Link
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.x.x y.y.y.y
ip nat inside
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1460
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname {username}
ppp chap password 0 {password}
ppp pap sent-username {username) password 0 {password}
ppp ipcp route default
zone-member security OUTSIDE
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!

ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
access-list 1 permit 192.168.x.x
!
ip access-list extended INSIDE_TO_OUTSIDE
 permit 192.168.x.x y.y.y.y any
!
ip access-list extended OUTSIDE_TO_INSIDE
 permit icmp any 192.168.x.x y.y.y.y

!
class-map type inspect match-all INSIDE_TO_OUTSIDE_CLASS
 match access-group name INSIDE_TO_OUTSIDE
!
class-map type inspect match-all OUTSIDE_TO_INSIDE_CLASS
 match access-group name OUTSIDE_TO_INSIDE
!
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect INSIDE_TO_OUTSIDE_CLASS
  inspect
 class class-default
  drop log
!
policy-map type inspect OUTSIDE_TO_INSIDE_POLICY
 class type inspect OUTSIDE_TO_INSIDE_CLASS
  pass
 class class-default
  drop log
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

Awesome. I can’t thank you enough... I will go over all of this tonight when I get off of work. As you said I can shuffle around the settings as needed and will also have to change the 192.168.x.x format to my Static configuration.
Can’t wait to go over this.

Before I get ahead of myself, I wanted to update what my Current Running Config was to make sure I was on the right path. For some reason I am confused/unsure about the lack of information my router has on my 5 [usable] IP Addresses outside of the 3 [Network/Internal] IP Addresses that are in the Router. Would it not be better to associate specific IP's from the Block to designated interfaces (GigabitEthernet 3-7).

I just don't want any loopholes in my config.

 

interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PPPoE xDSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
ip address 207.108.121.182 255.255.255.248
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <username>
ppp chap password 0 <password>
ppp pap sent-username <username> password 0 <password>
ppp ipcp route default
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
access-list 1 permit 207.101.121.182
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!

Also, I just got the CCP 2.8 but am so accustomed to terminal based.. Should I steer clear of CCP for now and just focus on manual config?

Hello,

 

CCP or CLI is a matter of personal preference, whatever you are comfortable with is what you should go with. 

 

That said, the block of IP addresses you have, 207.108.121.180/29, is I assume a block of public IP addresses. What IP address is your Dialer interface getting ? If all you use are the public IP addresses, you would in theory not even need any of the NAT stuff.

Ah so I suppose it’s like XWindows in Linux... Which I don’t use.

 

alright... so the Dialer..[router?] is indeed getting the first ip/ the designated Gateway IP from my ISP. Being that I am indeed not using a Dynamic system and am manually inputting the Static IP’s onto my 2 different Linux Box and 1 to my Wireless Router (for home and which hands out LAN ips 192.168.x.x) then I suppose it’s true that my 891 has no purpose beyond being the Gateway for my IP’s.

 

Which then again causes me to beat a dead horse... how does a firewall/ zoning workin in my situation where it [cisco] doesn’t know my IPs in order to protect me... or is that precisely what zoning is.. it’s based on the network/interfaces regardless of ips.

 

see the long story short as far as a firewall goes is, my 1 Linux Box is simply an email server to the world and uses imap (993) , and ssl and lets sayin incoming ssh 6634. But only to that ip.

then my other Linux will be ssh 6633 but also http for a web server. I have all of this enabled through my individual Linux up tables and I feel they suffice but I’m always questioning the greater scenario.

 

regardless, I am very interested in learning zoning. 

Hello,

 

in theory (I cannot test because I don't have a block of public IP addresses) you can still use zones, you just need to change the IP addresses in the access lists.

You need to assign the inside zone to the interfaces where your inside machines are connected to (such as GigabitEthernet4). So the entire thing should look like this:

 

Current configuration : 2214 bytes
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_TO_INSIDE_POLICY
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
description TP-Link
no ip address

zone-member security INSIDE
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 207.108.121.182 255.255.255.248
ip virtual-reassembly in
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1460
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname {username}
ppp chap password 0 {password}
ppp pap sent-username {username) password 0 {password}
ppp ipcp route default
zone-member security OUTSIDE
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
ip access-list extended INSIDE_TO_OUTSIDE
permit ip host 207.108.121.176 any
permit ip host 207.108.121.177 any
permit ip host 207.108.121.178 any
permit ip host 207.108.121.179 any
permit ip host 207.108.121.180 any
permit ip host 207.108.121.181 any
permit ip host 207.108.121.182 any
!
ip access-list extended OUTSIDE_TO_INSIDE
permit icmp any host 207.108.121.176
permit icmp any host 207.108.121.177
permit icmp any host 207.108.121.178
permit icmp any host 207.108.121.179
permit icmp any host 207.108.121.180
permit icmp any host 207.108.121.181
permit icmp any host 207.108.121.182

!
class-map type inspect match-all INSIDE_TO_OUTSIDE_CLASS
match access-group name INSIDE_TO_OUTSIDE
!
class-map type inspect match-all OUTSIDE_TO_INSIDE_CLASS
match access-group name OUTSIDE_TO_INSIDE
!
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
class type inspect INSIDE_TO_OUTSIDE_CLASS
inspect
class class-default
drop log
!
policy-map type inspect OUTSIDE_TO_INSIDE_POLICY
class type inspect OUTSIDE_TO_INSIDE_CLASS
pass
class class-default
drop log
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

This is amazing, thank you so much. You are spot on with my IP Block..

 

From what I am gathering here, what you did was add my whole subnet to the possibility of INSIDE / OUTSIDE Zone as long as I were to add that specific Interface to the Zone rule.. You then added the Gigabit 4 as an example to which I can do for each of the Interfaces... At this moment (as long as the Interfaces are added to the Zone) will allow ALL Outgoing (to the Internet) but not IMCP Incoming (from the Internet) to my currently only added Gigabit 4 Interface?

 

Hypothetically speaking, if I physically had my Linux Email Server on Gigabit 5 I would then add that Interface to the OUTSIDE Zone to allow IMAP & SMTP to be able to receive Emails and INSIDE Zone to allow Emails to be sent (to the Internet ).

 

If this is correct then how would I associate specific OUTSIDE Rules? For example, I only want my Linux Email to have OUTSIDE (IMAP & SMTP) but let’s say I want my Linux Web Server to only have Web Hosting Access but not IMAP & SMTP. I assume I can create multiple rules for OUTSIDE?

 

[Quick question] Do the Interfaces also get OUTSIDE Zones inputted under them as you did with INSIDE. Meaning, did you intentionally not list OUTSIDE to Gigabit 4 or are OUTSIDE Zones not listed under the Ethernet (LAN) Interfaces but only the WAN. Which then would still go with my question of associating specific Zones (port access) to specific Interfaces. In retrospect with the IP’s you added to the Zone... Again., how would my Cisco know what those IP’s were unless they were manually associated to the specific Interfaces or even in the Router at all? I suppose that where “Zones” come from as they hard physically attached to the Interface and not any specific IP.. Which had me confused as to why they were added to the Zones (as IP’s) in the first place.

 

 

Matt

Hello,

 

--> At this moment (as long as the Interfaces are added to the Zone) will allow ALL Outgoing (to the Internet) but not IMCP Incoming (from the Internet) to my currently only added Gigabit 4 Interface? <--

 

Actually, the outside to inside rule only allows ICMP from the outside (Internet) to your inside. You might not even need this, it is just an example.

 

An interface can be a member of only one zone. With regard to your Email server, you might want to configure a DMZ zone. Have a look at the configuration linked below:

 

IOS Zone Based Firewall Step-by-Step Basic Configuration

 

https://supportforums.cisco.com/t5/security-documents/ios-zone-based-firewall-step-by-step-basic-configuration/ta-p/3142774

Interesting..

 

I hope I did not wrongfully respond in terms of ICMP. I do understand that it was an example and that ICMP is Outside (Internet) to Inside (My Network), I was just clarifying but I may have written it wrong.

 

How funny I actually found that web link yesterday on my own as well and began reading it over. I will indeed look into DMZ (I just thought it was meant for all open all access to an IP address).

 

Being that as you said you can only have one Zone then I can at least open the few ports manually and then have it Box [Linux] itself finish it off via IPTABLES for the ports I do not want opened on  that particular device.

 

The concept and basics at this point are quite clear to me and I am confident with the format and examples you have given, its just my inquisitive mind trying to piece the rest of it together.

It will be a journey and I am sure along the way I will look back at configurations I make and comments I have made and laugh at myself about how off I was.

 

I appreciate your time and assistance and I could not have done it without you.

Hello,

 

I guess once you grasp the concept, it is (supposed to be) fairly intuitive to configure the zones.

 

Let us know if you need any more help...

Good Morning

 

Before I continue researching this particular avenue, I want to make sure I am on the right path.

 

As we already know, I have 8 Static IP W/ 5 Usable;

 

1 - Email Server (Only)

1 - Web Site (Only)

1 - Home Router (for anything from surfing to torrent to streaming Netflix)

1 - Vacant

1 - Vacant

 

With this setup, am I abe to create, let’s say, 4 Zones.. INCOMING/OUTGOING with general purpose, a EMAIL Zone which allows only incoming/outgoing pertaining to Email Ports and then a WWW Zone which only allows incoming/outgoing for Web Server.

 

Zone INCOMING

Zone OUTGOING 

Zone EMAIL

Zone WEBSERVER 

 

Then associate the Interfaces accordingly...to the Zone.. and then associating each INTERFACES (Zone really, as I will treat the specific Interface as a Zone as they will be “hard wired” to their destination) for inter network traffic.

 

So very generically, being that x.x.121.182 is Router and x.x.121.180 is Email... And that my .176 Wireless Router will be using the basic Incoming/Outoung Zone.

 

#zone security INSIDE

#zone security OUTSIDE

#zone security EMAIL

 

#interface Vlan1

#zone-member security INSIDE

#interface Dialer1

#zone-member security OUTSIDE

#interface gigabitEthernet4

#zone-member security EMAIL

 

#zone-pair security IN-TO- OUT source INSIDE destination OUTSIDE

#zone-pair security OUT- TO-IN source OUTSIDE destination INSIDE

#zone-pair security OUT- TO-EMAIL source OUTSIDE destination EMAIL

#zone-pair security IN-TO- EMAIL source INSIDE destination EMAIL

   —- Would I even need this? Sending email from home to myself isn’t something I do.. 

 

#ip access-list extended INSIDE-TO-OUTSIDE

#permit tcp 207.108.121.0 0.0.0.255 any eq www

#permit icmp 207.108.121.0 0.0.0.255 any icmp 

#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS

#match access-group name INSIDE-TO-OUTSIDE

———This means anyone on the block of IP’s 207.108.121.x will have said access out?

 

#ip access-list extended OUTSIDE-TO-INSIDE

#permit icmp any 207.108.121.0.0.0.255

#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS

#match access-group name OUTSIDE-TO-INSIDE

——— This means any IP in the Block can get incoming ICMP Requests?

 

#ip access-list extended OUTSIDE-TO-EMAIL

#permit tcp any 207.108.121.180 0.0.0.0 eq imap

#class-map type inspect match-all OUTSIDE-TO-EMAIL-CLASS

#match access-group name OUTSIDE-TO-EMAIL

——— This mean that IP ending in .180 is the only recipient on the Block accepting incoming IMAP (993)?

——— or is the IP irrelevant because the Zone is going to be associated with the Interface, which only goes ——— to .180.

 

#ip access-list extended INSIDE-TO-EMAIL

#permit tcp 207.108.121.0 0.0.0.0 eq imap

#permit icmp 207.108.121.0 0.0.0.255

#class-map type inspect match-all INSIDE-TO-EMAIL-CLASS

#match access-group name INSIDE-TO-EMAIL

——— I assume the same concept as Outside to In?

 

#ip access-list extended EMAIL-TO-OUTSIDE
#permit tcp 207.108.121.180 0.0.0.0 eq smtp
#permit tcp 207.108.121.180 eq www
#permit icmp 207.108.121.0 0.0.0.255
#class-map type inspect match-all INSIDE-TO-EMAIL-CLASS
#match access-group name INSIDE-TO-EMAIL

——— I assume this allows me to send to the Internet using SMTP (25)

 

#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY

#class type inspect INSIDE-TO-OUTSIDE-CLASS

#inspect

#class class-default

#drop log

 

#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY

#class type inspect OUTSIDE-TO-INSIDE-CLASS

#pass

#class class-default

#drop log

 

#policy-map type inspect OUTSIDE-TO-EMAIL-POLICY

#class type inspect OUTSIDE-TO-EMAIL-CLASS

#inspect

#class class-default

#drop log

 

#policy-map type inspect INSIDE-TO-EMAIL-POLICY

#class type inspect INDISE-TO-EMAIL-CLASS

#Pass

#class class-default

#drop log

 

#zone-pair security IN-TO- OUT source INSIDE destination OUTSIDE

#service- policy type inspect INSIDE-TO-OUTSIDE- POLICY

#zone-pair security OUT- TO-IN source OUTSIDE destination INSIDE

#service- policy type inspect OUTSIDE-TO-INSIDE- POLICY

#zone-pair security OUT- TO-EMAIL source OUTSIDE destination EMAIL

#service- policy type inspect OUTSIDE-TO-EMAIL- POLICY

#zone-pair security IN-TO- EMAIL source INSIDE destination EMAIL

#service- policy type inspect INSIDE-TO-EMAIL- POLICY

 

Or did I just make this all out of control. 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Hello,

 

sorry for my late reply. You are on the right track. I have added some remarks (in bold):

 

#zone security INSIDE

#zone security OUTSIDE

#zone security EMAIL

 

#interface Vlan1

#zone-member security INSIDE

#interface Dialer1

#zone-member security OUTSIDE

#interface gigabitEthernet4

#zone-member security EMAIL

 

#zone-pair security IN-TO- OUT source INSIDE destination OUTSIDE

#zone-pair security OUT- TO-IN source OUTSIDE destination INSIDE

#zone-pair security OUT- TO-EMAIL source OUTSIDE destination EMAIL

#zone-pair security IN-TO- EMAIL source INSIDE destination EMAIL

—- Would I even need this? Sending email from home to myself isn’t something I do..

--> Depending on what your network looks like, I have seen many networks (and I usually do that myself) that are configured to send an email to you when there is some sort of error or failure. So, I would leave that as is, allowing email from home to yourself...

 

#ip access-list extended INSIDE-TO-OUTSIDE

#permit tcp 207.108.121.0 0.0.0.255 any eq www

#permit icmp 207.108.121.0 0.0.0.255 any icmp

#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS

#match access-group name INSIDE-TO-OUTSIDE

———This means anyone on the block of IP’s 207.108.121.x will have said access out?

--> Yes, exactly.

 

#ip access-list extended OUTSIDE-TO-INSIDE

#permit icmp any 207.108.121.0.0.0.255

#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS

#match access-group name OUTSIDE-TO-INSIDE

——— This means any IP in the Block can get incoming ICMP Requests?

--> Yes

 

#ip access-list extended OUTSIDE-TO-EMAIL

#permit tcp any 207.108.121.180 0.0.0.0 eq imap

#class-map type inspect match-all OUTSIDE-TO-EMAIL-CLASS

#match access-group name OUTSIDE-TO-EMAIL

——— This mean that IP ending in .180 is the only recipient on the Block accepting incoming IMAP (993)?

——— or is the IP irrelevant because the Zone is going to be associated with the Interface, which only goes ——— to .180.

--> I am not sure if you need to allow the return traffic as well. If it doesn't work, try and add:

#permit tcp 207.108.121.180 0.0.0.0 any eq imap

 

#ip access-list extended INSIDE-TO-EMAIL

#permit tcp 207.108.121.0 0.0.0.0 eq imap

#permit icmp 207.108.121.0 0.0.0.255

#class-map type inspect match-all INSIDE-TO-EMAIL-CLASS

#match access-group name INSIDE-TO-EMAIL

——— I assume the same concept as Outside to In?

--> Yes, exactly.

 

#ip access-list extended EMAIL-TO-OUTSIDE
#permit tcp 207.108.121.180 0.0.0.0 eq smtp
#permit tcp 207.108.121.180 eq www
#permit icmp 207.108.121.0 0.0.0.255
#class-map type inspect match-all INSIDE-TO-EMAIL-CLASS
#match access-group name INSIDE-TO-EMAIL

——— I assume this allows me to send to the Internet using SMTP (25)

--> Looking at your access list, I think you are missing the destination:

#ip access-list extended EMAIL-TO-OUTSIDE
#permit tcp 207.108.121.180 0.0.0.0 any eq smtp
#permit tcp 207.108.121.180 any eq www
#permit icmp 207.108.121.0 0.0.0.255 any

 

#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY

#class type inspect INSIDE-TO-OUTSIDE-CLASS

#inspect

#class class-default

#drop log

 

#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY

#class type inspect OUTSIDE-TO-INSIDE-CLASS

#pass

#class class-default

#drop log

 

#policy-map type inspect OUTSIDE-TO-EMAIL-POLICY

#class type inspect OUTSIDE-TO-EMAIL-CLASS

#inspect

#class class-default

#drop log

#policy-map type inspect INSIDE-TO-EMAIL-POLICY

#class type inspect INDISE-TO-EMAIL-CLASS

#Pass

#class class-default

#drop log

#zone-pair security IN-TO- OUT source INSIDE destination OUTSIDE

#service- policy type inspect INSIDE-TO-OUTSIDE- POLICY

#zone-pair security OUT- TO-IN source OUTSIDE destination INSIDE

#service- policy type inspect OUTSIDE-TO-INSIDE- POLICY

#zone-pair security OUT- TO-EMAIL source OUTSIDE destination EMAIL

#service- policy type inspect OUTSIDE-TO-EMAIL- POLICY

#zone-pair security IN-TO- EMAIL source INSIDE destination EMAIL

#service- policy type inspect INSIDE-TO-EMAIL- POLICY

Absolutely fantastic, thank you so much.. and I’d wait indefinitely for your response so thank YOU.

I will indeed run this through my setup and see where it leads. If it indeed works out fine (being that I correctly inputted it in) then I will incorporate my Wireless Router for its access as well.

As far as the changes us added, I see and understand why they were needed so that helps a lot.

From what I can gather, common protocols using standard Ports are what are added (imap, http, ftp and such) but what would consist of a protocol on an unconventional Port? I.E I would want to add Secure SSH but on Port 98.
Or let’s say, I play World Of Warcraft and it has varying Ports for the Downloader (1119, 1120, 3724, 400, 6112, 6113, 6114 ((based on Blizzards Port Guide) (which is used quite a bit)) to the Battle.net (80, 443, 1119) to WoW itself (3724,1119,6012).
From my Googleing I see a thread about “denying” said Ports but nothing about enabling.. Would it be true to simple reverse that configuration and add?

So under the Interface for my Wireless (and I assume I’d have to do this for IN / OUT (as I have no clue if these are for incoming or outgoing).

(Listing a few Ports as example)
#permit udp any eq 3724 any eq 3724
#permit tcp any eq 3724 any eq 3724
#permit udp any range 6112 6114 any range 6112 6114
#permit tcp any range 6112 6114 any range 6112 6114

Don’t misunderstand the above.. definitely not asking for a direct answer rather than “can I add Ports themselves when a standard protocol is not an option”?

My final question for the day! My current and saved configuration are of the working one... What’s the best route when making these changes and it all crashes? Being that I will NOT #write or save, will a simple #reboot revert to the working configuration?