Firewall rule question

[Jan Janowski]

Regarding RT2600ac firewall:
Say the rule I want to make involves allowing (or denying) IP of 192.168.1.100, and Wan IP of 8.8.8.8 (for this discussion).

My question is: do I need to make 1 or 2 rules to cover both inbound and outbound directions?
One 192.168.1.100 to 8.8.8.8 to cover outbound

And one 8.8.8.8 to 192.168.1.100 to cover inbound

I’m not clear on this… to cover both directions, 1 or 2 rules?

Thank you

 

[itsjasper]

Are you wanting to ban traffic between the internal IP and the external? or ban both traffic outbound from the internal IP, and inbound from the external (i.e.: two separate items)?

 

[Jan Janowski]

Both. I want to isolate that LAN device from inbound or outbound WAN connections. LAN to LAN connections are fine.

 

[fredbert]

Firewall rules work on connections (sessions). The initial packet will determine the source IP and destination IP, after this the rule is applied to packets in both directions. You have to create the firewall rule for those source and destination IPs.

If the reverse connection initiation is to be handled then you'll have to create a second rule. So to answer your question: to stop outbound connections from the LAN device will be one rule (LAN IP as source) and to stop inbound connections to the LAN device is a second rule (LAN IP as destination). In the latter situation you could just not have a port forwarding (NAT) rule instead. Inbound to private IPs are blocked by default due to no NAT.

If this was a packet filter router then you'd have to create two rules per firewall rule anyway, as packet filters don't link packets into sessions.

 

[Jan Janowski]

Very through answer. Thanks