How to block RDP access in 1:1 NAT setup
-
Why are you doing 1:1 NAT if you want to do port forwarding? Just not understanding what you're freaking trying to accomplish exactly, to be honest. Not understanding the use case at all..
-
@johnpoz 1:1 NAT is for my web server and I need to access it by RDP, so direct RDP should be blocked and port forwarding allowed
-
Why do you think you need 1:1 NAT? Just do the port forwarding for the ports you need.. There is almost zero reason to do 1:1 NAT unless you're hosting someone else's server on an RFC1918.. 1:1 NAT is for when you have so many ports you need to forward that it is easier to just do 1:1. Or you have a whole block of public IPs and you want to do a range of 1:1 NAT for a range of public to a range of RFC1918.
If all you want is RDP, then just forward that... How many other ports do you need open on this box that you want to do 1:1?
-
I thought 1:1 NAT is easier to set up and also I can remember the setup later easily.
Secondly, outgoing traffic to the Internet originates from the associated external IP, which helps with my reporting.
I only need HTTP & HTTPS on the box.
-
Well if you only need HTTP and HTTPS, just forward those.. If you forward it on a VIP the return traffic will use that VIP to return the traffic.
If you want originating traffic from this box to use your VIP - just do that with an outbound NAT.
BTW opening up RDP, even if you change the port, is a HORRIBLE idea.. Unless you can lock it to a specific source IP
-
johnpoz said in How to block RDP access in 1:1 NAT setup:
if you only need http and https, just forward those
Or at least block all the other ports on the 1:1 NAT, because otherwise you're opening up file sharing, RPC, whatever else is listening on Windows on a LAN. Probably easiest to add a rule to allow HTTP/HTTPS and block the rest.
-
@teamits Yes however "1:1 NAT maps all the external ports on that IP to the internal IP but you must still have firewall rules to allow the traffic to reach the local server."
https://forum.netgate.com/topic/75917/1-1-nat-vs-port-forwarding-when-to-use-each/3
-
Hello!
Port 6665 for remote access to your network seems odd, not because IRC is odd, but because that port has been so badly abused.
https://www.speedguide.net/port.php?port=6665
You might want to pick a "safer" port, unless that is not your intent...
John
-
@serbus Thank you, very good point!
-
Security through obscurity is not security... Opening up RDP to the public internet no matter what port is a BAD idea!!! If you want to RDP to this box, then VPN in and then do it.
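As an added illustration of the advice in this thread (not from any poster and not what the pfSense GUI writes out), here is the equivalent in raw pf syntax, which pfSense uses underneath: a 1:1 NAT via binat, the weak "pass everything to the server" rule that exposes RDP, SMB and RPC, and the corrected rule set that only lets HTTP/HTTPS through and blocks the rest. The interface name and both IP addresses are constructed placeholders.

```pf
# Assumed interface and addresses (constructed for this example)
ext_if  = "em0"
pub_ip  = "203.0.113.10"    # public VIP on WAN
web_srv = "192.168.1.10"    # RFC1918 web server on LAN

# 1:1 NAT: bidirectional mapping, so the server's outbound traffic
# leaves as $pub_ip and inbound to $pub_ip is translated to $web_srv.
# Translation alone does not permit traffic; filter rules still decide.
binat on $ext_if from $web_srv to any -> $pub_ip

# Default deny on WAN
block in on $ext_if

# WEAK (what a blanket "allow to the 1:1 target" rule does):
# every listening service on the Windows box, including RDP 3389,
# SMB 445 and RPC 135, becomes reachable from the Internet.
# pass in on $ext_if from any to $web_srv

# CORRECTED: only the two services the box actually serves.
# Filtering runs after translation, so the destination is the
# internal address. 3389 and everything else stay blocked.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 }
```

Management access (RDP) is then done over the VPN as the last reply recommends, rather than by adding a WAN rule for 3389 on any port.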