Port Forward Access Control
  • Hello! Sorry and excuse me if I am hijacking this thread / post. I need to understand the statement of jiimp better:

    "With pass, the traffic will pass that matches the NAT rule exactly. Some people prefer to have more fine-grained control over who/what is allowed to reach systems to which ports are forwarded.

    If it's a web server that the world can access, then pass may be OK. If it's a private system locked down to only a few remote IPs, then someone might want to add the nat and firewall rules separately and come up with a more complex set of rules to control access.
    "

    He has mentioned that some people need more control on who or what is allowed to reach systems. How can this control be achieved? I have already made a post seeking support on port forwarding to a cctv dvr "POST FORWARD TO CCTV DVR". I am using dynamic dns to access the network from outside. Then I am using port forward to redirect the external access to the cctv dvr (this dvr listens on 80 and 8000. 80 is for login and 8000 is audio and video data). After a long try with help of metu69salemi I could get the port forwarding to work. Now I want to set some sort of security in place. It can be any of the following:
    1. Remote system's MAC id based access
    2. User name/password based access (CAPTIVE PORTAL or similar)

    So how can this be achieved?
    thanks

  • @sriraminfotec:

    Hello! Sorry and excuse me if I am hijacking this thread / post. I need to understand the statement of jiimp better:

    "With pass, the traffic will pass that matches the NAT rule exactly. Some people prefer to have more fine-grained control over who/what is allowed to reach systems to which ports are forwarded.

    If it's a web server that the world can access, then pass may be OK. If it's a private system locked down to only a few remote IPs, then someone might want to add the nat and firewall rules separately and come up with a more complex set of rules to control access.
    "

    He has mentioned that some people need more control on who or what is allowed to reach systems. How can this control be achieved? I have already made a post seeking support on port forwarding to a cctv dvr "POST FORWARD TO CCTV DVR". I am using dynamic dns to access the network from outside. Then I am using port forward to redirect the external access to the cctv dvr (this dvr listens on 80 and 8000. 80 is for login and 8000 is audio and video data). After a long try with help of metu69salemi I could get the port forwarding to work. Now I want to set some sort of security in place. It can be any of the following:
    1. Remote system's MAC id based access
    2. User name/password based access (CAPTIVE PORTAL or similar)

    So how can this be achieved?
    thanks

    Hi,

    1. Remote MAC id is no good, because if the IP goes through any layer 3 devices then it will be that device's MAC id and not the source MAC.
    2. Username/password access would be functionality that your DVR provides and not the firewall, as I am not sure that is possible with inbound traffic. Authentication via captive portal, RADIUS or the like, as far as I know, only applies to outbound traffic.

    Note: When I mention inbound and outbound, it means the initiator of the traffic. In layman's terms, who started the traffic flow.

    Regards,

  • Thanks for the response.
    Now is there no other way of getting authentication? The DVR does not have much security and the password can also be easily changed.
    When you mention outbound traffic, does not CP treat the traffic moving out of the DVR as outbound?

  • @sriraminfotec:

    Thanks for the response.
    Now is there no other way of getting authentication? The DVR does not have much security and the password can also be easily changed.
    When you mention outbound traffic, does not CP treat the traffic moving out of the DVR as outbound?

    Well, for authentication or restricted access you have a few options:

    1. Get a new DVR that supports better Access Control List (ACL).
    2. Use VPN in conjunction with pfsense.
    3. Restrict inbound traffic to the DVR to a few known fixed/static IP addresses.

    It may not be ideal, but it is a workable solution.

    The DVR will not initiate outbound traffic on its own unless it is going out to do software update checks or some function like alert notification, etc. Every firewall/proxy knows or keeps track of who starts the traffic (this is why they maintain state). In your example, the outbound traffic from the DVR was initiated by someone from the inbound side (outside the WAN link), so the initiator is from the inbound side. To help you understand the inbound/outbound traffic more, think of it as who started the request for the traffic: is the request started by someone/some device from the WAN (that would mean inbound) or someone/some device from the LAN (outbound)?

    Hope this helps.
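Option 3 above, and jiimp's quoted remark about adding the NAT and firewall rules separately, can be shown concretely in the pf syntax that pfSense runs underneath its GUI. The fragment below is an added illustration, not configuration from this thread or from the pfSense project; the interface name, DVR address and allowed remote addresses are constructed placeholders, and the DVR's two ports (80 for login, 8000 for audio/video) are the ones the poster described.

```pf
# Added example: the difference between a port forward with "pass"
# and a port forward plus a separate, source-restricted filter rule.
ext_if    = "em0"             # WAN interface (assumed name)
dvr       = "192.168.1.50"    # DVR's LAN address (constructed)
dvr_ports = "{ 80, 8000 }"    # 80 = login page, 8000 = audio/video stream

# --- Weak: "pass" on the NAT rule forwards AND allows in one step.
#     Any source on the Internet that matches the rule reaches the DVR;
#     the only thing standing between it and the DVR is the DVR's own login.
# rdr pass on $ext_if proto tcp from any to ($ext_if) port $dvr_ports -> $dvr

# --- Restricted: the few fixed remote addresses that need the DVR go in
#     a table (pfSense calls this an alias); everything else is dropped.
table <dvr_allowed> persist { 203.0.113.10, 198.51.100.0/28 }   # constructed

# NAT only: redirect WAN traffic on the DVR ports to the DVR's LAN address.
rdr on $ext_if proto tcp from <dvr_allowed> to ($ext_if) port $dvr_ports -> $dvr

# Filtering is evaluated after translation, so the filter rule matches on the
# translated (LAN) destination. Default deny on WAN, then admit table members only.
block in on $ext_if
pass in quick on $ext_if proto tcp from <dvr_allowed> to $dvr port $dvr_ports \
    flags S/SA keep state
```

In the pfSense GUI this split corresponds to a port forward whose filter rule association is set to none, plus a hand-written WAN rule whose source is the alias of permitted addresses; the table can be edited later without touching the NAT rule.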
