Block port 80 to specific IP



  • What is the best way to write a rule to block port 80 & 443 to a specific IP address?



  • One way: Create a port alias containing ports 80 and 443 and call it 'WebPorts' for instance. Then write your rule thus:

    Proto(IPv4) | Source (LAN) | Port (*) | Destination (Specific-IP) | Port (WebPorts) | Gateway (GW-WAN) | Queue (None).



  • Wrote the rule as specified but the server at the specified IP still has access to the Internet.


  • Post the screenshots of your WAN rules. (Note: You need to reset states - Diagnostics => States => Reset states after restricting access.)



  • @crispycritter:

    Wrote the rule as specified but the server at the specified IP still has access to the Internet.

    Maybe I misread your post, but I thought you were trying to stop your LAN users from accessing a remote host on ports 80 and 443. Not prevent the host from accessing the internet.

    Perhaps you should post a diagram of what you're trying to do. Please clearly indicate your firewall, the internal hosts and any external targets involved. And show the traffic direction - the source and target(s).



  • @crispycritter:

    What is the best way to write a rule to block port 80 & 443 to a specific IP address?

    It sounds like you really mean:

    What is the best way to write a rule to block access to destination port 80 & 443 from a specific IP address?



  • Sorry - I'll provide the complete detail for this project. I have multiple servers on the network. One of these servers is an RDP server hosting multiple user logins. Just for this one server only I need to block access to the Internet. I need the result to be that anyone using this server, logging in as a remote session, will not have access to the Internet. I would like to do this at the router level, blocking ports 80 and 443 to this server's specific IP address only. Per previous instructions I built the Aliases for 80 & 443 and built the rule but it did not block the Internet for this server.



  • OK, to block access from LAN to Internet, you need a rule on LAN that blocks the specific source IP address to the ports defined by your alias. It's pretty easy.



  • Just a bit of modification on the previous LAN block rule should do it:

    Proto(IPv4) | Source (Specific-IP) | Port (*) | Destination (*) | Port (WebPorts) | Gateway (GW-WAN) | Queue (None).



  • Thanks for your help! The last rule given works perfectly for this need.
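
Why the first rule in this thread had no effect and the second one worked, as an added example that is not part of the original posts: a minimal first-match evaluator for rules on the LAN interface, run against both rules. The IP addresses, the trailing "LAN to any" pass rule and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample values: only the alias name and roles come from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
RDP_SERVER = ipaddress.ip_address("192.168.1.50")    # the "Specific-IP"
WEB_PORTS = {80, 443}                                # the 'WebPorts' alias
ANY = None                                           # "*" in the rule tables

def matches(field, value):
    """True if a rule field is ANY, a network or set containing value, or equal to it."""
    if field is ANY:
        return True
    if isinstance(field, ipaddress.IPv4Network):
        return value in field
    if isinstance(field, set):
        return value in field
    return field == value

def evaluate(rules, src, dst, dport):
    """First matching rule wins; no match falls through to the default block."""
    for action, r_src, r_dst, r_ports in rules:
        if matches(r_src, src) and matches(r_dst, dst) and matches(r_ports, dport):
            return action
    return "block"

ALLOW_LAN = ("pass", LAN, ANY, ANY)   # assumed "LAN to any" pass rule below the block

# First suggestion: Source (LAN), Destination (Specific-IP), Port (WebPorts).
RULES_DEST = [("block", LAN, RDP_SERVER, WEB_PORTS), ALLOW_LAN]
# Working rule: Source (Specific-IP), Destination (*), Port (WebPorts).
RULES_SRC = [("block", RDP_SERVER, ANY, WEB_PORTS), ALLOW_LAN]

def verdicts(rules):
    web = ipaddress.ip_address("203.0.113.10")    # constructed Internet host
    client = ipaddress.ip_address("192.168.1.20") # constructed other LAN host
    return {
        "server->web:443": evaluate(rules, RDP_SERVER, web, 443),
        "server->web:3389": evaluate(rules, RDP_SERVER, web, 3389),
        "client->web:80": evaluate(rules, client, web, 80),
    }

if __name__ == "__main__":
    for name, rules in (("destination rule", RULES_DEST), ("source rule", RULES_SRC)):
        print(name, verdicts(rules))
```

The source rule stops only destination ports 80 and 443 from the server; traffic from it to any other port still matches the pass rule, which is worth checking if the goal is no Internet access at all from that host.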