- Home »
- FAQ »
- Security »
- Firewall »
- How to block the service by using the firewall to block the certain port?
How to block the service by using the firewall to block the certain port?
To access the service on the internet, we will need to connect to the server IP address and the specific port, so the packets will be sent to the correct server, and the packets will be listened by the correct program. In some scenario, network administrator may not want to let the clients access some service; or, wants to enhance the security of the internal network, to prevent some malwares from access the resource, stole the information, and abuse the internet. Network administrator can set the firewall rule on Vigor Router to block the connection by certain port. The client will not be able to access such resource if the port is blocked, and the malware will not be able to access their own server.
This document will describe how to restrict the service that client or program are using by blocking the certain port, so they will not able to access the resource on the internet. Imagine that a company wants to prevent the confidential information leakage, the network administrator wants to block all the FTP transmission between the local network and the internet. Usually, the FTP service uses TCP port 21 as the major command port. The steps and details will be described in the following paragraphs.
Note: Except the ports you have set to be open and redirection to the internal IP addresses, Vigor Router will block all the transmissions which initiate from the internet to the local network by default. Therefore, we will focus on blocking the transmission from LAN to WAN in the following paragraphs.
(This setup applies to most of the models. For Vigor3900, Vigor2960 and Vigor300B, please refer to the article here.)
1. Go to Object Setting >> Services Type Object:
a. Create service object
b. Type the profile name
c. Set the destination TCP port 21 for FTP
2. Go to Firewall >> Filter Setup, click an available Filter Set:
a. Click an available Filter Rule
b. Tick Check to enable the Filter Rule
c. Input Comments
d. Select the source IP (Please set the source IP address here if you want to regulate the specific IP address only.)
e. Select the "FTP" as Service Type
f. Select Block Immediately as Filter, we could also enable the syslog to check the filter status
g. Save the profile
3. From the Diagnostics >> Syslog Explorer, we may see the attempt to connect TCP port 21 has been blocked.
If you want to apply the firewall rule to certain computer, you will need to set Bind IP to MAC for this computer, so the router will always assign the identical IP to it. Please refer to What is Bind IP to MAC? for further information.
You may also refer to How to use APP Enforcement? to use APP filter to block specific protocol.