Unable to block Layer 7


This topic contains 4 replies, has 0 voices, and was last updated by  matthew.a.squires 10 years, 3 months ago.

    #41536

    I tried blocking Cisco Client VPN and SSH using the Firewall.
    But each time I used the Cisco VPN and the SSH client, I was able to connect to the external server.

    I tried adding an IP address and even my subnet, but the Cisco VPN and SSH client still connected.

    I do not currently have a log at this time.

    Any ideas?

    #47778

    yum
    Member

    As I understand it, the default policy for the FORWARD chain is ACCEPT and you want to block certain traffic. Try to put the blocking rules closer to the top of the FORWARD chain. For example, the first rule for SSH and the second for Cisco VPN:

    1.
    DROP tcp opt -- in ETH00 out ETH01 192.168.0.0/24 -> 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:22

    2.
    DROP udp opt -- in ETH00 out ETH01 192.168.0.0/24 -> 0.0.0.0/0 state NEW,ESTABLISHED udp dpt:500
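    The ordering point yum makes is first-match evaluation: a packet takes the target of the first rule it matches, and only falls through to the chain policy (ACCEPT here) if nothing matches. The following is an added illustration, not ZeroShell or iptables code: it models the two DROP rules above (connection state is not modelled) and shows that the same rules block SSH and ISAKMP only when they sit above a permissive ACCEPT rule; packet contents and interface names are constructed to match the post.

```python
# Constructed first-match model of an iptables-style FORWARD chain.
# Not ZeroShell's or iptables' code; it only mirrors the rules in the post.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str                  # "DROP" or "ACCEPT"
    proto: Optional[str] = None  # None matches any protocol
    src: str = "0.0.0.0/0"       # source network, CIDR
    in_if: Optional[str] = None  # inbound interface, None = any
    out_if: Optional[str] = None # outbound interface, None = any
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        return (
            (self.proto is None or pkt["proto"] == self.proto)
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and (self.in_if is None or pkt["in"] == self.in_if)
            and (self.out_if is None or pkt["out"] == self.out_if)
            and (self.dport is None or pkt["dport"] == self.dport)
        )

def walk_chain(rules, pkt, policy="ACCEPT"):
    """Return the verdict: the first matching rule wins, else the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# The two rules yum suggested (interfaces and subnet as in the post).
DROP_SSH = Rule("DROP", "tcp", "192.168.0.0/24", "ETH00", "ETH01", 22)
DROP_ISAKMP = Rule("DROP", "udp", "192.168.0.0/24", "ETH00", "ETH01", 500)
ACCEPT_ALL = Rule("ACCEPT")  # a permissive rule many rulesets carry near the top

# Constructed packets from a LAN host: SSH, Cisco VPN (ISAKMP) and plain HTTPS.
SSH_PKT = {"proto": "tcp", "src": "192.168.0.10", "in": "ETH00", "out": "ETH01", "dport": 22}
VPN_PKT = {"proto": "udp", "src": "192.168.0.10", "in": "ETH00", "out": "ETH01", "dport": 500}
WEB_PKT = {"proto": "tcp", "src": "192.168.0.10", "in": "ETH00", "out": "ETH01", "dport": 443}

def verdicts(rules):
    """Verdicts for (SSH, VPN, HTTPS) under a given rule order."""
    return tuple(walk_chain(rules, p) for p in (SSH_PKT, VPN_PKT, WEB_PKT))

if __name__ == "__main__":
    print("DROP rules first :", verdicts([DROP_SSH, DROP_ISAKMP, ACCEPT_ALL]))
    print("ACCEPT rule first:", verdicts([ACCEPT_ALL, DROP_SSH, DROP_ISAKMP]))
```

    With the DROP rules first, SSH and ISAKMP are dropped and HTTPS still passes; with the ACCEPT rule first, everything passes and the DROP rules are never reached.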

    #47779

    Question: Do I have to enter the port number? I thought just selecting the Layer 7 type would be enough.

    I will try the position on the list before entering the port number.

    Thank You Again.

    #47780

    yum
    Member

    Currently I don’t use L7 on my router and have nothing to say, sorry.

    #47781

    ppalias
    Member

    Could you please post the IPTABLES ruleset?

    #47782

    No need to because it worked.

    In the Firewall rules I added a rule that DROPs the layer 7 protocol.
    I placed all of my DROP rules at the top (1+) of the list and the ACCEPT rules at the bottom of the list.

    I was able to DROP certain protocol standards from going through my router, standards like SSH, Cisco VPN Client, Skype, and so on, without having to enter port numbers.

    Thank You YUM.
