DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 Stateful Packet Inspection

12 Nov 2018 23:59 #93354 by hornbyp
Why would I need to add a specific Firewall Rule, to allow a response in, from a connection that's still visible in the "NAT Active Sessions Table"?

If a device on my network sends data to a remote system and expects a reply, I would only expect the response to be seen as "unsolicited" (and subject to the Firewall Rules), if the connection had timed out.

The device in question is a Netatmo 'Smart' Thermostat, which is on my I.O.T. VLAN (heavily firewalled from the rest of my network). It communicates with Netatmo H.Q. using TCP Port 25050.

My first Firewall Rule is "Block if no further match" - for all addresses, all protocols. Further Rules in that Filter Set allow in SMTP, (some) DNS, WEB etc (matching the NAT Open Port config.). Without an additional rule for the Netatmo, the first rule occasionally triggers. (The Netatmo thermostat doesn't seem to know/care about this - so I don't know how important this data is...)

You could argue that I don't need this D.I.Y. Default Rule (because NAT effectively does the same job), but I want to be quite selective about DNS - since I seem to have been unwittingly participating in DNS Reflection attacks.

Code:
NAT Active Session Table (abbreviated!) 192.168.5.1 55530 55594 62.210.177.194 25050 WAN2


Adding a specific rule for this traffic allows it in (and stops Rule 1 triggering instead):

Code:
[FILTER][Pass][WAN->LAN/RT/VPN, 99:11:45 ][@S:R=1:5, 62.210.177.194:25050->192.168.5.1:55530][TCP][HLen=20, TLen=40, Flag=A, Seq=846171384, Ack=469110721, Win=29200]


(Where 192.168.5.1 is the Netatmo Thermostat and 62.210.177.194 is Netatmo H.Q.)
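A way to spot the symptom described in this post from the router's own output, written as an added example (not code from the post or from DrayTek): it parses [FILTER] syslog lines in the layout of the quoted Pass entry and the abbreviated NAT Active Sessions Table, then reports Block entries whose source is the peer side of a session that is still open. The regex field layout, the NAT table column order (private IP, private port, pseudo port, peer IP, peer port, interface) and the two extra log lines are assumptions constructed for the example.

```python
import re

# Field layout inferred from the single [FILTER] line quoted in the post; this is
# an assumption about the log format, not taken from DrayTek documentation.
FILTER_RE = re.compile(
    r"\[FILTER\]\[(?P<action>\w+)\]\[(?P<direction>[^,\]]+),[^\]]*\]"
    r"\[@S:R=(?P<fset>\d+):(?P<rule>\d+),\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>[A-Z]+)\]"
)

# The NAT table row is the one quoted in the post.
NAT_TABLE = "192.168.5.1 55530 55594 62.210.177.194 25050 WAN2\n"

# First line is the Pass entry quoted in the post. The other two are constructed:
# a Block from rule 1:1 (the poster's "Block if no further match" rule) for the
# same session, and an unrelated unsolicited SYN that should stay blocked.
LOG = """\
[FILTER][Pass][WAN->LAN/RT/VPN, 99:11:45 ][@S:R=1:5, 62.210.177.194:25050->192.168.5.1:55530][TCP][HLen=20, TLen=40, Flag=A, Seq=846171384, Ack=469110721, Win=29200]
[FILTER][Block][WAN->LAN/RT/VPN, 99:12:01 ][@S:R=1:1, 62.210.177.194:25050->192.168.5.1:55530][TCP][HLen=20, TLen=40, Flag=A, Seq=846171424, Ack=469110721, Win=29200]
[FILTER][Block][WAN->LAN/RT/VPN, 99:12:03 ][@S:R=1:1, 203.0.113.9:443->192.168.5.1:55530][TCP][HLen=20, TLen=40, Flag=S, Seq=1, Ack=0, Win=1024]
"""

def parse_nat_table(text):
    """Map (peer IP, peer port, inside IP, inside port) -> interface for each
    row. Column order is assumed from the one row quoted in the post."""
    sessions = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[1].isdigit():
            sessions[(f[3], int(f[4]), f[0], int(f[1]))] = f[5]
    return sessions

def blocked_replies(log_text, nat_text):
    """Return Block entries whose 4-tuple is the reply direction of an active NAT
    session, i.e. return traffic the default-deny rule caught anyway."""
    sessions = parse_nat_table(nat_text)
    hits = []
    for m in filter(None, map(FILTER_RE.match, log_text.splitlines())):
        if m["action"] != "Block":
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if key in sessions:
            hits.append({"rule": f'{m["fset"]}:{m["rule"]}', "proto": m["proto"],
                         "peer": f'{m["src"]}:{m["sport"]}',
                         "inside": f'{m["dst"]}:{m["dport"]}', "iface": sessions[key]})
    return hits

if __name__ == "__main__":
    print(blocked_replies(LOG, NAT_TABLE))
```

Run against a real syslog export and the current session table, a non-empty result means the default-deny rule is hitting packets that the NAT table still considers part of an open connection, which is exactly the case the post asks about.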

