Balance One - Default Inbound Firewall Rule - Allow Any


#1

Trying to understand why Default Inbound Firewall Rule is Allow Any.
Normally routers have Default Inbound Firewall Rule of Deny Any. With Admin/User setting up exceptions to Allow specific Traffic from IP / Port to IP / Port.

Searches of PepLink FAQ turn up information on Outbound Firewall Rules, with little of anything covering Inbound Firewall Rules.
Searches of PepLink Forum turns up users having problems setting Inbound Firewall Rule to Deny Any, with exceptions to Allow specific Traffic.

Testing via Online Port Scanners show Balance One’s Ports to be Stealth, other than responding to ICMP Ping. Despite Default Inbound Firewall Rule set to Allow.
Can someone please Elaborate on:
Why Default Inbound Firewall Rule is Allow Any?
Why changing Inbound Firewall Rule to Deny Any and adding Exceptions above Deny Rule fails to work?

Can someone please point to Documentation on properly configuring PepLink’s Inbound Firewall Rules to protect against Intrusion / Hacking?


#2

Hi,

The inbound firewall rules only apply to the following types of traffic:

  • Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
  • Inbound traffic that is defined in Inbound Services
  • Inbound traffic that is defined in Inbound NAT Mappings

If you don’t have the above defined, basically the inbound rules will not be referred to and you are safe from external access. In other words, if you don’t have the above types of traffic defined, all traffic will be denied/blocked.

For detailed info on how to define the inbound firewall rules, refer to the user manual:

Thank You


#3

Thank you. That is the piece that was missing.

Explaining why Online Port / Intrusion tests were not finding any security issues. The Balance One I set up was not running in drop-in mode, didn’t have any Inbound Services (only Port Forwarding), and there were no NAT Mappings.


#4

I had this same question, but I did notice the commentary in the help text about “this only applies to NAT mapping and Inbound services”. So whilst it’s reassuring to know that the thing isn’t basically open to the outside world by default, the question that still puzzles me is: why is it designed this way? If the firewall is really set to “deny all” other than those entries explicitly created in inbound services or NAT mappings, why bother with it at all? When would I ever want to deny something that would only be allowed by virtue of NAT mappings/Inbound services? Is it something to do with making “drop-in mode” workable? Or maybe a way to override NAT rules that software on client machines might create without specific human authorisation? Just asking out of curiosity.


#5

Drop-in mode is a common, easy way to deploy the Balance on the outside with a firewall on the inside doing access rules. With the Balance in NAT mode however, like with any NAT router you would first need to build an inbound path via port forwarding or a 1-1 NAT mapping.

Peplink has a stateful firewall for granular control of access rules once a path is built. For example, a 1-1 NAT mapping builds a path to open all ports. Now you can configure specific ports as needed to allow access to your internal devices. Typically once everything is working you would tighten things down but the default inbound firewall rule needs to be set to deny.


#6

Confused by your last statement about setting default rule to “deny”, since (if I’ve understood correctly) this will override any port forwarding rules defined (including UPnP/NAT-PMP).

May I ask a different question: what is the difference between a “Port Forwarding” entry and an inbound firewall allow rule? I can see that an inbound firewall rule allows you to specify a source IP or range as well as the destination host, but are they otherwise functionally the same? If the inbound rules offer a superset of functionality, why bother with the specific port forwarding entries at all? Or put differently: under what circumstances might I use one as opposed to the other? If I have a simple need to allow inbound access for a particular device (an alarm, in this case), is it better to use port forwarding or an inbound rule?
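The evaluation order that #2 and #5 describe (a NAT path must exist before the inbound firewall rules are even consulted, and the rules then narrow what that path opened) can be modelled in a few lines. The following is an added example written for this thread, not Peplink firmware code or its real rule syntax; the class and function names are hypothetical, the IP addresses are RFC 5737 documentation ranges constructed for the example, and the model ignores NAT translation details by identifying a path by the internal host it maps to. It also bears on #6's question: a port-forwarding entry creates the path, an inbound allow rule on its own creates nothing.

```python
# Added example (not Peplink's code): toy model of the inbound evaluation
# order described in this thread. Assumption: an inbound packet first needs a
# NAT "path" (port forwarding, 1-1 NAT mapping, or drop-in mode); only then are
# the ordered inbound firewall rules consulted, ending with the default rule.
# Names are hypothetical; IPs are RFC 5737 documentation ranges (constructed).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # marker meaning "all ports"


@dataclass
class InboundPath:
    """A port-forwarding entry or 1-1 NAT mapping to one internal host."""
    internal_ip: str
    ports: Optional[frozenset] = ANY  # ANY = every port (1-1 NAT / drop-in)

    def admits(self, dst_ip: str, dst_port: int) -> bool:
        return dst_ip == self.internal_ip and (self.ports is ANY or dst_port in self.ports)


@dataclass
class FirewallRule:
    """One ordered inbound firewall rule; first match wins."""
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"            # source network
    dst: str = "0.0.0.0/0"            # destination (internal) network
    ports: Optional[frozenset] = ANY

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.ports is ANY or dst_port in self.ports))


@dataclass
class Router:
    paths: list = field(default_factory=list)
    rules: list = field(default_factory=list)
    default_action: str = "allow"     # the default the thread asks about

    def evaluate_inbound(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        # dst_ip is the internal host the mapping would translate to.
        # Step 1: with no matching path the packet is dropped before the
        # firewall is consulted, which is why a default of "allow" is still safe.
        if not any(p.admits(dst_ip, dst_port) for p in self.paths):
            return "drop"
        # Step 2: the firewall narrows what the path opened: ordered rules,
        # first match wins, then the default rule.
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dst_port):
                return rule.action
        return self.default_action


SERVER = "192.168.1.10"      # constructed internal host
OUTSIDE = "198.51.100.5"     # constructed arbitrary Internet host
ADMIN_NET = "203.0.113.0/24"  # constructed "trusted" source range


def factory_default() -> str:
    """No paths, default allow: every unsolicited packet is dropped (post #1's scan)."""
    return Router().evaluate_inbound(OUTSIDE, SERVER, 3389)


def nat_1to1_no_rules() -> dict:
    """A 1-1 NAT mapping opens every port; default allow leaves it wide open."""
    r = Router(paths=[InboundPath(SERVER)])
    return {port: r.evaluate_inbound(OUTSIDE, SERVER, port) for port in (443, 22, 3389)}


def nat_1to1_tightened() -> dict:
    """Same mapping, specific allows above a default deny (post #5's advice)."""
    r = Router(
        paths=[InboundPath(SERVER)],
        rules=[
            FirewallRule("allow", dst=SERVER + "/32", ports=frozenset({443})),
            FirewallRule("allow", src=ADMIN_NET, dst=SERVER + "/32", ports=frozenset({22})),
        ],
        default_action="deny",
    )
    return {
        "https_anyone": r.evaluate_inbound(OUTSIDE, SERVER, 443),
        "ssh_outside": r.evaluate_inbound(OUTSIDE, SERVER, 22),
        "ssh_admin": r.evaluate_inbound("203.0.113.7", SERVER, 22),
        "rdp_anyone": r.evaluate_inbound(OUTSIDE, SERVER, 3389),
    }


def port_forward_only() -> dict:
    """Port forwarding opens only the listed port; an allow rule alone opens nothing."""
    r = Router(paths=[InboundPath(SERVER, frozenset({443}))],
               rules=[FirewallRule("allow", ports=frozenset({22}))])
    return {port: r.evaluate_inbound(OUTSIDE, SERVER, port) for port in (443, 22)}


if __name__ == "__main__":
    print(factory_default(), nat_1to1_no_rules(), nat_1to1_tightened(), port_forward_only())
```

Read against the thread: with no path defined, the default rule is never reached, so the shipped "allow any" is harmless; a 1-1 NAT mapping is where the inbound rules start to matter, and that is the situation in which specific allows above a default deny are worth configuring.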