Fusionhub solo firewall default inbound rule "allow all" vs. "deny all".

I wish there had been another reply in this thread https://forum.peplink.com/t/balance-one-default-inbound-firewall-rule-allow-any as I also find thinking about the default inbound rule being “allow all” (but noting that it’s not used except in the three cases [quote]The inbound firewall rules only apply to the following types of traffic:

  • Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
  • Inbound traffic that is defined in Inbound Services
  • Inbound traffic that is defined in Inbound NAT Mappings[/quote]
    to be a bit confusing to my mind tonight.

Thinking about this tonight in regard to a fusionhub solo.

If the fusionhub solo is installed in a cloud instance and has no individual specific port forwarding rules enabled, then the default incoming rule “allow all” won’t leave it unprotected and will function the same as if it was set to “deny all”, is that correct?

Is there any benefit to setting the default incoming rule to “deny all” on a fusionhub solo?

Can someone give some examples of when you would want to set the default inbound rule to “deny all” instead of “allow all” for a fusionhub solo.

Would you only change the default inbound “allow all” to “deny all” if you wanted to specifically port forward and then wanted to limit access using a firewall rule to a specific client IP for example?

Do the inbound rule come into play before the speedfusion handshake also? (would the speedfusion handshake or gui access be under one of the three above items? Are there any other items to consider when choosing the default inbound rule to be allow all or deny all?)

Many thanks.

If I ever had a day without complications to think about this, it would probably be clearer. As it is, is there anything I can look at quickly to come to terms with either leaving the default rule “allow all” or changing it to “deny all” on a Fusionhub where the setup is Internet - Fusion Hub - One Balance

Short answer… use Deny ALL for inbound and don’t change it.
Long answer…
Here’s my FusionHub rules which provides internet to the house and has one inbound rule for access to my Xbox, which I redacted from the image for security reasons.

To allow something inbound, you need both a port forward (NAT), and a firewall rule allowing it. You don’t want to allow anything inbound in the firewall, even if you haven’t setup a port forward, because then you are relying on NAT to protect you rather than a firewall. A hacker can defeat NAT protection by piggybacking on a port you are currently using.

Your SpeedFusion handshake uses the local service rules and not the inbound rules.


Thanks very much! Perfect.

Final question (I think) – if I want to allow access to the fusionhub web admin from the internet so I don’t lock myself out if something were to go wrong with the speedfusion connection, do I need a specific inbound allow rule for port 443 on the fusionhub itself? Or is the web admin accessible despite the inbound firewall rule settings like the speedfusion handshake?

The 443 is included in the Local Service Firewall Rules. Somewhere in this forum is a complete list of whats in the local service rules, but you can think of it as anything hosted by the OS itself. IE, 4500 for SpeedFusion Data, 32015 for handshake, 443 for SSL Web Admin.


1 Like