  1. #1
    Newbie
    Join Date
    Apr 2017
    Posts
    12

    Open Port vs. Port Forward?

    In the firewall, what's the difference between opening a port to a specific IP and setting a port forward? What takes precedence if both rules are set?

  2. #2
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    5,652


    If you are using NAT, by default all incoming ports are closed. Port forward opens an outside port for incoming traffic to a specific device on the LAN.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Apr 2017
    Posts
    12


    Yes, I understand that part. But how does that differ from setting up a firewall that opens up the same port to a specific IP? And actually, to clarify, I'm coming from a slightly router environment. I just noticed that Untangle doesn't seem to have the exact same firewall setup. But in my previous environment, I could set up port forwards in the standard way of specifying an incoming port and then the destination IP. But in the firewall menu, I could do exactly that with a firewall rule. So as an example:

    Port Forward Menu: Port 80 Open to Destination IP 192.168.1.200

    Firewall Menu: Port 80 Open to Destination 192.168.1.200

    I just noticed that Untangle does not seem to let us specify a port and IP in the same firewall rule. Is this to prevent redundancy when creating a port forward from the port forward menu?

    Both menus look pretty much the same. I've seen this on a few different router configurations. I'm just curious as to what the difference is, if any?

  4. #4
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    15,775


    The "firewall" is rules for blocking or allowing sessions. When a session is created the firewall rules are evaluated and the session is allowed or blocked based on the result of the firewall rules. The same applies for the forward filter rules.

    "Port forward rules" serve a totally different purpose. They rewrite the destination address to some other address. 99% of the time this is rewriting your public address to some internal address. If Untangle is doing NAT, then because of the nature of NAT, inbound connections are blocked if they don't have a port forward because there is nowhere to send them. However, a port forward doesn't really "open" anything technically; it serves an entirely different purpose.

    Most people run as a router (with NAT) and only care about ingress filtering. Since NAT blocks all inbound sessions by its nature, usually the firewall is not necessary at all and is only used for egress filtering. However, you can use it for an extra layer of ingress filtering if desired.

    And yes, you can specify as many conditions as you want in a rule, including dest and port.
    Last edited by dmorris; 04-19-2017 at 08:15 AM.

  5. #5
    Newbie
    Join Date
    Apr 2017
    Posts
    12


    Ah, thank you much for the explanation. Knowing the nature of the two functions helps me understand it better. So given that, say if I were to have a few port forward rules running, but my firewall explicitly blocked them, then the port forward would essentially fail, correct?

  6. #6
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    15,775


    Quote Originally Posted by htc4668:
        Ah, thank you much for the explanation. Knowing the nature of the two functions helps me understand it better. So given that, say if I were to have a few port forward rules running, but my firewall explicitly blocked them, then the port forward would essentially fail, correct?
    Well, it will still show up in the port forward events because it was technically forwarded; it's just the firewall then blocked it.
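The evaluation order dmorris describes in #4 and #6 (a port forward only rewrites the destination, with NAT an inbound session that matches no forward has nowhere to go, and a forwarded session still produces a forward event even when the firewall then blocks it) as a small constructed model. This is an added example, not Untangle's code; the addresses, ports, rule shapes and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the inbound path described in the thread; the WAN
# address, internal host and rule fields below are made-up sample values.
PUBLIC_IP = "203.0.113.10"  # the appliance's own WAN address (sample value)

@dataclass
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    events: List[str] = field(default_factory=list)

@dataclass
class PortForward:
    public_port: int
    new_ip: str
    new_port: int

@dataclass
class FirewallRule:
    action: str                    # "block" or "pass"
    dst_ip: Optional[str] = None   # None = condition not set in the rule
    dst_port: Optional[int] = None

def apply_port_forwards(s: Session, forwards: List[PortForward]) -> None:
    """DNAT step: only rewrites the destination; it allows or blocks nothing."""
    for f in forwards:
        if s.dst_ip == PUBLIC_IP and s.dst_port == f.public_port:
            s.events.append(f"forward {s.dst_ip}:{s.dst_port} -> {f.new_ip}:{f.new_port}")
            s.dst_ip, s.dst_port = f.new_ip, f.new_port
            return

def evaluate_firewall(s: Session, rules: List[FirewallRule]) -> str:
    """Firewall step, run on the already-rewritten destination; first match wins."""
    for r in rules:
        if r.dst_ip in (None, s.dst_ip) and r.dst_port in (None, s.dst_port):
            s.events.append(f"firewall {r.action}")
            return r.action
    s.events.append("firewall pass (no rule matched)")
    return "pass"

def process(s: Session, forwards: List[PortForward], rules: List[FirewallRule]) -> Tuple[str, List[str]]:
    """Full inbound path: DNAT, then the NAT 'nowhere to send it' drop, then firewall."""
    apply_port_forwards(s, forwards)
    if s.dst_ip == PUBLIC_IP:  # no forward matched: with NAT there is no inside host to deliver to
        s.events.append("dropped: no port forward, nowhere to send it")
        return "block", s.events
    return evaluate_firewall(s, rules), s.events
```

A firewall "pass" rule for 192.168.1.200:80 with no matching port forward never fires in this model, because the session is dropped before the firewall sees it; a port forward plus a block rule produces both a forward event and a block.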

  7. #7
    Newbie
    Join Date
    Apr 2017
    Posts
    12


    Got it, thank you! *thumbsup!*
