Source Interface matchers

[SirBC]

I have been using Source Interace as matchers in most of my port forwards. It was mentioned that we should not be using these going forward.

I would like to use a port forward rule that locks down an open port to one external IP and was wondering how to set that rule up without using Source Interface.

My rule is currently:

Destination Port: 443
Protocl: TCP
Source Address: x.xx.xx.xx
Source Interface: External

Should I just remove the Source Interface and the rule would still work correctly?

[hlarsen]

that rule should work without source interface.

[SirBC]

Great, I'll give that a shot.

[dwasserman]

The destination address is missing in the rule if it is for port forwarding, where you like to forward?

[sky-knight]

I have used, and continue to use source interface. It isn't that you shouldn't use it, it's that you need to be aware that use of that match makes port forwards behave in a specific way. That is, they don't work unless the session starts on the listed interface. This can make troubleshooting things annoying as users use that flag, and then wonder why the port forward doesn't work from inside the network.

I also suggest you add a destination address to that rule, as it will match all traffic sourced from the address in question, and happens to be terminating on TCP 443.

The three matches that are present in each of my port forward rules:

1.) Destination Address (Or Destined Local)
2.) Protocol
3.) Destination Port

I can't see a port forward rule being complete without those three directives. Other directives can be added, but these three are where you start.

[SirBC]

Thanks guys. I do have a destination address, but not as one of the dropdown selections. It's at the bottom in the field, "Forward traffic to the following location".

[sky-knight]

Destination Address is not the same thing as the new destination.

[dwasserman]

Yours are right, my mismatch.