#1 SirBC (Master Untangler; joined May 2008; San Carlos, CA; 115 posts)

Source Interface matchers

I have been using Source Interface as a matcher in most of my port forwards. It was mentioned that we should not be using these going forward.

    I would like to use a port forward rule that locks down an open port to one external IP and was wondering how to set that rule up without using Source Interface.

    My rule is currently:

    Destination Port: 443
Protocol: TCP
    Source Address: x.xx.xx.xx
    Source Interface: External

    Should I just remove the Source Interface and the rule would still work correctly?

#2 hlarsen (some dude; joined Jul 2010; sfba; 1,384 posts)

That rule should work without Source Interface.

#3 SirBC (Master Untangler; joined May 2008; San Carlos, CA; 115 posts)

    Great, I'll give that a shot.

#4 dwasserman (Untangle Ninja; joined Jun 2008; Argentina; 4,371 posts)

The destination address is missing in the rule if it is for port forwarding. Where would you like to forward to?
    The world is divided into 10 kinds of people, who know binary and those not

#5 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 26,488 posts)

    I have used, and continue to use source interface. It isn't that you shouldn't use it, it's that you need to be aware that use of that match makes port forwards behave in a specific way. That is, they don't work unless the session starts on the listed interface. This can make troubleshooting things annoying as users use that flag, and then wonder why the port forward doesn't work from inside the network.

I also suggest you add a destination address to that rule, as it will otherwise match all traffic sourced from the address in question that happens to be terminating on TCP 443.

    The three matches that are present in each of my port forward rules:

    1.) Destination Address (Or Destined Local)
    2.) Protocol
    3.) Destination Port

    I can't see a port forward rule being complete without those three directives. Other directives can be added, but these three are where you start.
    Last edited by sky-knight; 06-12-2012 at 04:14 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
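
The matcher semantics discussed in this post, as an added illustration that is not Untangle code and not part of the thread: a tiny rule evaluator run over constructed sessions. The rule representation, the field names (src_intf, src_addr, dst_addr and so on) and the addresses are all assumptions; it shows why the rule as posted matches pass-through traffic that merely ends on TCP 443, and why a Source Interface matcher makes a forward miss sessions started from inside.

```python
# Added illustration only; not Untangle code. Rule format, field names and
# addresses are assumptions chosen to mirror the matchers named in the thread.
from typing import Dict, List

Session = Dict[str, str]
Rule = List[Dict[str, str]]  # a rule fires only when every matcher matches


def rule_matches(rule: Rule, session: Session) -> bool:
    """True when each matcher's value equals the corresponding session field."""
    return all(session.get(m["field"]) == m["value"] for m in rule)


def applied_rules(rules: Dict[str, Rule], session: Session) -> List[str]:
    """Names of the rules that would fire for this session, in table order."""
    return [name for name, rule in rules.items() if rule_matches(rule, session)]


# Constructed addresses (documentation ranges): 198.51.100.10 plays the
# firewall's external IP, 203.0.113.5 the single external host to be allowed.
BASE: Rule = [  # the three matchers sky-knight starts every forward from
    {"field": "dst_addr", "value": "198.51.100.10"},
    {"field": "protocol", "value": "TCP"},
    {"field": "dst_port", "value": "443"},
]
RULES: Dict[str, Rule] = {
    "as_posted": [  # SirBC's rule: no Destination Address, Source Interface set
        {"field": "dst_port", "value": "443"},
        {"field": "protocol", "value": "TCP"},
        {"field": "src_addr", "value": "203.0.113.5"},
        {"field": "src_intf", "value": "External"},
    ],
    "base": BASE,
    # Same three matchers, but only sessions starting on External may match.
    "base_plus_src_intf": BASE + [{"field": "src_intf", "value": "External"}],
    # What SirBC wants: the base matchers plus the lock to one external IP.
    "locked_down": BASE + [{"field": "src_addr", "value": "203.0.113.5"}],
}

# Constructed sessions.
FROM_ALLOWED_HOST: Session = {"src_intf": "External", "src_addr": "203.0.113.5",
                              "protocol": "TCP", "dst_addr": "198.51.100.10", "dst_port": "443"}
# Same host, but bound for some other HTTPS server beyond the firewall.
PASSING_THROUGH: Session = dict(FROM_ALLOWED_HOST, dst_addr="192.0.2.80")
# A LAN host testing the forward against the public IP from inside.
FROM_INSIDE: Session = dict(FROM_ALLOWED_HOST, src_intf="Internal", src_addr="10.0.0.7")

if __name__ == "__main__":
    for label, s in [("allowed", FROM_ALLOWED_HOST), ("pass-through", PASSING_THROUGH),
                     ("inside", FROM_INSIDE)]:
        print(label, applied_rules(RULES, s))
```

The pass-through session fires only "as_posted", which is the over-match sky-knight warns about; the inside session fires "base" but not "base_plus_src_intf", which is the Source Interface behaviour he describes.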

#6 SirBC (Master Untangler; joined May 2008; San Carlos, CA; 115 posts)

    Thanks guys. I do have a destination address, but not as one of the dropdown selections. It's at the bottom in the field, "Forward traffic to the following location".

#7 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 26,488 posts)

    Destination Address is not the same thing as the new destination.

#8 dwasserman (Untangle Ninja; joined Jun 2008; Argentina; 4,371 posts)

You are right, my mistake.
