Ports needed for web access

July 31, 2005 at 11:29:20

hello. I have a router (BEFW11S4) that I allow guests to connect to. It is plugged into one of the LAN ports of my main router which in turn goes to the internet. I want to restrict people who connect to the BEFW11S4 to only accessing the internet. I plan on doing this by blocking all ports except those needed for internet access. So my 2 questions are: will this method work successfully to prevent the guests from accessing anything other than an internet connection? And what ports should I leave open for internet access?

-Ryan Adams


July 31, 2005 at 11:39:27

If you want to block access to your LAN yet retain access to the Internet then you need a properly configured firewall to block access to the LAN from the BEFW11S4.

Just blocking ports will be hit and miss as there are just too many ports that may be needed. There are over 64,000 ports and any one of them might be needed for Internet access depending on what the user is doing.



July 31, 2005 at 11:56:00

I realize that. Basically I just want them to be able to use internet explorer to browse the web. So far this is the list I have come up with that should be open:

53, 80, 443, 631, and 8080

Those 5 ports should let the users access web pages and SSL sites and nothing else. Do I need any other ports open? Should I close any of those ports I listed?

(PS The port 8080 is open as the web configuration for the router is sent over port 8080)

-Ryan Adams


August 1, 2005 at 09:39:01

Dude, the only thing consistent about ports is the receiving end.

For example, if you're surfing this website right now, I KNOW you're connecting to the destination port of 80. However, what port your computer is using to connect to this site (source port) could be ANYTHING! This is how you can surf multiple websites at the same time. Your computer knows which data goes to which window by the differing source ports. For some fun, download ethereal and capture traffic as you surf multiple websites simultaneously.

In other words, your router to do this MUST support blocking connections by source port of the client machines, not destination port. I don't believe your router supports that.

Hint: This is NOT port forwarding!!!

"Republicans in Congress are moving to ratify a constitutional amendment to ban flag burning, thus ending the Iraq insurgency."


August 1, 2005 at 09:41:39

Sorry, that was a brain fart.

Your router must support blocking connections by the destination port to the internet, NOT source port of your client machines, since that could be anything.

"Republicans in Congress are moving to ratify a constitutional amendment to ban flag burning, thus ending the Iraq insurgency."


August 1, 2005 at 10:06:50

Just to test your idea I am responding to this post from behind the router with only those ports listed above open. I was able to load this page, load up Google News and Yahoo Mail and run a download bandwidth test all at the same time.

And btw, only one port is used on the client end for viewing web pages.

-Ryan Adams


August 1, 2005 at 10:57:24

In concept the ports you listed will work for just web pages. But there are some sites on the Internet (yes for just web pages) that will use a totally different port. The default for http is 80 but sometimes another port is used for various reasons. The by far greater majority of sites will use 80 though.
In my experience you will find some users complain about loading certain sites. The choice is, is that acceptable?
Also I take it that you will not allow downloading files via ftp? Otherwise port 21 will need to be open. The majority of file downloads are ftp. There are also some other Internet services (pop3 & ldap for email) that require other ports open.
If you (or the users) do not mind the limited access then they will work.


August 1, 2005 at 12:04:10

You're not following me.

When a computer connects to a website to surf the website, it connects to the server's port 80 by default. However, the client computer DOES NOT necessarily use its own port 80 to make the connection. It could use any of its 65,000 ports. It could use any port it wants to initiate the connection, and it is randomly chosen. Here's how it works...

Client machine: random port number, let's say 2310, connects to webserver's port 80.

SOHO routers are configured to allow everything out of the network, and nothing in unless the connection was initiated from the inside, in which case it allows it in, regardless of port forwarding rules.

Ex. I try to connect to your machine right now on port 80. Router checks port forwarding rules and sees no rule to forward the request, so BAM, connection denied.

However, you connect to my website, and my webserver then sends your computer HTML content, router allows it because your computer connected to my webserver first. Your port forwarding rules were irrelevant in that case!

In this case, you are trying to prevent users from connecting to any computer outside on the internet except for surfing the net.

Here are the facts about the traffic you want to allow:

The DESTINATION port of this traffic will be 80 for standard HTTP and 443 for HTTPS (SSL encrypted). However, YOUR CLIENTS will use random source ports. IE...

Client computer:random source port to webserver's destination port of 80 or 443.

Your router(s) will allow all outgoing connections so they will be able to do virtually ANYTHING if they initiate the connection, whether it be surf the net, run Kazaa, chat, play games, etc. However, if you set up port forwarding for port 80 and 443, now you're allowing outside computers to initiate connections to your internal computers on those ports. You didn't want that either.

Most SOHO routers will regulate only connections initiated from the outside in, not the inside out. You are trying to regulate connections from the inside to the outside, which your router probably doesn't do. Port forwarding IS NOT regulating from the inside out, only the outside in.

Again, a port forwarding rule for 80 means ONLY that an outside machine can connect to an inside machine via port 80, which is used to allow an outside machine to connect to an internal web server on your network. That's not what you wanted, is it?

"Republicans in Congress are moving to ratify a constitutional amendment to ban flag burning, thus ending the Iraq insurgency."

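The distinction the post above draws (a destination-port allow list plus connection state, versus the mistaken idea of judging the client's random source port) as an added example that is not part of the original thread. Addresses, the guest subnet and the home LAN prefix are constructed; the allow-listed ports are the ones Ryan listed.

```python
import random
from dataclasses import dataclass

# Constructed addresses: guest subnet behind the BEFW11S4 and the home LAN behind the main router.
GUEST_NET = "192.168.2."
HOME_LAN = "192.168.1."
WEB_PORTS = {53, 80, 443, 8080}          # the destination-port allow list from the thread

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class GuestFilter:
    """Destination-port allow list plus connection state, the way a SOHO router applies it."""
    def __init__(self):
        self.sessions = set()            # 4-tuples of connections a guest has opened

    def outbound(self, p: Packet) -> bool:
        if p.dst_ip.startswith(HOME_LAN):   # a port list alone does not protect the LAN,
            return False                     # so the home network is denied explicitly
        if p.dst_port not in WEB_PORTS:     # judge the server's port, never the client's
            return False
        self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return True

    def inbound(self, p: Packet) -> bool:
        # Replies are matched against state; an unsolicited inbound connection has no entry.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions

def browse(fw: GuestFilter, server: str = "203.0.113.10", port: int = 80):
    """A guest opens a web connection from a random ephemeral source port, as the thread describes."""
    sport = random.randint(1024, 65535)
    client = GUEST_NET + "50"
    out = fw.outbound(Packet(client, sport, server, port))
    reply = fw.inbound(Packet(server, port, client, sport))
    return out, reply

def source_port_rule(p: Packet) -> bool:
    """The rule the thread rejects: allow traffic only when the client's own source port is a web port."""
    return p.src_port in WEB_PORTS
```

Running `browse` shows the browser's random source port never matters to the filter, while `source_port_rule` blocks an ordinary web request because its source port is 2310, not 80.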

August 1, 2005 at 14:28:05

Paracomp: Yes I realize that. I don't want people downloading a bunch of crap over my network, so port 21 is staying closed. Same goes for POP3 etc. Besides they can usually use web access for mail. And I forgot to mention I have port 80, 81, and 8080 open for http traffic. So I think I should be ok with those.

And as for this other person, I see what you are saying, sort of, but trust me blocking ports at the router level does work.

-Ryan Adams


August 1, 2005 at 15:36:30

Not trying to flame but he said earlier:
"Basically I just want them to be able to use internet explorer to browse the web"
He did not mention anything about protecting his inside network or setting a firewall, just limiting outgoing access, presumably to limit bandwidth usage. (Ryan???) In that case what he is doing will work.


August 1, 2005 at 15:39:48

How are you doing it in the router?

I'm not saying you can't. I'm only saying if your router only has port forwarding features, then what you are doing isn't doing what you want to accomplish.

"Republicans in Congress are moving to ratify a constitutional amendment to ban flag burning, thus ending the Iraq insurgency."


August 1, 2005 at 15:42:00

Well bandwidth and security. See what happens is, a friend or relative comes over and says "Oh, can I use your network to check my mail?" My network has mac filtering, static IPs, encryption and custom routing tables. Trying to add another computer to that set up temporarily so they can check their mail is a huge pain in the a$$. So, this way, I can have a second router which is easy to connect to (no encryption, no mac filtering, DHCP, etc.) but doesn't allow anyone to just drive by my house and get into all my files and computers.

-Ryan Adams


August 1, 2005 at 17:52:06

I meant where in the router setup are you filtering the traffic?

"Barbra Streisand hasn't ruined the culture since Yentl."


August 1, 2005 at 22:10:53

There is a port filtering feature on the BEFW11S4. It lets me select port ranges to block.

-Ryan Adams
