Ask the Expert

Configuring router ACLs and firewall policy

Unlike most Web servers, I need mine open to a select set of single and range IP addresses, on port 80 only. When these addresses are entered into the firewall and the IIS 5.0 IP address and domain name restrictions (where all ip's are DENIED ACCESS except those listed) then my users are not able to get to the Web site. However if the Web site is open to all traffic all ports at the firewall, and restricted at the IIS server in the same manner as above, then they are able to get to the Web site. Any thoughts as to why this could be happening?

The only conclusion that I can come to is that some sort of verification is taking place between my server and the requesting IP that is occurring on something other than port 80. Does this make sense?

    Requires Free Membership to View

First, if your Web servers are accessed by a "set of single and range IP addresses" only - then consider changing the default port of 80 to a unique port (see http://www.iana.org/assignments/port-numbers) at a minimum. Second, properly configure your router ACLs and firewall policy to only allow (above) IP's through. Your Web servers should not be running FTP server, Telnet server, SMTP server, etc. Third, make sure that TCP/IP filtering is properly set on your Web servers. The culprit exists in an improper 1) firewall rule, 2) Web server IP filtering, or 3) static translation statement.

This was first published in May 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: