In this scenario, the configuration has been set up to block TCP port 4433 for outgoing traffic. A custom service object for the port is created first, then an outbound firewall policy that references that service with the action set to Deny.
Access the FortiGate web interface:
- Go to Policy & Objects -> Services -> Create New and define a custom service for the port to block (for example TCP port 4433). Note that a TCP-only service does not cover UDP on the same port.
- Go to Policy & Objects -> IPv4 Policy (Firewall Policy on newer firmware).
- Select Create New to set up a new firewall policy.
Adjust the following settings:
- Incoming Interface: the interface where the traffic originates (the LAN side).
- Outgoing Interface: the interface the traffic is intended to leave from (the WAN side).
- Source Address: the source IP address or range, or all.
- Destination Address: the destination IP address or range, or all.
- Service: the custom service created above.
- Action: Deny, so that matching traffic is dropped.
- Log Violation Traffic: enable it so the denied sessions appear in the forward traffic log.
Save the new firewall policy, then make sure it sits above any policy that would otherwise allow the same traffic: policies are evaluated top-down and the first match wins, so a deny policy placed below a broad accept policy is never reached.
In the CLI:

config firewall service custom
    edit "custome-port"
        set tcp-portrange 4433
    next
end

config firewall policy
    edit 4
        set name "block_4433"
        set srcintf "port3"        <- LAN interface
        set dstintf "port1"        <- WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "custome-port"
        set action deny
        set logtraffic all
    next
end

In this example, the policy is configured from LAN (port3) to WAN (port1). The policy ID (4) is the one reported in the debug flow output when the packet is denied. Because the service object is TCP-only, UDP traffic to port 4433 is not affected by this policy.
Once the traffic reaches the FortiGate, it is dropped by the policy. The debug flow and sniffer outputs for port 4433 are shown below.
Debug flow:
FGT-GRG #
id=65308 trace_id=1 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:55925->142.250.203.238:4433) tun_id=0.0.0.0 from port3. flag [S], seq 568628668, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6127 msg="allocate a new session-00006729"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.5.31.254 via port1"
id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=1 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 4)"
id=65308 trace_id=2 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:55925->142.250.203.238:4433) tun_id=0.0.0.0 from port3. flag [S], seq 568628668, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=6127 msg="allocate a new session-00006739"
id=65308 trace_id=2 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.5.31.254 via port1"
id=65308 trace_id=2 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=2 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 4)"
Sniffer:
FGT-GRG # diagnose sniffer packet any "port 4433" 4 0 l
Using Original Sniffing Mode:
interfaces=[any] filters=[port 4433]
2024-08-31 16:33:13.155302 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:14.170127 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:16.185680 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:20.185948 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:28.217697 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
^C
5 packets received by filter
0 packets dropped by kernel
All five SYNs are seen entering on port3 and none is seen leaving on port1: the SYN is never forwarded. Because the FortiGate drops the packet silently rather than answering with a RST, the client keeps retransmitting the same SYN (same sequence number 568628668) at roughly 1, 2, 4 and 8 second intervals until it gives up. Seeing the same SYN on port1 in this capture would mean the deny policy is not matching, usually because an accept policy above it matches first.
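The two outputs above are what a practitioner reads to confirm the block took effect. The following script is an added example, not FortiGate code: it parses debug-flow and sniffer text of the form shown in this article (the embedded sample is constructed to mirror the article's output, not a live capture) and reports which policy denied the flow, whether any packet for the port left the WAN interface, and whether the client's SYN retransmissions show the silent-drop pattern. The interface names port3/port1 and the port number are parameters; the regular expressions are written against the message formats visible above and may need adjusting for other FortiOS versions.

```python
"""Verify a FortiGate port-block from debug-flow and sniffer text.

Added example, not FortiGate code: it parses the two outputs the article
shows (diagnose debug flow and diagnose sniffer packet) and reports which
policy denied the flow, whether any packet for the port left the WAN
interface, and whether the client's SYN retransmissions look like a silent
drop. The sample text below is constructed to mirror the article's output.
"""
import re
from datetime import datetime

# Constructed sample output (modelled on the article, not a live capture).
DEBUG_FLOW = """\
id=65308 trace_id=1 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:55925->142.250.203.238:4433) tun_id=0.0.0.0 from port3. flag [S], seq 568628668, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6127 msg="allocate a new session-00006729"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.5.31.254 via port1"
id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=1 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 4)"
"""

SNIFFER = """\
interfaces=[any] filters=[port 4433]
2024-08-31 16:33:13.155302 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:14.170127 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:16.185680 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:20.185948 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:28.217697 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
5 packets received by filter
"""

TRACE_RE = re.compile(r"trace_id=(?P<tid>\d+)")
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) "
    r"tun_id=\S+ from (?P<intf>\w+)\.")
ROUTE_RE = re.compile(r"find a route: .*via (?P<out>\w+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")
# Verbosity-4 sniffer line: "<date> <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> [seq]"
SNIFF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<intf>\w+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\w+)(?: (?P<seq>\d+))?")


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id into one record per traced packet."""
    traces = {}
    for line in text.splitlines():
        tm = TRACE_RE.search(line)
        if not tm:
            continue
        t = traces.setdefault(int(tm["tid"]),
                              {"out_intf": None, "verdict": None, "policy": None})
        pm = PKT_RE.search(line)
        if pm:
            t.update(src=pm["src"], dst=pm["dst"], in_intf=pm["intf"],
                     proto=int(pm["proto"]), dport=int(pm["dport"]))
            continue
        rm = ROUTE_RE.search(line)
        if rm:
            t["out_intf"] = rm["out"]
            continue
        dm = DENY_RE.search(line)
        if dm:
            t["verdict"], t["policy"] = "deny", int(dm["pid"])
    return traces


def parse_sniffer(text):
    """Parse verbosity-4 sniffer lines; banner and summary lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = SNIFF_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M:%S.%f")
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        pkts.append(p)
    return pkts


def verify_block(debug_text, sniffer_text, lan, wan, port):
    """Return the evidence that a block of TCP `port` from `lan` to `wan` is working."""
    traces = parse_debug_flow(debug_text)
    pkts = [p for p in parse_sniffer(sniffer_text) if p["dport"] == port]
    lan_syns = [p for p in pkts if p["intf"] == lan and p["dir"] == "in"
                and p["flags"] == "syn"]
    wan_out = [p for p in pkts if p["intf"] == wan and p["dir"] == "out"]
    denied_by = {t["policy"] for t in traces.values()
                 if t.get("dport") == port and t["verdict"] == "deny"}
    # A silently dropped SYN is retransmitted with the same sequence number at
    # growing intervals; a RST or SYN-ACK would have stopped the retries.
    distinct = {(p["src"], p["sport"], p["dst"], p["seq"]) for p in lan_syns}
    gaps = [round((b["ts"] - a["ts"]).total_seconds())
            for a, b in zip(lan_syns, lan_syns[1:])]
    return {
        "denied_by": denied_by,                    # policy IDs that dropped the flow
        "lan_ingress_syns": len(lan_syns),
        "wan_egress": len(wan_out),                # must be 0 for a working block
        "retransmissions": len(lan_syns) - len(distinct),
        "backoff_seconds": gaps,
        "blocked": bool(denied_by) and not wan_out,
    }


if __name__ == "__main__":
    print(verify_block(DEBUG_FLOW, SNIFFER, lan="port3", wan="port1", port=4433))
```

To use it on a real device, paste the text captured from `diagnose debug flow` and from `diagnose sniffer packet any "port 4433" 4 0 l` into the two strings (or read them from files) and call `verify_block` with your LAN and WAN interface names. A non-zero `wan_egress` means the deny policy is not matching and the packet is being forwarded; an empty `denied_by` with SYNs still arriving means the flow is being handled by some other policy, which is the moment to check policy order.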