Close port 445

[PunchCardBoss]

You don't need to say "outbound" because all traffic is going to be outbound.

For your port 445 example: "Blocks TCP traffic to port 445 at any address on the WAN".

Your 192.168.100.200 example is ambiguous. If your LAN is 192.168.100.x then it's wrong, otherwise it's OK.

Your 93.158.145.28 example is invalid because it's not a local address.

YEAAAA. I cannot begin to describe how happy I am when I saw your reply. I think I've finally got it.

For the longest time, I have been looking at the NSF from purely a theoretical point of view. And (if I may presume), your comments are from a practical use-case point of view. And (I think) I now understand why beginners have so many problems understanding and asking for NSF help.

I don't claim to understand every comment you have made, but I now understand a bunch of them.

So, I have been writing and re-writing my document many times as I go through this learning curve. So, here is what I have written so far for a novice audience. It is still a work in progress. Please critique and comment.

=================================================

A Guide for Asus Router “Network Service Filter” Deny List​

General Description:
All communication packets entering a router contain Source and Destination information (https://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/) . Your router reads this information to know where a communication packet comes from (source or origin) and where it is to be “routed” (destination). The Network Service Filter (NSF) has the ability to block the routing of communication packets. Thus, it is often referred to as an “outbound” filter.

The Asus NSF found under the Firewall menu is one of the most powerful filters. Whereas the Firewall filter blocks inbound traffic by domain names or specific words, the NSF blocks outbound communication packets by IP address and/or port number.

It is important to note that the majority of communication packets originating from WAN will not have an IP address. Packets originating from a static WAN IP may be the only use-case exception. And even in this remote situation, an NSF record using just a Destination IP and/or Port Range will be effective.

Similarly, a WAN Destination IP field is equally rare. Thus, for the vast majority of use-cases, the NSF is used for LAN-to-LAN filtering. Destination IP and/or Port Range are the most common fields used for a filter.

The Filter
The Asus NSF has 4 fill-in-the-blank fields plus a Protocol drop-list field. In this document, one row of fields is referred to as a “record” and represents a filter criterion. From a logic perspective, each field operator is an “AND” (not “OR”) logic condition. In other words, every non-blank field must be found in a communication packet for a filter record to apply. Further, an NSF record may (indeed often) consist of a single field entry that adequately defines a unique deny condition.

Lastly, observe that the Asus NSF has two “Port Range” field labels. To differentiate them in this document, the term “External” and “Internal” have been added. The External Port Range is associated with a Source IP whereas the Internal Port Range is associated with a Destination IP.

------------------------------------------------------------------------

 

[ColinTaylor]

It is important to note that the majority of communication packets originating from WAN will not have an IP address. Packets originating from a static WAN IP may be the only use-case exception. And even in this remote situation, an NSF record using just a Destination IP and/or Port Range will be effective.

This is incorrect. All IP packets always contain both a source address and a destination address. Additionally, as we're only talking about TCP and UDP packets here there will also always be both a source port and a destination port.

Similarly, a WAN Destination IP field is equally rare.

Equally as rare as what?

Thus, for the vast majority of use-cases, the NSF is used for LAN-to-LAN filtering.

This is also incorrect. Repeat the following out loud 10 times: "The Network Services Filter only affects LAN to WAN traffic."

Lastly, observe that the Asus NSF has two “Port Range” field labels. To differentiate them in this document, the term “External” and “Internal” have been added. The External Port Range is associated with a Source IP whereas the Internal Port Range is associated with a Destination IP.

This is the wrong way around. Source addresses/ports are internal to your network. Destination addresses/ports are external to your network (e.g. the internet).

@PunchCardBoss I can't help but think that you're making this more complicated than it really is. Traffic goes from a source (on the LAN) IP:port to a destination (on the WAN) IP:port. That's it! It's really that simple. The NSF allows you to block traffic based on 1 or more of those 4 fields.

Note that I'm deliberately using the term WAN rather than internet. In most cases they will be the same thing.

 

[bennor]

Please critique and comment.

OK where to start. First as repeated stated Network Services Filter is LAN to WAN not LAN to LAN. Again LAN to WAN! One can easily test this for themselves by trying to block a destination on their local LAN.

You are making assumptions on use cases or general use when stating things like; "WAN Destination IP field is equally rare". And are wrong to state; "vast majority of use-cases, the NSF is used for LAN-to-LAN filtering". Again Network Services Filter is LAN to WAN.

You have added extra labeling to the Port Range fields in your graphic that will only serve to confuse people cause of the labels used. You use External Port Range for Source IP and Internal Port Range for Destination IP. General convention is inside the LAN is "internal" and for WAN it is "external" since it is outside the LAN. Really is no need for the extra labeling on those two fields anyway.

Having played with Network Services Filter for a few minutes, its easy to way overthink how it operates. The Network Services Filter is really a very basic and simple concept; block or allow port traffic from LAN to WAN. It doesn't help that Asus uses a WAN IP address as a Source IP address when in reality it should be a private space LAN IP address that gets input into the Source IP field. Not even sure how the Port Range field to the right of Source IP is supposed to work since in my quick testing only putting values in Port Range field to the right of Destination IP field seems to work for block access. (shrugs)

 

[criminala]

Important to keep in mind is indeed that this filter only affects LAN to WAN traffic .

To add to my initial question regarding port 445 :
you can test if the router properly blocks 445 requests with the use of http://portquiz.net:445/ .

Now I am sure no 445 requests are being made .
Also the Microsoft patch is out by now . It can be installed by opening word/excel , menu file - account - update button .

 

[PunchCardBoss]

@PunchCardBoss I can't help but think that you're making this more complicated than it really is.

Now that I have made a complete @ss of myself, I admit I have been looking at this upside-down and inside out. So, 2 steps backward -- unlearn wrong things -- one step forward.

Note that I'm deliberately using the term WAN rather than internet. In most cases they will be the same thing.

General convention is inside the LAN is "internal" and for WAN it is "external" since it is outside the LAN. Really is no need for the extra labeling on those two fields anyway.

It doesn't help that Asus uses a WAN IP address as a Source IP address when in reality it should be a private space LAN IP address that gets input into the Source IP field.

Yep - I trapped myself in a naïve understanding of LAN vs WAN. And, as a result, connected dots where there were none. - my bad.

Well, I am not giving up. So, new copy below - just a little at a time so I get things right before going on.

Critique and comments welcomed...
====================================
General Description:
All communication packets entering a router contain Source and Destination information (https://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/) . Your router reads this information to know where a communication packet (traffic) comes from (source or origin) and where it is to be “routed” (destination). The Network Service Filter (NSF) has the ability to block the routing of communication packets. Thus, it is often referred to as an “outbound” filter.

It is important to note that the NSF is ONLY designed to filter LAN (source) to WAN (destination) traffic. For many home users with a basic network, this statement may seem a bit odd because WAN often implies Internet addresses with domain names. More accurately, LAN IPs, are only those IPs defined by your router: “IP Address” and “Subnet Mask” on the LAN > LAN IP router GUI page. WAN is everything else, including other local or near-by networks [?is this correct? =>] such as VLANs and Asus Guest WiFi.
.....
[I tested this with my printer IP]
...Even though the Asus NSF will permit putting a LAN address into the Destination IP field, the underlying code of the NSF will ignore it. [?is this true for the ALLOW NSF filter too?].
=====================================

Not even sure how the Port Range field to the right of Source IP is supposed to work since in my quick testing only putting values in Port Range field to the right of Destination IP field seems to work for block access. (shrugs)

Hmmmm...
Been wondering about that myself and trying to imagine a use-case. But since I have bigger dragons to slay, I will put a pin in that one.