How to block ports?

  • Updated 1 year ago
I need to block some standard VPN ports on the Ruckus. I think blocking these ports will keep most of the VPN apps under control, and will give us a trail of breadcrumbs to see who's trying to VPN. How do I do this? Step-by-step directions would be fantastic!

UDP/80
UDP/443
UDP/500
TCP/1723
UDP/4500
Andy Emerine

Posted 1 year ago

Max O'Driscoll, AlphaDog
On ZD: configure > access control > L2-L7 Access control > L3/4 IP address Access control

screenshot below
caveat: test, test again and beware of unintended consequences when you start denying things or rely on "deny" as a form of firewall security!
...you have to name the rule and then apply it to a WLAN (or several).

Edit WLAN and apply relevant rule in drop down of access control.
Andy Emerine
How do I specify UDP or TCP?
Max O'Driscoll, AlphaDog
That's why I suggested testing. The ZD is not that granular - it is not a firewall and is not intended as such. The protocol list is fairly limited and probably doesn't cover your needs.

Typing 80 into port and UDP into the protocol box produces this response...so if you know the correct numbering scheme then you might get further along. Have fun.

Max O'Driscoll, AlphaDog
From the Ruckus ZD help manual (the 4th bullet point is the one you need):

=======================
Define each access policy by configuring a combination of the following:

• Type: The access privilege (allow or deny) that this policy grants.

• Destination Address: Enter an IP subnet and netmask of the network target to which you want to allow or deny access. (IP address must be in the format A.B.C.D/M, where M is the subnet mask.) Otherwise, select Any. For example, if you enter 192.168.0.1/24, the rule would allow or deny the entire Class C subnet. To allow/deny a single host, use /32 as the netmask.

• Application: If you select a specific application from the menu, the Protocol and Destination Port options are automatically filled with the relevant values and are not configurable.

• Protocol: Enter a network protocol number (0-254), as defined by the IANA (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) to allow or deny. Otherwise, select Any.

• Destination Port: Enter a valid port number (1-65534) or port range (e.g., 80-443).
========================

UDP is 17 on that (IANA) list. Perhaps you can make this work. I've learned something new - hooray!

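As an added worked example (not from this thread and not Ruckus code), a small Python helper that turns the question's port list into the four ZD L3/4 rule fields the help text describes, doing the protocol-name-to-IANA-number mapping the thread gets stuck on and rejecting values outside the documented limits. The field names, the deny policy and the "Any" destination are assumptions made for illustration.

```python
import ipaddress
import re

# Protocol numbers from the IANA registry the ZD help text points to.
# The ZD "Protocol" field takes the number (0-254), not the name, which is
# why typing "UDP" into it is rejected.
IANA_PROTOCOL = {"tcp": 6, "udp": 17, "icmp": 1}

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_field(text):
    """Validate a ZD Destination Port value: one port 1-65534 or a range like 80-443."""
    m = PORT_RE.match(text)
    if not m:
        raise ValueError(f"bad port field: {text!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= 65534 and 1 <= hi <= 65534 and lo <= hi):
        raise ValueError(f"port(s) outside the documented 1-65534 range: {text!r}")
    return f"{lo}-{hi}" if hi != lo else str(lo)


def zd_rule(policy, proto, port, dest="Any"):
    """Return the four ZD L3/4 ACL fields for one rule, checked against the help text."""
    if policy not in ("allow", "deny"):
        raise ValueError("Type must be allow or deny")
    number = int(proto) if proto.isdigit() else IANA_PROTOCOL.get(proto.lower())
    if number is None or not 0 <= number <= 254:
        raise ValueError(f"protocol must be one of {sorted(IANA_PROTOCOL)} or a number 0-254")
    if dest != "Any":
        # Must be A.B.C.D/M; strict=False accepts a host address with a netmask,
        # so 192.168.0.1/24 normalises to the whole 192.168.0.0/24 as the manual says.
        net = ipaddress.ip_network(dest, strict=False)
        dest = f"{net.network_address}/{net.prefixlen}"
    return {"Type": policy, "Destination Address": dest,
            "Protocol": number, "Destination Port": parse_port_field(port)}


# The five "VPN ports" from the question, expressed as deny rules toward any destination.
QUESTION_PORTS = [("udp", "80"), ("udp", "443"), ("udp", "500"), ("tcp", "1723"), ("udp", "4500")]


def rules_for_question():
    return [zd_rule("deny", proto, port) for proto, port in QUESTION_PORTS]


if __name__ == "__main__":
    for rule in rules_for_question():
        print(rule)
```

Each printed dict is one row to enter in the L3/4 IP address Access Control form; the rule set still has to be named and attached to a WLAN as described above.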
Max O'Driscoll, AlphaDog

This is why you test...because nothing is simple and simple things often take complex routes.