
How to block ports?

andy_emerine
New Contributor
I need to block some standard VPN ports on the Ruckus. I think blocking these ports will keep most of the VPN apps under control, and will give us a trail of breadcrumbs to see who's trying to VPN. How do I do this? Step-by-step directions would be fantastic!

UDP/80
UDP/443
UDP/500
TCP/1723
UDP/4500

max_o_driscoll
Valued Contributor
On ZD

configure
access control
L2-L7 Access control
L3/4IP address Access control

screenshot below
caveat: test, test again and beware of unintended consequences when you start denying things or rely on "deny" as a form of firewall security!

[Image: screenshot]

...you have to name the rule and then apply it to a WLAN (or several).

Edit WLAN and apply relevant rule in drop down of access control.

andy_emerine
New Contributor
How do I specify UDP or TCP?

max_o_driscoll
Valued Contributor
That's why I suggested testing. The ZD is not that granular - it is not a firewall and is not intended as such. The protocol list is fairly limited and probably doesn't cover your needs.

Typing 80 into port and UDP into the protocol box produces this response...so if you know the correct numbering scheme then you might get further along. Have fun.

[Image: screenshot]

max_o_driscoll
Valued Contributor
From the Ruckus ZD help manual (4th bullet point is the one you need):

=======================
Define each access policy by configuring a combination of the following:
    • Type: The access privilege (allow or deny) that this policy grants.

    • Destination Address: Enter an IP subnet and netmask of the network target to which you want to allow or deny access. (IP address must be in the format A.B.C.D/M, where M is the subnet mask.) Otherwise, select Any. For example, if you enter 192.168.0.1/24, the rule would allow or deny the entire Class C subnet. To allow/deny a single host, use /32 as the netmask.

    • Application: If you select a specific application from the menu, the Protocol and Destination Port options are automatically filled with the relevant values and are not configurable.

    • Protocol: Enter a network protocol number (0-254), as defined by the IANA (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) to allow or deny. Otherwise, select Any.

    • Destination Port: Enter a valid port number (1-65534) or port range (e.g., 80-443).

=======================

UDP is 17 on that (IANA) list. Perhaps you can make this work. I've learned something new - hooray!
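
The manual excerpt above asks for an IANA protocol number (0-254) and a destination port or range (1-65534). The following is an added example, not part of any post in this thread and not Ruckus code: it converts the port list from the question into those field values and rejects entries outside the manual's limits. The dictionary keys and function names are hypothetical, chosen only for illustration.

```python
# Added example: translate "PROTO/PORT" entries into the field values the
# ZoneDirector L3/4 access-control rule form asks for (per the manual excerpt).

# IANA-assigned IP protocol numbers (small subset).
IANA_PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

# Constructed sample input: the port list from the original question.
REQUESTED = ["UDP/80", "UDP/443", "UDP/500", "TCP/1723", "UDP/4500"]


def parse_port(text):
    """Validate a port or range against the manual's limits (1-65534)."""
    parts = text.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec: {text!r}")
    nums = [int(p) for p in parts]
    if any(n < 1 or n > 65534 for n in nums):
        raise ValueError(f"port out of range 1-65534: {text!r}")
    if len(nums) == 2 and nums[0] > nums[1]:
        raise ValueError(f"range start exceeds end: {text!r}")
    return text


def to_rule(entry, destination="Any"):
    """Turn 'UDP/443' into a dict of deny-rule field values (hypothetical keys)."""
    proto_name, sep, port = entry.strip().partition("/")
    if not sep:
        raise ValueError(f"expected PROTO/PORT, got {entry!r}")
    key = proto_name.lower()
    if key.isdigit():
        number = int(key)          # already a protocol number
    elif key in IANA_PROTO:
        number = IANA_PROTO[key]   # name -> IANA number, e.g. udp -> 17
    else:
        raise ValueError(f"unknown protocol: {proto_name!r}")
    if not 0 <= number <= 254:
        raise ValueError(f"protocol number out of range 0-254: {number}")
    return {"type": "Deny", "destination": destination,
            "protocol": number, "port": parse_port(port)}


def build_rules(entries):
    return [to_rule(e) for e in entries]


if __name__ == "__main__":
    for r in build_rules(REQUESTED):
        print(f"{r['type']:5} dst={r['destination']:4} "
              f"protocol={r['protocol']:<3} port={r['port']}")
```
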