Cisco Meraki Documentation

Blocking Inbound Traffic on MX Security Appliances

Overview


When configuring a firewall for a network, it is crucial to consider the direction of traffic. Some traffic, such as users browsing the internet, is initiated outbound. Access to a publicly facing server, on the other hand, begins with an inbound connection. These situations are handled differently because, generally, you can trust your own users more than connections arriving from the internet.

Details


Controlling outbound traffic is an easy process: create an allow rule using the Layer 3 Firewall. This affects 1:1 NAT, Port Forwarding, and standard WAN traffic. More information about the outbound firewall feature is available in MX Firewall Settings. The inbound firewall is controlled somewhat differently.

The inbound firewall denies any traffic that does not belong to a session initiated by a client behind the MX. This allows internal client machines to connect to any resources they need, but does not let outside devices initiate connections to inside client machines. The exception is when a Port Forwarding or 1:1 NAT rule is created. More information on Port Forwarding and 1:1 NAT can be found in Port Forwarding and NAT Rules on the MX.


Both Port Forwarding and 1:1 NAT have a section for Allowed remote IPs. This governs which outside addresses are allowed to initiate connections. Addresses specified here will be able to connect through the specified public ports. The Any keyword can be used to grant access to every address, or multiple addresses can be entered if they are separated by a comma. By listing only the addresses that should be communicating with inside nodes, unsolicited connections from any other source are prevented.
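The following is an added example, not Meraki code or the MX's actual implementation. It models the inbound decision described in the two paragraphs above: a packet arriving on the WAN is accepted only if it is a reply to a session a LAN client opened, or if it hits a Port Forwarding / 1:1 NAT rule whose Allowed remote IPs field admits the source address. The class and field names, the assumption that Allowed remote IPs entries may be single addresses or CIDR prefixes, and all sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the MX inbound firewall decision. All names and the
# rule structure are assumptions made for this example, not Meraki's own code.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str   # public (WAN) address the packet arrives on
    dst_port: int
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class ForwardRule:
    """One Port Forwarding or 1:1 NAT entry, reduced to the fields this model needs."""
    public_ip: str
    public_ports: frozenset
    proto: str
    allowed_remote_ips: str   # the Dashboard field: "Any" or a comma-separated list


def parse_allowed(field_text):
    """Parse the Allowed remote IPs field. Returns None for the Any keyword,
    otherwise a list of networks (single addresses become /32 or /128)."""
    text = field_text.strip()
    if text.lower() == "any":
        return None
    return [ipaddress.ip_network(entry.strip(), strict=False)
            for entry in text.split(",") if entry.strip()]


def remote_allowed(rule, src_ip):
    """True if src_ip is permitted by the rule's Allowed remote IPs field."""
    nets = parse_allowed(rule.allowed_remote_ips)
    if nets is None:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


class StatefulInbound:
    def __init__(self, rules):
        self.rules = list(rules)
        # Sessions opened from the LAN, keyed as the reply will appear on the WAN:
        # (proto, remote_ip, remote_port, public_ip, public_port)
        self.sessions = set()

    def outbound(self, public_ip, public_port, remote_ip, remote_port, proto):
        """Record a session initiated by a client behind the MX (post-NAT tuple)."""
        self.sessions.add((proto, remote_ip, remote_port, public_ip, public_port))

    def inbound(self, pkt):
        """Return ("allow" | "deny", reason) for a packet arriving on the WAN."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions:
            return "allow", "reply to a LAN-initiated session"
        port_matched = False
        for rule in self.rules:
            if (rule.proto != pkt.proto or rule.public_ip != pkt.dst_ip
                    or pkt.dst_port not in rule.public_ports):
                continue
            port_matched = True
            if remote_allowed(rule, pkt.src_ip):
                return "allow", "forwarding rule matched and remote IP permitted"
        if port_matched:
            return "deny", "forwarding rule matched but source not in Allowed remote IPs"
        return "deny", "unsolicited: no session and no forwarding rule"


def demo():
    """Constructed scenario; returns the verdict for each packet by name."""
    rules = [
        ForwardRule("198.51.100.10", frozenset({443}), "tcp", "192.0.2.0/24, 203.0.113.7"),
        ForwardRule("198.51.100.10", frozenset({8443}), "tcp", "Any"),
    ]
    fw = StatefulInbound(rules)
    # A LAN client (NATed to 198.51.100.10:40000) opened a connection to 203.0.113.5:443.
    fw.outbound("198.51.100.10", 40000, "203.0.113.5", 443, "tcp")
    packets = {
        "rule_permitted": Packet("192.0.2.50", 51000, "198.51.100.10", 443, "tcp"),
        "rule_not_permitted": Packet("203.0.113.9", 51001, "198.51.100.10", 443, "tcp"),
        "any_keyword": Packet("203.0.113.9", 51002, "198.51.100.10", 8443, "tcp"),
        "lan_reply": Packet("203.0.113.5", 443, "198.51.100.10", 40000, "tcp"),
        "unsolicited": Packet("203.0.113.5", 443, "198.51.100.10", 40001, "tcp"),
    }
    return {name: fw.inbound(pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point of the model is the ordering of checks: an existing LAN-initiated session is honoured first, a forwarding rule only admits sources listed in its Allowed remote IPs (so a rule on port 443 with a narrow list still drops everything else), and the Any keyword turns that rule into a true open port, which is why narrowing the list is the main control over unsolicited inbound traffic.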


Below is an example of both Port Forwarding and 1:1 NAT rules:

[Screenshot: example Port Forwarding and 1:1 NAT rules, with their Allowed remote IPs fields (image not preserved in this copy)]

Restricting inbound access is an important part of increasing security within a network. By either restricting inbound connections or limiting outbound replies, unwanted traffic can be minimized.
