Blocking Inbound Traffic on MX Security Appliances
When configuring a firewall for a network, the direction of traffic must be taken into account. Some traffic, like users browsing to the internet, is initiated outbound. Other traffic, like access to a publicly facing server, initiates with an inbound connection. These situations are handled differently, since you can generally trust your users more than connections from the internet.
For outbound traffic, control is straightforward: create an allow rule using the Layer 3 Firewall. This affects 1:1 NATs, Port Forwards and standard WAN traffic. More information about the outbound firewall feature is available here. The inbound firewall is controlled a little differently.
The inbound firewall will deny any traffic that does not have a session initiated by a client behind the MX. This allows internal client machines to connect with any resources they need, but does not let outside devices initiate connections with inside client machines. The exception to this is if a Port Forward or 1:1 NAT is created. More information on Port Forwarding and 1:1 NAT can be found here.
Both Port Forwards and 1:1 NATs have a section for 'Allowed remote IPs'. This governs which outside addresses are allowed to initiate connections. Addresses specified here will be able to connect through the specified public ports. The 'ANY' keyword can be used to grant access to any address, or multiple addresses can be entered if they are separated by a comma. By specifying only the addresses that should be communicating with inside nodes, unsolicited connections are prevented.
Below is an example of both Port Forwarding and 1:1 NAT rules.
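The following Python model is an added illustration, not part of the article or of Meraki's own code: it evaluates an inbound packet the way the text describes (replies to inside-initiated sessions pass, Port Forwards and 1:1 NATs pass only when the source matches 'Allowed remote IPs', everything else is dropped). The rule names, field layout and addresses are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class PortForward:
    protocol: str            # "tcp" or "udp"
    public_port: int         # port on the MX WAN address
    lan_ip: str              # internal host the traffic is forwarded to
    local_port: int
    allowed_remote_ips: str  # Dashboard field: "ANY" or comma-separated IPs/CIDRs

@dataclass
class OneToOneNat:
    public_ip: str
    lan_ip: str
    allowed_remote_ips: str

def remote_allowed(src, allowed_text):
    """True if src matches the 'Allowed remote IPs' field (ANY, or a comma-separated list)."""
    if allowed_text.strip().upper() == "ANY":
        return True
    nets = [ip_network(e.strip(), strict=False) for e in allowed_text.split(",") if e.strip()]
    return any(ip_address(src) in net for net in nets)

def inbound_verdict(pkt, sessions, wan_ip, port_forwards, nat_rules):
    """pkt = (proto, src, sport, dst, dport); sessions = set of (proto, public_ip, public_port,
    remote_ip, remote_port) recorded when a client behind the MX initiated the connection."""
    proto, src, sport, dst, dport = pkt
    if (proto, dst, dport, src, sport) in sessions:          # reply to an inside-initiated session
        return ("allow", "established session")
    if dst == wan_ip:                                        # port forwards on the WAN address
        for pf in port_forwards:
            if pf.protocol == proto and pf.public_port == dport:
                if remote_allowed(src, pf.allowed_remote_ips):
                    return ("allow", f"port forward -> {pf.lan_ip}:{pf.local_port}")
                return ("deny", "port forward: source not in allowed remote IPs")
    for nat in nat_rules:                                    # 1:1 NAT public addresses
        if dst == nat.public_ip:
            if remote_allowed(src, nat.allowed_remote_ips):
                return ("allow", f"1:1 NAT -> {nat.lan_ip}")
            return ("deny", "1:1 NAT: source not in allowed remote IPs")
    return ("deny", "default inbound deny")                  # unsolicited traffic is dropped

# Constructed sample configuration (not taken from the article); documentation-range addresses.
WAN_IP = "203.0.113.10"
PORT_FORWARDS = [PortForward("tcp", 443, "192.168.128.20", 443, "ANY"),
                 PortForward("tcp", 22, "192.168.128.20", 22, "198.51.100.7, 198.51.100.0/24")]
NAT_RULES = [OneToOneNat("203.0.113.11", "192.168.128.30", "198.51.100.50")]
SESSIONS = {("tcp", "203.0.113.10", 50000, "93.184.216.34", 443)}
```

Feeding packets through `inbound_verdict` shows why a narrow 'Allowed remote IPs' list matters: the same public port is reachable or not depending solely on the source address.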
Restricting inbound access is an important part of increasing security within a network. By either restricting inbound connections or limiting outbound replies, unwanted traffic can be minimized.