Unable to block Layer 7

Forums Network Management ZeroShell Unable to block Layer 7

  • This topic is empty.
Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
  • #41536

    I tried blocking Cisco Client VPN and SSH using the Firewall.
    But each time I used the Cisco VPN and the SSH Client, I was able to connect to the external server.

    I tried adding an IP Address and even my subnet, the Cisco VPN & SSH Client still connected.

    I do not currently have a log at this time.

    Any IDEAS.


    As I understand the default policy for FORWARD chain is ACCEPT and you want to block certain traffic. Try to put blocking rules closer to the top of the FORWARD chain. For example first rule for ssh and second for cisco VPN:

    DROP tcp opt — in ETH00 out ETH01 -> state NEW,ESTABLISHED tcp dpt:22

    DROP udp opt — in ETH00 out ETH01 -> state NEW,ESTABLISHED udp dpt:500


    Question: Do I have to enter the port number, because I thought just selected the Layer 7 type would be enough.

    I will try the position on the list before entering the port number.

    Thank You Again.


    Currently I don’t use L7 on my router and have nothing to say, sorry.


    Could you please post the IPTABLES ruleset?


    No need to because it worked.

    In the Firewall rules I added a rule that DROP layer7 protocol.
    I placed all of my DROP rules at the top (1+) of the list and the ACCEPT rules at the bottom of the list.

    I was able to DROP certain protocol standards from going through my router, standards like SSH, CISCO VPN Client, SKYPE, and so on; without having to enter Port Numbers.

    Thank You YUM.

Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.