I'm trying to set up a server listening on the intranet on 80 that can't connect to the internet (inbound or outbound). I've got the outbound part covered by editing the routing table, but I'm not sure this will prevent the server from receiving packets if an attacker knows my router's IP address. Instead of a firewall, I would like a lower-level solution to the inbound problem.

  • Why are you declining to use the correct hardware? It is so easy to block all inbound and outbound traffic, from any IP address, that is not implicitly allowed with a firewall.
    – Ramhound
    Commented Apr 13, 2016 at 20:22

1 Answer

Without a firewall or changes to the routing table on the router you can't prevent the packets from being delivered. That said, the TCP handshake won't complete, so you are pretty safe.

Depending on your web server, you could also prevent it from communicating with IP addresses it doesn't know - can't advise how to do this unless we know the HTTP server. This also acts after the machine has received the packet, so it's less secure than using a firewall.

That said, I put to you that doing things this way is a mistake. It makes life more complicated for anyone else who might have to work on the system in the future (and makes OS updates and security patching a nightmare) - using a firewall local to the server is a standard, tried-and-true approach.

  • Why won't the TCP handshake complete? Commented Apr 14, 2016 at 0:45
  • Traffic can't get from the web server back to the sending host, as it does not have a route back to it. (For anyone who may not yet be aware, a TCP connection starts with the sender sending a "SYN" packet. The receiver needs to respond with a SYN+ACK packet - which won't arrive back at the sender, meaning the TCP connection will not complete - but if it did, the sender would need to send back an ACK packet to establish a connection.)
    – davidgo
    Commented Apr 14, 2016 at 1:43
  • Thanks for the info. Your answer helped inform my design. Commented Apr 14, 2016 at 4:14
  • While my previous answer is still valid, on rereading the question I suspect you are using a home/NAT setup - in which case the web server is protected from WAN access without any routing changes, because your web server's IP address is not world-routable and you would need to add a specific port mapping in the router to get it to work. (This assumes you do not have IPv6 working, and are using RFC 1918 space - i.e. 10.x.x.x, 192.168.x.x or 172.?.x.x for your LAN.)
    – davidgo
    Commented Apr 14, 2016 at 19:45
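As an added illustration (not from the question or the answer above), a small Python model of the reasoning in the answer and its comments: the SYN is still delivered, but the server's missing return route stops the SYN+ACK, and an RFC 1918 address is not reachable from the WAN without a port mapping. The routing table and addresses are constructed for the example.

```python
import ipaddress

# Constructed: the server's routing table as the question describes it,
# holding only the LAN route and no default route to the internet.
SERVER_ROUTES = [ipaddress.ip_network("192.168.1.0/24")]

# RFC 1918 private ranges (the "172.?" in the comment is 172.16.0.0/12).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def has_route(routes, dst):
    """True if any route in the table covers dst (no default route exists)."""
    return any(ipaddress.ip_address(dst) in net for net in routes)


def is_rfc1918(ip):
    """True if ip lies in private address space, i.e. is not world-routable."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def handshake(routes, client_ip):
    """Model the three-way handshake from the server's side and return the
    TCP state the server ends up in."""
    # 1. The router forwards the SYN regardless of the server's own routes,
    #    so the packet is delivered and the server allocates a half-open entry.
    state = "SYN-RECEIVED"
    # 2. The server tries to answer with SYN+ACK; with no route back to the
    #    client the packet is never sent, so the client never replies.
    if not has_route(routes, client_ip):
        return state
    # 3. The client's ACK arrives and the connection completes.
    return "ESTABLISHED"


def wan_reachable(server_ip, port_mapping_added):
    """A NAT'd web server is reachable from the WAN only if it has a public
    address or the router explicitly forwards the port to it."""
    return (not is_rfc1918(server_ip)) or port_mapping_added


if __name__ == "__main__":
    print(handshake(SERVER_ROUTES, "192.168.1.50"))   # LAN client
    print(handshake(SERVER_ROUTES, "203.0.113.7"))    # internet client
    print(wan_reachable("192.168.1.10", port_mapping_added=False))
```

The half-open entry left in SYN-RECEIVED is the cost of this approach: the server still does work per inbound SYN, which is why the answer favours a local firewall that drops the packet first.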
