# Blocking Inbound Traffic

When configuring a network firewall with EnGenius ESG Security Gateways, it's essential to consider the direction of traffic. Outbound traffic, such as users browsing the internet, is initiated by internal network users. Inbound traffic, on the other hand, involves external sources attempting to connect to the network. These scenarios are managed differently because, generally, internal users can be trusted more than external internet connections.

Controlling outbound traffic is straightforward: create an allow rule using the Layer 3 Firewall. This rule applies to 1:1 NAT, Port Forwarding, and standard WAN traffic. More details about the outbound firewall feature are available in [Firewall Rules](/esg-application-guide/highlight-features/firewall-rules.md). Inbound firewall control, however, operates differently.

The inbound firewall denies any inbound traffic that does not belong to a session initiated by a client behind the ESG. This allows internal client machines to reach the resources they need, while preventing external devices from initiating connections to internal client machines.

For instance, consider PC, located on the internet, and Server, located within the ESG's LAN. If PC attempts to send traffic to Server, the ESG checks for an existing session/connection between PC and Server.

* **If an existing session is found,** the traffic is allowed through.

<figure><img src="/files/pGEVySijiRWMlPAG4Rsb" alt=""><figcaption></figcaption></figure>

* **If no existing session is found,** the traffic is dropped.

<figure><img src="/files/uOSWx3NzV6blJuSlF0vT" alt=""><figcaption></figcaption></figure>

The inbound firewall's ability to track existing connections makes it a stateful firewall. Both inbound and outbound firewalls on the ESG are stateful.

Both Port Forwarding and 1:1 NAT include a section for **Allowed remote IP**, which controls which external addresses can initiate connections through the rule. Addresses specified here can connect through the designated public ports. The **Any** keyword grants access to every address; otherwise, multiple addresses can be listed, separated by commas. By listing only the addresses that need to reach internal nodes, unsolicited connections from everywhere else are prevented.

## **Example: Port Forwarding and 1:1 NAT Rules**

Below is an example of both Port Forwarding and 1:1 NAT rules:

<figure><img src="/files/2IIoiDR5BTPxBaoDJZGM" alt=""><figcaption><p>Port Forwarding</p></figcaption></figure>

<figure><img src="/files/F1TuilyYKxnF0dksTjrM" alt=""><figcaption><p>1:1 NAT</p></figcaption></figure>

#### **Traffic Flow Using a Port Forwarding Rule**

Using the port forwarding rule above, suppose PC attempts to connect to the ESG's WAN IP on TCP port 50000.

<figure><img src="/files/bBAF6pffPpY61UjIj2BL" alt=""><figcaption></figcaption></figure>

1. **Traffic Initiation:** PC initiates traffic to ESG on TCP port 50000.
2. **Rule Check:** The ESG checks whether the packet matches any forwarding rule (protocol, public port, and **Allowed remote IP**). If no rule matches, the traffic is dropped. If a rule matches, the traffic is allowed and forwarded to the internal host.

In this example, the inbound traffic is allowed because it meets the port forwarding rule criteria:

* Protocol is TCP
* Public port used is 50000
* Source IP is 100.1.1.1
* Traffic from this IP address is allowed due to the **Any** rule in the **Allowed remote IP** section.

It's recommended to restrict the IP addresses allowed to use a port forwarding and/or 1:1 NAT rule to prevent unsolicited connections.
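The decision sequence described above (reply to an existing session first, then a Port Forwarding / 1:1 NAT rule gated by **Allowed remote IP**, otherwise drop) can be modelled in a few lines. The following is an added example, not EnGenius code: the classes, the lookup order, the WAN and server addresses and the LAN port are assumptions chosen to replay the page's scenario, including the recommended restriction of **Allowed remote IP**.

```python
"""Worked model of the ESG inbound decision: reply to an existing session
first, then Port Forwarding / 1:1 NAT rules gated by Allowed remote IP.

Added example, not EnGenius code: the classes, the rule lookup order and
the sample addresses are assumptions made to illustrate the page's text.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ForwardRule:
    """One Port Forwarding row. A 1:1 NAT rule is the same check keyed on
    the WAN-side address instead of a single public port."""
    proto: str
    public_port: int
    lan_ip: str
    lan_port: int
    allowed_remote: str = "Any"   # "Any" or comma-separated addresses

    def remote_allowed(self, ip: str) -> bool:
        if self.allowed_remote.strip().lower() == "any":
            return True
        addr = ipaddress.ip_address(ip)
        for item in self.allowed_remote.split(","):
            item = item.strip()
            if not item:
                continue
            # ip_network treats a bare host as a /32. Accepting CIDR here is an
            # assumption of this model; the page documents plain addresses.
            if addr in ipaddress.ip_network(item, strict=False):
                return True
        return False


class StatefulGateway:
    def __init__(self, wan_ip: str, rules):
        self.wan_ip = wan_ip
        self.rules = list(rules)
        # Outbound flows as seen on the WAN side, i.e. after source NAT.
        self.sessions: set = set()

    def outbound(self, pkt: Packet) -> tuple:
        # Simplification: source NAT keeps the LAN port (real NAT may remap it).
        self.sessions.add((pkt.proto, self.wan_ip, pkt.src_port,
                           pkt.dst_ip, pkt.dst_port))
        return ("ALLOW", "initiated from LAN")

    def inbound(self, pkt: Packet) -> tuple:
        # 1. Stateful check: is this the reverse of a flow a LAN client started?
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.sessions:
            return ("ALLOW", "existing session")
        # 2. Rule check: protocol and public port must match, then the source
        #    must be covered by Allowed remote IP.
        if pkt.dst_ip == self.wan_ip:
            for rule in self.rules:
                if rule.proto == pkt.proto and rule.public_port == pkt.dst_port:
                    if rule.remote_allowed(pkt.src_ip):
                        return ("ALLOW", f"forward to {rule.lan_ip}:{rule.lan_port}")
                    return ("DROP", "source not in Allowed remote IP")
        # 3. Default: unsolicited inbound traffic is dropped.
        return ("DROP", "no session and no matching rule")


def run_scenarios() -> dict:
    """Replays the page's example with constructed addresses (the WAN IP,
    the server address and the LAN port are assumptions); returns verdicts."""
    wan, server, pc = "203.0.113.10", "192.168.1.20", "100.1.1.1"
    open_rule = ForwardRule("tcp", 50000, server, 50000, allowed_remote="Any")
    gw = StatefulGateway(wan, [open_rule])
    results = {}

    # PC -> WAN:50000 matches the rule and Allowed remote IP is Any.
    results["forward_any"] = gw.inbound(Packet("tcp", pc, 40000, wan, 50000))
    # Same PC to a port with no rule: unsolicited, dropped.
    results["no_rule"] = gw.inbound(Packet("tcp", pc, 40001, wan, 443))
    # A LAN client browses out; the reply from the web server is allowed.
    gw.outbound(Packet("tcp", server, 51234, "198.51.100.80", 443))
    results["reply"] = gw.inbound(Packet("tcp", "198.51.100.80", 443, wan, 51234))
    # Same remote host, but a new connection the LAN never asked for: dropped.
    results["unsolicited"] = gw.inbound(Packet("tcp", "198.51.100.80", 5555, wan, 51235))

    # The recommended hardening: restrict Allowed remote IP to known peers.
    strict_rule = ForwardRule("tcp", 50000, server, 50000,
                              allowed_remote="198.51.100.7, 198.51.100.8")
    gw_strict = StatefulGateway(wan, [strict_rule])
    results["strict_allowed"] = gw_strict.inbound(Packet("tcp", "198.51.100.8", 40000, wan, 50000))
    results["strict_blocked"] = gw_strict.inbound(Packet("tcp", pc, 40000, wan, 50000))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16} {verdict[0]:5} {verdict[1]}")
```

The `strict_blocked` case is the point of the recommendation: with **Allowed remote IP** set to **Any**, 100.1.1.1 reaches the server on port 50000 simply because the rule exists; once the field lists only the peers that need access, the same packet is dropped even though protocol and public port still match.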

#### Conclusion

Restricting inbound access is crucial for enhancing network security. By allowing inbound connections only where they belong to a session initiated from inside or match an explicit forwarding rule with a restricted **Allowed remote IP** list, unwanted traffic is minimized, thereby protecting the network from potential threats.
