Help setting up firewall - SAR130 router

Got converted from Business Highway to ADSL yesterday - very efficient only 90mins downtime.

Now I need to lock the router down and I am having real problems getting my head around IP filters.

I want everyone on the LAN to have pretty much unrestricted access to the 'Net (HTTP, HTTPS, FTP, Instant Messenger etc)

Our server must accept VPN connections and I need pcAnywhere access to all PCs on the LAN.

Under IP filters I have removed all the default rules so I can build up from scratch. Then:
Sec.Level = Medium
Priv Default Action = Accept
Public Default Action = Deny
DMZ Default Action = Accept (don't think we have any DMZ devices anyway).

Then I create a rule, setting the following:
Enabled
Incoming
ppp-0 interface
sec. levels: low, medium
Protocol = TCP
"apply stateful inspection" = Yes
source TCP port = 80
destination TCP port = 80

Repeat the above for Outgoing packets.

And I thought I should have web access? But no, I am locked out!! I have to change the Default action on the Public interface to Accept to regain web access.

Can anyone explain?

Thanks

Keith P.
5 REPLIES

Help setting up firewall - SAR130 router

Can't say I know about the SAR130 or its packet filtering, but if I guessed correctly about what "Incoming / Public Default Action = Deny" means, then it doesn't surprise me that you lose access!

My guess is that, with that setting, then any packet arriving on your public interface is checked by the router's packet filtering system. It looks for a rule to see if it should accept or deny the packet. If there's no rule, or it's tried all the rules and not one applies to the packet it has, then it applies the default rule, which you've coded as "deny". So, if you've not coded any other rule, it means every single incoming packet arriving at your public interface will be denied. So don't expect to see any responses to anything you send -- you've told it to drop them!

If you're going to have a default action of deny (a strong security step), then you need some accept rules for stuff you know you want to allow. But if you use a default of deny, it means you have to know everything you want to allow, because you will have to do so explicitly, before it gets chopped by the default action.

Help setting up firewall - SAR130 router

You would need to port forward to your server. I think you're 'stealthing' the router by closing all incoming and applying SPI to outgoing. If you have a look at Chris Marsh Guide, particularly the sections on how to stealth the router and how to add NAT rules for port forwarding, this may help.

Also you need to keep the default NAPT rule ID 1 unchanged.

Alec.

Help setting up firewall - SAR130 router

TaskForce9 -
Deny is the suggested setting for the public interface; as you say all traffic is denied UNLESS it matches a rule. In the last part of my post, I describe the two rules I have added for Incoming & Outgoing TCP:80 which I expected to allow HTTP access - but they don't.

aleca - I will look at that guide thx. I understood Port Forwarding was what I needed for VPN/pcAnywhere, but a search on either term turns up nothing in the manual for the SAR130 (but the translation is not great, so it could be described as something else).

thx

K

Help setting up firewall - SAR130 router

The manuals for 110/130 are the same; the 130 I think is currently running 110 firmware, until Solwise introduce the new features for the 130's new chipset.

Unfortunately it's not listed as port forwarding on either guide, which is a bit confusing, but if you look at how to 'add NAT rules' on the CM guide it will give a couple of examples of port forwarding (RDR rules etc.) which apply to you, and similarly on the Solwise guide it will be under NAT rules.

Regards.
Alec.

Help setting up firewall - SAR130 router

A very basic yet pretty good starting point is to set the following. How they are translated into SAR130 filters, I am unsure.

Rule: 1
Interface: PPP-0
Direction: inbound
Protocol: "eq" "any"
Destination port: "eq" "135"
Action: block

Rule: 2
Interface: PPP-0
Direction: outbound
Protocol: "eq" "any"
Destination port: "eq" "135"
Action: block

Rule: 3
Interface: PPP-0
Direction: Outbound
Protocol: "eq" "any"
Destination port: "range" "0" "65535"
Action: allow

Rule: 4
Interface: PPP-0
Direction: Inbound
Protocol: "eq" "50"
Action: allow

Rule: 5
Interface: PPP-0
Direction: Inbound
Protocol: "eq" "51"
Action: allow

Rule: 6
Interface: PPP-0
Direction: Inbound
Protocol: "eq" "47"
Action: allow

Rule: 7
Interface: PPP-0
Direction: Inbound
Protocol: "eq" "UDP"
Destination port: "eq" "500"
Action: allow

Rule: 8
Interface: PPP-0
Direction: Inbound
Protocol: "eq" "UDP"
Destination port: "eq" "1701"
Action: allow

Rule: 9
Interface: PPP-0
Direction: Inbound
Protocol: "eq" "TCP"
Destination port: "eq" "1723"
Action: allow

The above rules will allow all outgoing traffic, except to port 135. It will allow the needed ports and protocols for VPN.

This doesn't deal with ping blocks though.
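As an added example (not from any poster in this thread), here is a small Python model of first-match packet filtering with assumed semantics: rules are tried in order for the packet's direction, the first match decides, and an unmatched packet takes the interface's default action (Deny on the public side, as in the original post). It encodes both the original poster's source-port-80/destination-port-80 pair and the nine-rule set above so each can be evaluated against constructed packets; the model is stateless, so replies that stateful inspection would admit are not tracked.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51   # IP protocol numbers used below

@dataclass(frozen=True)
class Rule:
    direction: str                  # "in" or "out" on the public ppp-0 interface
    proto: Optional[int]            # IP protocol number, None = any
    dport: Optional[tuple]          # inclusive destination-port range, None = any
    action: str                     # "allow" or "block"
    sport: Optional[tuple] = None   # inclusive source-port range, None = any

def decide(rules, packet, default_action):
    """First-match evaluation: (action, 1-based rule number), or
    (default_action, None) when nothing matches. Stateless: replies to
    allowed outbound connections are not tracked (that is what SPI adds)."""
    direction, proto, sport, dport = packet
    for n, r in enumerate(rules, start=1):
        if r.direction != direction or (r.proto is not None and r.proto != proto):
            continue
        if r.dport is not None and not r.dport[0] <= dport <= r.dport[1]:
            continue
        if r.sport is not None and not r.sport[0] <= sport <= r.sport[1]:
            continue
        return r.action, n
    return default_action, None

# The original poster's pair: TCP with source port 80 AND destination port 80.
OP_RULES = [
    Rule("in",  TCP, (80, 80), "allow", sport=(80, 80)),
    Rule("out", TCP, (80, 80), "allow", sport=(80, 80)),
]

# The nine rules from the last reply, in the order given there.
VPN_RULES = [
    Rule("in",  None, (135, 135), "block"),    # 1
    Rule("out", None, (135, 135), "block"),    # 2
    Rule("out", None, (0, 65535), "allow"),    # 3
    Rule("in",  ESP,  None, "allow"),          # 4
    Rule("in",  AH,   None, "allow"),          # 5
    Rule("in",  GRE,  None, "allow"),          # 6
    Rule("in",  UDP,  (500, 500), "allow"),    # 7
    Rule("in",  UDP,  (1701, 1701), "allow"),  # 8
    Rule("in",  TCP,  (1723, 1723), "allow"),  # 9
]

if __name__ == "__main__":  # constructed packets: a browser request leaves from an ephemeral port, not 80
    for pkt in (("out", TCP, 51234, 80), ("in", TCP, 80, 51234)):
        print(pkt, "OP:", decide(OP_RULES, pkt, "block"), "VPN:", decide(VPN_RULES, pkt, "block"))
```

Running it shows that a browser's request, which leaves from an ephemeral source port, matches neither source-port-80 rule and falls through to the public default, whereas under the nine-rule set outbound traffic is admitted by rule 3 and only the VPN protocols and ports are admitted inbound.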