NOYB (Premium Member, joined 2005-12-15, Forest Grove, OR) · 2006-Aug-12 4:44 pm
Harden Your Westell 327 Firewall

Some custom settings to help harden your Westell 327 firewall. If you have others you think would make a good addition to these, please post and let us know.

For Westell 327w firewall rules help and syntax, go to 'Configuration -> Firewall' and click the 'edit' button. Then in the 'Firewall Rules' window that pops up, click the 'help' button: http://dslrouter/fwHelp.htm or http://192.168.1.1/fwHelp.htm

Services

The most needed/common dynamic services are highlighted in bold.

DNS (required for name resolution; just about everything needs this service enabled)
FTP (uncheck "Use Passive FTP" in IE Advanced Options)
World Wide Web (HTTP) (required for web browsing)
HTTPS (secure browsing, encryption)
ICMP (ping)
MSN Messenger
NNTP Client
POP/IMAP (required for receiving email via a POP email client such as OE)
SMTP Client (required for sending email)
Telnet
* Skype (TCP/UDP - Tools -> Options -> Connection)
* Windows Time (NTP) (TCP/UDP 123) (required for the Windows XP time sync service)

Inbound Rules

title [ Security Level Custom (Medium) IN rules ]
begin
RulesDropTTL
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Pass and Log Specific Unsolicited ICMP
RulesPassICMP
#pass icmp-type reply >> done, alert 0 [ICMP Message To WAN IP - Echo Reply - Passed]  # Type: 0 (allow ping reply)
pass icmp-type exceeded >> done, alert 1 [ICMP Message To WAN IP - TTL Exceeded - Passed]  # Type: 11 (allow tracert reply)
#pass icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Passed]  # Type: 3 (allow unreachable reply)

# Drop and Log all Unsolicited ICMP
RulesDropICMP
#drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
drop icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped]  # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped]  # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Dropped]  # Type: 3 (block unreachable reply)
drop icmp-type request >> done, alert 2 [ICMP Message To WAN IP - Echo Request - Dropped]  # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped]  # Type: (block all others)

# Drop All Unsolicited Inbound
RulesDrop
drop all >> alert 3 [Drop All Unsolicited Inbound]
end

Outbound Rules

title [ Security Level Custom (Medium) OUT rules ]
begin
# Protocol Match conditions
RulesPass
#pass to port 80 >> state, done  # HTTP
#pass from port 80 >> state, done  # HTTP
#pass protocol udp, to port 53 >> state, done  # DNS
#pass to port 20 >> state, done  # FTP
#pass from port 20 >> state, done  # FTP
#pass to port 21 >> state, done  # FTP
#pass to port 23 >> state, done  # Telnet
#pass to port 110 >> state, done  # POP
#pass to port 119 >> state, done  # NNTP
##pass to port 143 >> state, done  ## IMAP
##pass to port 220 >> state, done  ## IMAP v.3
#pass to port 25 >> state, done  # SMTP
#pass to port 443 >> state, done  # HTTPS
##pass to port 500 >> state, done  ## IPSEC ALG
##pass protocol 50 >> state, done  ## IPSEC ESP
#pass to port >= 1024, to port <= 5000 >> state, done  # WE/IE Passive FTP Ports
# Uncheck "Use Passive FTP" in IE Advanced Options and enable the FTP firewall service, or enable the above statement

# Failed to match
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]

# Pass and Log ICMP Echo Request
RulesPassICMP
pass icmp-type request >> done, state, alert 0 [ICMP - Echo Request - Pass]  # Type: 8 (allow ping requests)

# Drop and Log all ICMP Except Echo Request
RulesDropICMP
drop icmp-type reply >> done, alert 3 [ICMP - Echo Reply - Drop]  # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP - TTL Exceeded - Drop]  # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 3 [ICMP - Dst Unreachable - Drop]  # Type: 3 (block unreachable reply)
#drop icmp-type request >> done, alert 0 [ICMP - Echo Request - Drop]  # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP - Unknown Reply - Drop]  # Type: (block all other replies)

# Save Session State for Enabled Services
RulesSaveState
pass all >> state

# Drop All Unless Service is Enabled
RulesDrop
drop all >> alert 1 [Packet to be dropped unless Service enabled]
end
to NOYB · 2006-Aug-16 10:34 am

NOYB -

Are you saying that you *should* enable these services in the Westell?
NOYB · Premium Member · 2006-Aug-16 1:03 pm
With these firewall rules it is necessary to enable the services one wants to use, or to pass them in the outbound firewall rules with a 'state' and 'done' action. I prefer enabling them in the "Services" rather than in the firewall rules for a few reasons.

1) Making changes to the firewall rules clears the log.
2) Better display of what is enabled.
3) Supposedly one can switch the connection profile between any number of custom services profiles. Though I've not been successful with that yet.

Theoretically one could end the outbound firewall rules with 'pass all >> state', i.e. remove the 'drop all' rule at the end of the outbound firewall rules, to eliminate the need for specifying specific services to be enabled. That would allow all non-explicitly blocked outbound traffic and its corresponding inbound traffic (based on session state table entries). Though I have not verified this, as at the moment I want it locked down tight to only the services that are explicitly enabled, rather than all services allowed except those explicitly blocked.

This rule at the end of the inbound firewall rules blocks anything that has not been explicitly allowed, or is not in the session state table. If a session for the packet is found in the table, the firewall rules are not executed.

# Drop All Unsolicited Inbound
RulesDrop
drop all >> alert 3 [Drop All Unsolicited Inbound]

These two rules at the end of the outbound firewall rules save the session state for outbound packets, then drop all outbound packets that have not been explicitly passed, or are not passed by an enabled service.

# Save Session State for Enabled Services
RulesSaveState
pass all >> state

# Drop All Unless Service is Enabled
RulesDrop
drop all >> alert 1 [Packet to be dropped unless Service enabled]

Saving the session state in this manner is necessary because not all the enabled services save the session state. The only service I've seen save the session state as one would expect is DNS. I believe this is a bug/flaw with the Westell VersaLink 327w. It may or may not be the same with other Westell modems/routers/firewalls. So basically this is a workaround for the bug/flaw.

Clear as mud? It's sort of difficult to explain because there are so many interdependencies between inbound firewall rules, outbound firewall rules, services, the session state table, what appears to be some hard-coded inbound rules, and the apparent bug/flaw that enabled services don't seem to save session state as one would expect them to.
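The evaluation order described in this post (session state table first, rules only for packets without a session entry, 'state' recording a session, 'done' ending rule processing, and the trailing 'drop all' that an enabled service overrides) is easier to see in a small model. The following Python is an added example written for this page; it is not Westell firmware and not code from the thread. It parses only the subset of the rule syntax quoted above (pass/drop, protocol, to/from port with ==, >= or <=, to/from addr, all, and the state/done/alert actions), and it assumes, as a modelling choice, that an enabled service rescues a packet that fell through to the final 'drop all' without recording a session entry, which is the behaviour the post attributes to every service except DNS. Addresses and ports in the demo are constructed.

```python
# Added example (Python): toy model of the Westell stateful evaluation described in the
# thread. Not Westell firmware code. Modelling assumptions are marked below.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        # The session entry a reply to this packet would have to find.
        return (self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class Rule:
    verdict: str                # "pass" or "drop"
    conds: list                 # (field, op, value) triples; empty list means 'all'
    state: bool = False
    done: bool = False
    alert: Optional[str] = None

FIELDS = {("to", "port"): "dport", ("from", "port"): "sport",
          ("to", "addr"): "dst", ("from", "addr"): "src"}
OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def parse_rule(line: str) -> Rule:
    """Parse '<pass|drop> <cond>[, <cond>] >> <action>[, <action>]  # comment'."""
    text = line.split("#", 1)[0].strip()          # drop the trailing comment
    lhs, _, rhs = text.partition(">>")
    verdict, _, cond_text = lhs.strip().partition(" ")
    rule = Rule(verdict=verdict, conds=[])
    if cond_text.strip() != "all":
        for cond in cond_text.split(","):
            words = cond.split()
            if words[0] == "protocol":
                rule.conds.append(("proto", "==", words[1]))
            else:
                fld = FIELDS[(words[0], words[1])]
                op, val = (words[2], words[3]) if len(words) == 4 else ("==", words[2])
                rule.conds.append((fld, op, int(val) if fld.endswith("port") else val))
    for act in (a.strip() for a in rhs.split(",")):
        if act == "state":
            rule.state = True
        elif act == "done":
            rule.done = True
        elif act.startswith("alert"):
            rule.alert = act[act.index("["):]   # keep the bracketed log text
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    return all(OPS[op](getattr(pkt, fld), val) for fld, op, val in rule.conds)

class Firewall:
    def __init__(self, inbound, outbound, services=()):
        self.inbound = [parse_rule(r) for r in inbound]
        self.outbound = [parse_rule(r) for r in outbound]
        self.services = set(services)   # (proto, dport) pairs ticked on the Services page
        self.sessions = set()
        self.log = []

    def _run(self, rules, pkt):
        """Walk a rule list; returns (last verdict, whether a 'done' ended the walk)."""
        verdict = None
        for rule in rules:
            if not matches(rule, pkt):
                continue
            verdict = rule.verdict
            if rule.state:
                self.sessions.add(pkt.key())
            if rule.alert:
                self.log.append(f"{rule.alert} {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            if rule.done:
                return verdict, True
        return verdict, False

    def outbound_verdict(self, pkt: Packet) -> str:
        verdict, stopped = self._run(self.outbound, pkt)
        # Modelling assumption: a packet that fell off the end into 'drop all' is let
        # through by an enabled service, but (as the post reports) no session is recorded.
        if verdict == "drop" and not stopped and (pkt.proto, pkt.dport) in self.services:
            return "pass"
        return verdict

    def inbound_verdict(self, pkt: Packet) -> str:
        if pkt.reply_key() in self.sessions:
            return "pass"   # stateful match: the inbound rules are never consulted
        return self._run(self.inbound, pkt)[0]

# Constructed rule lists, cut down from the medium rule sets in the first post.
INBOUND_MEDIUM = [
    "drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]",
    "drop all >> alert 3 [Drop All Unsolicited Inbound]",
]
OUTBOUND_MEDIUM = [
    "drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]",
    "pass all >> state",   # the workaround rule: records a session for every flow
    "drop all >> alert 1 [Packet to be dropped unless Service enabled]",
]

def demo(with_save_state: bool = True):
    """A DNS exchange plus a few other packets; returns (verdicts, log)."""
    outbound = [r for r in OUTBOUND_MEDIUM if with_save_state or not r.startswith("pass all")]
    fw = Firewall(INBOUND_MEDIUM, outbound, services=[("udp", 53)])
    lan, resolver, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
    verdicts = {
        "dns query out": fw.outbound_verdict(Packet("udp", lan, 40000, resolver, 53)),
        "dns reply in": fw.inbound_verdict(Packet("udp", resolver, 53, lan, 40000)),
        "https out (no service)": fw.outbound_verdict(Packet("tcp", lan, 40001, resolver, 443)),
        "netbios out": fw.outbound_verdict(Packet("tcp", lan, 40002, resolver, 139)),
        "unsolicited in": fw.inbound_verdict(Packet("tcp", scanner, 5555, lan, 80)),
    }
    return verdicts, fw.log

if __name__ == "__main__":
    print("with 'pass all >> state':   ", demo(True)[0])
    print("without 'pass all >> state':", demo(False)[0])
```

Running `demo(True)` and `demo(False)` side by side shows the point of the workaround: with the 'pass all >> state' rule in place the DNS reply is admitted by the session table, while without it the same reply reaches the inbound rules and is dropped by 'drop all', even though the outbound query was let through by the enabled service.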
to NOYB · 2006-Aug-16 1:14 pm

Well, that makes sense. All my inbound rules do say "done"... except for the "pass all"... which I guess, because it is at the end of the string, makes it kinda moot to have a "done" there. Please explain your Inbound RulesDropTTL change. Thanks.
NOYB · Premium Member · 2006-Aug-16 1:23 pm
Just to log TTL 1 and TTL 0 separately, so as to be able to see which it was.
to NOYB · 2006-Aug-17 4:07 pm

Your rule is -

RulesDropTTL
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

The original rule is -

RulesDropTTL
drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]

What does the "FF" change do for you? Recall I haven't reviewed the "how to" in some time now.

Thanks.

(Note for everyone - the "alert #" just defines a color change in the Westell log file so that the [text] is highlighted.)
NOYB · Premium Member · 2006-Aug-17 6:55 pm
FF is the mask. I would have to go back and figure the bits out again to give any details. Maybe I'll do that and add it here sometime. I created that several months ago. Are you thinking I flubbed it? Though with the 'drop all' rule at the end it wouldn't really matter, other than not being logged with its own unique message.

Added - 8/18/2006

Basically the FE (1111 1110) mask is just saying we don't care about the least significant bit (LSB). So regardless of whether the LSB is 1 or 0, we don't care. We only care if at least one of the other 7 bits is a 1; then the TTL is neither 0 nor 1. In my rules the bit string comparisons to TTL of 0 and 1 are exact, so there is no need to mask off any of the bits. A mask of FF (1111 1111) includes all 8 bits in the comparison.

Original TTL = 0 or 1 Rule & Bit Logic

drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]

TTL Byte   = 02 = 0000 0010
Bit String = 01 = 0000 0001
XOR Result = 03 = 0000 0011
Mask       = FE = 1111 1110
AND Result = 02 = 0000 0010 = No Match for TTL of 2 or greater

TTL Byte   = 01 = 0000 0001
Bit String = 01 = 0000 0001
XOR Result = 00 = 0000 0000
Mask       = FE = 1111 1110
AND Result = 00 = 0000 0000 = Match for TTL of 1

TTL Byte   = 00 = 0000 0000
Bit String = 01 = 0000 0001
XOR Result = 01 = 0000 0001
Mask       = FE = 1111 1110
AND Result = 00 = 0000 0000 = Match for TTL of 0

My TTL = 0 Rule & Bit Logic

drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]

TTL Byte   = 02 = 0000 0010
Bit String = 00 = 0000 0000
XOR Result = 02 = 0000 0010
Mask       = FF = 1111 1111
AND Result = 02 = 0000 0010 = No Match for TTL of 2 or greater

TTL Byte   = 01 = 0000 0001
Bit String = 00 = 0000 0000
XOR Result = 01 = 0000 0001
Mask       = FF = 1111 1111
AND Result = 01 = 0000 0001 = No Match for TTL of 1 or greater

TTL Byte   = 00 = 0000 0000
Bit String = 00 = 0000 0000
XOR Result = 00 = 0000 0000
Mask       = FF = 1111 1111
AND Result = 00 = 0000 0000 = Match for TTL of 0

My TTL = 1 Rule & Bit Logic

drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

TTL Byte   = 02 = 0000 0010
Bit String = 01 = 0000 0001
XOR Result = 03 = 0000 0011
Mask       = FF = 1111 1111
AND Result = 03 = 0000 0011 = No Match for TTL of 2 or greater

TTL Byte   = 01 = 0000 0001
Bit String = 01 = 0000 0001
XOR Result = 00 = 0000 0000
Mask       = FF = 1111 1111
AND Result = 00 = 0000 0000 = Match for TTL of 1

TTL Byte   = 00 = 0000 0000
Bit String = 01 = 0000 0001
XOR Result = 01 = 0000 0001
Mask       = FF = 1111 1111
AND Result = 01 = 0000 0001 = No Match for TTL of 0

Did I do that correctly? Any errors?
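The hand calculation above can be checked mechanically. The following Python is an added example, not code from the thread or from Westell: it applies the same XOR-then-AND test to every possible TTL byte so the three rules can be compared, reproduces the five-line tables in the post's layout, and reads the TTL out of a constructed IPv4 header (byte 8 of the header, per RFC 791). The assumptions are that a Westell `{ value:mask }` match fires exactly when `((byte XOR value) AND mask) == 0`, which is the logic the tables use, and that the `3 8` operands select the TTL byte; the page does not explain those operands, so the example names the byte offset itself.

```python
# Added example (Python, not Westell code): evaluate '{ value:mask }' TTL rules the way
# the worked tables in the thread do, over all 256 TTL values and over a raw IPv4 header.

IPV4_TTL_OFFSET = 8   # TTL is byte 8 of the IPv4 header (RFC 791); assumption: what '3 8' selects

def match_byte(byte: int, value: int, mask: int) -> bool:
    """True when every bit selected by mask agrees between byte and value."""
    return ((byte ^ value) & mask) == 0

def matching_ttls(value: int, mask: int) -> list[int]:
    """All TTL values (0-255) a { value:mask } rule fires on."""
    return [ttl for ttl in range(256) if match_byte(ttl, value, mask)]

def nibbles(b: int) -> str:
    """Binary string grouped as in the thread, e.g. '0000 0010'."""
    s = f"{b:08b}"
    return s[:4] + " " + s[4:]

def worked_table(ttl: int, value: int, mask: int) -> list[str]:
    """The thread's five-line hand calculation for one TTL value."""
    xor = ttl ^ value
    result = xor & mask
    outcome = "Match" if result == 0 else "No Match"
    return [
        f"TTL Byte   = {ttl:02X} = {nibbles(ttl)}",
        f"Bit String = {value:02X} = {nibbles(value)}",
        f"XOR Result = {xor:02X} = {nibbles(xor)}",
        f"Mask       = {mask:02X} = {nibbles(mask)}",
        f"AND Result = {result:02X} = {nibbles(result)} = {outcome}",
    ]

def ttl_rule_fires(ipv4_header: bytes, value: int, mask: int) -> bool:
    """Apply a rule to the TTL byte of a raw IPv4 header."""
    return match_byte(ipv4_header[IPV4_TTL_OFFSET], value, mask)

def constructed_ipv4_header(ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed sample; checksum and addresses left zero)."""
    return bytes([0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, ttl, 0x06]) + bytes(10)

# The three rules quoted in the thread: the original combined rule and NOYB's two split rules.
RULES = {
    "[TTL of 0 or 1]": (0x01, 0xFE),
    "[TTL of 0]":      (0x00, 0xFF),
    "[TTL of 1]":      (0x01, 0xFF),
}

def summarize() -> dict[str, list[int]]:
    """Which TTL values each rule fires on."""
    return {name: matching_ttls(v, m) for name, (v, m) in RULES.items()}

if __name__ == "__main__":
    for name, ttls in summarize().items():
        print(f"{name} fires on TTL values {ttls}")
    print()
    print("\n".join(worked_table(0x02, 0x01, 0xFE)))
    hdr = constructed_ipv4_header(1)
    print("\nTTL 1 header hits [TTL of 1]:", ttl_rule_fires(hdr, 0x01, 0xFF))
```

A single value:mask pair can only match an aligned block of 2^k byte values (the bits cleared in the mask are the free ones), so `{ 01:FE }` covers exactly the pair {0, 1} and cannot tell them apart. Distinguishing TTL 0 from TTL 1 for separate log lines therefore needs the full FF mask and two rules, which is what the split rules do; any other single value the hand tables check (TTL 2 and up) fails all three rules.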
2006-Aug-18 1:10 am

Hi, this guide has been very interesting. I was having trouble downloading drivers from HP's website. The only way I could do it was to lower the 327W's firewall setting from "medium" to "low." Then I came across this thread. I've now enabled the FTP service and unchecked "Use passive FTP" in IE. Now I can download drivers from HP's website just fine without having to feel like I'm lowering security. Thanks!

Now, I was wondering if you (or anyone else) could help with another problem. I can't access any Yahoo games unless I lower the firewall from "medium" to "low." Once on "low," the applet required to start the game works fine. Any ideas on how to either enable a custom service or reconfigure the "medium" settings?

Thanks!
NOYB · Premium Member · 2006-Aug-18 3:30 am
Here is another strong method without enabling services. If you have others you think would make a good addition to these, please post and let us know.

For Westell 327w firewall rules help and syntax, go to 'Configuration -> Firewall' and click the 'edit' button. Then in the 'Firewall Rules' window that pops up, click the 'help' button: http://dslrouter/fwHelp.htm or http://192.168.1.1/fwHelp.htm

Note: The firewall rules are only executed in the absence of a stateful packet match in the session state table.

Remote Router Administration

Disable "Remote Access" and set a strong password (minimum of 8 characters with at least 1 letter, 1 number and 1 punctuation character) on the Maintenance -> Remote Access page: http://dslrouter/remote.htm or http://192.168.1.1/remote.htm

Inbound Firewall Rules - Low
Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.

title [ Security Level Custom (Low) IN rules ]
begin
# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done  # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped]  # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped]  # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped]  # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped]  # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped]  # Type: (block all others)

# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
Permitted
pass all
end

Inbound Firewall Rules - Medium
Deny All Inbound Packets That Are Not Explicitly Permitted or Do Not Have a Matching Session State Table Entry (Unsolicited)

title [ Security Level Custom (Medium) IN rules ]
begin
# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done  # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped]  # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped]  # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped]  # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped]  # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped]  # Type: (block all others)

# Deny All Inbound Packets That Do Not Have a Matching Session State Table Entry (Unsolicited)
Unsolicited
drop all >> alert 3 [Unsolicited Inbound - Drop]
end

Outbound Firewall Rules - Low
Permit All Outbound Packets That Are Not Explicitly Denied

title [ Security Level Custom (Low) OUT rules ]
begin
# Protocol Match conditions

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done  # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop]  # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop]  # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop]  # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop]  # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop]  # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic]  # NetBIOS

# Permit All Outbound Packets That Are Not Explicitly Denied, and Add to Session State Table for Medium Inbound Firewall Rules
Permitted
#pass all  # For Use With Inbound Low Firewall Rules Only
pass all >> state  # For Use With Inbound Low or Medium Firewall Rules
end

Outbound Firewall Rules - Medium
Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled

title [ Security Level Custom (Medium) OUT rules ]
begin
# Protocol Match conditions

# World Wide Web
WWW
pass protocol tcp, to port 80 >> state, done  # HTTP
pass protocol tcp, from port 80 >> state, done  # HTTP
pass protocol tcp, to port 443 >> state, done  # HTTPS - Secure Socket Layer (SSL)

# Domain Name System - Name/Address Resolution
DNS
pass protocol udp, to port 53 >> state, done  # DNS

# Telecommunication Network (Telnet)
Telnet
pass protocol tcp, to port 23 >> state, done  # Telnet

# Internet Protocol Security (IPsec)
IPsec
#pass protocol udp, to port 500 >> state, done  # IPSEC IKE
#pass protocol 50 >> state, done  # IPSEC ESP

# eMail & News Groups
# Post Office Protocol (POP) / Simple Mail Transfer Protocol (SMTP) / Network News Transfer Protocol (NNTP)
eMail
pass protocol tcp, to port 110 >> state, done  # POP
pass protocol tcp, to port 25 >> state, done  # SMTP
pass protocol tcp, to port 119 >> state, done  # NNTP

# Secure Socket Layer POP / SMTP / NNTP
eMailSSL
pass protocol tcp, to port 995 >> state, done  # POP SSL
pass protocol tcp, to port 465 >> state, done  # SMTP SSL
pass protocol tcp, to port 563 >> state, done  # NNTP SSL

# File Transfer Protocol (FTP) - "Active" and "Passive" Modes
FTP
pass protocol tcp, to port 20 >> state, done  # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done  # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done  # Active & Passive Mode FTP Control Channel Port
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done  # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties

# Skype - Assigned Port of Each Skype Installation - Tools -> Options... -> Connection
Skype
#pass protocol udp, from port XXXXX >> state, done  # Skype

# Network Time Protocol (NTP) (Windows Time Sync)
NTP
pass protocol udp, to port 123 >> state, done  # NTP (Windows Time Sync)

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done  # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop]  # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop]  # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop]  # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop]  # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop]  # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic]  # NetBIOS

# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
NotPermitted
drop all >> alert 1 [Packet to be dropped unless Service enabled]
end
to NOYB · 2006-Aug-18 8:00 am

SwiftFox - See my thread on how I did this in my 2200, which is similar to the 327 rule-wise: "Westell 2200 Firewall Rule Explanation Needed".

What you really have to do is sit down and compare the rule sets... and see just what "extra" security you get by changing from one rule set to another. You can then decide if you really require that level of security... or not. You can always make a "custom" rule set by cutting and pasting existing rules that you want/don't want... or by writing your own.
2006-Aug-18 3:02 pm

KachiWachi, thanks, I'll definitely study your thread and then post back, as I'm sure I'll have questions.

Yeah, I've been carefully comparing the different rule sets for Low and Medium. I've been playing around with a custom rule set, but at one point I must have screwed up, as I could no longer surf at all, so then I had to restore the backup configuration.

Anyway, I'm sure I'll learn a lot from your thread, as I've learned a lot from this one. Thanks again.
to NOYB · 2006-Aug-19 6:53 am

NOYB -

Do you really get that many TTL drops that you need or want to see them in the log?

I don't think I've ever had any show up with the "standard" rule.

There's nothing wrong with having your rule... I was just curious as to why you implemented it.
NOYB · Premium Member · 2006-Aug-19 2:28 pm
I have seen a few from time to time, though they are fairly rare, and was just curious whether they were 0 or 1.

I don't know what their capability is for devious exploits, but even if they are not being logged they should probably still at least be dropped (blocked).
NOYB · Premium Member · 2006-Aug-24 11:43 pm
If passive mode FTP access is needed for only a few servers, such as for virus scan definition file updates and managing a web site, the 'Outbound Firewall Rules - Medium' can be further strengthened by making the following modifications, so that the passive mode FTP port range 1024 through 5000 is open only for known, frequented FTP servers rather than for any and all servers.

In the 'File Transfer Protocol (FTP) - "Active" and "Passive" Modes' section of the 'Outbound Firewall Rules - Medium', comment out this line:

pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done  # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties

And add the following for each passive mode FTP site to be accessed, replacing n.n.n.n with the IP address of the FTP server:

# WE/IE Passive Mode FTP Data Channel Ports, Server Specific - Check 'Use Passive FTP' in IE Advanced Properties
pass protocol tcp, to addr n.n.n.n, from port >= 1024, from port <= 5000 >> state, done  # Virus Scan Updates - FTP
pass protocol tcp, to addr n.n.n.n, from port >= 1024, from port <= 5000 >> state, done  # My Web Site - FTP

Additionally, if "Active" mode FTP is not required, these two rules (to and from port 20) may also be commented out:

pass protocol tcp, to port 20 >> state, done  # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done  # Active Mode FTP Data Channel Port

To comment out a rule, place a pound symbol (#) at the beginning of the rule statement.
2006-Oct-16 3:56 pm

Thanks, I used the medium rules on the bottom. Any updates?? It works like a charm, thanks NOYB :P. I always get probed for 1026, 1027 and some other known ports, and it pisses me off.
MQY to NOYB · Member (joined 2003-08-19, Flushing, NY) · 2006-Nov-12 6:14 pm
Hello NOYB:

Thank you for the wonderful article; I think I will copy/paste your rules. Is the rule in the first post a final edit?

BTW, is there anything wrong with the 327w's default firewall rule? Is the default rule good enough to protect us?

Thank you again.
Miss Moose to NOYB · Anon · 2006-Nov-25 2:44 am
Good lawd, this is so useful. I've sewn up one segment and I'll hit the next one tomorrow.

I have an ex actively trying to access my network, so I've gone from medium technical knowledge to getting in quite a bit deeper.

Thanks so much!
poppster to NOYB · Premium Member (joined 2003-12-23, Midwest) · 2006-Nov-30 4:32 pm

Testing your settings, here is what I get.

Random Common Ports, with NO software firewall added.

Port   Service    Status
0      (none)     Stealth
21     FTP        Stealth
22     SSH        Stealth
23     Telnet     Stealth
25     SMTP       Stealth
79     Finger     Stealth
80     HTTP       Stealth
110    POP3       Stealth
113    IDENT      Stealth
119    NNTP       Stealth
135    RPC        Stealth
139    NetBIOS    Stealth
143    IMAP       Stealth
389    LDAP       Stealth
443    HTTPS      Stealth
445    MSFT DS    Stealth
1002   ms-ils     Stealth
1024   DCOM       Stealth
1025   Host       Stealth
1026   Host       Stealth
1027   Host       Stealth
1028   Host       Stealth
1029   Host       Stealth
1030   Host       Stealth
1720   H.323      Stealth
5000   UPnP       Stealth

Security implications, identical for every port above: "There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!"

p2p sharing:

"Your Internet port 139 does not appear to exist! One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion."

"Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet."

Nice settings. The internet is completely browsable, and so are p2p applications, very nice. Looks like I might not need a software firewall... lol. Thanks for these settings.
poppster to NOYB · 2006-Dec-1 12:43 pm

How do I edit the rules for Xbox Live to work? When I want to play on XBL I have to set the firewall down to low.

Otherwise your rules are great.
to NOYB · 2006-Dec-6 7:04 pm

So could you guys help the less computer-savvy people with this?

The only reason I'm needing help is that, like others, I found a program, Limewire, which I want to use, but I don't want to lower my security.

I cut and pasted the rules into the custom part of the Westell firewall settings. However, I still can't surf the internet. I don't see anything else in IE to enable. Any help would be appreciated.

Thanks
cardr01 · 2006-Dec-6 8:10 pm

OK, the slow guy is finally figuring this out. I understand the services and have them enabled now. When enabling them, do you pick "Host" or "Dynamic"?

Thanks
NOYB to MQY · Premium Member · 2007-Feb-18 10:54 pm
The first set of rules is for use with enabling services.

The second set is for using the firewall configuration to allow needed traffic without enabling services. This is the set I use (medium in, medium out).

Only you can determine whether or not the default rule is good enough to protect you. The best practice for security is to block/disable everything and permit/enable only what is needed.

It's been a while since I've been here. Looks like some folks are getting some use out of the firewall rules. That's real nice to see.

Thank you, and you're welcome.