
Help! Tweaking Westell Versalink 327W Firewall for Starcraft
Hiya !!
This is my first post on the forums. I've visited this site before and I was amazed by the knowledge and information that the members and administrators have. I'm very pleased :) !!
Well, to my problem: I need help configuring Westell Versalink 327W's Firewall to allow Starcraft multiplayer online gameplay. (It would also be nice to allow universal battle.net gameplay, but I will attend to that once Starcraft II is released :) !!)
My current firewall configuration is the same as the one posted by NOYBNOYB »Re: Harden Your Westell 327 Firewall ; I am using both Medium levels for inbound and outbound control. I love how secure the configuration is, passing both GRC and Hackerwatch port scans, and the fact that it is user posted.
However, I cannot seem to play Starcraft multiplayer online with those configurations. I have tried port triggering and port forwarding, but the program still hasn't been able to go through. I am using the latest B90 firmware and I have tried connecting with my software firewall (COMODO) and hardware firewall to see which is the source of my problem. It turns out that the hardware firewall is not accepting UDP packets from port 6112. And, stupid Verizon firmware, the latest firmware doesn't seem to have a help page for firewall configurations.
So I do have some special requests for a *specific* firewall configuration:
-Configuration based on the Medium levels of both your Inbound and Outbound rules on »Re: Harden Your Westell 327 Firewall
-Entries for easy Starcraft Battle.net play and updates (I hope that these links will make it easier to understand what is needed for the online play to work :), »www.portforward.com/english/rout···raft.htm ; »www.portforward.com/english/rout···raft.htm ; »us.blizzard.com/support/article.···Number=1 ; »www.battle.net/forums/thread.asp···st417413 ;
-Removal of Skype rules (since I never plan to use the program; besides, since the rule has been posted, it shouldn't be difficult to search for it once again to implement it)
-**The following rule is just a subconscious thing that I wish would be taken into consideration. As long as you keep your Medium settings and have it self configured and such, that would be enough for me :)** Implementation of rules that will allow the strongest of all the *usable* firewall configurations. Something in the likes of stealthing all ports, passing the GRC and Hackerwatch tests flawlessly, allowing the highest network security (like enabling IPSec and such), and easing the impact on usability of software based security applications.
Can you explain to me how and what exactly I am doing with the configuration. I would like to learn to write rules for my firewall configuration in the case that some other program comes up and I cannot use it online.
I really hope that this won't be too much of a hassle. I really appreciate all your time and best wishes :) !!
P.S.- As far as I can see it, I think that this configuration would be optimal for my purposes, but I don't fully understand how it would work (*Note, Inbound would be unchanged from NOYBNOYB's Medium level configuration):
--I have deleted/commented out the *eMail & News Groups*, *Secure Socket Layer POP / SMTP / NNTP *, *Skype*, and *Network Time Protocol (NTP) (Windows Time Sync)* rules as I do not use the programs/services. I feel like it is somewhat of a violation of my security (Windows time especially) and I don't use an email program like Outlook or Thunderbird, though I just commented it out in the block.-- [Is commenting out just a # before the rules ?]
title [ Security Level Custom (Medium) OUT rules ]
begin
# Protocol Match conditions
# World Wide Web
WWW
pass protocol tcp, to port 80 >> state, done # HTTP
pass protocol tcp, from port 80 >> state, done # HTTP
pass protocol tcp, to port 443 >> state, done # HTTPS - Secure Socket Layer (SSL)
# Domain Name System - Name/Address Resolution
DNS
pass protocol udp, to port 53 >> state, done # DNS
# Telecommunication Network (Telnet)
Telnet
pass protocol tcp, to port 23 >> state, done # Telnet
# Internet Protocol Security (IPsec)
IPsec
pass protocol udp, to port 500 >> state, done # IPSEC IKE
pass protocol 50 >> state, done # IPSEC ESP
# eMail & News Groups
# Post Office Protocol (POP) / Simple Mail Transfer #Protocol (SMTP) / Network News Transfer Protocol (NNTP)
#eMail
#pass protocol tcp, to port 110 >> state, done # POP
#pass protocol tcp, to port 25 >> state, done # SMTP
#pass protocol tcp, to port 119 >> state, done # NNTP
# Secure Socket Layer POP / SMTP / NNTP
#eMailSSL
#pass protocol tcp, to port 995 >> state, done # POP SSL
#pass protocol tcp, to port 465 >> state, done # SMTP SSL
#pass protocol tcp, to port 563 >> state, done # NNTP SSL
# File Transfer Protocol (FTP) - "Active" and "Passive" Modes
FTP
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties
# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)
# Failed Protocol Match Conditions
# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS
# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
NotPermitted
drop all >> alert 1 [Packet to be dropped unless Service enabled]
end
I do not fully understand what the *File Transfer Protocol (FTP) - "Active" and "Passive" Modes* rules do and why I would need them. What I do know about them is that IE7 is configured to use them. Is there any reason why I should continue using the services and what other programs use them?
As for a specific Starcraft rule, as far as I can understand from what I am looking at, this is what I came up with so far:
# Starcraft Battle.net Multiplayer Configuration
Starcraft
pass protocol tcp, to port 6112 >> state, done
pass protocol tcp, from port 6112 >> state, done
pass protocol udp, to port 6112 >> state, done
pass protocol udp, from port 6112 >> state, done
---Is there a need for other port configurations and will what I have work ? Also, is there a way that I can log every connection to Battle.net I/those on my network make ?
Well, a little bit of an update.
Thanks to NOYBNOYB's help file post, I was able to understand the rule writing a bit better. With it, I was able to create some *decent* Starcraft rules that allow me to play it seamlessly without any halts. These are the rules I am now using:
Inbound Rules (unchanged from NOYBNOYB's Medium level rules)-
title [ Security Level Custom (Medium) IN rules ]
begin
# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
# Deny All Inbound Packets That Do Not Have a Matching Session State Table Entry (Unsolicited)
Unsolicited
drop all >> alert 3 [Unsolicited Inbound - Drop]
end
Outbound Rules (Tweaked a bit for my settings; would anyone care to explain to me why the rules I've deleted are necessary/important and why I should reimplement them ?)
title [ Security Level Custom (Medium) OUT rules ]
begin
# Protocol Match conditions
# World Wide Web
WWW
pass protocol tcp, to port 80 >> state, done # HTTP
pass protocol tcp, from port 80 >> state, done # HTTP
pass protocol tcp, to port 443 >> state, done # HTTPS - Secure Socket Layer (SSL)
# Domain Name System - Name/Address Resolution
DNS
pass protocol udp, to port 53 >> state, done # DNS
# Internet Protocol Security (IPsec)
IPsec
pass protocol udp, to port 500 >> state, done # IPSEC IKE
pass protocol 50 >> state, done # IPSEC ESP
# File Transfer Protocol (FTP) - "Active" and "Passive" Modes
FTP
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties
# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)
# Failed Protocol Match Conditions
# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS
# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
NotPermitted
drop all >> alert 1 [Packet to be dropped unless Service enabled]
# Battle.net Multiplayer Configuration
Starcraft
pass protocol tcp, to port 6112 >> state, done, alert 0 [Starcraft Battle.net Multiplayer Connection Made]
pass protocol tcp, from port 6112 >> state, done, alert 0 [Starcraft Battle.net Multiplayer Connection Made]
pass protocol udp, to port 6112 >> state, done, alert 0 [Starcraft Battle.net Multiplayer Connection Made]
pass protocol udp, from port 6112 >> state, done, alert 0 [Starcraft Battle.net Multiplayer Connection Made]
end
Would anyone care to explain to me what exactly I did and how important the rules that I removed were ? I've also removed the telnet rules since I think I have removed the network component of that service (it doesn't even appear in services.msc at all).

NOYB (joined 2005-12-15, Forest Grove, OR) | reply to HappyDude
Yes, a comment is anything following the # symbol.
Any of the rules for things you do not use, such as SMTP, POP, Telnet, FTP, NTP, NNTP, Skype, etc. can be commented out with no problem.
Classic FTP uses one of two modes, Active or Passive. Google should yield plenty of info. By default if I recall MSIE uses outbound ports 1024 to 5000 for passive mode.
In general (I don't know the specific requirements) your Starcraft rules look fine.

Heya guys again !!!!
Apparently, my Westell 327W B90 is no longer able to connect to the internet properly. Somehow, the service and router is not communicating properly.
So that was yesterday, and today, Verizon sent me a Westell Model 7500. And ... The internet is still having problems connecting. So tomorrow, they are going to send me the same model (they think the one I had was damaged during packaging).
Right now, I'm able to connect to the internet via wired and the Windows "dialer" connection. To get to the point, I'm wondering:
Is the Westell Versalink 327W Firewall language compatible with the Westell 7500 ? I still want the awesome protection the hardware firewall gave me, and if it is compatible, all I need to do is to copy and paste the settings.
But, from what I've looked at, the Firewall page on the 7500 has some special symbols and rules that I haven't seen on the 327W ...
Guys, a little help here "translating" the rules for me so I can still have hardened firewall protection ? Thank you all so very much.

Alright, here's the syntax that I've got from the Westell 7500 Firewall Edit page:
High Settings:
#! /bin/sh
# High Security Firewall Rules
#echo "*****executing FirewallHigh"
#set -x
FLUSH="iptables -F"
APPEND="iptables -A"
######################
#
# IPSec
# Unchangeable rule. Only allow IPSec in/out in high firewall mode.
#
${FLUSH} proto_chain
${APPEND} proto_chain -p 50 -j logforwardaccept
${APPEND} proto_chain -p 51 -j logforwardaccept
${APPEND} proto_chain -p udp --sport 500 -j logforwardaccept
${APPEND} proto_chain -p udp --dport 4500 -j logforwardaccept
#####
#
# WAN to modem.
# Override default of block all: allow certain inbound ICMP responses from WAN to modem
# (These may not be needed because ICMP responses take the ESTABLISHED,RELATED rule)
#
${APPEND} inwan_level_input_filter -j inwan_spoofing_filter
${APPEND} inwan_level_input_filter -p icmp --icmp-type echo-reply -j logInboundPermitted
${APPEND} inwan_level_input_filter -p icmp --icmp-type destination-unreachable -j logInboundPermitted
${APPEND} inwan_level_input_filter -p icmp --icmp-type time-exceeded -j logInboundPermitted
${APPEND} inwan_level_input_filter -p icmp -j logInboundBlocked
####
#
# LAN to modem
#
${APPEND} inlan_level_input_filter -p udp -m multiport --destination-port 135,136,137,138,139,161,389,445,3268 -j logOutboundBlocked
${APPEND} inlan_level_input_filter -p tcp -m multiport --destination-port 53,135,136,137,138,139,161,389,445,3268 -j logOutboundBlocked
#########
#
# WAN to LAN
# Apply anti-spoofing
#
${APPEND} inwan_level_forward_filter -j inwan_spoofing_filter
#########
#
# LAN to WAN
# Open necessary ports for outbound traffic
#
${APPEND} outwan_level_forward_filter -p udp -m multiport --destination-port 20,21,23,25,53,80,110,119,143,220,443,500 -j logOutboundPermitted
${APPEND} outwan_level_forward_filter -p tcp -m multiport --destination-port 20,21,23,25,80,110,119,143,220,443,500 -j logOutboundPermitted
########
#
# WAN to LAN or modem: anti-spoofing rules. One more rule is added by FirewallUpDown.
#
${APPEND} inwan_spoofing_filter -s 0.0.0.0/32 -j logInboundBlocked
${APPEND} inwan_spoofing_filter -s 127.0.0.0/8 -j logInboundBlocked
${APPEND} inwan_spoofing_filter -d 127.0.0.0/8 -j logInboundBlocked
${APPEND} inwan_spoofing_filter -s 192.168.0.0/16 -j logInboundBlocked
########
#
# default handling
#
${APPEND} inwan_default_forward_filter -j logInboundBlocked
${APPEND} outwan_default_forward_filter -j logOutboundBlocked
${APPEND} inwan_default_input_filter -j logInboundBlocked
${APPEND} outwan_default_output_filter -j logOutboundPermitted
${APPEND} inlan_default_input_filter -j ACCEPT
${APPEND} outlan_default_output_filter -j ACCEPT
And here are the medium settings:
#! /bin/sh
# Medium Security Firewall Rules
#echo "*****executing FirewallMedium"
#set -x
APPEND="iptables -A"
#####
#
# WAN to modem.
# Override default of block all: allow certain inbound ICMP responses from WAN to modem
# (These may not be needed because ICMP responses take the ESTABLISHED,RELATED rule)
#
${APPEND} inwan_level_input_filter -j inwan_spoofing_filter
${APPEND} inwan_level_input_filter -p icmp --icmp-type echo-reply -j logInboundPermitted
${APPEND} inwan_level_input_filter -p icmp --icmp-type destination-unreachable -j logInboundPermitted
${APPEND} inwan_level_input_filter -p icmp --icmp-type time-exceeded -j logInboundPermitted
${APPEND} inwan_level_input_filter -p icmp -j logInboundBlocked
####
#
# LAN to modem
#
${APPEND} inlan_level_input_filter -p udp -m multiport --destination-port 135,136,137,138,139,161,389,445,3268 -j logOutboundBlocked
${APPEND} inlan_level_input_filter -p tcp -m multiport --destination-port 53,135,136,137,138,139,161,389,445,3268 -j logOutboundBlocked
#########
#
# WAN to LAN
# Apply anti-spoofing
#
${APPEND} inwan_level_forward_filter -j inwan_spoofing_filter
#########
#
# LAN to WAN
# Open necessary ports for outbound traffic
#
${APPEND} outwan_level_forward_filter -p udp -m multiport --destination-port 20,21,23,25,53,80,110,119,143,220,443,500 -j logOutboundPermitted
${APPEND} outwan_level_forward_filter -p tcp -m multiport --destination-port 20,21,23,25,80,110,119,143,220,443,500 -j logOutboundPermitted
########
#
# WAN to LAN or modem: anti-spoofing rules. One more rule is added by FirewallUpDown.
#
${APPEND} inwan_spoofing_filter -s 0.0.0.0/32 -j logInboundBlocked
${APPEND} inwan_spoofing_filter -s 127.0.0.0/8 -j logInboundBlocked
${APPEND} inwan_spoofing_filter -d 127.0.0.0/8 -j logInboundBlocked
${APPEND} inwan_spoofing_filter -s 192.168.0.0/16 -j logInboundBlocked
########
#
# default handling
#
${APPEND} inwan_default_forward_filter -j logInboundBlocked
${APPEND} outwan_default_forward_filter -j logOutboundBlocked
${APPEND} inwan_default_input_filter -j logInboundBlocked
${APPEND} outwan_default_output_filter -j logOutboundPermitted
${APPEND} inlan_default_input_filter -j ACCEPT
${APPEND} outlan_default_output_filter -j ACCEPT
And though the Verizon tech dude told me that the syntax was compatible, it apparently isn't, because I just did a GRC ShieldsUP! Port Scan and a "Complete" Hackerwatch Port Scan, and they report that:
Port 20, Port 21 [which are both FTP ports], in addition to Port 500 [which is an Internet Security Association and Key Management Protocol (ISAKMP) port, which I have no clue what it's about]
ARE CLOSED, REACHABLE, & UNSECURE
Can anyone help me here ? I really wish to be secure through the Westell 7500 Hardware Firewall. Thanks very much :) !!

(reply) The GRC report you listed just means that your router/NAT/modem sends a TCP reset when contacted on those TCP ports. No big deal, really. But it is interesting that the 7500 is apparently just a Linux appliance running iptables. That means normal iptables rules should work fine. Google a little and you'll get more iptables examples than you can shake a stick at.

Alright, so I've Googled and Wikied iptables and found some nice organized information. Unfortunately, I will not be able to *write up* my own set of rules because learning iptables seems like learning a whole new computer programming language (and that would take a prolonged amount of time).
I don't have the time, and so, after gathering some rules and settings, I put together this configuration for the Westell 7500:
**Note: I'm not even sure why this works, let alone know its strengths. But as far as I can see, the authors seem to know what they are doing and the rules are quite well organized :) !!**
#! /bin/sh
# Copyright (c) 2005
#
# Author: David Mair
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall configuration
### END INIT INFO
##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
# Drop everything
iptables -A INPUT -i eth0 -p tcp --syn -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F INPUT
iptables -N inbound
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i eth0 -j inbound
iptables -A INPUT -i lo -j ACCEPT
iptables -A inbound -m state --state ESTABLISHED -j ACCEPT
iptables -A inbound -m state --state RELATED -j ACCEPT
}
##############################################################################
# FLUSH TABLES
FlushTables() {
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
iptables -X
}
##############################################################################
# ROUTING
EnableRouting() {
echo 1 > /proc/sys/net/ipv4/ip_forward
}
DisableRouting() {
echo 0 > /proc/sys/net/ipv4/ip_forward
}
##############################################################################
# FORWARDING
SetForwardingRules() {
iptables -A FORWARD -i $IF_PUB -o $IF_PRV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_PRV -o $IF_PUB -j ACCEPT
}
##############################################################################
# LOOPBACK
SetLoopbackRules() {
# Allow everything
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
}
##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
# Allow everything
iptables -A INPUT -i $IF_PRV -s $NET_PRV -j ACCEPT
iptables -A OUTPUT -o $IF_PRV -d $NET_PRV -j ACCEPT
}
#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -j ACCEPT
}
##############################################################################
# SOURCE NAT
EnableSourceNAT() {
# Then source NAT everything else
iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
}
# Various ICMP
SetICMP_Open() {
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
# SSH (on a non-standard port)
SetSSH_Open() {
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB --dport 2202 -j ACCEPT
}
##############################################################################
# Destination NAT
# smtp
SetSMTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport smtp -j ACCEPT
}
# pop3
SetPOP3_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport pop3 -j DNAT --to 192.168.10.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport pop3 -j ACCEPT
}
# Webmail (444->443)
SetWebmail_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.10.254:443
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
}
# http
SetHTTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.10.253
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
}
# Blocked protocols
SetBlockedProtocols() {
# Block all normal irc (used by botnets)
iptables -A INPUT -p tcp --dport irc -j DROP
iptables -A INPUT -p udp --dport irc -j DROP
iptables -A INPUT -p tcp --dport irc-serv -j DROP
iptables -A INPUT -p udp --dport irc-serv -j DROP
iptables -A INPUT -p tcp --dport ircs -j DROP
iptables -A INPUT -p udp --dport ircs -j DROP
}
# Blocked hosts
SetBlockedHosts() {
iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
}
# Blocked networks
SetBlockedNetworks() {
iptables -A INPUT -i $IF_PUB -s 10.220.232.0/24 -j REJECT --reject-with icmp-net-prohibited
iptables -A FORWARD -i $IF_PUB -d $IP_PUB -s 10.220.232.0/24 -j REJECT --reject-with icmp-net-prohibited
}
# Specify things to drop before logging
SetPrelogDropRules() {
# DHCP
iptables -A INPUT -i $IF_PUB -p udp --sport bootps -j DROP
}
# Log those on the public interface
SetLoggingRules() {
iptables -A INPUT -i $IF_PUB -j LOG --log-prefix="INPUT "
iptables -A OUTPUT -o $IF_PUB -j LOG --log-prefix="OUTPUT "
iptables -A FORWARD -j LOG --log-prefix="FORWARD "
#iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre "
#iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost "
#iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}
# Drop them all
SetDropRules() {
# Reset tcp connection attempts on all other ports
# This is the standard TCP behaviour for a closed port. Reading
# suggests there is no value in stealthing ports and since some are
# open on this host it doesn't seem to matter. Therefore, let's be a
# good TCP citizen
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
}
##############################################################################
# SCRIPT ENTRY POINT
echo -n "Firewall configuration..."
echo $1
##############################################################################
# ENVIRONMENT
# Private interface
IF_PRV=eth0
IP_PRV=192.168.1.1
NET_PRV=192.168.1.0/24
# Public interface
IF_PUB=eth1
IP_PUB=10.0.0.1
NET_PUB=10.0.0.0/24
# Others
ANYWHERE=0.0.0.0/0
. /etc/rc.status
rc_reset
##############################################################################
# COMMAND LINE
case "$1" in
start)
SetDefaultPolicy
FlushTables
EnableRouting
SetBlockedProtocols
SetBlockedNetworks
SetBlockedHosts
SetForwardingRules
SetLoopbackRules
SetPrivateInterfaceRules
SetPublicInterfaceRules
EnableSourceNAT
SetICMP_Open
SetSSH_Open
SetSMTP_DNAT
SetPOP3_DNAT
SetWebmail_DNAT
SetHTTP_DNAT
SetPrelogDropRules
SetLoggingRules
SetDropRules
;;
stop)
SetDefaultPolicy
FlushTables
SetPrivateInterfaceRules
SetPublicInterfaceRules
;;
restart)
$0 stop
$0 start
;;
*)
;;
esac
rc_exit
Alright, so here is the compiled rule. This is a combination of rule sets that I acquired from:
»www.novell.com/coolsolutions/fea···139.html --> Which is the main layout of the firewall.
»www.linuxquestions.org/questions···t-21338/ --> Which I've added some rules onto the Default Policy.
»fixunix.com/security/17626-shiel···les.html --> Which further tweaks the Default Policy to what it is now.
So that's my current ruleset. Now, when I do a GRC Port Scan and HackerWatch Port Scan (on my father's computer, which runs the Windows XP Firewall; I noticed that my sister's computer and mine, which both run COMODO Firewall Pro V3, have all our ports stealthed, which should be because the software firewall *backs up* the hardware firewall during port scanning):
Port 20, Port 21 [which are both FTP ports] ARE *STILL* CLOSED, REACHABLE, & UNSECURE
20 Closed ftp-data File Transfer Protocol (Default Data Channel)
21 Closed ftp File Transfer Protocol (Control Channel)
Closed but Unsecure 21 (FTP) This port is not being blocked, but there is no program currently accepting connections on this port.
******HOWEVER !! I continued reading on some threads and forums on specifically stealthing a single port (by Googling something like stealth port 20 using IPTables) and apparently I could use TELNET to test the stealth status of my ports:
telnet port 20 --> (which was detected by the scans as closed) Reports *Connecting To port...Could not open connection to the host, on port 20: Connect failed*
Now I tried it for something that was scanned as stealth: telnet port 100 (dunno what it is) --> Reports *Connecting To port...Could not open connection to the host, on port 20: Connect failed* --> Same as the previous, so does that mean it is stealthed?
And from something I read on a thread (»ubuntuforums.org/showthread.php?t=609500): telnet 127.0.0.1 20 & telnet 127.0.0.1 reported the same results.
Alright, so there's my 2 cents. Anyone can give me any insight on whats happening? Am I secured behind a strong hardware firewall now? Once again, thank you all for your time :) !!
EDIT: The first line of the rules, #! /bin/sh, differs from David Mair's first line, #! /bin/bash, because that's what the *default* security rules for the Westell 7500 started out with. I don't know the difference or why its like that, but I wouldn't want to try it out.
** Now how exactly do I get Starcraft to work right again ... ?**
EDIT 2- Check out this post for some of my ramblings, which is somewhat related to this thread.
»Verizon correcting problems /w 4.x.x firmware & 7500 gateway

Alright, so apparently, the best thing to do for port scans is to do it through a variety of scanners.
Here are my results from the following sites:
»www.auditmypc.com/security-scan.asp --Standard Security Scan: We completed the audit and did not find any open ports. This is ideal for the average visitor. --Ranged Security Scan (1-2500): We completed the audit and did not find any open ports. This is ideal for the average visitor.
»www.t1shopper.com/tools/port-scanner/ --Checked all boxes and did a ranged scan for ports 0-470: basic results: [my IP Address] isn't responding on port [ALL PORTS FROM 0-470 ([information/ port purpose])].
»www.pcflank.com/scanner1.htm --TCP standard scanning for typical vulnerable ports: all scanned are stealthed but closed for ports 21, 80, 135 --TCP SYN scanning for typical vulnerable ports: all scanned are stealthed (including 80) except for 21
Overall, I think I'm quite happy with the results. So tests report closed or stealthed. I suppose the results are pleasing.
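The telnet test in the previous post cannot tell "closed" from "stealth": both attempts fail, and only the way they fail differs. A closed port answers the SYN with a TCP RST, so connect() fails at once with ECONNREFUSED (what GRC calls closed but reachable, as the reply above explains); a port whose packets the firewall silently drops produces no answer at all, so connect() times out (what ShieldsUP! calls stealth). The following Python script is an added example, not code from this thread or from Westell, that classifies a port the way those scanners do. Its demo() runs against constructed local sockets so it works offline; the host and port you hand to probe() are your own.

```python
"""Classify a TCP port as open / closed / filtered ("stealth") from the
outcome of connect(), which is exactly what the online scanners report.
Added example for the thread above; all inputs in demo() are constructed."""
import errno
import socket

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_connect_error(exc):
    """Map the exception raised by socket.connect() to scanner vocabulary.

    ECONNREFUSED: the target answered the SYN with a TCP RST, so the port is
        CLOSED (GRC: "closed, reachable"); the firewall let the probe through.
    timeout / EHOSTUNREACH / ENETUNREACH / ETIMEDOUT: nothing came back, the
        probe was dropped on the way: FILTERED (ShieldsUP!: "stealth").
    """
    if isinstance(exc, socket.timeout):
        return FILTERED
    code = getattr(exc, "errno", None)
    if code == errno.ECONNREFUSED:
        return CLOSED
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
        return FILTERED
    raise exc  # anything else is a local error, not a scan result


def probe(host, port, timeout=3.0):
    """Return OPEN, CLOSED or FILTERED for host:port (TCP connect scan)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN  # three-way handshake completed: something is listening
    except (socket.timeout, OSError) as exc:
        return classify_connect_error(exc)
    finally:
        sock.close()


def free_local_port():
    """Pick a loopback port with nothing listening on it (bind, read, release)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo():
    """Exercise all three outcomes without leaving the machine.

    A listening loopback socket gives OPEN, a free loopback port gives CLOSED
    (the kernel answers with RST), and a simulated timeout stands in for a
    dropped probe, since loopback can never be filtered.
    """
    results = {}
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        results["listening socket"] = probe("127.0.0.1", srv.getsockname()[1])
    results["no listener"] = probe("127.0.0.1", free_local_port())
    results["dropped (simulated timeout)"] = classify_connect_error(socket.timeout())
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:30s} -> {verdict}")
```

Run probe() against your WAN address from a host outside your own LAN; from inside, the connection never crosses the WAN-side chains, so the verdict says nothing about the gateway's firewall. A CLOSED verdict on 20, 21 or 500 means the gateway answered with RST, which is the behaviour the reply above describes, not a hole: nothing is listening, the reset just tells the scanner the address is alive.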
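For the "how exactly do I get Starcraft to work right again" question two posts up: on the 7500 the rule set is plain iptables, so the Battle.net port goes into the same chains the quoted medium script already uses. The following Python helper is an added example, not Westell's code or anything posted in the thread. It builds the commands for outbound 6112 TCP and UDP (enough to join games on Battle.net) and, only when asked, a DNAT plus accept pair that lets other players reach a game you host. The chain and target names (outwan_level_forward_filter, inwan_level_forward_filter, logOutboundPermitted, logInboundPermitted) are copied from the quoted script; the WAN interface name ppp0 and the LAN host 192.168.1.10 are assumptions to replace, and it relies on the ESTABLISHED,RELATED rule the script's comments mention to carry the return traffic. By default it only renders the commands; pass dry_run=False as root on the gateway to apply them.

```python
"""Build (and optionally apply) the iptables rules that let StarCraft /
Battle.net (TCP and UDP 6112) through the Westell 7500 "medium" chains
quoted above. Added example; chain names come from the quoted script,
interface and host names are assumptions."""
import shlex
import subprocess

GAME_PORT = 6112
LAN_HOST = "192.168.1.10"  # assumption: the PC that runs StarCraft
WAN_IF = "ppp0"            # assumption: the 7500's WAN (PPPoE) interface


def starcraft_rules(lan_host=LAN_HOST, wan_if=WAN_IF, port=GAME_PORT, hosting=False):
    """Return the iptables commands as argv lists, in the order to apply them."""
    rules = []
    for proto in ("tcp", "udp"):
        # LAN -> WAN: append to the chain the medium script fills with its
        # permitted outbound ports; logOutboundPermitted is its log+accept target.
        rules.append(["iptables", "-A", "outwan_level_forward_filter",
                      "-p", proto, "--dport", str(port), "-j", "logOutboundPermitted"])
    if hosting:
        for proto in ("tcp", "udp"):
            # Players joining your game arrive unsolicited on the WAN address:
            # rewrite the destination to the game PC...
            rules.append(["iptables", "-t", "nat", "-A", "PREROUTING", "-i", wan_if,
                          "-p", proto, "--dport", str(port),
                          "-j", "DNAT", "--to-destination", f"{lan_host}:{port}"])
            # ...and let it through the WAN -> LAN chain, which in the quoted
            # script only runs the anti-spoofing checks before the default block.
            rules.append(["iptables", "-A", "inwan_level_forward_filter", "-i", wan_if,
                          "-p", proto, "-d", lan_host, "--dport", str(port),
                          "-j", "logInboundPermitted"])
    return rules


def render(rules):
    """Shell-quoted one-liners, suitable for pasting into the Firewall Edit page."""
    return [" ".join(shlex.quote(arg) for arg in rule) for rule in rules]


def apply_rules(rules, dry_run=True):
    """Apply the rules with iptables (needs root on the gateway); dry run by default."""
    lines = render(rules)
    if not dry_run:
        for rule in rules:
            subprocess.run(rule, check=True)
    return lines


if __name__ == "__main__":
    for line in apply_rules(starcraft_rules(hosting=True)):
        print(line)
```

Add the hosting pair only while you actually host: it forwards every unsolicited 6112 packet from the Internet to that one PC, so the scanners above will (correctly) report 6112 as open for as long as it is in place. Joining games needs only the two outbound rules, and the quoted script's default chains keep logging whatever else the LAN tries to send out.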
#! /bin/sh
#
# Author: Stanley Chan
#
# Version 06/27/08
#
# /etc/init.d/firewall
#
#
### Based on rules from:
### http://www.novell.com/coolsolutions/feature/18139.html
### http://www.linuxquestions.org/questions/linux-security-4/stealth-iptables-ruleset-21338/
### http://fixunix.com/security/17626-shields-up-reports-one-open-port-through-iptables.html
### http://www.dslreports.com/forum/r20642422-Help-Configuring-Router-IPTables-to-stealth-all-ports-
#
#
### BEGIN INIT INFO
# Provides: Firewall for Router/Modem/Switch [Westell Versalink 7500]
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall Configuration
### END INIT INFO
#
#
##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
# Drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
}
##############################################################################
# FLUSH TABLES
FlushTables() {
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
iptables -X
}
##############################################################################
# ROUTING
EnableRouting() {
echo 1 > /proc/sys/net/ipv4/ip_forward
}
DisableRouting() {
echo 0 > /proc/sys/net/ipv4/ip_forward
}
##############################################################################
# FORWARDING
SetForwardingRules() {
iptables -A FORWARD -i $IF_PUB -o $IF_PRV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_PRV -o $IF_PUB -j ACCEPT
}
##############################################################################
# Stan's Custom Rules
SetCustomRules() {
# Replies to connections this host opened must be accepted before any drop
# rule in INPUT, otherwise every return packet is discarded
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Placeholder chain for per-host rules; it is empty, so the jump falls through
iptables -N inbound
iptables -A INPUT -i $IF_PUB -j inbound
# Drop probes to ports 0 and 1 on the public interface. eth0 is the private
# interface in the ENVIRONMENT section below, so use $IF_PUB rather than eth0.
# (--syn is a TCP flag match and does not exist for UDP; the old
# "-p udp --syn" rule was refused by iptables and never loaded.)
iptables -A INPUT -i $IF_PUB -p tcp --dport 0:1 -j DROP
iptables -A INPUT -i $IF_PUB -p udp --dport 0:1 -j DROP
# Everything not explicitly accepted is logged by SetLoggingRules, dropped by
# SetDropRules and finally by the DROP policy. An unconditional
# "iptables -A INPUT -j DROP" here would make every rule appended after it
# (loopback, LAN, ICMP, SSH) unreachable.
}
##############################################################################
# LOOPBACK
SetLoopbackRules() {
# Allow everything
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
}
##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
# Allow everything
iptables -A INPUT -i $IF_PRV -s $NET_PRV -j ACCEPT
iptables -A OUTPUT -o $IF_PRV -d $NET_PRV -j ACCEPT
}
#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -j ACCEPT
}
##############################################################################
# SOURCE NAT
EnableSourceNAT() {
# Then source NAT everything else
iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
}
# Various ICMP
SetICMP_Open() {
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
# SSH (on a non-standard port)
SetSSH_Open() {
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB --dport 2202 -j ACCEPT
}
##############################################################################
# Destination NAT
# NOTE: DNAT targets must be hosts inside $NET_PRV (192.168.1.0/24 in the
# ENVIRONMENT section). The 192.168.10.x addresses below are inherited from
# the template rules this script is based on and are not on that subnet.
# smtp
SetSMTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport smtp -j ACCEPT
}
# pop3
SetPOP3_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport pop3 -j DNAT --to 192.168.10.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport pop3 -j ACCEPT
}
# Webmail (444->443)
SetWebmail_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.10.254:443
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
}
# http
SetHTTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.10.253
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
}
# Blocked protocols
SetBlockedProtocols() {
# Block all normal irc (used by botnets)
iptables -A INPUT -p tcp --dport irc -j DROP
iptables -A INPUT -p udp --dport irc -j DROP
iptables -A INPUT -p tcp --dport irc-serv -j DROP
iptables -A INPUT -p udp --dport irc-serv -j DROP
iptables -A INPUT -p tcp --dport ircs -j DROP
iptables -A INPUT -p udp --dport ircs -j DROP
}
# Blocked hosts
# --reject-with is an option of the REJECT target only; combined with -j DROP
# iptables refuses the whole rule, so these blocks were never loaded.
# Plain DROP is the silent behaviour stealthing wants anyway.
SetBlockedHosts() {
iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j DROP
iptables -A FORWARD -i $IF_PUB -s 10.220.231.236 -j DROP
}
# Blocked networks
# FORWARD sees packets after DNAT, so matching "-d $IP_PUB" there never hits;
# match on source only, as for blocked hosts.
SetBlockedNetworks() {
iptables -A INPUT -i $IF_PUB -s 10.220.232.0/24 -j DROP
iptables -A FORWARD -i $IF_PUB -s 10.220.232.0/24 -j DROP
}
# Specify things to drop before logging
SetPrelogDropRules() {
# DHCP
iptables -A INPUT -i $IF_PUB -p udp --sport bootps -j DROP
}
# Log those on the public interface
SetLoggingRules() {
iptables -A INPUT -i $IF_PUB -j LOG --log-prefix="INPUT "
iptables -A OUTPUT -o $IF_PUB -j LOG --log-prefix="OUTPUT "
iptables -A FORWARD -j LOG --log-prefix="FORWARD "
#iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre "
#iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost "
#iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}
# Drop them all
SetDropRules() {
# Reset tcp connection attempts on all other ports
# This is the standard TCP behaviour for a closed port. Reading
# suggests there is no value in stealthing ports and since some are
# open on this host it doesn't seem to matter. Therefore, let's be a
# good TCP citizen
### Stan- Changed rule from REJECT to DROP for stealthing
# --reject-with only exists for -j REJECT; "-j DROP --reject-with tcp-reset"
# is refused by iptables, which left this function loading nothing.
# A scanner reports "closed" when something answers with a RST and "stealth"
# when the probe is silently dropped, so DROP with no reject option it is.
iptables -A INPUT -p tcp -j DROP
}
##############################################################################
# SCRIPT ENTRY POINT
echo -n "Firewall Configuration..."
echo $1
##############################################################################
# ENVIRONMENT
# Private interface
IF_PRV=eth0
IP_PRV=192.168.1.1
NET_PRV=192.168.1.0/24
# Public interface
IF_PUB=eth1
IP_PUB=10.0.0.1
NET_PUB=10.0.0.0/24
# Others
ANYWHERE=0.0.0.0/0
. /etc/rc.status
rc_reset
##############################################################################
# COMMAND LINE
case "$1" in
start)
SetDefaultPolicy
FlushTables
EnableRouting
SetBlockedProtocols
SetBlockedNetworks
SetBlockedHosts
SetForwardingRules
SetCustomRules
SetLoopbackRules
SetPrivateInterfaceRules
SetPublicInterfaceRules
EnableSourceNAT
SetICMP_Open
SetSSH_Open
SetSMTP_DNAT
SetPOP3_DNAT
SetWebmail_DNAT
SetHTTP_DNAT
SetPrelogDropRules
SetLoggingRules
SetDropRules
;;
stop)
# Policy stays DROP, so "stop" fails closed; keep loopback and the LAN usable
SetDefaultPolicy
FlushTables
SetLoopbackRules
SetPrivateInterfaceRules
SetPublicInterfaceRules
;;
restart)
$0 stop
$0 start
;;
*)
;;
esac
rc_exit
Updated my rules. Still unable to get ports 20/21 stealthed for some scanners. Still working on that issue.
EDIT- Updated rules. Still unable to stealth all ports :(
GRC (and a few other scanners) reports ports 20 & 21 closed and not stealthed. An individual port scan from GRC of port 500 reports closed (while the service port scan of the first 1056 ports reports stealthed). Huh? Can anyone help?
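Added example (mine, not code from this thread or from the script above): a small Python lint that reads `iptables ...` command lines as text and flags the three things that stop a hand-written init script like the one above from doing what its author expects: target options glued onto the wrong target (`-j DROP --reject-with ...`, which iptables refuses, so the rule is never loaded), TCP-only matches on UDP (`-p udp --syn`, same result), and ordering problems where rules are appended after an unconditional DROP or after a broad `-p tcp --syn -j DROP` that swallows every new connection first. The rule lines it checks are constructed for the example in the shape of the script, with the bugs left in on purpose; `eth1` as the public interface and 2202 as the SSH port are assumptions, not values from the thread.

```python
"""iptables_lint.py: static checks over `iptables ...` command lines.
Added example, not code from this thread; needs neither root nor a kernel."""
import shlex
from dataclasses import dataclass

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
# Options that exist for exactly one target; with any other -j iptables refuses the rule.
TARGET_ONLY_OPTIONS = {"--reject-with": "REJECT", "--log-prefix": "LOG", "--log-level": "LOG"}


@dataclass
class Rule:
    table: str
    chain: str
    matches: dict       # e.g. {"-i": "eth1", "-p": "tcp", "--syn": None}
    target: str
    target_opts: dict   # options after "-j TARGET", e.g. {"--reject-with": "tcp-reset"}
    text: str


def _opts(tokens):
    """Fold ['-i', 'eth1', '--syn', '--dport', '22'] into {'-i': 'eth1', '--syn': None, '--dport': '22'}."""
    out, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r}")
        if tok.startswith("--") and "=" in tok:                      # --log-prefix="INPUT "
            key, val = tok.split("=", 1)
            out[key], i = val, i + 1
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            out[tok], i = tokens[i + 1], i + 2
        else:                                                        # bare flag such as --syn
            out[tok], i = None, i + 1
    return out


def parse_rule(line):
    """Rule for an `iptables [-t T] -A CHAIN <matches> -j TARGET <opts>` line, else None.
    -P/-N/-F/-X lines, comments and blanks are skipped; shell variables such as
    $IF_PUB stay literal tokens, so interfaces are compared as text."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "iptables" or "-j" not in toks:
        return None
    j = toks.index("-j")
    head = _opts(toks[1:j])
    chain = head.pop("-A", None)
    table = head.pop("-t", "filter")
    if chain is None:
        return None
    return Rule(table, chain, head, toks[j + 1], _opts(toks[j + 2:]), line.strip())


def lint(lines):
    """Return [(line_no, message), ...] for a list of command lines, 1-based."""
    findings = []
    catch_all = {}   # (table, chain) -> line of the first rule that matches every packet
    syn_drops = {}   # (table, chain) -> [(line, iface)] of rules dropping every new TCP connection
    for n, line in enumerate(lines, 1):
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append((n, f"cannot parse: {exc}"))
            continue
        if rule is None:
            continue
        key = (rule.table, rule.chain)
        proto = (rule.matches.get("-p") or "").lower()
        iface = rule.matches.get("-i")
        # 1. target options glued onto the wrong target ("-j DROP --reject-with ...")
        for opt, owner in TARGET_ONLY_OPTIONS.items():
            if opt in rule.target_opts and rule.target != owner:
                findings.append((n, f"{opt} belongs to -j {owner}, not -j {rule.target}; iptables refuses this rule"))
        # 2. TCP-only matches on another protocol ("-p udp --syn")
        if "--syn" in rule.matches and proto != "tcp":
            findings.append((n, f"--syn is a TCP flag match and is invalid with -p {proto or 'all'}"))
        # 3. ordering: nothing appended after an unconditional terminal rule is ever reached
        if key in catch_all:
            findings.append((n, f"unreachable: line {catch_all[key]} already matches every packet in {rule.chain}"))
            continue
        if not rule.matches and rule.target in TERMINAL_TARGETS:
            catch_all[key] = n
            continue
        # 3b. a broad "-p tcp --syn -j DROP" shadows every later ACCEPT of a new TCP port
        if (rule.target in ("DROP", "REJECT") and proto == "tcp" and "--syn" in rule.matches
                and set(rule.matches) <= {"-i", "-p", "--syn"}):
            syn_drops.setdefault(key, []).append((n, iface))
        elif rule.target == "ACCEPT" and proto == "tcp" and "--dport" in rule.matches:
            for dn, diface in syn_drops.get(key, []):
                if diface is None or iface is None or diface == iface:
                    findings.append((n, f"shadowed: line {dn} drops every new TCP connection on "
                                        f"{diface or 'all interfaces'} before this ACCEPT for --dport {rule.matches['--dport']}"))
    return findings


# Constructed sample in the shape of the script above (not the script itself); the bugs are deliberate.
SAMPLE_RULES = """\
# eth1 = public side, 2202 = SSH port: assumed values for this example
iptables -P INPUT DROP
iptables -A INPUT -i eth1 -p tcp --syn -j DROP
iptables -A INPUT -i eth1 -p udp --syn -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 2202 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -s 10.220.231.236 -j DROP --reject-with icmp-host-prohibited
iptables -A INPUT -p tcp -j DROP --reject-with tcp-reset
""".splitlines()

# The same intent, ordered so that every rule is both valid and reachable.
FIXED_RULES = """\
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 2202 -j ACCEPT
iptables -A INPUT -i eth1 -s 10.220.231.236 -j DROP
iptables -A INPUT -i eth1 -p tcp --syn -j DROP
iptables -A INPUT -j DROP
""".splitlines()

if __name__ == "__main__":
    for n, msg in lint(SAMPLE_RULES):
        print(f"line {n}: {msg}")
    print("fixed ruleset:", lint(FIXED_RULES) or "no findings")
```

Run it as `python3 iptables_lint.py`; on the sample it reports the invalid UDP `--syn` rule, the SSH ACCEPT shadowed by the earlier SYN drop, the ESTABLISHED/loopback rules that sit behind the catch-all DROP, and the two `--reject-with` rules, while the reordered ruleset comes back clean. Two points worth keeping in mind when reading the output: a rule iptables refuses simply does not exist in the kernel, so a script full of them is "stealthing" on the strength of the DROP policy alone; and a scanner verdict of "closed" means a RST came back from something, so when this ruleset is clean and 20/21 still show closed, the next thing to check is whether the device in front of the box answers on those ports itself.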