jggiii2
join:2008-11-13 Mont Vernon, NH
Westell 7500: Disabling Access to Admin UI from Wireless:
While the Westell 7500 I received for one of my customers supports disabling remote access to the admin UI from the 'outside', there are no obvious provisions for blocking access to the UI from the Ethernet ports or, more importantly, the wireless access point. To me, this is a serious deficiency.
If it were a straight iptables problem, I could have done it easily, but I cannot find any docs on the interface definitions or how the predefined tables are set up. It appears that Verizon has added a bunch of default rules on top of what is in the Westell source code package.
Is there an approved solution for this, or is there a document describing the 'base' iptables setup?
Bytebender Bytebender Premium join:2008-02-12 Canada
Changing the username/password for the 7500's GUI is the only way that I can think of to restrict local or wireless access. The documentation you want, if it exists, is not publicly available.
-- reboot, reset, reconfigure, then recycle.
jggiii2
join:2008-11-13 Mont Vernon, NH
That's already done, as well as 'hiding' the SSID (for all the good that does - at least it keeps most of the kids out), setting WEP and changing the LAN IP of the device itself. But the basic panel available just by browsing to the router shows more information than I'm comfortable sharing...
Jodokast96 R.I.P Bassman442 Premium join:2005-11-23 Erial, NJ
Why not WPA?
jggiii2
join:2008-11-13 Mont Vernon, NH
It's just temporary until I solve this issue, then the network can be opened for guest use. I'm just using it to keep the curious out until I can keep them away from the router.
After digging through the source code, I believe I've found that the wireless interface is identified as wl0. So, I will try adding this to the medium firewall settings tomorrow:
${APPEND} inlan_level_input_filter -i wl+ -p tcp -d 192.168.1.1 --dport 80 -j logOutboundBlocked
in the LAN to Modem section and see if I turn the router into a brick or not ....
jggiii2
join:2008-11-13 Mont Vernon, NH
reply to jggiii2
After trying several different versions of the previous idea, I found that I could not disable access from wireless using the firewall rules. Verizon must be inserting a rule before the user-modifiable rules that permits the access, or something else is going on that I don't yet understand.
Rats. Now I am going to have to get the firmware and see what they did.
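An added example, not from this thread or the Westell firmware: a small Python model of iptables first-match chain evaluation, showing why a block rule appended with ${APPEND} after a pre-existing ACCEPT never fires, while the same rule inserted at the head of the chain does. The vendor ACCEPT rule, the packets, and the log-and-drop meaning of the logOutboundBlocked target are assumptions made for the demonstration.

```python
# Constructed model of iptables semantics: rules are tried top to bottom and the
# first match decides; nothing after a matching ACCEPT is ever consulted.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, or a user-defined chain
    in_iface: Optional[str] = None  # "wl+" matches any interface named wl*
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.in_iface is not None:
            if self.in_iface.endswith("+"):          # iptables wildcard suffix
                if not pkt["in"].startswith(self.in_iface[:-1]):
                    return False
            elif pkt["in"] != self.in_iface:
                return False
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def verdict(chain: list, pkt: dict, policy: str = "DROP") -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Assumed vendor rule: LAN -> router web UI already accepted ahead of user rules.
VENDOR_ACCEPT = Rule("ACCEPT", dst="192.168.1.1", proto="tcp", dport=80)
# The thread's rule; logOutboundBlocked is assumed to be a log-then-drop chain.
USER_BLOCK = Rule("logOutboundBlocked", in_iface="wl+", dst="192.168.1.1",
                  proto="tcp", dport=80)

# Constructed packets: admin UI request from wireless (wl0) and from wired (eth0).
WIFI_ADMIN = {"in": "wl0", "dst": "192.168.1.1", "proto": "tcp", "dport": 80}
WIRED_ADMIN = {"in": "eth0", "dst": "192.168.1.1", "proto": "tcp", "dport": 80}


def appended_chain() -> list:   # ${APPEND} / iptables -A: block lands after ACCEPT
    return [VENDOR_ACCEPT, USER_BLOCK]


def inserted_chain() -> list:   # iptables -I <chain> 1: block is evaluated first
    return [USER_BLOCK, VENDOR_ACCEPT]
```

Running verdict(appended_chain(), WIFI_ADMIN) yields ACCEPT, which is the behaviour observed in the thread; only inserted_chain() diverts wireless admin traffic to logOutboundBlocked while leaving wired access untouched.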
JohnA Premium join:2003-09-16 Pittsburgh, PA
Why don't you just bridge it, shut off the wireless, and put a router behind it that does what you want, like the rest of the world.
Bytebender Bytebender Premium join:2008-02-12 Canada
reply to jggiii2
said by jggiii2: After digging through the source code, I believe I've found that the wireless interface is identified as wl0. So, I will try adding this to the medium firewall settings tomorrow: ${APPEND} inlan_level_input_filter -i wl+ -d 192.168.1.1 --dport 80 -j logOutboundBlocked
If you changed the LAN IP of the device, this code should contain the new address, no?
-- reboot, reset, reconfigure, then recycle.
jggiii2
join:2008-11-13 Mont Vernon, NH
Yep, did that. No good. My guess is that the Verizon folks grant access before the user-modifiable script is executed.
Decided to tell him to send it back and I'll use a Linksys box with DD-WRT. No sense in screwing with it.
aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
Verizon Online DSL
reply to jggiii2
Just an odd question I have to ask.
#1 Are you sure remote access is enabled?
Just because you entered in the public IP of the router and got access does not mean remote access is turned on.
Note: You need to check the port (or ports) from the outside. This can be done at any one of the following sites:
Only if the port is open is remote access turned on.
grc.com ShieldsUP
www.dyndns.com/support/tools/openport.html - Will be called "open and accepting connections".
www.whatsmyip.org/ports/
www.canyouseeme.org - Will be called "success" if open.
-- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.