Equipment Support > Hardware By Brand > Westell > Westell 327W Firewall

Westell 327W Firewall

Unfortunately, FTP is a nasty protocol to firewall. There is one connection to port 21 for passing commands. That's usually called the control connection. And then there is another connection established for transferring data (a file or a directory listing). For active mode FTP, the data connection is to an arbitrary port, but using port 20 as the source port. And the connection is made in reverse direction, with the server connecting to the client. For passive mode FTP, the connection is in the standard direction (client to server), but uses arbitrary source and destination ports.

A firewall typically has to look inside control packets passed in order to determine which ports are to be used in the data connection, and then set temporary firewall rules to allow that. Not all firewalls handle it well.

I don't think I have ever tried that with my 327w. I normally use either "http" or "ssh" for file transfers.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10

How can I find out about using "http" or "ssh" for file transfers? As I have always used FTP, I have not found out the advantages or disadvantages of the other protocols. My goal is to be able to access my home files while I am on the road.

As of now, the only protection I seem to have on my NAS preventing outside theft is the name and passwords I use. They are all abnormal, so the bots trying to break in have not been successful (so far). But it is just darn disconcerting to look at the logs and see all the attempts.

You would need to be running an http server (web server) or an ssh server.

I normally using linux on my home system, so there is an ssh server automatically started. I don't know what is available for windows. I use putty as an ssh client on windows, but that's not a server.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10

How about for the Mac?

reply to The Hammer
is there really a difference between trying to hack the drive from HTTP and trying to hack the drive from FTP? Well, I can understand minimizing your exposure. To do what you want you probably need to add these rules to the inbound firewall:
#pass to port 20 >> state, done # FTP
#pass from port 20 >> state, done # FTP
#pass to port 21 >> state, done # FTP
#pass from port 21 >> state, done # FTP

On a mac, if you go to the networking tab in system preferences, you can enable the http and ssh services.

reply to The Hammer

reply to The Hammer

MacOS Sharing System Preference

reply to impala
OK, now my inbound firewall rules look like:

title [ Security Level Custom (Low) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
#pass to port 20 >> state, done # FTP
#pass from port 20 >> state, done # FTP
#pass to port 21 >> state, done # FTP
#pass from port 21 >> state, done # FTP

# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
Permitted
pass all

end

I will try it and see what happens. Thanks. Shouldn't I delete the '#' pound sign at the beginning of each? Doesn't the # sound disable the line?

As to the other posts that are helping me with the Mac, my question was confusing. The firewall I am trying to configure is not the Mac firewall, but the firewall on the Westell 327W DSL Modem / Router. Thanks.