TheWiseGuyDog And Butterfly (Premium, MVM; joined 2002-07-04; Yonkers, NY; Optimum Online) | reply to KachiWachi
Re: Westell 2200 Firewall Rule Explanation Needed
said by KachiWachi: Perhaps that's what the Diagnostic log is trying to say - 'Nonezero number of answers' with the 24 byte Packet Dump afterwards.
When the router drops an Inbound Packet I see in the log "Inbound PRIOR_DropToWANUDP". I'm wondering how I can get that to display for Outbound...if it is even possible.
I would guess there is no equivalent Outbound rule and that this is the result of NAT dropping unsolicited Inbound packets where there are no explicit rules on forwarding packets.
I looked at that packet dump but couldn't make any sense out of it. 
said by KachiWachi: I do have to remember that this is a Hardware Firewall and may not have all the configuration options that I would like to see, though at this point I don't know if I really want/need a Software Firewall...thoughts?
BTW...thanks for the links. I was looking at them and the ethereal program looks interesting...
Well you can block outbound by ports and protocol and log what happens using firewall rules. You can't control which programs are allowed to access the Internet with a hardware firewall. A software firewall will allow you to control outbound with the caveat that a Malware program might shut it down. I have my software firewall set up to prompt me just enough so it is not annoying but if it was shut down I would know very quickly.
Ethereal really helps you find out exactly what is happening with your connection. -- Dog and Butterfly |
|
 | The only thing I can figure on the dump is that it is an ASCII dump and not a HEX dump. I broke it out into 24 different lines; each entry then became xx:x. It then became a bit more clear, but I still don't know what it means as far as what was actually dumped. Too bad we don't have a Westell "expert" following this...oh wait...there seem not to be any !!
The only programs I use on the net are the browser, NAV LiveUpdate, and IM programs. So I really don't feel the need to get a software firewall as yet.
Right now I'm trying to get the Yahoo! peer-to-peer webcam mode working. I have a friend on cable that can run this "Super Webcam" mode with me, but I can't with them. Along with that, my Father, who is on cable, cannot do that...but he has a Mac. A future contact will be my sister...her apartment complex is wired for satellite... 
From their tech article, the Yahoo! webcam utilizes port 5100. I created a custom port-forward of 5100 only, but it did not seem to help with my Father. With my friend, I do not need to have this activated. It does not seem to matter if they initiate contact with me, or I initiate it with them.
So I'm now at a loss there on what is going on. Would Ethereal shed some light on this you think? As far as the program install...I'm pretty picky with programs...does it have a full un-installer? Does it un-register itself, etc...??? How hard does it "patch" the system, etc...??
Thanks. |
|
 | In doing some research, it seems that the Yahoo! Messenger works the same as the MSN Messenger with regard to the public/private IP. 
I have also read that putting the 2200 into bridge mode will solve this issue...however, that will expose me to a lot of other nastiness that's going around these days.
Will the hardware firewall alone be enough to protect me?
I'm almost tempted to set up my testbed computer for the Messengers when I want to use them in that fashion... |
|
TheWiseGuyDog And Butterfly (Premium, MVM; joined 2002-07-04; Yonkers, NY; Optimum Online) | said by KachiWachi: Will the hardware firewall alone be enough to protect me?
With the correct rules it might be OK without NAT. Does the router support UPnP, (probably) does Yahoo! Webcam? If it does, it might be slightly safer than bridge mode and firewall only. -- Dog and Butterfly |
|
 | Just FYI -
I had this running in the Security Forum, but had it moved here. Thought it would be a better place for it.
Everyone please chime in with your thoughts and learning experiences!! |
|
Libra (Premium; joined 2003-08-06; USA) | Hi Kachi, It's my understanding that a software firewall is necessary in addition to the hardware firewall. The hardware firewall monitors everything inbound while the software firewall asks your permission before anything can leave your computer (i.e. spyware, trojans). So I think it's important. Sincerely, Libra |
|
 | Not exactly true...
The Westell has Outbound Firewall Rules as you know. These can be set up to block responses to Incoming items (like NetBIOS). You do not need to be running any applications for this to take place.
The Software Firewall monitors your applications for network traffic and will allow/dis-allow traffic based on the rules you set.
Personally, I only use a browser and IM programs, so I would say I don't have to worry about that too much. If you tend to download and try out things, or run other "network aware" applications, then a Software Firewall could be useful to you.
So yes, you could say both are necessary...but that is a topic for a different post. |
|
 | OK...
I decided to post the Rule Sets I'm using. Some of the Rules have diagnostic labels and colors added for my own benefit and learning, and will fill up the Firewall log with a bit more info.
**********************************************************
title [ Custom Security Level 2 INBOUND Rules ]
begin
TTLDrop drop match 3 8 { 01:FE } >> done, alert 4 [ TTL of 0 or 1 ]
AddressDrop drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address ]
PassUDP pass protocol udp, to port 53 >> done, alert 3 [ Pass to port 53 ] pass protocol udp, from port 53 >> done, alert 1 [ Pass from port 53 ]
ICMPPass pass icmp-type reply >> done, alert 3 [ Pass ICMP Type 0 ] pass icmp-type unreachable >> done, alert 3 [ Pass ICMP Type 3 ] pass icmp-type exceeded >> done, alert 3 [ Pass ICMP Type 11 ]
ICMPDrop drop protocol icmp >> done, alert 4 [ Prohibited ICMP Type ]
Rules pass all
end
**********************************************************
title [ Custom Security Level 1 OUTBOUND Rules ]
begin
DropNetBIOS drop to port >= 135, to port > done, alert 4 [ Dropping NETBIOS Traffic ]
PassUDP pass protocol udp, to port 53 >> alert 1 [ Pass to port 53 ] pass protocol udp, from port 53 >> alert 2 [ Pass from port 53 ]
ICMPPass pass icmp-type reply >> alert 3 [ Pass ICMP Type 0 ] pass icmp-type unreachable >> alert 3 [ Pass ICMP Type 3 ] pass icmp-type request >> alert 3 [ Pass ICMP Type 8 ] pass icmp-type exceeded >> alert 3 [ Pass ICMP Type 11 ]
Rules pass all
end
********************************************************** -- CPU - DFI 586IPVG, Cyrix MII 433, K6-2/+ 450, i430VX, 128MB EDO. BIOS patched by BiosMan. VOL (ex-BA) 768/128, Westell 2200. |
|
 | OK...I just noted an error in the Rules I posted above, but I can't figure out how to make the post work properly (it's a message board thing). You will have to change the following below manually in the OUTBOUND rule set -
DropNetBIOS drop to port >= 135, to port "LT"= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
You need to replace the "LT" with the "Less Than" character. For some reason the message board is interpreting this as some kind of bracketed item, and is automatically removing what is between the "brackets".
If anyone knows how to stop this let me know, and I'll get the MOD to fix it permanently. Thanks. -- CPU - DFI 586IPVG, Cyrix MII 433, K6-2/+ 450, i430VX, 128MB EDO. BIOS patched by BiosMan. VOL (ex-BA) 768/128, Westell 2200. |
|
Riss_Centaur (Mod'taur - - - - 4 On The Floor; Premium, MVM, Ex-Mod 2005-07; joined 2004-01-20; Chicago, IL) | That is what the [ c o d e ] [ / c o d e ] tags are for
Anything <= => in between the CODE Tags
<<<<< =====>>>>>>> !@#$%^&*()_+=-
is displayed verbatim. See the hint for CODE BLOCKS on the right side when composing a message.
:) =< => < > <> <= >= -- I have a plan so cunning you can pin a tail on it and call it a weasel! Anyone who takes any of this seriously, deserves to! |
|
 | reply to KachiWachi Thanks Riss_Centaur.
At the time this was written, I didn't know about the "code" tag.
Here are the rules then for "cut and paste" (per request) -
**********************************************************
title [ Custom Security Level 2 INBOUND Rules ]
begin
TTLDrop drop match 3 8 { 01:FE } >> done, alert 4 [ TTL of 0 or 1 ]
AddressDrop drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address ]
PassUDP pass protocol udp, to port 53 >> done, alert 3 [ Pass to port 53 ] pass protocol udp, from port 53 >> done, alert 1 [ Pass from port 53 ]
ICMPPass pass icmp-type reply >> done, alert 3 [ Pass ICMP Type 0 ] pass icmp-type unreachable >> done, alert 3 [ Pass ICMP Type 3 ] pass icmp-type exceeded >> done, alert 3 [ Pass ICMP Type 11 ]
ICMPDrop drop protocol icmp >> done, alert 4 [ Prohibited ICMP Type ]
Rules pass all
end
**********************************************************
title [ Custom Security Level 1 OUTBOUND Rules ]
begin
DropNetBIOS drop to port >= 135, to port <= 139 >> done, alert 4 [ Dropping NETBIOS Traffic ]
PassUDP pass protocol udp, to port 53 >> alert 1 [ Pass to port 53 ] pass protocol udp, from port 53 >> alert 2 [ Pass from port 53 ]
ICMPPass pass icmp-type reply >> alert 3 [ Pass ICMP Type 0 ] pass icmp-type unreachable >> alert 3 [ Pass ICMP Type 3 ] pass icmp-type request >> alert 3 [ Pass ICMP Type 8 ] pass icmp-type exceeded >> alert 3 [ Pass ICMP Type 11 ]
Rules pass all
end
********************************************************** -- CPU - DFI 586IPVG, Cyrix MII 433, K6-2/+ 450, i430VX, 128MB EDO. BIOS patched by BiosMan. VOL (ex-BA) 1500/384, Westell 2200. |
|
 | I have Westell 327W and I have to do these same rules lol. I wish there was an easier way of setting it up. |
|
| reply to KachiWachi Actually, I just noticed I made a small change, just to make UDP identification easier.
**********************************************************
title [ Custom Security Level 2 INBOUND Rules ]
begin
TTLDrop drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
AddressDrop drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
PassUDP pass protocol udp, to port 53 >> done, alert 3 [Out to port 53] pass protocol udp, from port 53 >> done, alert 1 [In from port 53]
ICMPPass pass icmp-type reply >> done, alert 3 [Pass ICMP Type 0] pass icmp-type unreachable >> done, alert 3 [Pass ICMP Type 3] pass icmp-type exceeded >> done, alert 3 [Pass ICMP Type 11]
ICMPDrop drop protocol icmp >> done, alert 4 [Prohibited ICMP Type]
Rules pass all
end
**********************************************************
title [ Custom Security Level 1 OUTBOUND Rules ]
begin
DropNetBIOS drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
PassUDP pass protocol udp, to port 53 >> alert 1 [Out to port 53] pass protocol udp, from port 53 >> alert 2 [In from port 53]
ICMPPass pass icmp-type reply >> alert 3 [Pass ICMP Type 0] pass icmp-type unreachable >> alert 3 [Pass ICMP Type 3] pass icmp-type request >> alert 3 [Pass ICMP Type 8] pass icmp-type exceeded >> alert 3 [Pass ICMP Type 11]
Rules pass all
end
********************************************************** |
|
 | This is a great thread! Anyone know how to add to the above rules so I can allow a remote server on the WAN side to connect to a server on the LAN side without opening it to the entire Internet.
Basically in the linux world using iptables, the rule would look like this:
ACCEPT TCP 200.2.2.2 192.168.1.5 tcp dpt:22
The above rule says to accept tcp destination port 22 from ip address 200.2.2.2 to lan ip 192.168.1.5. Is this possible w/ Westell 327w?
I know you could open up a port from WAN to LAN but for security reasons, I need it to only allow specific WAN ip address in to LAN on a specific destination port.
Any help is greatly appreciated!
thx,
SW |
|
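The rule sets KachiWachi posted above and the source-restricted rule SW is asking about are small enough to trace by hand, but the point of the diagnostic labels is to see which rule fires for a given packet and at what alert level. What follows is an added example, not Westell firmware and not any poster's code: a Python parser for the rule lines exactly as they appear in this thread, run over constructed packets against the final INBOUND and OUTBOUND sets, plus a constructed rule set in the same syntax that passes port 22 only from 200.2.2.2. Its reading of `done`, of `match 3 8 { 01:FE }`, and of whether the 327W accepts `from addr` combined with `protocol` and `to port` in one rule are assumptions, stated in the code.

```python
"""Toy evaluator for the Westell-style rule lines quoted in this thread (an added example,
not Westell firmware or any poster's code). Assumed semantics, since the grammar is not
documented here: rules run top to bottom, 'done' stops at the matching clause, a clause
without 'done' logs and continues, the last match decides; 'match 3 8 { 01:FE }' is read
as IPv4 header byte 8 (the TTL) & 0xFE == 0x01 & 0xFE, i.e. TTL 0 or 1, as its label says."""
import operator
import re
import socket
import struct
from dataclasses import dataclass

PROTO_NUMBER = {"icmp": 1, "tcp": 6, "udp": 17}
OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""  # "reply", "request", "unreachable" or "exceeded"
    ttl: int = 64

    def ipv4_header(self) -> bytes:  # minimal 20-byte header so byte-offset 'match' rules can run
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, self.ttl, PROTO_NUMBER[self.proto],
                           0, socket.inet_aton(self.src), socket.inet_aton(self.dst))


# "<pass|drop> cond[, cond] [>> [done,] alert N [ label ]]"; one line may chain several
# clauses under a single rule name, as the PassUDP and ICMPPass lines do.
CLAUSE = re.compile(r"(pass|drop)\s+(.+?)"
                    r"(?:\s*>>\s*(done,)?\s*alert\s+(\d+)\s*\[\s*(.*?)\s*\])?"
                    r"(?=\s+(?:pass|drop)\s|\s*$)")


def parse_condition(text):
    """Compile one condition (already stripped) into a predicate over Packet."""
    if text == "all":
        return lambda p: True
    if m := re.fullmatch(r"protocol (\w+)", text):
        return lambda p, proto=m.group(1): p.proto == proto
    if m := re.fullmatch(r"(from|to) addr ([\d.]+)", text):
        return lambda p, side=m.group(1), addr=m.group(2): (p.src if side == "from" else p.dst) == addr
    if m := re.fullmatch(r"(from|to) port\s*(>=|<=|>|<|=)?\s*(\d+)", text):
        side, op, num = m.group(1), m.group(2) or "=", int(m.group(3))
        return lambda p: OPS[op](p.sport if side == "from" else p.dport, num)
    if m := re.fullmatch(r"icmp-type (\w+)", text):
        return lambda p, kind=m.group(1): p.proto == "icmp" and p.icmp_type == kind
    if m := re.fullmatch(r"match 3 (\d+) \{\s*(\w+):(\w+)\s*\}", text):  # "3" = IPv4 header (assumed)
        off, value, mask = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        return lambda p: (p.ipv4_header()[off] & mask) == (value & mask)
    raise ValueError(f"unsupported condition: {text!r}")


def parse_ruleset(text):
    """Parse a posted rule set into (name, action, checks, done, alert, label) tuples."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.split()[0] in ("title", "begin", "end"):
            continue
        name, rest = line.split(None, 1)
        for action, conds, done, alert, label in CLAUSE.findall(rest):
            checks = [parse_condition(c.strip()) for c in conds.split(",")]
            rules.append((name, action, checks, done != "", int(alert) if alert else None, label))
    return rules


def evaluate(rules, pkt):
    """Return (verdict, alerts); alerts are the (rule name, level, label) entries that fired."""
    verdict, alerts = None, []
    for name, action, checks, done, alert, label in rules:
        if all(check(pkt) for check in checks):
            if alert is not None:
                alerts.append((name, alert, label))
            verdict = action
            if done:
                break
    return verdict, alerts


# KachiWachi's final rule sets, copied from the thread (title lines omitted).
INBOUND = parse_ruleset("""begin
TTLDrop drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
AddressDrop drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
PassUDP pass protocol udp, to port 53 >> done, alert 3 [Out to port 53] pass protocol udp, from port 53 >> done, alert 1 [In from port 53]
ICMPPass pass icmp-type reply >> done, alert 3 [Pass ICMP Type 0] pass icmp-type unreachable >> done, alert 3 [Pass ICMP Type 3] pass icmp-type exceeded >> done, alert 3 [Pass ICMP Type 11]
ICMPDrop drop protocol icmp >> done, alert 4 [Prohibited ICMP Type]
Rules pass all
end""")
OUTBOUND = parse_ruleset("""begin
DropNetBIOS drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
PassUDP pass protocol udp, to port 53 >> alert 1 [Out to port 53] pass protocol udp, from port 53 >> alert 2 [In from port 53]
ICMPPass pass icmp-type reply >> alert 3 [Pass ICMP Type 0] pass icmp-type unreachable >> alert 3 [Pass ICMP Type 3] pass icmp-type request >> alert 3 [Pass ICMP Type 8] pass icmp-type exceeded >> alert 3 [Pass ICMP Type 11]
Rules pass all
end""")
# Constructed for SW's question: one WAN host may reach port 22, everyone else is dropped. Built from
# constructs seen in the thread; whether the 327W accepts this combination is an assumption.
RESTRICTED = parse_ruleset("""begin
AllowSSH pass from addr 200.2.2.2, protocol tcp, to port 22 >> done, alert 2 [SSH from 200.2.2.2]
DropSSH drop protocol tcp, to port 22 >> done, alert 4 [SSH from anywhere else]
Rules pass all
end""")
```

`evaluate()` returns the verdict together with the alerts that would appear in the firewall log. Run a DNS answer (UDP from port 53) through `INBOUND` and `PassUDP` fires at alert 1; the same packet with TTL 1 is stopped earlier by `TTLDrop` at alert 4. An unsolicited TCP SYN matches nothing but `Rules pass all`, which is consistent with Dog and Butterfly's point earlier in the thread that NAT, not a rule, is what discards such packets; the constructed `RESTRICTED` set therefore only matters once port 22 is actually forwarded, and it is then the `from addr` clause that keeps the forward from being open to the whole Internet.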