
NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

4 edits

Harden Your Westell 327 Firewall

Some custom settings to help harden your Westell 327 firewall.
If you have others you think would make a good addition to these please post and let us know.

For Westell 327w firewall rules help and syntax, go to 'Configuration -> Firewall', and click the 'edit' button. Then in the 'Firewall Rules' window that pops up click the 'help' button. »dslrouter/fwHelp.htm or »192.168.1.1/fwHelp.htm


Services
The most needed/common dynamic services are highlighted in bold.
DNS (required for name resolution, just about everything needs this service enabled)
FTP (Uncheck "Use Passive FTP" in IE Advanced Options)
World Wide Web (HTTP) (required for web browsing)
HTTPS (secure browsing, encryption)
ICMP (ping)
MSN Messenger
NNTP
Client POP/IMAP (required for receiving email via POP email client such as OE)
SMTP Client (required for sending email)
Telnet
* Skype (TCP/UDP - Tools Options Connection)
* Windows Time (NTP) (TCP/UDP 123) (required for Windows XP time sync service)


Inbound Rules
title       [ Security Level Custom (Medium) IN rules ]

begin

RulesDropTTL
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Pass and Log Specific Unsolicited ICMP
RulesPassICMP
#pass icmp-type reply >> done, alert 0 [ICMP Message To WAN IP - Echo Reply - Passed] # Type: 0 (allow ping reply)
pass icmp-type exceeded >> done, alert 1 [ICMP Message To WAN IP - TTL Exceeded - Passed] # Type: 11 (allow tracert reply)
#pass icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Passed] # Type: 3 (allow unreachable reply)

# Drop and Log all Unsolicited ICMP
RulesDropICMP
#drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
drop icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop icmp-type request >> done, alert 2 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)

# Drop All Unsolicited Inbound
RulesDrop
drop all >> alert 3 [Drop All Unsolicited Inbound]

end

Outbound Rules
title       [ Security Level Custom (Medium) OUT rules ]

begin

# Protocol Match conditions
RulesPass
#pass to port 80 >> state, done # HTTP
#pass from port 80 >> state, done # HTTP
#pass protocol udp, to port 53 >> state, done # DNS
#pass to port 20 >> state, done # FTP
#pass from port 20 >> state, done # FTP
#pass to port 21 >> state, done # FTP
#pass to port 23 >> state, done # Telnet
#pass to port 110 >> state, done # POP
#pass to port 119 >> state, done # NNTP
##pass to port 143 >> state, done ## USENET News Service
##pass to port 220 >> state, done ## IMAP v.3
#pass to port 25 >> state, done # SMTP
#pass to port 443 >> state, done # HTTPS
##pass to port 500 >> state, done ## IPSEC ALG
##pass protocol 50 >> state, done ## IPSEC ESP

#pass to port >= 1024, to port <= 5000 >> state, done # WE/IE Passive FTP Ports
#Uncheck "Use Passive FTP" in IE Advanced Options and enable the FTP firewall service or enable above statement

# Failed to match
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]

# Pass and Log ICMP Echo Request
RulesPassICMP
pass icmp-type request >> done, state, alert 0 [ICMP - Echo Request - Pass] # Type: 8 (allow ping requests)

# Drop and Log all ICMP Except Echo Request
RulesDropICMP
drop icmp-type reply >> done, alert 3 [ICMP - Echo Reply - Drop] # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP - TTL Exceeded - Drop] # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 3 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
#drop icmp-type request >> done, alert 0 [ICMP - Echo Request - Drop] # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP - Unknown Reply - Drop] # Type: (block all others replies)

# Save Session State for Enabled Services
RulesSaveState
pass all >> state

# Drop All Unless Service is Enabled
RulesDrop
drop all >> alert 1 [Packet to be dropped unless Service enabled]

end


KachiWachi

join:2004-02-12
Bucks Co, PA
NOYBNOYB -

Are you saying that you *should* enable these services in the Westell?


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

4 edits
With these firewall rules it is necessary to enable the services one wants to use. Or pass them in the outbound firewall rules with a 'state' and 'done' action. I prefer enabling them in the "Services" rather than in the firewall rules for a few reasons.

1) Making changes to the firewall rules clears the log.
2) Better display of what is enabled.
3) Supposedly one can switch the connection profile between any number of custom services profiles. Though I've not been successful with that yet.

Theoretically one could end the outbound firewall rules with 'pass all >> state', i.e. remove the 'drop all' rule at the end of the outbound firewall rules, to eliminate the need for specifying specific services to be enabled. That would allow all non-explicitly blocked outbound and their corresponding inbound (based on session state table entries). Though I have not verified this as at the moment I want it locked down tight to only services that are explicitly enabled rather than all services allowed except those explicitly blocked.


This rule at the end of the inbound firewall rules blocks anything that has not been explicitly allowed, or is not in the session state table. If a session for the packet is found in the table then the firewall rules are not executed.

# Drop All Unsolicited Inbound
RulesDrop
drop all >> alert 3 [Drop All Unsolicited Inbound]

These two rules at the end of the outbound firewall rules save the session state for outbound packets, then drop all outbound packets that have not been explicitly passed, or are not passed by an enabled service.

# Save Session State for Enabled Services
RulesSaveState
pass all >> state

# Drop All Unless Service is Enabled
RulesDrop
drop all >> alert 1 [Packet to be dropped unless Service enabled]


Saving the session state in this manner is necessary because not all the enabled services save the session state. The only service I've seen save the session state as one would expect is DNS. I believe this is a bug/flaw with the Westell VersaLink 327w. It may or may not be the same with other Westell modems/routers/firewalls. So basically this is a work around for the bug/flaw.

Clear as mud? It's sort of difficult to explain because there are so many interdependencies between inbound firewall rules, outbound firewall rules, services, session state table, what appears to be some hard coded inbound rules, and the apparent bug/flaw that enabled services don't seem to save session state as one would expect them to.


KachiWachi

join:2004-02-12
Bucks Co, PA
reply to NOYB
Well, that makes sense.

All my inbound rules do say "done"...except for the "pass all"...which I guess because it is at the end of the string, it is kinda moot to have a "done" there.

Please explain your Inbound RulesDropTTL change.

Thanks.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
Just to log TTL 1 and TTL 0 separately so as to be able to see which it was.


KachiWachi

join:2004-02-12
Bucks Co, PA
reply to NOYB
Your rule is -

RulesDropTTL
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

The original rule is -

RulesDropTTL
drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]

What does the "FF" change do for you? Recall I haven't reviewed the "how to" in some time now.

Thanks.

(Note for everyone - the "alert #" just defines a color change in the Westell log file so that the [text] is highlighted.)
--
CPU - DFI 586IPVG, Cyrix MII 433, K6-2/+ 450, i430VX, 128MB EDO.
BIOS patched by BiosMan.
VOL (ex-BA) 1500/384, Westell 2200.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

4 edits
FF is the mask. I would have to go back and figure the bits out again to give any details. Maybe I'll do that and add it here sometime.

I created that several months ago. Are you thinking I flubbed it? Though with the 'drop all' rule at the end it wouldn't really matter, other than not being logged with its own unique message.

Added - 8/18/2006
Basically the FE (1111 1110) mask is just saying we don't care about the least significant bit (LSB). So regardless of whether the LSB is 1 or 0 we don't care. We only care if at least one of the other 7 bits is a 1, then TTL is not 0 nor 1.

In my rules the bit string comparisons to TTL of 0 and 1 are exact so there is no need to mask off any of the bits. Mask of FF (1111 1111) includes all 8 bits in the comparison.

Original TTL = 0 or 1 Rule & Bit Logic
drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
TTL Byte   = 02 = 0000 0010
Bit String = 01 = 0000 0001
XOR Result = 03 = 0000 0011
Mask = FE = 1111 1110
AND Result = 02 = 0000 0010 = No Match for TTL of 2 or greater

TTL Byte = 01 = 0000 0001
Bit String = 01 = 0000 0001
XOR Result = 00 = 0000 0000
Mask = FE = 1111 1110
AND Result = 00 = 0000 0000 = Match for TTL of 1

TTL Byte = 00 = 0000 0000
Bit String = 01 = 0000 0001
XOR Result = 01 = 0000 0001
Mask = FE = 1111 1110
AND Result = 00 = 0000 0000 = Match for TTL of 0

My TTL = 0 Rule & Bit Logic
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
TTL Byte   = 02 = 0000 0010
Bit String = 00 = 0000 0000
XOR Result = 02 = 0000 0010
Mask = FF = 1111 1111
AND Result = 02 = 0000 0010 = No Match for TTL of 2 or greater

TTL Byte = 01 = 0000 0001
Bit String = 00 = 0000 0000
XOR Result = 01 = 0000 0001
Mask = FF = 1111 1111
AND Result = 01 = 0000 0001 = No Match for TTL of 1 or greater

TTL Byte = 00 = 0000 0000
Bit String = 00 = 0000 0000
XOR Result = 00 = 0000 0000
Mask = FF = 1111 1111
AND Result = 00 = 0000 0000 = Match for TTL of 0

My TTL = 1 Rule & Bit Logic
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
TTL Byte   = 02 = 0000 0010
Bit String = 01 = 0000 0001
XOR Result = 03 = 0000 0011
Mask = FF = 1111 1111
AND Result = 03 = 0000 0011 = No Match for TTL of 2 or greater

TTL Byte = 01 = 0000 0001
Bit String = 01 = 0000 0001
XOR Result = 00 = 0000 0000
Mask = FF = 1111 1111
AND Result = 00 = 0000 0000 = Match for TTL of 1

TTL Byte = 00 = 0000 0000
Bit String = 01 = 0000 0001
XOR Result = 01 = 0000 0001
Mask = FF = 1111 1111
AND Result = 01 = 0000 0001 = No Match for TTL of 0

Did I do that correctly? Any errors?

For Westell 327w firewall rules help and syntax, go to 'Configuration -> Firewall', and click the 'edit' button. Then in the 'Firewall Rules' window that pops up click the 'help' button. http://dslrouter/fwHelp.htm or http://192.168.1.1/fwHelp.htm
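An added example (not part of the thread or of Westell's firmware) that runs the XOR-then-AND byte test worked through above against every possible TTL value, not just the three hand-worked cases, and reproduces the five-line layout used in the post. The match semantics, and reading 'match 3 8' as byte offset 8 of the IPv4 header, are assumptions and are marked as such in the comments.

```python
# The '{ value:mask }' byte test NOYB works through above, run against every
# possible TTL rather than the three hand-worked cases. Added example, not the
# author's or Westell's code. Assumed: a rule matches when
# (byte XOR value) AND mask == 0, and 'match 3 8' addresses byte 8 of the
# IPv4 header, which is where the TTL lives.
import struct

def byte_match(byte, value, mask):
    """XOR the packet byte with the rule value, AND with the mask; match if all zero."""
    return ((byte ^ value) & mask) == 0

def ttls_matched(value, mask):
    """Every TTL 0..255 that a { value:mask } pattern would hit."""
    return {ttl for ttl in range(256) if byte_match(ttl, value, mask)}

def work_through(ttl, value, mask):
    """The five lines of NOYB's layout (hex plus nibble-spaced binary) for one TTL."""
    def bits(b):
        return f"{b:02X} = {b >> 4:04b} {b & 0xF:04b}"
    xor = ttl ^ value
    anded = xor & mask
    return [f"TTL Byte   = {bits(ttl)}", f"Bit String = {bits(value)}",
            f"XOR Result = {bits(xor)}", f"Mask       = {bits(mask)}",
            f"AND Result = {bits(anded)} = " + ("Match" if anded == 0 else "No Match")]

# The RulesDropTTL variants discussed in the thread, in the order they appear.
TTL_RULES = [
    (0x01, 0xFE, "TTL of 0 or 1"),   # original rule
    (0x00, 0xFF, "TTL of 0"),        # NOYB's split rules
    (0x01, 0xFF, "TTL of 1"),
]
TTL_OFFSET = 8  # assumed meaning of 'match 3 8': layer 3 (IP) header, byte offset 8

def ipv4_header(ttl, proto=6):
    """Constructed 20-byte IPv4 header (no options, checksum left 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([203, 0, 113, 9]))

def first_ttl_rule_hit(header, rules=TTL_RULES):
    """Label of the first rule that fires on this header, or None (every rule ends in 'done')."""
    for value, mask, label in rules:
        if byte_match(header[TTL_OFFSET], value, mask):
            return label
    return None
```

Enumerating all 256 values shows that { 01:FE } hits exactly TTL 0 and 1 while { 00:FF } and { 01:FF } each hit a single value, so the split rules cover the same packets as the original and only differ in the log message.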

SwiftFox

join:2005-11-01
Trenton, NJ

1 edit
Hi,
This guide has been very interesting. I was having trouble downloading drivers from HP's website. The only way I could do it was to lower the 327W's firewall setting from "medium" to "low." Then I came across this thread. I've now enabled FTP service and unchecked "Use passive FTP" in IE. Now I can download drivers from HP's website just fine without having to feel like I'm lowering security. Thanks!

Now, I was wondering if you (or anyone else) could help with another problem. I can't access any Yahoo games unless I lower the firewall from "medium" to "low." Once on "low," the applet required to start the game works fine. Any ideas on how to either enable a custom service or reconfigure the "medium" settings?

Thanks!


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

4 edits
reply to NOYB
Here is another strong method without enabling services.

If you have others you think would make a good addition to these please post and let us know.

For Westell 327w firewall rules help and syntax, go to 'Configuration -> Firewall', and click the 'edit' button. Then in the 'Firewall Rules' window that pops up click the 'help' button. »dslrouter/fwHelp.htm or »192.168.1.1/fwHelp.htm

Note: The firewall rules are only executed in absence of a stateful packet match in the session state table.

Remote Router Administration
Disable "Remote Access" and set a strong password (minimum of 8 characters with at least 1 letter, 1 number and 1 punctuation) on the Maintenance -> Remote Access page. »dslrouter/remote.htm or »192.168.1.1/remote.htm

Inbound Firewall Rules - Low
Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
title [ Security Level Custom (Low) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)

# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
Permitted
pass all

end

Inbound Firewall Rules - Medium
Deny All Inbound Packets That Are Not Explicitly Permitted or Do Not Have a Matching Session State Table Entry (Unsolicited)
title [ Security Level Custom (Medium) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)

# Deny All Inbound Packets That Do Not Have a Matching Session State Table Entry (Unsolicited)
Unsolicited
drop all >> alert 3 [Unsolicited Inbound - Drop]

end

Outbound Firewall Rules - Low
Permit All Outbound Packets That Are Not Explicitly Denied
title [ Security Level Custom (Low) OUT rules ]

begin

# Protocol Match conditions

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Permit All Outbound Packets That Are Not Explicitly Denied, and Add to Session State Table for Medium Inbound Firewall Rules
Permitted
#pass all # For Use With Inbound Low Firewall Rules Only
pass all >> state # For Use With Inbound Low or Medium Firewall Rules

end

Outbound Firewall Rules - Medium
Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
title [ Security Level Custom (Medium) OUT rules ]

begin

# Protocol Match conditions

# World Wide Web
WWW
pass protocol tcp, to port 80 >> state, done # HTTP
pass protocol tcp, from port 80 >> state, done # HTTP
pass protocol tcp, to port 443 >> state, done # HTTPS - Secure Socket Layer (SSL)

# Domain Name System - Name/Address Resolution
DNS
pass protocol udp, to port 53 >> state, done # DNS

# Telecommunication Network (Telnet)
Telnet
pass protocol tcp, to port 23 >> state, done # Telnet

# Internet Protocol Security (IPsec)
IPsec
#pass protocol udp, to port 500 >> state, done # IPSEC IKE
#pass protocol 50 >> state, done # IPSEC ESP

# eMail & News Groups
# Post Office Protocol (POP) / Simple Mail Transfer Protocol (SMTP) / Network News Transfer Protocol (NNTP)
eMail
pass protocol tcp, to port 110 >> state, done # POP
pass protocol tcp, to port 25 >> state, done # SMTP
pass protocol tcp, to port 119 >> state, done # NNTP

# Secure Socket Layer POP / SMTP / NNTP
eMailSSL
pass protocol tcp, to port 995 >> state, done # POP SSL
pass protocol tcp, to port 465 >> state, done # SMTP SSL
pass protocol tcp, to port 563 >> state, done # NNTP SSL

# File Transfer Protocol (FTP) - "Active" and "Passive" Modes
FTP
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties

# Skype - Assigned Port of Each Skype Installation - Tools -> Options... -> Connection
Skype
#pass protocol udp, from port XXXXX >> state, done # Skype

# Network Time Protocol (NTP) (Windows Time Sync)
NTP
pass protocol udp, to port 123 >> state, done # NTP (Windows Time Sync)

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
NotPermitted
drop all >> alert 1 [Packet to be dropped unless Service enabled]

end
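An added example (not the author's or Westell's code) that models how the Medium rule sets above interact with the session state table in the way NOYB describes earlier in the thread: an outbound rule ending in 'state, done' records a session, an inbound packet matching a recorded session is admitted before any inbound rule runs, and everything else falls through to 'drop all'. The rule semantics (top to bottom, 'done' stops evaluation, unmatched packets drop), the packet model and the sample addresses are assumptions; the rule lines are a subset quoted from the post.

```python
# Mini model of the rule flow in NOYB's 'Medium' sets above: an outbound rule
# ending in '>> state, done' records a session, an inbound packet matching a
# recorded session is admitted before any inbound rule runs, all else falls
# through to 'drop all'. Added example, not the author's or Westell's code;
# rule lines below are a subset quoted from the post. Assumed: rules run top to
# bottom, 'done' stops evaluation, 'state' records the 5-tuple, unmatched drops.
import re
from dataclasses import dataclass

INBOUND_MEDIUM = """
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped]
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped]
drop all >> alert 3 [Unsolicited Inbound - Drop]
"""
OUTBOUND_MEDIUM = """
pass protocol tcp, to port 80 >> state, done # HTTP
pass protocol udp, to port 53 >> state, done # DNS
pass protocol icmp, icmp-type request >> state, done # Type: 8
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic]
drop all >> alert 1 [Packet to be dropped unless Service enabled]
"""

@dataclass(frozen=True)
class Pkt:
    proto: str           # 'tcp', 'udp' or 'icmp'
    src: str
    sport: int           # 0 for ICMP
    dst: str
    dport: int
    icmp_type: str = ""  # Westell keyword: 'request', 'reply', 'exceeded'

RULE_RE = re.compile(r"(pass|drop)\s+(.*?)(?:\s*>>\s*(.*))?$")
FIELD_RE = re.compile(r"(to|from) (port|addr) (>=|<=)?\s*(\S+)")

def parse_rule(line):
    """'pass|drop cond[, cond] [>> state, done, alert N [msg]]'; None for labels etc."""
    m = RULE_RE.match(line.split("#", 1)[0].strip())
    if not m:
        return None
    opts = [o.strip() for o in (m.group(3) or "").split(",") if o.strip()]
    return m.group(1), [c.strip() for c in m.group(2).split(",")], opts

def cond_matches(cond, pkt):
    if cond == "all":
        return True
    if cond.startswith("protocol "):
        return pkt.proto == cond.split()[1]
    if cond.startswith("icmp-type "):
        return pkt.icmp_type == cond.split()[1]
    side, kind, op, val = FIELD_RE.match(cond).groups()
    have = {("to", "port"): pkt.dport, ("from", "port"): pkt.sport,
            ("to", "addr"): pkt.dst, ("from", "addr"): pkt.src}[(side, kind)]
    if kind == "addr":
        return have == val
    return have >= int(val) if op == ">=" else have <= int(val) if op == "<=" else have == int(val)

class Westell:
    def __init__(self, inbound, outbound):
        self.inb = [r for r in map(parse_rule, inbound.splitlines()) if r]
        self.outb = [r for r in map(parse_rule, outbound.splitlines()) if r]
        self.sessions = set()   # 5-tuples recorded by '>> state'
        self.log = []           # alert messages, in order
    def _run(self, rules, pkt):
        verdict = "drop"        # assumed default; both sets end in an 'all' rule anyway
        for action, conds, opts in rules:
            if not all(cond_matches(c, pkt) for c in conds):
                continue
            verdict = action
            if action == "pass" and "state" in opts:
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.log += [o[o.index("["):] for o in opts if o.startswith("alert") and "[" in o]
            if "done" in opts:
                break
        return verdict
    def outbound(self, pkt):
        return self._run(self.outb, pkt)
    def inbound(self, pkt):
        # Reply to a recorded session: admitted without running the inbound rules.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "pass"
        return self._run(self.inb, pkt)

def demo():
    fw = Westell(INBOUND_MEDIUM, OUTBOUND_MEDIUM)
    wan, web, peer = "203.0.113.9", "198.51.100.80", "192.0.2.44"  # constructed, documentation ranges
    verdicts = {
        "http_out": fw.outbound(Pkt("tcp", wan, 51000, web, 80)),
        "netbios_out": fw.outbound(Pkt("tcp", wan, 51001, peer, 139)),
        "ping_out": fw.outbound(Pkt("icmp", wan, 0, peer, 0, "request")),
        "http_reply": fw.inbound(Pkt("tcp", web, 80, wan, 51000)),
        "ping_reply": fw.inbound(Pkt("icmp", peer, 0, wan, 0, "reply")),
        "stray_reply": fw.inbound(Pkt("icmp", "192.0.2.99", 0, wan, 0, "reply")),
        "probe": fw.inbound(Pkt("tcp", peer, 4444, wan, 22)),
    }
    return verdicts, fw.log
```

The echo reply from the host we pinged gets in through the session table while an identical-looking reply from an unknown host is dropped by the ICMP rule, which is the difference between the 'Unsolicited' and 'state' behaviour the thread keeps coming back to.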


KachiWachi

join:2004-02-12
Bucks Co, PA
reply to NOYB
SwiftFox -

See my thread on how I did this in my 2200, which is similar to the 327 rule-wise.

»Westell 2200 Firewall Rule Explanation Needed

What you really have to do is sit down and compare the rule sets...and see just what "extra" security you get by changing from one rule set to another. You can then decide if you really require that level of security...or not.

You can always make a "custom" rule set by cutting and pasting existing rules that you want/don't want...or by writing your own.

SwiftFox

join:2005-11-01
Trenton, NJ
KachiWachi,
Thanks, I'll definitely study your thread and then post back, as I'm sure I'll have questions.

Yeah, I've been carefully comparing the different rule sets for Low and Medium. I've been playing around with a custom rule set, but at one point, I must have screwed up, as I could no longer surf at all so then had to restore the backup configuration.

Anyway, I'm sure I'll learn a lot from your thread, as I've learned a lot from this one. Thanks again.


KachiWachi

join:2004-02-12
Bucks Co, PA
reply to NOYB
NOYBNOYB -

Do you really get that many TTL Drops that you need or want to see them in the log?

I don't think I've ever had any show up with the "standard" rule.

There's nothing wrong with having your rule...I was just curious as to why you implemented it.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
I have seen a few from time to time, though they are fairly rare, and was just curious if they were 0 or 1.

Don't know what their capability is for devious exploits, but even if not being logged they should probably still at least be dropped (blocked).



NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

4 edits
reply to NOYB

If passive mode FTP access need is limited to only a few servers, such as for virus scan definition file updates and managing a web site, etc., the 'Outbound Firewall Rules - Medium' can be further strengthened by making the following modifications to have the passive mode FTP port range 1024 through 5000 open only for known frequented FTP servers, rather than being open for any and all servers.

In the 'File Transfer Protocol (FTP) - "Active" and "Passive" Modes' section, of the 'Outbound Firewall Rules - Medium', comment out this line.
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties


And add the following for each passive mode FTP site to be accessed, replacing n.n.n.n with the IP address of the FTP server.
# WE/IE Passive Mode FTP Data Channel Ports, Server Specific - Check 'Use Passive FTP' in IE Advanced Properties
pass protocol tcp, to addr n.n.n.n, from port >= 1024, from port <= 5000 >> state, done # Virus Scan Updates - FTP
pass protocol tcp, to addr n.n.n.n, from port >= 1024, from port <= 5000 >> state, done # My Web Site - FTP


Additionally, if "Active" mode FTP is not required, these two rules, to and from port 20, may also be commented out.
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port

To comment out a rule place a pound symbol (#) at the beginning of the rule statement.

saweetnesstr

join:2003-08-19
Grafton, OH

1 edit
Thanks, I used the medium rules at the bottom. Any updates? It works like a charm, thanks NOYBNOYB :P. I always get probed for 1026, 1027 and some other known ports, and it pisses me off.

MQY

join:2003-08-19
Flushing, NY

1 edit
reply to NOYB
Hello NOYBNOYB:

Thank you for the wonderful article, I think I will copy/paste your rule. Is the rule in the first post a final edit?

BTW, is there anything wrong with 327w's default firewall rule? Is the default rule good enough to protect us?

Thank you again.


Miss Moose

@verizon.net
reply to NOYB
Good lawd, this is so useful. I've sewn up one segment and I'll hit the next one tomorrow.

I have an ex actively trying to access my network, so I've gone from medium technical knowledge to getting in quite a bit deeper.

Thanks so much!


poppster
Tell the truth and then run.
Premium
join:2003-12-23
Midwest
kudos:1
reply to NOYB
Testing your settings, here is what I get.

Random Common Ports with NO software firewall added.

Port    Service    Status
0       -          Stealth
21      FTP        Stealth
22      SSH        Stealth
23      Telnet     Stealth
25      SMTP       Stealth
79      Finger     Stealth
80      HTTP       Stealth
110     POP3       Stealth
113     IDENT      Stealth
119     NNTP       Stealth
135     RPC        Stealth
139     NetBIOS    Stealth
143     IMAP       Stealth
389     LDAP       Stealth
443     HTTPS      Stealth
445     MSFT DS    Stealth
1002    ms-ils     Stealth
1024    DCOM       Stealth
1025    Host       Stealth
1026    Host       Stealth
1027    Host       Stealth
1028    Host       Stealth
1029    Host       Stealth
1030    Host       Stealth
1720    H.323      Stealth
5000    UPnP       Stealth

Security Implications (same for every port above): There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
p2p sharing
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Nice settings.

The internet is completely browseable, so are p2p applications, very nice.

Looks like I might not need a software firewall....lol

Thanks for these settings.
--
Shortest Straw Has Been Pulled for You


poppster
Tell the truth and then run.
Premium
join:2003-12-23
Midwest
kudos:1
reply to NOYB
How do I edit the rules for xbox live to work? When I want to play on XBL I have to set the firewall down to low.

Otherwise your rules are great.
--
Shortest Straw Has Been Pulled for You

cardr01

join:2006-12-06
Bethel, OH
reply to NOYB
So could you guys help the less computer savvy people with this?

The only reason I'm needing help is like others I found a program, Limewire, which I want to use but don't want to lower my security.

I cut and pasted the rules in the custom part of the westell firewall settings. However I still can't surf the internet. I don't see anything else in IE to enable. Any help would be appreciated.

Thanks

cardr01

join:2006-12-06
Bethel, OH
Ok the slow guy is finally figuring this out. I understand the services and have them enabled now. When enabling them, do you pick "Host" or "Dynamic"?

Thanks


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to MQY

The first set of rules is for use with enabling services.

The second set is for using firewall configuration to allow needed traffic without enabling services. This is the set I use (medium in, medium out).

Only you can determine whether or not the default rule is good enough to protect you. The best practice for security is to block/disable everything and permit/enable only what is needed.

Been a while since I've been here. Looks like some folks getting some use out of the firewall rules. That's real nice to see.

Thank you, and you're welcome.