Harden Your Westell 327 Firewall
N O Y B
Re: Harden Your Westell 327 Firewall

Here is another strong method without enabling services.

If you have others you think would make a good addition to these, please post and let us know.

For Westell 327w firewall rules help and syntax, go to 'Configuration -> Firewall' and click the 'edit' button. Then, in the 'Firewall Rules' window that pops up, click the 'help' button. »dslrouter/fwHelp.htm or »192.168.1.1/fwHelp.htm

Note: The firewall rules are only executed in the absence of a stateful packet match in the session state table.

Remote Router Administration
Disable "Remote Access" and set a strong password (minimum of 8 characters with at least 1 letter, 1 number and 1 punctuation) on the Maintenance -> Remote Access page. »dslrouter/remote.htm or »192.168.1.1/remote.htm

Inbound Firewall Rules - Low
Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
title [ Security Level Custom (Low) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)

# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
Permitted
pass all

end

Inbound Firewall Rules - Medium
Deny All Inbound Packets That Are Not Explicitly Permitted or Do Not Have a Matching Session State Table Entry (Unsolicited)
title [ Security Level Custom (Medium) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)

# Deny All Inbound Packets That Do Not Have a Matching Session State Table Entry (Unsolicited)
Unsolicited
drop all >> alert 3 [Unsolicited Inbound - Drop]

end

Outbound Firewall Rules - Low
Permit All Outbound Packets That Are Not Explicitly Denied
title [ Security Level Custom (Low) OUT rules ]

begin

# Protocol Match conditions

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Permit All Outbound Packets That Are Not Explicitly Denied, and Add to Session State Table for Medium Inbound Firewall Rules
Permitted
#pass all # For Use With Inbound Low Firewall Rules Only
pass all >> state # For Use With Inbound Low or Medium Firewall Rules

end

Outbound Firewall Rules - Medium
Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
title [ Security Level Custom (Medium) OUT rules ]

begin

# Protocol Match conditions

# World Wide Web
WWW
pass protocol tcp, to port 80 >> state, done # HTTP
pass protocol tcp, from port 80 >> state, done # HTTP
pass protocol tcp, to port 443 >> state, done # HTTPS - Secure Socket Layer (SSL)

# Domain Name System - Name/Address Resolution
DNS
pass protocol udp, to port 53 >> state, done # DNS

# Telecommunication Network (Telnet)
Telnet
pass protocol tcp, to port 23 >> state, done # Telnet

# Internet Protocol Security (IPsec)
IPsec
#pass protocol udp, to port 500 >> state, done # IPSEC IKE
#pass protocol 50 >> state, done # IPSEC ESP

# eMail & News Groups
# Post Office Protocol (POP) / Simple Mail Transfer Protocol (SMTP) / Network News Transfer Protocol (NNTP)
eMail
pass protocol tcp, to port 110 >> state, done # POP
pass protocol tcp, to port 25 >> state, done # SMTP
pass protocol tcp, to port 119 >> state, done # NNTP

# Secure Socket Layer POP / SMTP / NNTP
eMailSSL
pass protocol tcp, to port 995 >> state, done # POP SSL
pass protocol tcp, to port 465 >> state, done # SMTP SSL
pass protocol tcp, to port 563 >> state, done # NNTP SSL

# File Transfer Protocol (FTP) - "Active" and "Passive" Modes
FTP
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties

# Skype - Assigned Port of Each Skype Installation - Tools -> Options... -> Connection
Skype
#pass protocol udp, from port XXXXX >> state, done # Skype

# Network Time Protocol (NTP) (Windows Time Sync)
NTP
pass protocol udp, to port 123 >> state, done # NTP (Windows Time Sync)

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
NotPermitted
drop all >> alert 1 [Packet to be dropped unless Service enabled]

end


N O Y B

If the need for passive mode FTP access is limited to only a few servers, such as for virus scan definition file updates and managing a web site, the 'Outbound Firewall Rules - Medium' can be further strengthened by making the following modifications, so that the passive mode FTP port range 1024 through 5000 is open only for known, frequented FTP servers rather than for any and all servers.

In the 'File Transfer Protocol (FTP) - "Active" and "Passive" Modes' section of the 'Outbound Firewall Rules - Medium', comment out this line.
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties


And add the following for each passive mode FTP site to be accessed, replacing n.n.n.n with the IP address of the FTP server.
# WE/IE Passive Mode FTP Data Channel Ports, Server Specific - Check 'Use Passive FTP' in IE Advanced Properties
pass protocol tcp, to addr n.n.n.n, from port >= 1024, from port <= 5000 >> state, done # Virus Scan Updates - FTP
pass protocol tcp, to addr n.n.n.n, from port >= 1024, from port <= 5000 >> state, done # My Web Site - FTP


Additionally, if "Active" mode FTP is not required, these two rules (to and from port 20) may also be commented out.
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port

To comment out a rule place a pound symbol (#) at the beginning of the rule statement.
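The two posts above describe the rules in prose; what a practitioner usually wants is a way to see which rule a given packet actually hits, because the verdict depends on rule order and on the session state table. The following is an added example, not Westell firmware or anything posted in this thread. It is a toy evaluator for the subset of the rule syntax used above (pass/drop, protocol, icmp-type, to/from port with >= and <=, to/from addr, all, the `match` byte test, and the `state`, `done` and `alert` actions). It assumes first-match semantics (rules tried top to bottom, the first rule whose conditions all hold decides), that `state` on an outbound pass records the 5-tuple, and that an inbound packet whose reversed 5-tuple is in the session table bypasses the inbound rules, as the note on the state table says. The `match 3 8 { .. }` test is treated as a masked compare against the IP TTL only because the thread's own comments label it that way; the offset/length fields are not interpreted. The rule excerpts and packets are constructed for the demonstration, and the addresses are documentation ranges.

```python
"""Toy evaluator for the Westell rule subset used in this thread (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp" or a protocol number as text
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # Westell keywords: request, reply, exceeded, unreachable
    ttl: int = 64


@dataclass
class Rule:
    action: str                # pass | drop
    conds: list                # condition strings, all of which must match
    state: bool                # ">> state": record the session
    alert: str                 # alert text, "" when the rule does not log


COND_RE = re.compile(r"^(to|from) (port|addr) (>=|<=)? ?(\S+)$")
MATCH_RE = re.compile(r"^match \S+ \S+ \{ (\w+):(\w+) \}$")
ALERT_RE = re.compile(r"alert \d+ \[(.*?)\]")


def parse_rules(text):
    """Keep pass/drop lines; titles, section labels, begin/end and #-comments are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith(("pass ", "drop ")):
            continue
        head, _, tail = line.partition(">>")
        action, _, cond_text = head.strip().partition(" ")
        conds = [c.strip() for c in cond_text.split(",")]
        alert = ALERT_RE.search(tail)
        rules.append(Rule(action, conds, "state" in tail, alert.group(1) if alert else ""))
    return rules


def cond_matches(cond, pkt):
    if cond == "all":
        return True
    if cond.startswith("protocol "):
        return pkt.proto == cond.split()[1]
    if cond.startswith("icmp-type "):
        return pkt.icmp_type == cond.split()[1]
    m = MATCH_RE.match(cond)
    if m:  # assumption: per the thread's comments this byte test is the IP TTL, value:mask
        value, mask = int(m.group(1), 16), int(m.group(2), 16)
        return pkt.ttl & mask == value & mask
    m = COND_RE.match(cond)
    if m:
        side, kind, op, val = m.groups()
        if kind == "addr":
            return (pkt.dst if side == "to" else pkt.src) == val
        port, n = (pkt.dport if side == "to" else pkt.sport), int(val)
        return port >= n if op == ">=" else port <= n if op == "<=" else port == n
    raise ValueError(f"unsupported condition: {cond!r}")


class Firewall:
    def __init__(self, out_text, in_text):
        self.out_rules, self.in_rules = parse_rules(out_text), parse_rules(in_text)
        self.sessions, self.log = set(), []

    def _first_match(self, rules, pkt):
        for r in rules:
            if all(cond_matches(c, pkt) for c in r.conds):
                if r.alert:
                    self.log.append(r.alert)
                return r
        return None

    def send(self, pkt):       # LAN -> WAN: OUT rules, "state" records the 5-tuple
        r = self._first_match(self.out_rules, pkt)
        if r and r.action == "pass" and r.state:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return r.action if r else "no-match"

    def receive(self, pkt):    # WAN -> LAN: session table first, then the IN rules
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "pass (state)"
        r = self._first_match(self.in_rules, pkt)
        return r.action if r else "no-match"


# Constructed excerpts of the Medium OUT and Medium IN rule sets posted above.
OUT_MEDIUM = """
pass protocol tcp, to port 443 >> state, done # HTTPS
pass protocol udp, to port 53 >> state, done # DNS
pass protocol tcp, to port 21 >> state, done # FTP control channel
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # passive FTP data
pass protocol icmp, icmp-type request >> state, done # echo request
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic]
drop all >> alert 1 [Packet to be dropped unless Service enabled]
"""
IN_MEDIUM = """
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
pass protocol icmp, icmp-type exceeded >> done
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped]
drop all >> alert 3 [Unsolicited Inbound - Drop]
"""


def demo():
    """Run constructed packets through the excerpts; returns verdicts by name and the alert log."""
    fw, lan, web = Firewall(OUT_MEDIUM, IN_MEDIUM), "192.168.1.10", "203.0.113.5"
    v = {}
    v["https_out"] = fw.send(Packet("tcp", lan, web, 3001, 443))
    v["https_reply_in"] = fw.receive(Packet("tcp", web, lan, 443, 3001))
    v["ping_out"] = fw.send(Packet("icmp", lan, web, icmp_type="request"))
    v["ping_reply_in"] = fw.receive(Packet("icmp", web, lan, icmp_type="reply"))
    v["probe_1026_in"] = fw.receive(Packet("udp", "198.51.100.7", lan, 40000, 1026))
    v["ttl1_in"] = fw.receive(Packet("tcp", "198.51.100.7", lan, 40000, 80, ttl=1))
    # a source port in 1024-5000 reaches the passive FTP rule before NetBIOS or drop-all
    v["irc_from_3002"] = fw.send(Packet("tcp", lan, "203.0.113.9", 3002, 6667))
    v["netbios_from_3003"] = fw.send(Packet("tcp", lan, "203.0.113.9", 3003, 139))
    v["netbios_from_60000"] = fw.send(Packet("tcp", lan, "203.0.113.9", 60000, 139))
    return v, fw.log
```

Under these assumptions the HTTPS reply and the ping reply come back through the session table without touching the inbound `drop ... reply` rules, which is why those inbound drops do not break outbound ping; the unsolicited probe to 1026 and the TTL-1 packet land on the inbound drop rules and produce the alert text. The last three packets show the ordering point behind the second post: the passive FTP rule carries only a source-port range and no destination port or address, so any TCP packet from a source port in 1024 through 5000 is passed and stated by it before the NetBIOS and drop-all rules are reached, while the same NetBIOS packet from source port 60000 is dropped. Replacing that rule with the server-specific `to addr n.n.n.n` form given above narrows it to the listed servers. To check a different rule set, paste the full IN and OUT blocks from the posts into the two strings; lines the toy does not understand raise `ValueError` rather than silently matching.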

saweetnesstr
Thanks, I used the medium rules on the bottom. Any updates? It works like a charm. Thanks NOYB :P. I always get probed for 1026, 1027 and some other known ports, and it pisses me off.
Saturday, 05-Dec 12:16:20 | © 1999-2009 dslreports.com