The Hammer

@verizon.net

Westell 327W Firewall

I have been following instructions on how to harden the firewall built into my Westell 327W DSL Modem at »Harden Your Westell 327 Firewall

I have a LaCie NAS and am bothered by all the logged attempts to break into the drive. I want to be able to access via FTP certain shares on the drive. The only way I have been able to accomplish this is to leave the firewall set to low. But my NAS log shows continued attempts to enter the drive. [Important note to others - change your default Administrator password NOW!]

If I set the custom firewall based on the recommendations of the post listed above, I can no longer access my files via FTP. The language in the firewall is cryptic enough that I cannot understand it. What do I need to change to allow FTP through the firewall and ports 20,21?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

Unfortunately, FTP is a nasty protocol to firewall. There is one connection to port 21 for passing commands. That's usually called the control connection. And then there is another connection established for transferring data (a file or a directory listing). For active mode FTP, the data connection is to an arbitrary port, but using port 20 as the source port. And the connection is made in reverse direction, with the server connecting to the client. For passive mode FTP, the connection is in the standard direction (client to server), but uses arbitrary source and destination ports.

A firewall typically has to look inside control packets passed in order to determine which ports are to be used in the data connection, and then set temporary firewall rules to allow that. Not all firewalls handle it well.

I don't think I have ever tried that with my 327w. I normally use either "http" or "ssh" for file transfers.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10
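The two data-connection cases nwrickert describes (active: server connects from port 20 to a port the client announced with PORT; passive: client connects to a port the server announced in its 227 reply) are what a firewall's FTP helper reconstructs by reading the control channel. The following is an added example, not code from the thread or from the Westell firmware, that parses a constructed control-channel exchange and derives the temporary pinholes a stateful firewall would open. The addresses, the line format of the sample, and the DataRule structure are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample FTP control-channel exchange (not from the original thread).
# Client 192.168.1.20 talks to server 203.0.113.5; both addresses are made up.
CLIENT_IP = "192.168.1.20"
SERVER_IP = "203.0.113.5"
SAMPLE_CONTROL = [
    "USER alice",
    "PORT 192,168,1,20,4,1",                            # active: client listens on 4*256+1 = 1025
    "LIST",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80)",   # passive: server listens on 195*256+80 = 50000
    "RETR report.pdf",
    "PORT 10,0,0,99,0,80",                              # names a third-party host; must not be honoured
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataRule:
    """One temporary pinhole the firewall would open for an FTP data connection."""
    mode: str                # "active" or "passive"
    src: str                 # side that initiates the data connection
    src_port: Optional[int]  # 20 in active mode; unconstrained (None) in passive mode
    dst: str                 # side that accepts the data connection
    dst_port: int            # port the data connection is made to


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six comma-separated FTP fields into (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port field out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def derive_data_rules(lines: List[str], client_ip: str, server_ip: str) -> List[DataRule]:
    """Inspect control-channel lines and return the data-connection pinholes a
    stateful firewall would add. An announcement naming a host other than the
    peer that sent it is ignored, so neither side can use PORT/PASV to open a
    hole towards some third machine."""
    rules: List[DataRule] = []
    for line in lines:
        m = PORT_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            if host != client_ip:
                continue  # PORT pointing elsewhere: not honoured
            # Active mode: the server dials out from port 20 to the client's announced port.
            rules.append(DataRule("active", server_ip, 20, client_ip, port))
            continue
        m = PASV_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            if host != server_ip:
                continue  # 227 pointing elsewhere: not honoured
            # Passive mode: the client dials the server's announced port from any source port.
            rules.append(DataRule("passive", client_ip, None, server_ip, port))
    return rules


if __name__ == "__main__":
    for r in derive_data_rules(SAMPLE_CONTROL, CLIENT_IP, SERVER_IP):
        sp = str(r.src_port) if r.src_port else "any"
        print(f"{r.mode:8} {r.src}:{sp} -> {r.dst}:{r.dst_port}")
```

Running it shows one active-mode pinhole (server:20 to client:1025) and one passive-mode pinhole (client:any to server:50000), while the PORT line that names an unrelated host produces nothing. The passive case is why fixed rules for ports 20 and 21 alone do not cover the data transfer: the port is chosen per transfer and only becomes known by reading the 227 reply, which is the "look inside control packets" step described above.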


The Hammer

@verizon.net

How can I find out about using "http" or "ssh" for file transfers? As I have always used FTP, I have not found out the advantages or disadvantages of the other protocols. My goal is to be able to access my home files while I am on the road.

As of now, the only protection I seem to have on my NAS preventing outside theft is the name and passwords I use. They are all abnormal, so the bots trying to break in have not been successful (so far). But it is just darn disconcerting to look at the logs and see all the attempts.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

You would need to be running an http server (web server) or an ssh server.

I normally use linux on my home system, so there is an ssh server automatically started. I don't know what is available for windows. I use putty as an ssh client on windows, but that's not a server.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10


The Hammer

@verizon.net
How about for the Mac?

impala

join:2008-03-08
Clemson, SC
·AT&T Southeast

reply to The Hammer
Is there really a difference between trying to hack the drive from HTTP and trying to hack the drive from FTP? Well, I can understand minimizing your exposure. To do what you want you probably need to add these rules to the inbound firewall:
#pass to port 20 >> state, done # FTP
#pass from port 20 >> state, done # FTP
#pass to port 21 >> state, done # FTP
#pass from port 21 >> state, done # FTP

On a mac, if you go to the networking tab in system preferences, you can enable the http and ssh services.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to The Hammer
said by The Hammer :

How about for the Mac?
Recent Macs are using unix beneath the hood (apparently based on BSD unix). Both openssh and apache should be available.

Note that I am not a Mac user, and I do not have any experience setting these up.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.11

impala

join:2008-03-08
Clemson, SC
·AT&T Southeast

reply to The Hammer
[attached image: MacOS Sharing System Preference]
It's the sharing tab, not the networking tab. Sorry. See attached. "Web Sharing" is http and "Remote Login" is ssh.

The Hammer

join:2009-07-09

reply to impala
OK, now my inbound firewall rules look like:

title [ Security Level Custom (Low) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
#pass to port 20 >> state, done # FTP
#pass from port 20 >> state, done # FTP
#pass to port 21 >> state, done # FTP
#pass from port 21 >> state, done # FTP

# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
Permitted
pass all

end

I will try it and see what happens. Thanks. Shouldn't I delete the '#' pound sign at the beginning of each? Doesn't the # sign disable the line?

As to the other posts that are helping me with the Mac, my question was confusing. The firewall I am trying to configure is not the Mac firewall, but the firewall on the Westell 327W DSL Modem / Router. Thanks.

impala

join:2008-03-08
Clemson, SC
·AT&T Southeast

said by The Hammer :

Shouldn't I delete the '#' pound sign at the beginning of each? Doesn't the # sign disable the line?
Correct. Delete the # to activate the rule.
Monday, 30-Nov 04:50:44 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.