jiggles5
join:2000-09-24
New York, NY

jiggles5

Member

Re: SUCCESS!!! TCP Estab in filters

Actually, on second thought, it might be a bad idea to use this if you want to use FTP in active mode. You would end up opening up the router itself to attack. Also, I got the port wrong in my last post; the ftp server connects back from port 20.
allyn
join:2000-10-10
Escondido, CA

allyn

Member

Sounds like the cure is worse than the disease.

jiggles5
join:2000-09-24
New York, NY

jiggles5

Member

Well, passive FTP works fine and I feel it is far preferable from a security standpoint. I think cases where someone absolutely needs to use active FTP are very uncommon (I have yet to).

In general, if security is a priority, it is better to default to dropping packets and open up ports/services as needed.

It is also better from a performance standpoint. If you set up rules to drop stuff and default to forwarding then forwarded packets (the ones you actually want) have to go through the whole filter chain. If you do it the other way, the packet will get forwarded on the first rule it matches. Only dropped packets will have to go through the whole chain.

As I cited in a previous article some time back, when I had an Ascend router, they had a backdoor port on it opened up which was not documented. I would not be surprised if a firmware update does a similar thing on the Netgear (not necessarily a backdoor, but they could open up the auth/ident port, for instance, to provide those services on the router).

Right now, as it stands, my packet filter is more secure, has fewer rules and probably performs a tad better. While this may not be for everyone (like people who need to allow a lot of initiated connections on different ports from the outside), for those who want a higher level of security, it is a better option.
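The two points made in this thread, that a default-drop filter with an "established" rule decides wanted packets on the first rule while a default-forward filter makes them walk the whole chain, and that letting active-mode FTP data connections (source port 20) back in opens the router to anyone who picks source port 20, can be shown with a small first-match filter simulator. This is an added example, not code from the thread or from any Netgear/Ascend firmware; the rule sets, port list, IP addresses and sample packets are constructed for illustration, and the "established" check is the crude ACK-set/SYN-clear test that early stateless filters used.

```python
"""Toy first-match packet filter: default-forward vs default-drop policies.

Added example (not from the forum thread). Rules, ports and packets below
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_port: int
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    match: Callable[[Packet], bool]


def is_established(p: Packet) -> bool:
    """Stateless 'established' test as old filters did it: ACK set, SYN clear."""
    return p.proto == "tcp" and p.ack and not p.syn


def dst_port_is(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.dst_port == port


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins. Returns (action, number of rules examined)."""
    for i, rule in enumerate(rules, start=1):
        if rule.match(pkt):
            return rule.action, i
    return default, len(rules)


# Policy A: default-forward, with explicit drops for a handful of services.
# Every packet that is NOT on the block list (including the ones you want)
# walks the whole chain before falling through to the default.
BLOCKED_PORTS = [23, 111, 135, 137, 138, 139, 445, 513, 514]
DEFAULT_FORWARD_RULES = [
    Rule(f"drop-dst-{port}", "drop", dst_port_is(port)) for port in BLOCKED_PORTS
]

# Policy B: default-drop, with explicit accepts. Return traffic for
# connections we initiated matches rule 1; anything unlisted is dropped.
DEFAULT_DROP_RULES = [
    Rule("allow-established", "accept", is_established),
    Rule("allow-ssh-in", "accept",
         lambda p: p.proto == "tcp" and p.dst_port == 22 and p.syn and not p.ack),
]

# Policy B plus the tempting active-FTP fix: accept new connections whose
# source port is 20. An attacker chooses their own source port, so this
# rule admits any scan that sets sport=20.
ACTIVE_FTP_HOLE_RULES = DEFAULT_DROP_RULES + [
    Rule("allow-ftp-data-src20", "accept",
         lambda p: p.proto == "tcp" and p.src_port == 20),
]


def compare_policies(pkt: Packet) -> Dict[str, Tuple[str, int]]:
    return {
        "default_forward": evaluate(DEFAULT_FORWARD_RULES, "accept", pkt),
        "default_drop": evaluate(DEFAULT_DROP_RULES, "drop", pkt),
        "default_drop_plus_src20": evaluate(ACTIVE_FTP_HOLE_RULES, "drop", pkt),
    }


# Constructed sample packets (documentation-range addresses).
RETURN_TRAFFIC = Packet("tcp", "198.51.100.10", 80, 40001, syn=False, ack=True)  # reply to our web request
ACTIVE_FTP_DATA = Packet("tcp", "198.51.100.20", 20, 40002, syn=True, ack=False)  # server connecting back
ATTACKER_SRC20 = Packet("tcp", "203.0.113.5", 20, 23, syn=True, ack=False)       # scan to telnet, sport 20
RANDOM_SCAN = Packet("tcp", "203.0.113.5", 44444, 8080, syn=True, ack=False)     # port not on block list

if __name__ == "__main__":
    for label, pkt in [("return traffic", RETURN_TRAFFIC),
                       ("active FTP data", ACTIVE_FTP_DATA),
                       ("attacker with sport 20", ATTACKER_SRC20),
                       ("scan of unlisted port", RANDOM_SCAN)]:
        print(f"{label}:")
        for policy, (action, examined) in compare_policies(pkt).items():
            print(f"  {policy:25s} -> {action:6s} after {examined} rule(s)")
```

Two things fall out of running it. The wanted return packet is accepted at rule 1 under default-drop but examines all nine rules under default-forward, and a scan of any port not on the block list sails through default-forward while default-drop rejects it. Adding the source-port-20 accept to make active FTP work does let the FTP server's data connection in, but the attacker packet with source port 20 aimed at the router's telnet port is accepted by exactly the same rule, which is the "opening up the router itself" problem from the first post.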