Linksys wifi router - config for minimum open ports

I am about to get one of these (ethernet - ethernet/wifi product).

While it may seem bizzare to post this question before having it... it
will have to be configured for a fairly strict access list. The
following access list comes from a Cisco 803 router which works fine
in that application (www, email, ftp, sntp ONLY).

Is there an equivalent config for the Linksys?

When I bought the 803, the handbook contained basically a wide-open
ACL and this causes problems with today's constant Blaster etc
attacks. This is for a friend and I can't guarantee that every PC on
the wifi network will have the latest O/S patches...

outgoing:

access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit tcp any any eq nntp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any established

incoming:
access-list 150 permit tcp any any established
access-list 150 permit udp host 195.8.69.7 eq ntp any
access-list 150 deny tcp any any eq ftp-data
access-list 150 permit tcp any eq ftp-data any
access-list 150 deny icmp any any echo
access-list 150 permit icmp any any
access-list 150 permit tcp any any eq ident
access-list 150 permit tcp any any eq smtp
access-list 150 permit udp any eq domain any
access-list 150 deny ip any any

Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.

The Linksys won't have IOS but if you get one of the Wi-fi routers, it will
most likely have some type of firewall software. You should go to the
Linksys site to see if the manual is available for the model you are
interested in.

Don Woodward

"Peter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> I am about to get one of these (ethernet - ethernet/wifi product).
>
> While it may seem bizzare to post this question before having it... it
> will have to be configured for a fairly strict access list. The
> following access list comes from a Cisco 803 router which works fine
> in that application (www, email, ftp, sntp ONLY).
>
> Is there an equivalent config for the Linksys?
>
> When I bought the 803, the handbook contained basically a wide-open
> ACL and this causes problems with today's constant Blaster etc
> attacks. This is for a friend and I can't guarantee that every PC on
> the wifi network will have the latest O/S patches...
>
> outgoing:
>
> access-list 100 permit tcp any any eq www
> access-list 100 permit udp any any eq domain
> access-list 100 permit tcp any any eq domain
> access-list 100 permit tcp any any eq nntp
> access-list 100 permit tcp any any eq pop3
> access-list 100 permit tcp any any eq ftp
> access-list 100 permit tcp any any eq ftp-data
> access-list 100 permit tcp any eq ftp-data any
> access-list 100 permit tcp any any established
>
> incoming:
> access-list 150 permit tcp any any established
> access-list 150 permit udp host 195.8.69.7 eq ntp any
> access-list 150 deny tcp any any eq ftp-data
> access-list 150 permit tcp any eq ftp-data any
> access-list 150 deny icmp any any echo
> access-list 150 permit icmp any any
> access-list 150 permit tcp any any eq ident
> access-list 150 permit tcp any any eq smtp
> access-list 150 permit udp any eq domain any
> access-list 150 deny ip any any
>
> Peter.
> --
> Return address is invalid to help stop junk mail.
> E-mail replies to (E-Mail Removed) but remove the X and the Y.
> Please do NOT copy usenet posts to email - it is NOT necessary.

I have a Linksys WRT54G at firmware 1.30.7 and it supports port
forwarding and filters based on "THE" outside IP of the router. You can
forward inbound ports to seperate inside IPs. The filters can be used to
block/allow outbound traffic

Peter wrote:
> I am about to get one of these (ethernet - ethernet/wifi product).
>
> While it may seem bizzare to post this question before having it... it
> will have to be configured for a fairly strict access list. The
> following access list comes from a Cisco 803 router which works fine
> in that application (www, email, ftp, sntp ONLY).
>
> Is there an equivalent config for the Linksys?
>
> When I bought the 803, the handbook contained basically a wide-open
> ACL and this causes problems with today's constant Blaster etc
> attacks. This is for a friend and I can't guarantee that every PC on
> the wifi network will have the latest O/S patches...
>
> outgoing:
>
> access-list 100 permit tcp any any eq www
> access-list 100 permit udp any any eq domain
> access-list 100 permit tcp any any eq domain
> access-list 100 permit tcp any any eq nntp
> access-list 100 permit tcp any any eq pop3
> access-list 100 permit tcp any any eq ftp
> access-list 100 permit tcp any any eq ftp-data
> access-list 100 permit tcp any eq ftp-data any
> access-list 100 permit tcp any any established
>
> incoming:
> access-list 150 permit tcp any any established
> access-list 150 permit udp host 195.8.69.7 eq ntp any
> access-list 150 deny tcp any any eq ftp-data
> access-list 150 permit tcp any eq ftp-data any
> access-list 150 deny icmp any any echo
> access-list 150 permit icmp any any
> access-list 150 permit tcp any any eq ident
> access-list 150 permit tcp any any eq smtp
> access-list 150 permit udp any eq domain any
> access-list 150 deny ip any any
>
> Peter.
> --
> Return address is invalid to help stop junk mail.
> E-mail replies to (E-Mail Removed) but remove the X and the Y.
> Please do NOT copy usenet posts to email - it is NOT necessary.

Kirk Goins <(E-Mail Removed)> wrote

>I have a Linksys WRT54G at firmware 1.30.7 and it supports port
>forwarding and filters based on "THE" outside IP of the router. You can
>forward inbound ports to seperate inside IPs. The filters can be used to
>block/allow outbound traffic

Is there a cross-reference somewhere so I can translate a Cisco IOS
access list to the Linksys equivalent ?


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.

In article <(E-Mail Removed)>,
Peter <(E-Mail Removed)> wrote:
:Is there a cross-reference somewhere so I can translate a Cisco IOS
:access list to the Linksys equivalent ?

You are assuming that the Linksys has a CLI. The device you are
trying to configure for has a GUI instead. There are known hacks for
that model that allow you to get down to a shell prompt (that particular
model runs Linux internally, but most Linksys devices do not),
but the hacks take a bit of effort.

What I gather from what I've read is that Linksys devices block
new incoming connections by default, and that there is a menu to allow
you to configure exceptions. If it works similarily to the Netgear
model I'm accustomed to, it's a pretty simple matter of configuring
an outside port number, an inside IP address, and an inside port number.
[I don't know if you can even control whether it is tcp or udp.] The
conversion would thus be (in PIX notation, not IOS, sorry)

static (inside, outside) tcp interface OUTSIDEPORT INSIDEIP INSIDEPORT netmask 255.255.255.255
access-list out2in permit tcp any interface eq OUTSIDEPORT

would become the table entry

tcp OUTSIDEPORT INSIDEIP INSIDEPORT

with there being no equivilent to using any destination other than
'interface' (the outside IP address). My Netgear (from a couple of
generations ago) had no equivilent in that table to using anything
other than 'any' as the source.

I know my old Netgear has a filter page, but I never had reason to use it.
For you, the only reason to use the Linksys equivilent would be for
enforcing your rule "permit udp host 195.8.69.7 eq ntp any" to ensure
that only 195.8.69.7 could ntp in.
--
Perposterous!! Where would all the calculators go?!

There's no CLI if you will for the Linksys... If you have "EVER" done
anything with "ANY" router then the Browser based interface will be no
problems... Point and Click. If Cisco stuff was that easy...

Peter wrote:
> Kirk Goins <(E-Mail Removed)> wrote
>
>
>>I have a Linksys WRT54G at firmware 1.30.7 and it supports port
>>forwarding and filters based on "THE" outside IP of the router. You can
>>forward inbound ports to seperate inside IPs. The filters can be used to
>>block/allow outbound traffic
>
>
> Is there a cross-reference somewhere so I can translate a Cisco IOS
> access list to the Linksys equivalent ?
>
>
> Peter.
> --
> Return address is invalid to help stop junk mail.
> E-mail replies to (E-Mail Removed) but remove the X and the Y.
> Please do NOT copy usenet posts to email - it is NOT necessary.

In article <(E-Mail Removed)>,
Kirk Goins <(E-Mail Removed)> wrote:
:There's no CLI if you will for the Linksys...

There is, but it isn't trivial to get to.

http://www.seattlewireless.net/index.cgi/LinksysWrt54g
--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey

"Peter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> I am about to get one of these (ethernet - ethernet/wifi product).
>
> While it may seem bizzare to post this question before having it... it
> will have to be configured for a fairly strict access list. The
> following access list comes from a Cisco 803 router which works fine
> in that application (www, email, ftp, sntp ONLY).
>
> Is there an equivalent config for the Linksys?

I'll save you a bit of time and trouble since I already tried something
similar.

For my home network, I wanted to set up the Linksys (BEFSX41) to block all
unsolicited inbound and block all outbound except certain ports (HTTP, SMTP,
POP3, DNS, etc.). The short story is that doing so using Filters causes
things such as FTP to no longer function correctly. Filters take precidence
over everything including NAT. If the protocol does not swithc ports after
the initial connection, life is good.

The best you can hope for is to enable the Block WAN Requests to keep out
all the unsolicited traffic and build in a few (no more than 20) port
filters to block some of the LAN noise (137-139, etc) from getting out. It's
a far cry from "deny everything except."

On Mon, 15 Dec 2003 19:38:01 +0000, Peter spoketh

>
>Kirk Goins <(E-Mail Removed)> wrote
>
>>I have a Linksys WRT54G at firmware 1.30.7 and it supports port
>>forwarding and filters based on "THE" outside IP of the router. You can
>>forward inbound ports to seperate inside IPs. The filters can be used to
>>block/allow outbound traffic
>
>Is there a cross-reference somewhere so I can translate a Cisco IOS
>access list to the Linksys equivalent ?
>
>
>Peter.


There's no such things. These Linksys devices are very simplistic.
Basically, nothing is allowed inbound unless specifically allowed
(good), and everything is allowed outbound unless specifically blocked
(bad). It is very limited how many ports you can open for inbound
access, and equally limited how many port (ranges) you can block for
outbound access.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)