A simple port blocking firewall?

Is there a simple to configure firewall box which can block port
ranges so that only 80, 443, and DNS (59, IIRC) go through?

I believe Cisco do the PIX firewall but I have used various Cisco
products over the years and their config is at best very complex and
full of gotchas.

Currently I solve this by using a WRT54GC wifi access point which
works well for the ethernet-wifi mode, but now I need something which
works inline in the cable.

"Peter Crosland" <(E-Mail Removed)> wrote

>How big is your budget? A Draytek 2800G will provide fully configurable
>firewall facilities for Ethernet and wireless connects but at a price. Easy
>to configure.

A couple of hundred quid perhaps?

I already run a Draytek 2900Gi but that can't do anything between its
(4) ethernet ports; they are just a 4-port switch.

Remember I am after ethernet-ethernet.

Peter wrote:
> Is there a simple to configure firewall box which can block port
> ranges so that only 80, 443, and DNS (59, IIRC) go through?
>
> I believe Cisco do the PIX firewall but I have used various Cisco
> products over the years and their config is at best very complex and
> full of gotchas.
>
> Currently I solve this by using a WRT54GC wifi access point which
> works well for the ethernet-wifi mode, but now I need something which
> works inline in the cable.

How big is your budget? A Draytek 2800G will provide fully configurable
firewall facilities for Ethernet and wireless connects but at a price. Easy
to configure.

Peter Crosland

"Peter Crosland" <(E-Mail Removed)> wrote

>How big is your budget? A Draytek 2800G will provide fully configurable
>firewall facilities for Ethernet and wireless connects but at a price. Easy
>to configure.

I think I see what you are getting at. Using the router's WAN port as
the "input" ethernet port.

The 2900 should do the same - if it works. On the 2900 I can't see an
obvious config for this - it has "disable PPPOE" but I already have
that disabled (I am using a Dlink 300G ADSL modem which goes into that
port).

In message <(E-Mail Removed)>, Peter Crosland
<(E-Mail Removed)> writes
>Peter wrote:
>> Is there a simple to configure firewall box which can block port
>> ranges so that only 80, 443, and DNS (59, IIRC) go through?
>>
>> I believe Cisco do the PIX firewall but I have used various Cisco
>> products over the years and their config is at best very complex and
>> full of gotchas.
>>
>> Currently I solve this by using a WRT54GC wifi access point which
>> works well for the ethernet-wifi mode, but now I need something which
>> works inline in the cable.
>
>How big is your budget? A Draytek 2800G will provide fully configurable
>firewall facilities for Ethernet and wireless connects but at a price. Easy
>to configure.
>
Wireless not as powerful as a Belkin WAP F5D7132 nor a Speedtouch 780
router though, IME.

--
dave @ stejonda

On Sun, 28 Oct 2007 18:14:05 +0000, in uk.telecom.broadband , Peter
<occassionally-(E-Mail Removed)> wrote:

>Is there a simple to configure firewall box which can block port
>ranges so that only 80, 443, and DNS (59, IIRC) go through?

I can do that on all three of my routers . My Dlink DI-604 and Netgear
wgr614 can limit that block by source IP too, eg block all except my
mail server from sending or recieving email from the internet.Its a
bit trickier on my SMC2804WBRP-G but still fairly easy.

>I believe Cisco do the PIX firewall but I have used various Cisco
>products over the years and their config is at best very complex and
>full of gotchas.

On the Dlink its ridiculously easy - select IP Filters, enter the IP
range and port range, select protocol and click Ok You can even block
by time-of-day if you want. The same router also lets you block by
URL, MAC and Domain.
--
Mark McIntyre

Peter wrote:
> Is there a simple to configure firewall box which can block port
> ranges so that only 80, 443, and DNS (59, IIRC) go through?
>
> I believe Cisco do the PIX firewall but I have used various Cisco
> products over the years and their config is at best very complex and
> full of gotchas.
>
> Currently I solve this by using a WRT54GC wifi access point which
> works well for the ethernet-wifi mode, but now I need something
> which works inline in the cable.

Have you had a look at the Netgear FVS114?

"kráftéé" <kraftee@b&e-cottee.me.uk> wrote

>Have you had a look at the Netgear FVS114?
>
The spec

>LAN ports: Four (4) 10/100 Mbps auto-sensing, Auto Uplink™, RJ-45 ports
>WAN port: 10/100BASE-T Ethernet RJ-45 port to connect to any broadband modem, such as DSL or cable

suggests that the firewall feature is between the ethernet WAN port
and the 4-port ethernet switch.

The Q is whether the WAN port can be used as a general purpose
ethernet LAN port. The spec says it is for a modem, and this is the
potential problem with using any of the common cheap internet routers.
They all have the port blocking features I want but (as I posted
earlier) I am after an ethernet-ethernet box.

Peter wrote:
> "kráftéé" <kraftee@b&e-cottee.me.uk> wrote
>
>> Have you had a look at the Netgear FVS114?
>>
> The spec
>
>> LAN ports: Four (4) 10/100 Mbps auto-sensing, Auto UplinkT, RJ-45
>> ports
>> WAN port: 10/100BASE-T Ethernet RJ-45 port to connect to any
>> broadband modem, such as DSL or cable
>
> suggests that the firewall feature is between the ethernet WAN port
> and the 4-port ethernet switch.
>
> The Q is whether the WAN port can be used as a general purpose
> ethernet LAN port. The spec says it is for a modem, and this is the
> potential problem with using any of the common cheap internet routers.
> They all have the port blocking features I want but (as I posted
> earlier) I am after an ethernet-ethernet box.

Perhaps we are misunderstanding what is behind your need to block these
ports. Can you please elaborate on this?

Peter Crosland

"Peter Crosland" <(E-Mail Removed)> wrote

>Perhaps we are misunderstanding what is behind your need to block these
>ports. Can you please elaborate on this?

internet ---- d-link 300g adsl modem ------ draytek 2900 router

then I have an ethernet LAN with a number of PCs on it, sharing files
etc

from that LAN I have a cable going to another building, where somebody
might be using the internet unsupervised, with a computer which might
be infected or even running software which might be trying to hack
into the aforementioned PCs. So I want to block all ports which are
used by windows networking (138,139 etc etc) as well as all the high
ports (I would like to block P2P).

The job is very simple - I am after a simple and relatively cheap
ethernet-to-ethernet firewall.

I could achieve this easily by putting a wireless AP (e.g. the WRT54GC
which can block 2 or 3 blocks of port numbers) in that building and
force any user there to use wifi, and hope that nobody is going to
discover the ethernet socket