#1
I am about to get ADSL with Plusnet and have purchased a DG834G so that I have the choice of using my desktop or notebook. This may be overkill but there we are! How much do the default firewall settings need altering to provide adequate protection? Are there any specific settings that I should alter and how?

--
(E-Mail Removed)
Peter Crosland
#2
Peter Crosland wrote:
> I am about to get ADSL with Plusnet and have purchased a DG834G so
> that I have the choice of using my desktop or notebook. This may be
> overkill but there we are! How much do the default firewall settings
> need altering to provide adequate protection? Are there any specific
> settings that I should alter and how?

I have a DG834G. I'm a regular home user and not a network techy so if anyone feels the need to correct the following then go ahead, but as I understand it....

Default is to stealth all ports for incoming comms so you will be invisible to the outside world on your ADSL link. But there is no block on outgoing comms at all by default so if you catch a trojan or spyware you will be vulnerable. You can override any port settings by range or individually in either direction so you can always fix the hole. Personally I haven't bothered.

The wireless side is left wide open by default but this is the best way to get started and make sure everything connects in the first place. I have manually disabled SSID broadcast, enabled WEP 128 bit encryption and only allow approved MAC addresses to connect wirelessly. I've also implemented Open Key rather than Shared Key Authentication as I understand that is more secure too. That's ample to prevent casual access but a determined hacker can get past all those given enough time and motivation. I run a mixed B/G network but I guess if you are only B or G then you could set the router to ignore the other speed. If everything is at G speeds then I guess you exclude connection by any B only devices.

FWIW I'm with PlusNet and it was very straightforward to get connected with the DG834G. If you would like to use my referral please quote "easytiger"

Cheers,
Tim.

--
Email address is munged. Please reply to newsgroup.
#3
> Default is to stealth all ports for incoming comms so you will be invisible
> to the outside world on your ADSL link. But there is no block on outgoing
> comms at all by default so if you catch a trojan or spyware you will be
> vulnerable. You can override any port settings by range or individually in
> either direction so you can always fix the hole. Personally I haven't
> bothered.

Thanks for that Tim. I already have outgoing connections sorted.

> The wireless side is left wide open by default but this is the best way to
> get started and make sure everything connects in the first place. I have
> manually disabled SSID broadcast, enabled WEP 128 bit encryption and only
> allow approved MAC addresses to connect wirelessly. I've also implemented
> Open Key rather than Shared Key Authentication as I understand that is more
> secure too. That's ample to prevent casual access but a determined hacker
> can get past all those given enough time and motivation. I run a mixed B/G
> network but I guess if you are only B or G then you could set the router to
> ignore the other speed. If everything is at G speeds then I guess you
> exclude connection by any B only devices.

I have set this up so that there are no broadcasts and 128 bit encryption to a single MAC address so I am reasonably happy with that given that I am out in the sticks.

> FWIW I'm with PlusNet and it was very straightforward to get connected with
> the DG834G. If you would like to use my referral please quote "easytiger"

Sorry but I am already signed up!
#4
Hi,

I have a DG834 (not G), and I have not managed to get the firewall function to work at all yet - the default rule is as you say to block all inbound packets, but this actually has no effect as far as I can see, they are still being picked up by the PCs on the LAN. Adding other more specific rules to block various ports hasn't worked either.

I have a static IP subnet, so I'm not using DHCP or NAT. Still waiting for a response from Netgear on this.

Adrian Bowen

"Tiny Tim" <_(E-Mail Removed)> wrote in message news:bvjqlc$tjvl0$(E-Mail Removed)...
> Peter Crosland wrote:
> > I am about to get ADSL with Plusnet and have purchased a DG834G so
> > that I have the choice of using my desktop or notebook. This may be
> > overkill but there we are! How much do the default firewall settings
> > need altering to provide adequate protection? Are there any specific
> > settings that I should alter and how?
>
> I have a DG834G. I'm a regular home user and not a network techy so if
> anyone feels the need to correct the following then go ahead, but as I
> understand it....
>
> Default is to stealth all ports for incoming comms so you will be invisible
> to the outside world on your ADSL link. But there is no block on outgoing
> comms at all by default so if you catch a trojan or spyware you will be
> vulnerable. You can override any port settings by range or individually in
> either direction so you can always fix the hole. Personally I haven't
> bothered.
>
> The wireless side is left wide open by default but this is the best way to
> get started and make sure everything connects in the first place. I have
> manually disabled SSID broadcast, enabled WEP 128 bit encryption and only
> allow approved MAC addresses to connect wirelessly. I've also implemented
> Open Key rather than Shared Key Authentication as I understand that is more
> secure too. That's ample to prevent casual access but a determined hacker
> can get past all those given enough time and motivation. I run a mixed B/G
> network but I guess if you are only B or G then you could set the router to
> ignore the other speed. If everything is at G speeds then I guess you
> exclude connection by any B only devices.
>
> FWIW I'm with PlusNet and it was very straightforward to get connected with
> the DG834G. If you would like to use my referral please quote "easytiger"
>
> Cheers,
> Tim.
>
> --
> Email address is munged. Please reply to newsgroup.
#5
Adrian Bowen wrote:
> Hi,
>
> I have a DG834 (not G), and I have not managed to get the firewall
> function to work at all yet - the default rule is as you say to block
> all inbound packets, but this actually has no effect as far as I can
> see, they are still being picked up by the PCs on the LAN. Adding
> other more specific rules to block various ports hasn't worked either.
>
> I have a static IP subnet, so I'm not using DHCP or NAT. Still
> waiting for a response from Netgear on this.
>
> Adrian Bowen

Repeating the "I'm not a techy" disclaimer, as far as I understand it, if you disable NAT then you give up all the protection the router/firewall offers. The router instructions tell you as much. Here is the text of the "help" from the router's config page regarding NAT....

"NAT allows all LAN PCs to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it. When NAT is disabled, only standard routing is performed by this Router."

Therefore no NAT = no firewall (I think).

With the DG834G you are able to reserve a specific IP address for each MAC address of each of your devices. e.g. my laptop is always 192.168.0.3 and my girlfriend's is always 192.168.0.2, while the Xbox gets anything else (normally 192.168.0.4) allocated but frankly I couldn't care what it gets. This helps allow port forwarding to the right machine when using P2P software, for example. I don't know if this will suit your needs but perhaps it's something to look into.

I've run a www.grc.com port scan test and with my setup I do not exist on any of the ports tested by Shields Up. My P2P port is reported as "closed" (no P2P running) while everything else is "stealthed".

I suppose it's of some interest that my router emailed me (at my choice) to warn of a possible DOS attack while the port scanning took place.
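
The "closed" versus "stealthed" results mentioned in the post above come down to how a port answers a TCP connection attempt. The following is an added example, not part of the original thread: a Python check that classifies ports on a host you administer. The function names and the loopback demo are assumptions made for illustration.

```python
import socket

# State names follow the ShieldsUp wording quoted in the thread.
OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def classify(exc):
    """Map the outcome of one TCP connect attempt to a port state.

    exc is None if the handshake completed, else the exception raised.
    """
    if exc is None:
        return OPEN      # SYN/ACK received: something is listening
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED    # RST received: host answers, nothing listening
    if isinstance(exc, socket.timeout):
        return STEALTH   # no reply at all: the packet was silently dropped
    raise exc            # other errors (no route, DNS) are not port states


def probe(host, port, timeout=3.0):
    """Try one TCP connection to host:port and return its state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def audit(host, ports, timeout=3.0):
    """Return {port: state} for a host you administer."""
    return {port: probe(host, port, timeout) for port in ports}


def answering(results):
    """Ports that sent any reply, i.e. everything that is not stealthed."""
    return sorted(p for p, state in results.items() if state != STEALTH)


if __name__ == "__main__":
    # Constructed demo: a loopback listener stands in for a forwarded port.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(audit("127.0.0.1", [port], timeout=1.0))   # listener up: open
    srv.close()
    print(audit("127.0.0.1", [port], timeout=1.0))   # listener gone: closed
```

To see what the router's WAN side exposes, the check has to run from a machine outside the LAN; a test made from inside only shows the LAN-facing behaviour.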
#6
Ahhh - thanks for that, I didn't pick up on that minor caveat in the manual! Well spotted, you've saved me a lot of fruitless fiddling about.

Hmmm. Ok, well the DG834 might come in useful as a birthday present for someone I guess.

Adrian

"Tiny Tim" <_(E-Mail Removed)> wrote in message news:bvl2bo$t9q63$(E-Mail Removed)...
> Adrian Bowen wrote:
> > Hi,
> >
> > I have a DG834 (not G), and I have not managed to get the firewall
> > function to work at all yet - the default rule is as you say to block
> > all inbound packets, but this actually has no effect as far as I can
> > see, they are still being picked up by the PCs on the LAN. Adding
> > other more specific rules to block various ports hasn't worked either.
> >
> > I have a static IP subnet, so I'm not using DHCP or NAT. Still
> > waiting for a response from Netgear on this.
> >
> > Adrian Bowen
>
> Repeating the "I'm not a techy" disclaimer, as far as I understand it, if
> you disable NAT then you give up all the protection the router/firewall
> offers. The router instructions tell you as much. Here is the text of the
> "help" from the router's config page regarding NAT....
>
> "NAT allows all LAN PCs to gain Internet access via this Router, by sharing
> this Router's WAN IP address. In most situations, NAT is essential for
> Internet access via this Router. You should only disable NAT if you are sure
> you do not require it. When NAT is disabled, only standard routing is
> performed by this Router."
>
> Therefore no NAT = no firewall (I think).
>
> With the DG834G you are able to reserve a specific IP address for each MAC
> address of each of your devices. e.g. my laptop is always 192.168.0.3 and my
> girlfriend's is always 192.168.0.2, while the Xbox gets anything else
> (normally 192.168.0.4) allocated but frankly I couldn't care what it gets.
> This helps allow port forwarding to the right machine when using P2P
> software, for example. I don't know if this will suit your needs but perhaps
> it's something to look into.
>
> I've run a www.grc.com port scan test and with my setup I do not exist on
> any of the ports tested by Shields Up. My P2P port is reported as "closed"
> (no P2P running) while everything else is "stealthed".
>
> I suppose it's of some interest that my router emailed me (at my choice) to
> warn of a possible DOS attack while the port scanning took place.
Tags: dg834g, firewall, setup