Linksys wifi router - config for minimum open ports

Discussion in 'Broadband' started by Peter, Dec 15, 2003.

  1. Peter

    Peter Guest

    I am about to get one of these (ethernet - ethernet/wifi product).

    While it may seem bizarre to post this question before having it... it
    will have to be configured for a fairly strict access list. The
    following access list comes from a Cisco 803 router which works fine
    in that application (www, email, ftp, sntp ONLY).

    Is there an equivalent config for the Linksys?

    When I bought the 803, the handbook contained basically a wide-open
    ACL and this causes problems with today's constant Blaster etc
    attacks. This is for a friend and I can't guarantee that every PC on
    the wifi network will have the latest O/S patches...

    outgoing:

    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any any eq domain
    access-list 100 permit tcp any any eq nntp
    access-list 100 permit tcp any any eq pop3
    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any any eq ftp-data
    access-list 100 permit tcp any eq ftp-data any
    access-list 100 permit tcp any any established

    incoming:
    access-list 150 permit tcp any any established
    access-list 150 permit udp host 195.8.69.7 eq ntp any
    access-list 150 deny tcp any any eq ftp-data
    access-list 150 permit tcp any eq ftp-data any
    access-list 150 deny icmp any any echo
    access-list 150 permit icmp any any
    access-list 150 permit tcp any any eq ident
    access-list 150 permit tcp any any eq smtp
    access-list 150 permit udp any eq domain any
    access-list 150 deny ip any any

    Peter.
     
    Peter, Dec 15, 2003
    #1

  2. Peter

    News Account Guest

    The Linksys won't have IOS but if you get one of the Wi-fi routers, it will
    most likely have some type of firewall software. You should go to the
    Linksys site to see if the manual is available for the model you are
    interested in.

    Don Woodward
     
    News Account, Dec 15, 2003
    #2

  3. Peter

    Kirk Goins Guest

    I have a Linksys WRT54G at firmware 1.30.7 and it supports port
    forwarding and filters based on "THE" outside IP of the router. You can
    forward inbound ports to separate inside IPs. The filters can be used to
    block/allow outbound traffic.
     
    Kirk Goins, Dec 15, 2003
    #3
  4. Peter

    Peter Guest

    Is there a cross-reference somewhere so I can translate a Cisco IOS
    access list to the Linksys equivalent ?


    Peter.
     
    Peter, Dec 15, 2003
    #4
  5. :Is there a cross-reference somewhere so I can translate a Cisco IOS
    :access list to the Linksys equivalent ?

    You are assuming that the Linksys has a CLI. The device you are
    trying to configure for has a GUI instead. There are known hacks for
    that model that allow you to get down to a shell prompt (that particular
    model runs Linux internally, but most Linksys devices do not),
    but the hacks take a bit of effort.

    What I gather from what I've read is that Linksys devices block
    new incoming connections by default, and that there is a menu to allow
    you to configure exceptions. If it works similarly to the Netgear
    model I'm accustomed to, it's a pretty simple matter of configuring
    an outside port number, an inside IP address, and an inside port number.
    [I don't know if you can even control whether it is tcp or udp.] The
    conversion would thus be (in PIX notation, not IOS, sorry)

    static (inside, outside) tcp interface OUTSIDEPORT INSIDEIP INSIDEPORT netmask 255.255.255.255
    access-list out2in permit tcp any interface eq OUTSIDEPORT

    would become the table entry

    tcp OUTSIDEPORT INSIDEIP INSIDEPORT

    with there being no equivalent to using any destination other than
    'interface' (the outside IP address). My Netgear (from a couple of
    generations ago) had no equivalent in that table to using anything
    other than 'any' as the source.

    I know my old Netgear has a filter page, but I never had reason to use it.
    For you, the only reason to use the Linksys equivalent would be for
    enforcing your rule "permit udp host 195.8.69.7 eq ntp any" to ensure
    that only 195.8.69.7 could ntp in.
     
    Walter Roberson, Dec 15, 2003
    #5
  6. Peter

    Kirk Goins Guest

    There's no CLI if you will for the Linksys... If you have "EVER" done
    anything with "ANY" router then the Browser based interface will be no
    problems... Point and Click. If Cisco stuff was that easy...
     
    Kirk Goins, Dec 15, 2003
    #6
  7. Walter Roberson, Dec 15, 2003
    #7
  8. Peter

    MyndPhlyp Guest

    I'll save you a bit of time and trouble since I already tried something
    similar.

    For my home network, I wanted to set up the Linksys (BEFSX41) to block all
    unsolicited inbound and block all outbound except certain ports (HTTP, SMTP,
    POP3, DNS, etc.). The short story is that doing so using Filters causes
    things such as FTP to no longer function correctly. Filters take precedence
    over everything including NAT. If the protocol does not switch ports after
    the initial connection, life is good.

    The best you can hope for is to enable the Block WAN Requests to keep out
    all the unsolicited traffic and build in a few (no more than 20) port
    filters to block some of the LAN noise (137-139, etc) from getting out. It's
    a far cry from "deny everything except."
     
    MyndPhlyp, Dec 15, 2003
    #8
  9. On Mon, 15 Dec 2003 19:38:01 +0000, Peter spoketh

    There's no such thing. These Linksys devices are very simplistic.
    Basically, nothing is allowed inbound unless specifically allowed
    (good), and everything is allowed outbound unless specifically blocked
    (bad). It is very limited how many ports you can open for inbound
    access, and equally limited how many port (ranges) you can block for
    outbound access.


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
     
    Lars M. Hansen, Dec 15, 2003
    #9
