
View full version : strange firewall behavior



seeya
27-12-2008, 20:19
Hello all,
I've updated my 500W with Oleg's firmware (1.9.2.7-10) and yeah, it's really different; however, I still don't quite understand the firewall's behavior. No matter what I do with the basic "SPI firewall" or the "WAN to LAN" filter or both, it seems I still can't make it work as expected.

I would like to simply drop any incoming traffic besides traffic coming to ports 20, 21, 22, 80. I am behind NAT, so there is a kind of natural firewall in place, but I am curious if it is even possible to properly set up a real firewall on this router.

Situation 1:
When I enable only the basic firewall, all ports besides 21 and 8080 are filtered. I would be happy with this if I could somehow manage to also add port 22.

Situation 2:
When I enable only "WAN to LAN" filtering, it won't really filter any ports. It's just not working at all. Default policy is set to DROP.

Situation 3:
Combination of both enabled. Basic firewall has precedence and all ports are closed again (so again, I can't use 22).

Please advise how to filter incoming traffic except 20, 21, 22, 80.
Thank you in advance!

wpte
28-12-2008, 19:39
OK, before I can help you out, I need to know a few things :p

The firewall page on the web interface is bad; it sometimes works, but usually not (for me both Oleg's and Asus' firewall didn't work). Don't worry, there is another way to set up the firewall ;)


Did you set up your router according to wengi's how-to? (http://wl500g.info/showthread.php?t=10307)
And... did you reset the router to factory defaults after you flashed Oleg's?

Can you screenshot the firewall pages (basic and WAN & LAN page) for me? :D

And do the ports 20, 21, 22, 80 need to be sent to a specific device?
Since if you request something from outside, like a site, it will go through the firewall automatically :p (not sure how experienced you are)

seeya
30-12-2008, 23:05
Hello,
First of all, thank you for the link; I'll certainly go through all the posts.
Well, I did not do a factory defaults reset after flashing to Oleg's. I'll try to re-flash it again and start from scratch. Meanwhile I re-discovered the "post-firewall" thing and found it very useful (I managed to set it up as I wanted), but to be honest I didn't want to learn iptables to set up a usable firewall. Maybe it should work by default, IMHO. :rolleyes: I would be happy if there were a convenient way to set it up via the GUI.
Not sure what you mean by "it will go through the firewall automatically". I would like to have 20, 21, 22, 80 opened for FTP, SSH and the admin page (all running on the router, no other devices involved) so I can access it from outside (work or so...).
Please check the screenshots and let me know if it makes any sense. Second picture: maybe it would make sense if the destination IP was set as the WAN IP of the router (didn't check it yet). The last picture, no_port_forward.gif, is how it should work even without forwarding to an inside address (not set in virtual server in the admin GUI). I couldn't find any info with a solid explanation of what is what in "filter setup", so maybe I am completely wrong :confused:
Also I was wondering if it is possible to define the HTTP port for the admin GUI on the Linux level (?), whatever.
Thank you

wpte
31-12-2008, 11:29
http://wpte.kicks-ass.net/forum/viewthread.php?thread_id=7 :)

And I guess you already found the way... but what you want to do is very possible on the web interface; you just have some little setup mistakes :)
What you're trying to do is indeed port forwarding (virtual server).

On the firewall WAN to LAN filter, you have set "port forwarding default policy" to DROP, so everything you port forward will be dropped :p
You can delete all those rules from the firewall filter; you just need port forwarding set up correctly ;)

Now your virtual server list looks pretty normal. Port range seems to confuse you a bit, but it is just the same thing as local port.
Like if you connect from WAN to FTP, you will connect to port 21, which will lead to port 21 inside your network.
Now you have the rule there to accept all ports entirely to be port forwarded to telnet... that can cause some problems, because every port will lead to telnet that way :p

Anyway, for SSH you need a post-firewall script; it can't be done via the virtual server for some reason.

#!/bin/sh
# post-firewall script: the forum rendered "iptables" as "ip#tables" in the post, corrected here
# Remove the chain's final catch-all DROP so the new ACCEPT rule can be appended before it
iptables -D INPUT -j DROP
# Let new SSH connections reach the router itself
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Redirect inbound port 22 to port 200 (the interface name after -i is missing in the post as quoted; the WAN interface belongs there)
iptables -t nat -A PREROUTING -i -p tcp --dport 22 -j DNAT --to-destination :200
# Restore the catch-all DROP at the end of the chain
iptables -A INPUT -j DROP


I wouldn't recommend port forwarding telnet, since it won't send your password and user name over a secure connection ;)

FTP: if you use the built-in FTP server, you can set the server for LAN & WAN, which will automatically lead to port forwarding it :)
BTW... you only need port 21, and connect with an active connection from the WAN instead of passive ;)

And the website is done nicely :D

I hope I helped you out a bit ;)
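As an added example (not from wpte's post and not Oleg's firmware code), here is a post-firewall script that does what seeya originally asked for: accept TCP 20, 21, 22 and 80 to the router itself and drop everything else arriving on the WAN side, inserting the exceptions ahead of the firmware's own rules instead of deleting and re-adding the final DROP. It assumes the WAN interface name is passed as the first argument and that the `-m state` match is available; `fw_rules` prints the commands so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread: a post-firewall script for the setup
# seeya described (FTP, SSH and the admin page running on the router itself).
# Assumption: the firmware passes the WAN interface name as $1.

ALLOWED_TCP_PORTS="20 21 22 80"

# Print the iptables commands for the given WAN interface instead of running
# them, so the rule set can be reviewed (or checked) without root.
fw_rules() {
    wan_if="$1"
    # Replies to connections the router itself opened must keep flowing.
    echo "iptables -I INPUT 1 -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    pos=2
    for port in $ALLOWED_TCP_PORTS; do
        # One explicit exception per service port, placed ahead of the
        # firmware's own rules (no need to delete and re-add the final DROP).
        echo "iptables -I INPUT $pos -i $wan_if -p tcp --dport $port -m state --state NEW -j ACCEPT"
        pos=$((pos + 1))
    done
    # Anything else arriving from the WAN for the router itself is dropped.
    # The thread's script shows INPUT already ending in a DROP; this one is
    # appended explicitly in case the firmware's chain differs.
    echo "iptables -A INPUT -i $wan_if -j DROP"
}

# Number of service ports the generated rule set accepts (sanity check).
count_accept_rules() {
    fw_rules "$1" | grep -c -- '-p tcp --dport .* -j ACCEPT'
}

# Apply the rules; only meaningful as root on the router.
apply_fw_rules() {
    fw_rules "$1" | sh -e
}

# When run as /usr/local/sbin/post-firewall the WAN interface arrives in $1.
if [ -n "$1" ] && command -v iptables >/dev/null 2>&1; then
    apply_fw_rules "$1"
fi
```

Run it with the WAN interface as the only argument; without an argument it only defines the functions, so `fw_rules eth1` can be used to inspect the generated rules first.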