
Thread: [Firewall] Internet firewall

  1. #1

    Internet firewall

    I have this WL-500g, fw: 1653 (customized). I want to stealth all ports including telnet & http (23, 80), but when I turn on the "internet firewall", I can't connect to the internet.
    I have tried different filter settings but it will not work. I have sent about 20 emails regarding this to Asus support, but no response from Asus. Has anyone got it working?

  2. #2
    I've managed to get my internet firewall working (kind of...)

    The problem is with the WAN->LAN filter. By default it blocks all packets coming from the internet, even if it's a reply to a connection you have made.

    To allow it to work, you should configure the filter. I haven't managed to make it work as stated in the "help", but if you create a rule specifying only the source port (for example, 80), leaving all other fields blank, you can get the replies for the requests you have made.

    Please if you get any more information on how to use the "internet firewall" do share!!!

    Thks,
    Pedro Duque

  3. #3
    Join Date
    Feb 2004
    Location
    Portugal
    Posts
    3
    I have found a way of stealthing all ports and still being able to connect to the internet! But not thanks to the stupid "internet firewall".

    Here is the thing (u must have the customized version of the firmware):
    1 - Deactivate Internet Firewall and Wireless Firewall because they will override this thing.
    2 - Telnet to your router.
    3 - Type the following commands:
    nvram set bootCmd0="/usr/sbin/iptables -A PREROUTING -i eth1 -j DROP -t nat"
    nvram set bootCmd1="/usr/sbin/iptables -A INPUT -p tcp --dport 0:1 -i eth1 -j DROP"
    nvram commit
    4 - Reboot your wl-500g (if still using telnet u can use the "reboot" command)
    5 - Congratulations! You should now have a fully stealthed WAN side!

    If u already have other boot commands in the nvram just use the next numbers.

    For those curious about the second command: the 1st command doesn't stealth ports 0 and 1 (dunno why), so since I don't need those ports for anything I stealthed them using the main table ("filter").

    Hope this works with you!! Works with my wl-500g!

    Post your results please!

  4. #4
    I tried your commands but couldn't get a stealth mode, I just got all my ports closed, except the remote printer one, but nothing stealth (according to the GRC.com test).

    I think the command did not have any impact, because I just cleared them and had the same results...

    btw how do I get the 515 port closed or stealth ?

    thanks,

    Fredo

  5. #5
    Join Date
    Feb 2004
    Location
    Portugal
    Posts
    3
    I'm not sure why it didn't work with u... but u must be sure that "WAN & LAN Filter", "WLAN & WAN Filter" and "WLAN & LAN Filter" are all set to disabled because it overrides the commands.
    I used the tests at grc.com to verify that they were all stealthed.
    Before I disabled all filters it didn't work and the ports were closed and not stealthed.

  6. #6
    Isn't there an easier way to put all ports in stealth mode? My router is replacing a software routing program which was very easy to use. I needed just one selection to put all ports in stealth mode.

    @ KoOlDuDe: After you have stealthed (?) all ports, do you activate the firewall again or do you leave it off?

  7. #7
    Nobody?

  8. #8
    the problem here is that the "firewall" settings on the asus are a PIECE OF CRAP. looking at the script that sets it up, it's noticeable that the asus people have absolutely no idea what they are doing. they don't even use the state module, but even so, it's possible to write a better firewall script. i wanted to do that some time ago but didn't find the time.. maybe when i have some vacations.

    when we have a "community distro/firmware" for the asus, then it will REALLY work properly. damn consumer oriented routers.. at least it's cheap. :P

  9. #9
    Join Date
    Feb 2004
    Location
    Minnesota, USA
    Posts
    25
    It's worse than bad setup scripts. Look at the /usr/local/lib/iptables directory - no state module!

    Oddly enough the stuff that was posted purporting to be the Asus source (as required by the GPL, which Asus is in violation of, as far as I know) has the state module.

    Lack of the state module severely limits the capabilities of the router.
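
Added example (not from any poster in this thread, and not Asus firmware code): a small Python model of why the missing state module matters, comparing the source-port-only rule from post #2 with a filter that tracks connections opened from the inside. The packets and addresses are constructed, and the model matches on the 4-tuple only; real connection tracking also follows TCP state and timeouts.

```python
from collections import namedtuple

# Constructed packets as seen on the WAN interface (documentation address ranges).
Packet = namedtuple("Packet", "direction src sport dst dport")

ROUTER_WAN = "203.0.113.10"  # assumed WAN address, for illustration only


def stateless_sport_filter(pkt, allowed_sports=(80,)):
    """Post #2's workaround: accept inbound packets by source port alone."""
    if pkt.direction == "out":
        return True
    return pkt.sport in allowed_sports


class StatefulFilter:
    """What a state match gives you: inbound is accepted only for flows opened from inside."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet counts as a reply only if it mirrors a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_sport_filter(p), stateful.check(p)) for p in packets]


SAMPLE = [
    Packet("out", ROUTER_WAN, 40000, "198.51.100.5", 80),  # client request after NAT
    Packet("in", "198.51.100.5", 80, ROUTER_WAN, 40000),   # genuine reply to it
    Packet("in", "192.0.2.77", 80, ROUTER_WAN, 515),       # unsolicited, source port 80
    Packet("in", "192.0.2.77", 33333, ROUTER_WAN, 23),     # unsolicited, other source port
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "| source-port rule:", stateless, "| stateful:", stateful)
```

The third packet is the difference: the source-port rule accepts it because it only looks at the port number, while the connection-tracking filter drops it because no inside host opened that flow.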

  10. #10

    It has taken 6 months and with the latest firmware 1.7.5.6 from ASUS, FINALLY, everything but 21, 23 & 80 is stealthed, checked with "shields up" www.grc.com; stealthing the remaining ports, that I can fix with virtual server. And the system log says something useful as well.
