
Thread: strange firewall behavior

  1. #1

    Question strange firewall behavior

    hello all
    I've updated my 500w with Oleg's firmware (1.9.2.7-10) and yes, it's really different; however, I still don't quite understand the firewall's behaviour. No matter what I do with the basic "SPI firewall" or the "WAN to LAN" filter, or both, it seems I still can't make it work as expected.

    I would like to simply drop any incoming traffic except traffic to ports 20, 21, 22 and 80. I am behind NAT, so there is a kind of natural firewall in place, but I am curious whether it is even possible to properly set up a real firewall on this router.

    Situation 1:
    When I enable only the basic firewall, all ports except 21 and 8080 are filtered. I would be happy with this if I could somehow manage to add port 22 as well.

    Situation 2:
    When I enable only "WAN to LAN" filtering, it won't really filter any ports. It's just not working at all. The default policy is set to DROP.

    Situation 3:
    Both enabled in combination. The basic firewall has precedence and all ports are closed again (so again, I can't use 22).

    Please advise how to filter incoming traffic except for 20, 21, 22 and 80.
    Thank you in advance!
    Last edited by seeya; 27-12-2008 at 21:22.

  2. #2
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    OK, before I can help you out, I need to know a few things.

    The firewall page on the web interface is bad; it sometimes works, but usually not (for me, both Oleg's and Asus's firmware didn't work). Don't worry, there is another way to set up the firewall.


    Did you set up your router according to wengi's how-to? (http://wl500g.info/showthread.php?t=10307)
    And... did you return the router to factory defaults after you flashed Oleg's?

    Can you screenshot the firewall pages (basic and WAN & LAN) for me?

    And do the ports 20, 21, 22, 80 need to be sent to a specific device?
    Because if you request something from outside, like a site, it will go through the firewall automatically (not sure how experienced you are).

  3. #3
    Hello,
    First of all, thank you for the link; I'll certainly go through all the posts.
    Well, I did not do a factory defaults reset after flashing to Oleg's. I'll try to re-flash it again and start from scratch. Meanwhile I re-discovered the "post-firewall" thing and found it very useful (I managed to set it up as I wanted), but to be honest I didn't want to learn iptables to set up a usable firewall. Maybe it should work by default, IMHO. I would be happy if there were a convenient way to set it up via the GUI.
    Not sure what you mean by "it will go through the firewall automatically". I would like to have 20, 21, 22, 80 open for FTP, SSH and the admin page (all running on the router, no other devices involved) so I can access it from outside (work or so).
    Please check the screenshots and let me know if they make any sense. Second picture: maybe it would make sense if the destination IP were set to the WAN IP of the router (didn't check it yet). The last picture, no_port_forward.gif, is how it should work even without forwarding to an inside address (not set in virtual server in the admin GUI). I couldn't find any info with a solid explanation of what is what in "filter setup", so maybe I am completely wrong.
    I was also wondering whether it is possible to define the HTTP port for the admin GUI at the Linux level (?), whatever.
    Thank you
    Attached Images
    Last edited by seeya; 31-12-2008 at 00:10.

  4. #4
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    http://wpte.kicks-ass.net/forum/view...hp?thread_id=7

    And I guess you already found the way... but what you want to do is very possible on the web interface; you just have some little set-up mistakes.
    What you're trying to do is indeed port forwarding (virtual server).

    On the firewall WAN to LAN filter, you have set "port forwarding default policy" to DROP, so everything you port forward will be dropped.
    You can delete all those rules from the firewall filter; you just need port forwarding set up correctly.

    Now, your virtual server list looks pretty normal. Port range seems to confuse you a bit, but it is just the same thing as local port.
    For example, if you connect from the WAN to FTP, you will connect to port 21, which will lead to port 21 inside your network.
    Now you have a rule there to accept all ports entirely to be port forwarded to telnet... that can cause some problems, because every port will lead to telnet that way.

    Anyway, for SSH you need a post-firewall script; it can't be done via the virtual server for some reason.
    #!/bin/sh
    # The original post shows "-i" without an interface name (and "ip#tables"
    # for iptables, a forum artefact). The WAN interface is taken from $1 here;
    # whether the firmware passes it that way is an assumption, so set it by
    # hand if it does not (e.g. WAN_IF=eth1).
    WAN_IF="$1"
    # Remove the trailing DROP so the new ACCEPT is not appended behind it.
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # As posted: rewrite the destination port of WAN traffic to 22 into 200.
    # Note that after this DNAT the packet reaches INPUT with dport 200, so the
    # ACCEPT above has to match that port if this line is kept.
    iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 22 -j DNAT --to-destination :200
    # Put the catch-all DROP back at the end.
    iptables -A INPUT -j DROP
    I wouldn't recommend port forwarding telnet, since it won't send your password and user name over a secure connection.

    FTP: if you use the built-in FTP server, you can set the server for LAN & WAN, which will automatically lead to it being port forwarded.
    BTW... you only need port 21, and connect with an active connection from the WAN instead of passive.

    And the website is done nicely.

    I hope I helped you out a bit.
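The thread above ends with a delete-and-re-append trick against the firmware's own INPUT chain. The script below is an added example, not code from either poster or from Oleg's firmware: it implements what the original question asked for (drop everything arriving on the WAN side except a handful of TCP ports) in a private chain, so it does not depend on the order of the firmware's rules and can be run repeatedly. It assumes the WAN interface name is given as the first argument (whether the firmware hands post-firewall that argument is an assumption; hard-code the name if not), that the chain name WANIN is unused, and that the `state` match is available, which it is on these builds. It prints the iptables commands rather than running them, so the rule set can be reviewed first (`sh fw-rules.sh eth1`) and then applied (`sh fw-rules.sh eth1 | sh`).

```shell
#!/bin/sh
# Added example for the thread above (not the original poster's script).
# Assumptions: the WAN interface is passed as $1, the chain name WANIN is
# free, and the firmware's own INPUT rules may stay in place below our jump.

# gen_rules WAN_IF [PORT ...]: print the iptables commands instead of running
# them, so the rule set can be reviewed and tested without touching the
# live firewall. Default ports: 21 (ftp control), 22 (ssh), 80 (admin page).
# Port 20 is the *source* port of active-mode FTP data connections, not a
# listening port, so nothing needs to be opened inbound for it.
gen_rules() {
    wan_if=$1
    shift
    ports=${*:-21 22 80}

    # A private chain keeps this policy separate from the firmware's rules
    # and makes the script idempotent: create if missing, then flush.
    echo "iptables -N WANIN 2>/dev/null"
    echo "iptables -F WANIN"
    # Remove any previous jump, then insert ours at position 1 so it is
    # evaluated before the firmware's INPUT rules. Only packets arriving on
    # the WAN interface are affected; LAN traffic never enters WANIN.
    echo "iptables -D INPUT -i $wan_if -j WANIN 2>/dev/null"
    echo "iptables -I INPUT 1 -i $wan_if -j WANIN"
    # Replies to connections the router opened itself, and RELATED traffic
    # such as ICMP errors, must still get in or outbound breaks.
    echo "iptables -A WANIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One explicit ACCEPT per published service, new connections only.
    for p in $ports; do
        echo "iptables -A WANIN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Everything else from the WAN side is dropped, whatever the GUI says.
    echo "iptables -A WANIN -j DROP"
}

# count_accepts WAN_IF [PORT ...]: number of per-port ACCEPT rules produced,
# a quick sanity check that the port list was parsed as intended.
count_accepts() {
    gen_rules "$@" | grep -c -- '--dport'
}

# When invoked with an interface name, print the rule set for it.
if [ -n "${1:-}" ]; then
    gen_rules "$@"
fi
```

Two caveats worth knowing before relying on this. Passive-mode FTP data connections only pass the ESTABLISHED,RELATED rule if the kernel's FTP connection-tracking helper is loaded; otherwise stick to active mode from the WAN, as the reply above suggests, or open the server's passive port range explicitly. And because the jump sits at position 1 of INPUT, any service the GUI "opens" on the WAN side is still closed unless its port is in the list passed to this script, which is exactly the behaviour the question asked for.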

