What are basic firewall settings for home router / gateway?


This topic contains 11 replies, has 0 voices, and was last updated by  knitatoms 8 years, 8 months ago.

  • #42240

    knitatoms
    Member

    Sorry if this is covered elsewhere but I’ve hunted through the docs and forum and can’t find a clear description of what I need for a simple newbie setup.

    As I understand it the default Zeroshell firewall means the network is wide open.

    I have ppp0 connected to my DSL modem via ETH01. ppp0 is set to do NAT.

    I then have BRIDGE00 of ETH00 (lan) and ETH02 (wireless) to serve the home network. BRIDGE00 has IP of 192.168.1.254 which is the default gateway for the LAN.

    I want a basic firewall that blocks all incoming requests and allows all outgoing. Later I will add more specific rules. Can someone post the rules I need to add please?

    Thanks in advance!

    #49752

    ppalias
    Member

    On the firewall page check the drop-down menus. Select the chain you want (INPUT,OUTPUT,FORWARD) and apply the policy (ACCEPT,DROP). Be careful though not to lock yourself outside the ZS. First of all create a rule on the INPUT chain to allow https and ssh from your BRIDGE interface. Then you can do whatever you want on the firewall with no fear of locking yourself outside the box.

    #49753

    knitatoms
    Member

    Thanks again for the quick reply. OK – I’ve done that and am safely not locked out which gave me the freedom to experiment…

    But 1 hour later I still can’t work it out 😳

    I’ve tried a lot of combinations… too many to list.

    Can someone suggest a simple config: i.e. block all incoming traffic. Allow all LAN traffic out.

    Thanks again and sorry for being slow on the uptake – I’m normally quite good at working networking stuff out…

    #49754

    ppalias
    Member

    One rule would be to deny all traffic from ppp0. Another to accept anything from BRIDGE00. Leave FORWARD chain in ACCEPT and open in port forward (known as Virtual Servers) only the traffic you want to come from ppp0 to your intranet (not the reply packets to those initiated from the intranet, but the connections that are initiating from the internet).

    #49755

    knitatoms
    Member

    Thanks again for the reply and for taking the time to walk me through this! I’ve really looked through docs and forum posts… anyhow I now have simple rules as shown below. I have internet access from the LAN and if I scan ports from web based port scanners it says everything is closed. Is this basically secure?!



    I will start a new thread in a minute regarding virtual servers / port forwarding as this is key to what I’m trying to achieve with Zeroshell – namely we have 2 SIP ATAs for VoIP on the LAN. One of my reasons for using Zeroshell is to get improved QoS for these over what my old router could offer.

    Thanks again for your help and I’m planning to write this up clearly as newbie documentation when it’s all working (with due credits)!

    #49756

    ppalias
    Member

    On the INPUT chain verify that it is port 21 (ftp) you want to open and not 22 (ssh).

    #49757

    knitatoms
    Member

    Fixed – thanks!

    #49758

    knitatoms
    Member

    Based on info in this document:

    http://www.zeroshell.net/listing/1_1_NAT_in_ZeroShell.pdf

    I added a couple of rules to the forwarding chain and set default to drop as shown below:

    #49759

    Heathy
    Member

    Hi,

    I’m totally new to ZeroShell and have managed to get myself very confused with the basic firewall configuration.

    I have a very simple setup, i.e. ETH0 is my LAN and ETH01/ppp0 is my PPPoE ADSL connection (with NAT enabled).

    I was using pfSense prior to ZeroShell and with that system the basic/default firewall configuration is very simple with all default rules available to see via the GUI. That system, by default, allows any traffic from the LAN to the Internet and disallows any unsolicited traffic from the Internet to the LAN.

    Now with ZeroShell things don’t seem to be as simple (to me).

    From the reading I have done, I see there are 3 default chains, this is my understanding of them:

    – Input: Traffic ingressing to ZeroShell and terminating there
    – Output: Traffic originating from ZeroShell
    – Forward: Traffic traversing ZeroShell (in either direction)

    The 1st thing that is confusing me is that when looking via the GUI these chains seem to be blank but when I click on view for each of the chains I see that they are not (as follows):

    Chain INPUT (policy ACCEPT 79 packets, 6162 bytes)
    pkts bytes target prot opt in out source destination
    223 22665 SYS_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    144 16503 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0 0 SYS_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

    Chain OUTPUT (policy ACCEPT 13323 packets, 3730K bytes)
    pkts bytes target prot opt in out source destination
    27629 4775K SYS_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy ACCEPT 12090 packets, 6477K bytes)
    pkts bytes target prot opt in out source destination

    Also I want to understand the best-practice configuration to secure my simple setup to protect it from the Internet.

    I can see from the Input chain that http/https/ssh seem to be allowed. I did try adding a rule to block https but it appears at the bottom of the list and has no effect.

    With regard to protecting my equipment on my LAN (rather than ZeroShell itself) what’s the best practice? Do I need to do anything since I’m running NAT, i.e. does that itself protect my LAN from unsolicited attack?

    Many thanks,

    Ian

    #49760

    jimmyz
    Member

    These are the rules I use, taken from one of the contributions on the Document page; note that ETH00 is LAN. Rule 3 I added myself for when I want to let someone ping me from the net; I disable it all the rest of the time.

    Select the "INPUT" chain.

    Rule #1, click "Add" and set the Input to "ETH00", changing nothing else, and click Confirm. This rule will permit all traffic from the ETH00 LAN to anywhere on the box.

    Rule #2, click "Add", and check only "ESTABLISHED" and "RELATED" under "Connection State", then click Confirm. This rule will permit response traffic from established connections to the box to wherever they originated.

    Rule #3, to be de-activated in everyday use: Add Accept input to ppp0 ICMP type 8 New.

    Click "Save" to make the new input rules active.

    Then change INPUT CHAIN DEFAULT policy from "ACCEPT" to "DROP" so the rules actually take effect.

    Then test your config at Shields Up

    article I mentioned here: 1:1 NAT in ZeroShell

    #49761

    Heathy
    Member

    @jimmyz wrote:

    These are the rules I use, taken from one of the contributions on the Document page; note that ETH00 is LAN. Rule 3 I added myself for when I want to let someone ping me from the net; I disable it all the rest of the time.

    Select the "INPUT" chain.

    Rule #1, click "Add" and set the Input to "ETH00", changing nothing else, and click Confirm. This rule will permit all traffic from the ETH00 LAN to anywhere on the box.

    Rule #2, click "Add", and check only "ESTABLISHED" and "RELATED" under "Connection State", then click Confirm. This rule will permit response traffic from established connections to the box to wherever they originated.

    Rule #3, to be de-activated in everyday use: Add Accept input to ppp0 ICMP type 8 New.

    Click "Save" to make the new input rules active.

    Then change INPUT CHAIN DEFAULT policy from "ACCEPT" to "DROP" so the rules actually take effect.

    Then test your config at Shields Up

    article I mentioned here: 1:1 NAT in ZeroShell

    Thanks for your reply, but I’d appreciate further clarification.

    It’s my understanding that these are the usages of the chains:

    – Input: Traffic ingressing to ZeroShell and terminating there
    – Output: Traffic originating from ZeroShell
    – Forward: Traffic traversing ZeroShell (in either direction)

    So how does the Input chain affect LAN to Internet & Internet to LAN traffic (unless web proxy is enabled)?

    Also regarding your rule 1 why is that needed? Since the default Forward configuration is Accept so that’ll allow any LAN traffic to reach the Internet anyway and there is system specific configuration to allow the LAN to reach the web/ssh interfaces of ZS in the Input chain too as here:

    Chain INPUT (policy ACCEPT 79 packets, 6162 bytes)
    pkts bytes target prot opt in out source destination
    223 22665 SYS_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    144 16503 SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0 0 SYS_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

    Thanks

    #49762

    jimmyz
    Member

    Well…if I were an expert or even power user of iptables and the network filtering used in the latest linux kernels I would give you better answers. I think that when you are using NAT it makes a difference.

    From the article I pointed to and my own experimentation, INPUT to ppp0 includes all traffic coming from the internet. This is why default rule of input drop is needed to get a stealth passed result on the shields up test. This interface is also NAT enabled.

    An example of forwarding I know of is where you want to block clients on the lan from communicating to other DNS servers on udp port 53, so you add a rule to drop those matching packets on the forward chain.

    Sorry I cannot give you more definitive answers / references.
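    The INPUT rules jimmyz lists above, together with the INPUT-versus-FORWARD question Heathy raises, written out as the equivalent iptables commands. This is an added example, not configuration from the thread or from Zeroshell itself; it assumes the thread's interface names (ETH00 for the LAN, ppp0 for the internet side doing NAT) and runs as a dry run that only prints the commands unless IPT is set to iptables.

```shell
#!/bin/sh
# Added example: iptables equivalent of the INPUT rules from the thread plus
# a stateful FORWARD chain. Interface names follow the thread (assumption).
# IPT defaults to "echo" (dry run); run with IPT=iptables as root to apply.
IPT="${IPT:-echo}"
LAN="${LAN:-ETH00}"
WAN="${WAN:-ppp0}"

build_rules() {
    # Lock-out protection (ppalias's advice): allow the LAN and the state
    # rule BEFORE switching the INPUT policy to DROP.
    $IPT -A INPUT -i "$LAN" -j ACCEPT                                   # rule 1
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # rule 2
    $IPT -A INPUT -i lo -j ACCEPT
    # Rule 3 from the thread: answer ping from the internet only while testing.
    if [ "${ALLOW_PING:-0}" = 1 ]; then
        $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request \
            -m conntrack --ctstate NEW -j ACCEPT
    fi
    # With NAT, an unsolicited packet from the internet is addressed to the
    # router's own public IP, so it is delivered locally and hits INPUT, not
    # FORWARD. That is why INPUT policy DROP gives a "stealth" Shields Up result.
    $IPT -P INPUT DROP

    # FORWARD only sees packets routed through the box: LAN -> internet, the
    # replies to those, and internet packets a Virtual Server (DNAT) rule has
    # already rewritten to a LAN host. Stateful rules plus DROP policy here
    # (my assumed defaults, not rules from the thread) keep the LAN closed.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -P FORWARD DROP

    # "ppp0 is set to do NAT": masquerade LAN traffic leaving on the WAN side.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

build_rules
```

    In Zeroshell the SYS_INPUT/SYS_HTTPS/SYS_SSH chains shown earlier in the thread already sit at the top of INPUT, so these rules land after them, which is fine for this policy.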

    #49763

    Heathy
    Member

    @jimmyz wrote:

    Well…if I were an expert or even power user of iptables and the network filtering used in the latest linux kernels I would give you better answers. I think that when you are using NAT it makes a difference.

    From the article I pointed to and my own experimentation, INPUT to ppp0 includes all traffic coming from the internet. This is why default rule of input drop is needed to get a stealth passed result on the shields up test. This interface is also NAT enabled.

    An example of forwarding I know of is where you want to block clients on the lan from communicating to other DNS servers on udp port 53, so you add a rule to drop those matching packets on the forward chain.

    Sorry I cannot give you more definitive answers / references.

    Hi, you certainly don’t need to apologise for your comments, I appreciate your thoughts/dialogue.

    I’ve been testing with ShieldsUp too and it seems from the basic testing that I’ve done that the Input chain does indeed affect more than just traffic originating from anywhere (LAN/Internet) and terminating on ZS itself, so it looks like my understanding is flawed 😳

    I think I need to do some Googling on IP Chains etc and do some more testing. If/when I come to any conclusions I’ll repost.

    Thanks for your thoughts, again.
