Can Linksys broadband/wifi routers run inbound/outbound access lists?

Discussion in 'Cisco' started by Peter, Dec 5, 2003.

  1. Peter

    Peter Guest

    My GF is getting one of these soon. I've had lots of problems with
    getting probed from what looks like infected external machines, but
    I've got a Cisco 803 on which you can set this up...

    I think a decent router is the only way forward these days...


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 5, 2003
    #1

  2. In article <>,
    Peter <> wrote:
    :My GF is getting one of these soon. I've had lots of problems with
    :getting probed from what looks like infected external machines, but
    :I've got a Cisco 803 on which you can set this up...

    Linksys has a lot of different models. I don't know if any of them
    has what you would recognize as access lists. I see a review for
    the WAPG54G that indicates you can configure what outbound users
    can connect to. I see indications that on the WAP54G you can
    filter based upon MAC address (up to 20).


    Hmmm, a number of the Amazon reviews for the WAP54G are pretty harsh.
    I know though, that a number of people think that BEFSR41 is pretty
    good, and the V equivalent is said to be quite good as long as
    you stick to release 3 instead of release 4. So it appears that
    experiences differ a lot based upon model and version.
    --
    Reviewers should be required to produce a certain number of
    negative reviews - like police given quotas for handing out
    speeding tickets. -- The Audio Anarchist
     
    Walter Roberson, Dec 5, 2003
    #2

  3. > My GF is getting one of these soon. I've had lots of problems with
    > getting probed from what looks like infected external machines, but
    > I've got a Cisco 803 on which you can set this up...


    Well, all of the Linksys models stop all unsolicited inbound traffic on the
    "WAN" port unless explicitly permitted (since it is really a Network Address
    Translation (NAT) box, not a 'router'), so that should stop the probing at
    the door. Using access-lists is moot, since the default is to deny
    everyone. Compare this to IOS routing, where packets are allowed in unless
    explicitly denied. Note that IOS NAT also denies all inbound packets unless
    it matches an outbound stream or is explicitly permitted.

    You can restrict wireless access by MAC address and WEP keys.
     
    Phillip Remaker, Dec 5, 2003
    #3
  4. Peter

    doobr1e Guest

    > Hmmm, a number of the Amazon reviews for the WAP54G are pretty harsh.
    > I know though, that a number of people think that BEFSR41 is pretty
    > good, and the V equivalent is said to be quite good as long as
    > you stick to release 3 instead of release 4. So it appears that
    > experiences differ a lot based upon model and version.


    I replaced my D-Link DI-604 with a Linksys wireless WRT54G - using it
    with Telewest Blueyonder and so far it's been great, thought I had a drop
    out problem on one of the network ports but it seems it was the network
    cable.

    Covers the area I need (it's upstairs front of house and signal fine
    downstairs back of house) and works flawlessly so far after a few weeks'
    use.
     
    doobr1e, Dec 5, 2003
    #4
  5. Peter

    Peter Guest

    "Phillip Remaker" <> wrote

    >> My GF is getting one of these soon. I've had lots of problems with
    >> getting probed from what looks like infected external machines, but
    >> I've got a Cisco 803 on which you can set this up...

    >
    >Well, all of the Linksys models stop all unsolicited inbound traffic on the
    >"WAN" port unless explicitly permitted (since it is really a Network Address
    >Translation (NAT) box, not a 'router'), so that should stop the probing at
    >the door. Using access-lists is moot, since the default is to deny
    >everyone. Compare this to IOS routing, where packets are allowed in unless
    >explicitly denied. Note that IOS NAT also denies all inbound packets unless
    >it matches an outbound stream or is explicitly permitted.


    I don't understand the last 2 lines above, unless you assume that the
    access list starts with a simple 'permit any any' line; then you have
    to start restricting things...

    The reason I posted the Linksys question is because over the last week
    or two I have spent many hours, very well assisted by another man from
    around here, setting up the following 803 access list

    outbound:
    >access-list 100 permit tcp any any eq www
    >access-list 100 permit udp any any eq domain
    >access-list 100 permit tcp any any eq domain
    >access-list 100 permit tcp any any eq nntp
    >access-list 100 permit tcp any any eq pop3
    >access-list 100 permit tcp any any eq ftp
    >access-list 100 permit tcp any any eq ftp-data
    >access-list 100 permit tcp any eq ftp-data any
    >access-list 100 permit tcp any any established


    inbound:
    >access-list 150 permit tcp any any established
    >access-list 150 deny tcp any any eq ftp-data
    >access-list 150 permit tcp any eq ftp-data any
    >access-list 150 deny icmp any any echo
    >access-list 150 permit icmp any any
    >access-list 150 permit tcp any any eq ident
    >access-list 150 permit tcp any any eq smtp
    >access-list 150 permit udp any eq domain any
    >access-list 150 deny ip any any


    just so that the router works for the normal internet stuff (http,
    pop3 email, ftp) while numerous Blaster (and possibly other) inbound
    traffic does not keep the line up for long enough to stretch my normal
    20hr/mo online time to beyond 250hrs/mo and get me kicked off the
    flat-rate ISP !!

    I am getting a Blaster attack every minute at least, from different
    people.

    Until a few months ago, I was able to use

    >access-list 100 deny udp any any eq netbios-ns
    >access-list 100 deny udp any any eq netbios-dgm
    >access-list 100 deny udp any any eq netbios-ss
    >access-list 100 deny udp host 0.0.0.0 eq 135 any
    >access-list 100 permit ip any any


    (straight out of the Cisco 800 handbook) and that worked for the
    previous 3 years without a single problem.

    Times are changing...

    Is the above sort of thing possible on the Linksys 54G wifi broadband
    router, or would people rely on the fact that with broadband nobody
    cares (or notices) what gets retransmitted following the receipt of a
    Blaster packet?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 6, 2003
    #5
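The access lists Peter quotes in the post above are numbered IOS extended ACLs, which are evaluated top to bottom, first match wins, with an implicit "deny" after the last line. The following is an added example, not code from the thread or from Cisco: a small parser and first-match evaluator that covers only the syntax those lists use (any / host A / A WILDCARD, "eq <port>", and the "established" and "echo" qualifiers) and runs the inbound list 150 and outbound list 100 over constructed sample packets (documentation address ranges, made-up port numbers). The port-keyword table holds the standard IANA numbers for the names in the thread.

```python
# Added example (not from the thread): toy first-match evaluator for the
# numbered IOS extended access lists Peter posted. Only the syntax those lists
# use is modelled: any / host A / A WILDCARD, "eq <port>", "established", "echo".
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the thread (standard IANA numbers).
PORT_NAMES = {"www": 80, "domain": 53, "nntp": 119, "pop3": 110, "ftp": 21,
              "ftp-data": 20, "ident": 113, "smtp": 25,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# Lists as quoted in the thread; the leading '>' is the Usenet quote marker.
OUTBOUND_ACL = """
>access-list 100 permit tcp any any eq www
>access-list 100 permit udp any any eq domain
>access-list 100 permit tcp any any eq domain
>access-list 100 permit tcp any any eq nntp
>access-list 100 permit tcp any any eq pop3
>access-list 100 permit tcp any any eq ftp
>access-list 100 permit tcp any any eq ftp-data
>access-list 100 permit tcp any eq ftp-data any
>access-list 100 permit tcp any any established
"""
INBOUND_ACL = """
>access-list 150 permit tcp any any established
>access-list 150 deny tcp any any eq ftp-data
>access-list 150 permit tcp any eq ftp-data any
>access-list 150 deny icmp any any echo
>access-list 150 permit icmp any any
>access-list 150 permit tcp any any eq ident
>access-list 150 permit tcp any any eq smtp
>access-list 150 permit udp any eq domain any
>access-list 150 deny ip any any
"""

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False         # TCP ACK or RST bit set: what "established" tests
    icmp_type: Optional[str] = None  # e.g. "echo" or "echo-reply"

@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    qualifier: Optional[str]         # "established", "echo", ... or None

def _parse_addr(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "A WILDCARD": ipaddress accepts a host (wildcard) mask after the slash
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acls(text):
    """Return {acl_number: [Entry, ...]} in the order the lines were given."""
    acls = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        if not line.startswith("access-list"):
            continue
        tok = line.split()
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        qualifier = tok[i] if i < len(tok) else None
        acls.setdefault(number, []).append(
            Entry(action, proto, src, sport, dst, dport, qualifier))
    return acls

def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.qualifier == "established" and not p.ack_or_rst:
        return False
    if e.qualifier == "echo" and p.icmp_type != "echo":
        return False
    return True

def evaluate(entries, pkt):
    """First matching line wins; running off the end denies (the IOS implicit deny)."""
    for n, e in enumerate(entries, 1):
        if _matches(e, pkt):
            return e.action, n
    return "deny", None

if __name__ == "__main__":
    acl150 = parse_acls(INBOUND_ACL)[150]
    # Constructed WAN-side traffic; 198.51.100.2 stands in for the router's outside address.
    samples = {
        "unsolicited SYN to tcp/135": Packet("tcp", "203.0.113.9", "198.51.100.2", 3211, 135),
        "reply from a web server":    Packet("tcp", "192.0.2.80", "198.51.100.2", 80, 3212, ack_or_rst=True),
        "inbound ping":               Packet("icmp", "203.0.113.9", "198.51.100.2", icmp_type="echo"),
    }
    for name, p in samples.items():
        print(f"{name}: {evaluate(acl150, p)}")
```

Two things worth noting from running it: the probe to tcp/135 is only caught by the final "deny ip any any" (line 9), and the outbound list 100, which has no such line, still drops anything it does not list, because the implicit deny applies to every IOS ACL.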
  6. In article <1070646350.91342@sj-nntpcache-5>,
    Phillip Remaker <> wrote:
    :Well, all of the Linksys models stop all unsolicited inbound traffic on the
    :"WAN" port unless explicitly permitted (since it is really a Network Address
    :Translation (NAT) box, not a 'router'), so that should stop the probing at
    :the door.

    And how do they do that for UDP? How can they tell whether the traffic
    is "unsolicited" ?

    Linksys has an extensive model line, and not all of the models use
    any kind of stateful inspection.
    --
    Suppose there was a test you could take that would report whether
    you had Free Will or were Pre-Destined. Would you take the test?
     
    Walter Roberson, Dec 6, 2003
    #6
  7. Peter

    Rik Bain Guest

    On Sat, 06 Dec 2003 11:59:21 -0600, Walter Roberson wrote:

    > In article <1070646350.91342@sj-nntpcache-5>, Phillip Remaker
    > <> wrote: :Well, all of the Linksys models stop all
    > unsolicited inbound traffic on the :"WAN" port unless explicitly
    > permitted (since it is really a Network Address :Translation (NAT) box,
    > not a 'router'), so that should stop the probing at :the door.
    >
    > And how do they do that for UDP? How can they tell whether the traffic
    > is "unsolicited" ?
    >
    > Linksys has an extensive model line, and not all of the models use any
    > kind of stateful inspection.


    It builds a translation for the outbound UDP stream, and subsequent
    packets are permitted in.

    If I were to send a UDP datagram to one of these devices, and it does not
    have a translation for that particular port to an internal host, the
    packet will be dropped.
     
    Rik Bain, Dec 6, 2003
    #7
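Phillip Remaker's post (#3) and Rik Bain's reply above both describe the same mechanism: a NAT box lets an inbound datagram through only if an earlier outbound datagram created a translation for that port, and drops it otherwise. The following is an added example, not code from the thread or from any Linksys product: a toy NAT/PAT translation table that creates an entry on outbound UDP and consults it on inbound. The public port pool, the idle timeout, and the rule that the inbound sender must be the peer the inside host talked to are assumptions chosen for illustration, and actual behaviour differs between models, as Walter Roberson points out.

```python
# Added example (not from the thread): toy NAT/PAT table for UDP, showing how
# "solicited" is decided. Port pool, timeout and peer check are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Translation:
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int
    expires: float            # absolute time after which the entry is dead

class NatBox:
    def __init__(self, public_ip, timeout=60.0, first_port=40000):
        self.public_ip = public_ip
        self.timeout = timeout          # assumption: idle timeout for UDP entries
        self.next_port = first_port     # assumption: simple sequential port pool
        self.by_inside = {}             # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.by_public = {}             # public port -> Translation

    def outbound(self, d, now):
        """Inside host sends: create or refresh a translation, return the datagram as seen on the WAN."""
        key = (d.src, d.sport, d.dst, d.dport)
        port = self.by_inside.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_inside[key] = port
        self.by_public[port] = Translation(d.src, d.sport, d.dst, d.dport, now + self.timeout)
        return Datagram(self.public_ip, port, d.dst, d.dport)

    def inbound(self, d, now):
        """WAN side sends: deliver only if a live translation matches; otherwise drop (None)."""
        if d.dst != self.public_ip:
            return None
        t = self.by_public.get(d.dport)
        if t is None:
            return None                 # no translation at all: unsolicited, dropped
        if now > t.expires:
            del self.by_public[d.dport]  # stale entry: treat like no translation
            del self.by_inside[(t.inside_ip, t.inside_port, t.remote_ip, t.remote_port)]
            return None
        if (d.src, d.sport) != (t.remote_ip, t.remote_port):
            return None                 # assumption: a different peer may not reuse the hole
        return Datagram(d.src, d.sport, t.inside_ip, t.inside_port)

if __name__ == "__main__":
    # Constructed traffic: an inside host does a DNS lookup, then the WAN side sees various packets.
    nat = NatBox("198.51.100.2")
    print("outbound ->", nat.outbound(Datagram("192.168.1.10", 5000, "192.0.2.53", 53), now=0))
    print("dns reply ->", nat.inbound(Datagram("192.0.2.53", 53, "198.51.100.2", 40000), now=1))
    print("unsolicited ->", nat.inbound(Datagram("203.0.113.9", 1234, "198.51.100.2", 40001), now=1))
    print("after timeout ->", nat.inbound(Datagram("192.0.2.53", 53, "198.51.100.2", 40000), now=100))
```

The DNS reply is delivered back to 192.168.1.10:5000 because the lookup created the entry a second earlier; the datagram to port 40001 has no entry and is dropped; the same reply arriving after the timeout is also dropped. That is the whole basis for the "default deny" Phillip describes, and it only holds for the models that actually keep such a table.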
  8. Peter

    Peter Guest

    Rik Bain <> wrote:

    >> In article <1070646350.91342@sj-nntpcache-5>, Phillip Remaker
    >> <> wrote: :Well, all of the Linksys models stop all
    >> unsolicited inbound traffic on the :"WAN" port unless explicitly
    >> permitted (since it is really a Network Address :Translation (NAT) box,
    >> not a 'router'), so that should stop the probing at :the door.
    >>
    >> And how do they do that for UDP? How can they tell whether the traffic
    >> is "unsolicited" ?
    >>
    >> Linksys has an extensive model line, and not all of the models use any
    >> kind of stateful inspection.

    >
    >It builds a translation for the outbound UDP stream, and subsequent
    >packets are permitted in.
    >
    >If I were to send a UDP datagram to one of these devices, and it does not
    >have a translation for that particular port to an internal host, the
    >packet will be dropped.


    The one I was thinking of was WRT54G-UK, details at


    http://uk.insight.com/apps/productpresentation/index.php?product_id=LNKNA03D8S

    This one is going to be getting Blaster attacks all day long... but it
    needs to work for www, email, ftp, and also yahoo and hotmail
    messenger.

    Re the messenger, the yahoo one can be configured to use http only and
    the msn one can too I think... The file transfer in both of these
    stops working (even through a wide-open Cisco router) but that's OK.


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 9, 2003
    #8
