Linksys wifi router - config for minimum open ports

Discussion in 'Cisco' started by Peter, Dec 15, 2003.

  1. Peter

    Peter Guest

    I am about to get one of these (ethernet - ethernet/wifi product).

    While it may seem bizarre to post this question before having it... it
    will have to be configured for a fairly strict access list. The
    following access list comes from a Cisco 803 router which works fine
    in that application (www, email, ftp, sntp ONLY).

    Is there an equivalent config for the Linksys?

    When I bought the 803, the handbook contained basically a wide-open
    ACL and this causes problems with today's constant Blaster etc
    attacks. This is for a friend and I can't guarantee that every PC on
    the wifi network will have the latest O/S patches...

    outgoing:

    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any any eq domain
    access-list 100 permit tcp any any eq nntp
    access-list 100 permit tcp any any eq pop3
    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any any eq ftp-data
    access-list 100 permit tcp any eq ftp-data any
    access-list 100 permit tcp any any established

    incoming:
    access-list 150 permit tcp any any established
    access-list 150 permit udp host 195.8.69.7 eq ntp any
    access-list 150 deny tcp any any eq ftp-data
    access-list 150 permit tcp any eq ftp-data any
    access-list 150 deny icmp any any echo
    access-list 150 permit icmp any any
    access-list 150 permit tcp any any eq ident
    access-list 150 permit tcp any any eq smtp
    access-list 150 permit udp any eq domain any
    access-list 150 deny ip any any

    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
    Peter, Dec 15, 2003
    #1

  2. Peter

    News Account Guest

    The Linksys won't have IOS but if you get one of the Wi-fi routers, it will
    most likely have some type of firewall software. You should go to the
    Linksys site to see if the manual is available for the model you are
    interested in.

    Don Woodward

    "Peter" <> wrote in message
    news:...
    >
    > I am about to get one of these (ethernet - ethernet/wifi product).
    >
    > While it may seem bizarre to post this question before having it... it
    > will have to be configured for a fairly strict access list. The
    > following access list comes from a Cisco 803 router which works fine
    > in that application (www, email, ftp, sntp ONLY).
    >
    > Is there an equivalent config for the Linksys?
    >
    > When I bought the 803, the handbook contained basically a wide-open
    > ACL and this causes problems with today's constant Blaster etc
    > attacks. This is for a friend and I can't guarantee that every PC on
    > the wifi network will have the latest O/S patches...
    >
    > outgoing:
    >
    > access-list 100 permit tcp any any eq www
    > access-list 100 permit udp any any eq domain
    > access-list 100 permit tcp any any eq domain
    > access-list 100 permit tcp any any eq nntp
    > access-list 100 permit tcp any any eq pop3
    > access-list 100 permit tcp any any eq ftp
    > access-list 100 permit tcp any any eq ftp-data
    > access-list 100 permit tcp any eq ftp-data any
    > access-list 100 permit tcp any any established
    >
    > incoming:
    > access-list 150 permit tcp any any established
    > access-list 150 permit udp host 195.8.69.7 eq ntp any
    > access-list 150 deny tcp any any eq ftp-data
    > access-list 150 permit tcp any eq ftp-data any
    > access-list 150 deny icmp any any echo
    > access-list 150 permit icmp any any
    > access-list 150 permit tcp any any eq ident
    > access-list 150 permit tcp any any eq smtp
    > access-list 150 permit udp any eq domain any
    > access-list 150 deny ip any any
    >
    > Peter.
    > --
    > Return address is invalid to help stop junk mail.
    > E-mail replies to but remove the X and the Y.
    > Please do NOT copy usenet posts to email - it is NOT necessary.
    News Account, Dec 15, 2003
    #2

  3. Peter

    Kirk Goins Guest

    I have a Linksys WRT54G at firmware 1.30.7 and it supports port
    forwarding and filters based on "THE" outside IP of the router. You can
    forward inbound ports to separate inside IPs. The filters can be used to
    block/allow outbound traffic.

    Peter wrote:
    > I am about to get one of these (ethernet - ethernet/wifi product).
    >
    > While it may seem bizarre to post this question before having it... it
    > will have to be configured for a fairly strict access list. The
    > following access list comes from a Cisco 803 router which works fine
    > in that application (www, email, ftp, sntp ONLY).
    >
    > Is there an equivalent config for the Linksys?
    >
    > When I bought the 803, the handbook contained basically a wide-open
    > ACL and this causes problems with today's constant Blaster etc
    > attacks. This is for a friend and I can't guarantee that every PC on
    > the wifi network will have the latest O/S patches...
    >
    > outgoing:
    >
    > access-list 100 permit tcp any any eq www
    > access-list 100 permit udp any any eq domain
    > access-list 100 permit tcp any any eq domain
    > access-list 100 permit tcp any any eq nntp
    > access-list 100 permit tcp any any eq pop3
    > access-list 100 permit tcp any any eq ftp
    > access-list 100 permit tcp any any eq ftp-data
    > access-list 100 permit tcp any eq ftp-data any
    > access-list 100 permit tcp any any established
    >
    > incoming:
    > access-list 150 permit tcp any any established
    > access-list 150 permit udp host 195.8.69.7 eq ntp any
    > access-list 150 deny tcp any any eq ftp-data
    > access-list 150 permit tcp any eq ftp-data any
    > access-list 150 deny icmp any any echo
    > access-list 150 permit icmp any any
    > access-list 150 permit tcp any any eq ident
    > access-list 150 permit tcp any any eq smtp
    > access-list 150 permit udp any eq domain any
    > access-list 150 deny ip any any
    >
    > Peter.
    > --
    > Return address is invalid to help stop junk mail.
    > E-mail replies to but remove the X and the Y.
    > Please do NOT copy usenet posts to email - it is NOT necessary.
    Kirk Goins, Dec 15, 2003
    #3
  4. Peter

    Peter Guest

    Kirk Goins <> wrote

    >I have a Linksys WRT54G at firmware 1.30.7 and it supports port
    >forwarding and filters based on "THE" outside IP of the router. You can
    >forward inbound ports to separate inside IPs. The filters can be used to
    >block/allow outbound traffic.


    Is there a cross-reference somewhere so I can translate a Cisco IOS
    access list to the Linksys equivalent ?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
    Peter, Dec 15, 2003
    #4
  5. In article <>,
    Peter <> wrote:
    :Is there a cross-reference somewhere so I can translate a Cisco IOS
    :access list to the Linksys equivalent ?

    You are assuming that the Linksys has a CLI. The device you are
    trying to configure for has a GUI instead. There are known hacks for
    that model that allow you to get down to a shell prompt (that particular
    model runs Linux internally, but most Linksys devices do not),
    but the hacks take a bit of effort.

    What I gather from what I've read is that Linksys devices block
    new incoming connections by default, and that there is a menu to allow
    you to configure exceptions. If it works similarly to the Netgear
    model I'm accustomed to, it's a pretty simple matter of configuring
    an outside port number, an inside IP address, and an inside port number.
    [I don't know if you can even control whether it is tcp or udp.] The
    conversion would thus be (in PIX notation, not IOS, sorry)

    static (inside, outside) tcp interface OUTSIDEPORT INSIDEIP INSIDEPORT netmask 255.255.255.255
    access-list out2in permit tcp any interface eq OUTSIDEPORT

    would become the table entry

    tcp OUTSIDEPORT INSIDEIP INSIDEPORT

    with there being no equivalent to using any destination other than
    'interface' (the outside IP address). My Netgear (from a couple of
    generations ago) had no equivalent in that table to using anything
    other than 'any' as the source.

    I know my old Netgear has a filter page, but I never had reason to use it.
    For you, the only reason to use the Linksys equivalent would be for
    enforcing your rule "permit udp host 195.8.69.7 eq ntp any" to ensure
    that only 195.8.69.7 could ntp in.
    --
    Perposterous!! Where would all the calculators go?!
    Walter Roberson, Dec 15, 2003
    #5
  6. Peter

    Kirk Goins Guest

    There's no CLI, if you will, for the Linksys... If you have "EVER" done
    anything with "ANY" router then the browser-based interface will be no
    problem... Point and click. If Cisco stuff was that easy...

    Peter wrote:
    > Kirk Goins <> wrote
    >
    >
    >>I have a Linksys WRT54G at firmware 1.30.7 and it supports port
    >>forwarding and filters based on "THE" outside IP of the router. You can
    >>forward inbound ports to separate inside IPs. The filters can be used to
    >>block/allow outbound traffic.

    >
    >
    > Is there a cross-reference somewhere so I can translate a Cisco IOS
    > access list to the Linksys equivalent ?
    >
    >
    > Peter.
    > --
    > Return address is invalid to help stop junk mail.
    > E-mail replies to but remove the X and the Y.
    > Please do NOT copy usenet posts to email - it is NOT necessary.
    Kirk Goins, Dec 15, 2003
    #6
  7. Walter Roberson, Dec 15, 2003
    #7
  8. Peter

    MyndPhlyp Guest

    "Peter" <> wrote in message
    news:...
    >
    > I am about to get one of these (ethernet - ethernet/wifi product).
    >
    > While it may seem bizarre to post this question before having it... it
    > will have to be configured for a fairly strict access list. The
    > following access list comes from a Cisco 803 router which works fine
    > in that application (www, email, ftp, sntp ONLY).
    >
    > Is there an equivalent config for the Linksys?


    I'll save you a bit of time and trouble since I already tried something
    similar.

    For my home network, I wanted to set up the Linksys (BEFSX41) to block all
    unsolicited inbound and block all outbound except certain ports (HTTP, SMTP,
    POP3, DNS, etc.). The short story is that doing so using Filters causes
    things such as FTP to no longer function correctly. Filters take precedence
    over everything including NAT. If the protocol does not switch ports after
    the initial connection, life is good.

    The best you can hope for is to enable the Block WAN Requests to keep out
    all the unsolicited traffic and build in a few (no more than 20) port
    filters to block some of the LAN noise (137-139, etc) from getting out. It's
    a far cry from "deny everything except."
    MyndPhlyp, Dec 15, 2003
    #8
  9. On Mon, 15 Dec 2003 19:38:01 +0000, Peter spoketh

    >
    >Kirk Goins <> wrote
    >
    >>I have a Linksys WRT54G at firmware 1.30.7 and it supports port
    >>forwarding and filters based on "THE" outside IP of the router. You can
    >>forward inbound ports to separate inside IPs. The filters can be used to
    >>block/allow outbound traffic.

    >
    >Is there a cross-reference somewhere so I can translate a Cisco IOS
    >access list to the Linksys equivalent ?
    >
    >
    >Peter.



    There's no such thing. These Linksys devices are very simplistic.
    Basically, nothing is allowed inbound unless specifically allowed
    (good), and everything is allowed outbound unless specifically blocked
    (bad). The number of ports you can open for inbound access is very
    limited, and the number of port (ranges) you can block for outbound
    access is equally limited.


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
    Lars M. Hansen, Dec 15, 2003
    #9
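To make the difference the replies describe concrete, here is an added example (not code from Peter or any other poster in this thread) that runs one set of new connections through Peter's two Cisco 803 access lists and through a Linksys-style policy modelled on what Kirk, MyndPhlyp and Lars describe: unsolicited inbound traffic dropped unless the port is forwarded, outbound traffic allowed unless a port filter blocks it. The Linksys model, the forwarded port (WAN tcp/25 to an inside mail host at 192.168.1.20), the blocked outbound ranges (137-139 from MyndPhlyp's post, plus tcp/445 as our own addition), the sample flows and all addresses are constructed for the illustration; the IOS lines are the ones posted above. The `ack` flag on a flow stands for the TCP ACK/RST bit, which is all that the IOS `established` keyword tests. Reply traffic for LAN-initiated sessions, which a NAT router handles from its translation table, is deliberately left out, so only new connections are compared.

```python
# Added example for this thread, not any poster's code: it runs the same new
# connections through the Cisco 803 access lists quoted above and through a
# Linksys-style policy as the replies describe it. Flows and addresses are constructed.
from dataclasses import dataclass

# IOS service names that appear in the posted lists, with their port numbers.
PORTS = {"www": 80, "domain": 53, "nntp": 119, "pop3": 110, "ftp": 21,
         "ftp-data": 20, "ntp": 123, "ident": 113, "smtp": 25}

IOS_ACLS = """
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit tcp any any eq nntp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any established
access-list 150 permit tcp any any established
access-list 150 permit udp host 195.8.69.7 eq ntp any
access-list 150 deny tcp any any eq ftp-data
access-list 150 permit tcp any eq ftp-data any
access-list 150 deny icmp any any echo
access-list 150 permit icmp any any
access-list 150 permit tcp any any eq ident
access-list 150 permit tcp any any eq smtp
access-list 150 permit udp any eq domain any
access-list 150 deny ip any any
"""

@dataclass(frozen=True)
class Flow:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False    # TCP ACK/RST bit set: all that IOS "established" tests
    icmp_type: str = ""  # "echo" for a ping request

def parse_acls(text):
    """Parse 'access-list N permit|deny proto src [eq svc] dst [eq svc] [flag]'."""
    acls = {}
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        i = 4  # tok[0..3] are: access-list, list number, action, protocol
        def addr():
            nonlocal i
            i += 2 if tok[i] == "host" else 1
            return tok[i - 1]          # "any" or the host address
        def port():
            nonlocal i
            if i < len(tok) and tok[i] == "eq":
                i += 2
                return PORTS[tok[i - 1]]
            return None
        src, sport, dst, dport = addr(), port(), addr(), port()
        acls.setdefault(tok[1], []).append(
            (tok[2], tok[3], src, sport, dst, dport, set(tok[i:])))
    return acls

def ios_decision(acl, f):
    """IOS semantics: the first matching entry decides; no match means deny."""
    for action, proto, src, sport, dst, dport, flags in acl:
        if (proto in ("ip", f.proto) and src in ("any", f.src) and dst in ("any", f.dst)
                and sport in (None, f.sport) and dport in (None, f.dport)
                and ("established" not in flags or f.ack)
                and ("echo" not in flags or f.icmp_type == "echo")):
            return action
    return "deny"

# Constructed Linksys-style policy: unsolicited inbound traffic is dropped unless
# a forwarded port matches; outbound is permitted unless a port filter blocks it
# (137-139 from the thread, tcp/445 our assumption). NAT return traffic is not modelled.
FORWARDS = {("tcp", 25): "192.168.1.20"}   # WAN tcp/25 -> inside mail host
BLOCKED_OUT = [(137, 139), (445, 445)]

def linksys_decision(direction, f):
    if direction == "in":
        return "permit" if (f.proto, f.dport) in FORWARDS else "deny"
    return "deny" if any(lo <= f.dport <= hi for lo, hi in BLOCKED_OUT) else "permit"

LAN, WAN, WEB, STRANGER = "192.168.1.10", "192.0.2.1", "203.0.113.5", "198.51.100.9"
SAMPLE_FLOWS = [  # (label, direction, flow): constructed new connections
    ("out http", "out", Flow("tcp", LAN, 40001, WEB, 80)),
    ("out smb", "out", Flow("tcp", LAN, 40003, WEB, 445)),
    ("out irc", "out", Flow("tcp", LAN, 40004, WEB, 6667)),
    ("in smtp", "in", Flow("tcp", STRANGER, 51000, WAN, 25)),
    ("in ident", "in", Flow("tcp", STRANGER, 51001, WAN, 113)),
    ("in ack-only 445", "in", Flow("tcp", STRANGER, 51002, WAN, 445, ack=True)),
    ("in ping", "in", Flow("icmp", STRANGER, 0, WAN, 0, icmp_type="echo")),
]

def evaluate(flows=SAMPLE_FLOWS):
    """Return {label: (cisco_decision, linksys_decision)} for every flow."""
    acls = parse_acls(IOS_ACLS)
    return {label: (ios_decision(acls["100" if d == "out" else "150"], f),
                    linksys_decision(d, f))
            for label, d, f in flows}
```

Calling `evaluate()` shows where the two policies part ways on these flows: the outbound connection to an arbitrary port (tcp/6667 here) that list 100 denies but the Linksys lets through, the inbound ident connection that list 150 permits but the Linksys drops, and the inbound packet with only the ACK bit set to tcp/445, which list 150's first entry permits and the Linksys model drops because no forwarded port matches. The remaining flows get the same decision from both, including the blocked-range SMB connection and the inbound ping.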
