2.3 Configuring a typical Router based Firewall
Let’s assume you have a wireless base station, router or DSL/Cable modem that has a built-in firewall. The management interface for these devices is typically accessed via your favorite web browser. For example, Microsoft sells a wireless base station (the MN-500) that you access by going to 192.168.2.1 in your browser. The Linksys WCG routers use 192.168.0.1, and the Linksys WRT range of routers is also accessed via the 192.168.0.1 IP address. Check the documentation for your device to find the correct IP address.

Once you have logged into the setup screen of your router you will hopefully find a number of security related options:
2.3.1 Enable your Firewall

The device will have a status screen that tells you about the configuration. Make sure that the Firewall is enabled, and if it is not, make sure you enable it. Most devices will default to having the Firewall enabled, but it is wise to check.
2.3.2 Port Forwarding

A typical port forwarding screen is shown in figure 2.3.2. On this screen you specify which ports are to be open on your firewall and to which computer on your internal network incoming communications to this port should be forwarded. For example, 192.169.1.12 is my Linux system. You will see that I have port 80 forwarded to this IP address. This is because I run a web server on my Linux system and web servers communicate through port 80. Port 21 is used by the FTP file transfer protocol. I often use ftp to transfer files to and from my Linux system when I am traveling, so I need this port open and forwarded. Similarly, port 22 is also forwarded to enable me to use the Secure Shell (ssh) to gain remote access through the firewall to the Linux server.

Figure 2.3 - A typical Firewall Port Forwarding Configuration Screen

If you don’t have a need to use ftp, aren’t running a web server and have no need to log into your system from outside, make sure no ports are being forwarded.
2.3.3 Discard Pings

Check to see if your firewall has an option to discard pings. Attackers will often ping random IP addresses to find out which ones are alive. Discarding ping packets reduces the risk that an attacker will find you on the internet.
2.3.4 Application Triggered Port Forwarding

Some applications (particularly internet games) need to communicate through multiple ports. Most firewalls have application triggered port forwarding to address this requirement. In order to configure the Firewall to support your particular game or application you will need two pieces of information: the outbound port and the inbound port used by the application. Check the documentation of the supplier of the game or application in question if you do not know the ports that are needed.

The inbound port that has been specified will not be opened by the Firewall until data is sent to the outbound port by the application. This ensures that the inbound port is not left open until it is needed. After a period of inactivity both the inbound and outbound ports will be automatically closed by the Firewall.
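The trigger behaviour described above, as an added example that is not part of the guide or any router vendor's code: a small model of application triggered port forwarding, in which an inbound port stays closed until an internal host sends to the paired outbound port, is then forwarded to that host, and closes again after a period of inactivity. The rule (outbound 6112, inbound 6113), the internal address and the 60 second timeout are constructed sample values, not taken from the guide.

```python
"""Model of application-triggered port forwarding on a home router.

Added example (not from the guide). A trigger rule pairs an outbound port with
an inbound port: the inbound port is closed until an internal host sends to the
outbound port, then opens and is forwarded to that host, and closes again once
no traffic has used it for idle_timeout seconds. Ports, hosts and the timeout
used in demo() are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TriggerRule:
    outbound_port: int   # port the application sends to first
    inbound_port: int    # port the firewall opens in response


@dataclass
class TriggeredForwarder:
    rules: List[TriggerRule]
    idle_timeout: float = 60.0
    # inbound port -> (internal host it is forwarded to, time of last activity)
    _open: Dict[int, Tuple[str, float]] = field(default_factory=dict)

    def outbound(self, src_host: str, dst_port: int, now: float) -> None:
        """An internal host sends to dst_port. If that matches a rule's outbound
        port, open the paired inbound port and forward it to that host."""
        for rule in self.rules:
            if rule.outbound_port == dst_port:
                self._open[rule.inbound_port] = (src_host, now)

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Return the internal host an inbound packet to dst_port is forwarded
        to, or None if the port is closed and the packet is dropped."""
        self._expire(now)
        entry = self._open.get(dst_port)
        if entry is None:
            return None
        host, _last = entry
        self._open[dst_port] = (host, now)   # activity refreshes the idle timer
        return host

    def _expire(self, now: float) -> None:
        """Close every triggered port that has been idle longer than idle_timeout."""
        for port, (_host, last) in list(self._open.items()):
            if now - last > self.idle_timeout:
                del self._open[port]


def demo() -> List[Optional[str]]:
    """Walk one trigger rule through its life cycle; returns the forwarding
    decision for each inbound packet so the sequence can be checked."""
    fw = TriggeredForwarder(
        rules=[TriggerRule(outbound_port=6112, inbound_port=6113)],
        idle_timeout=60.0,
    )
    results = []
    results.append(fw.inbound(6113, now=0))          # None: nothing has triggered it yet
    fw.outbound("192.168.1.20", 6112, now=5)         # the game sends on the outbound port
    results.append(fw.inbound(6113, now=10))         # forwarded to 192.168.1.20
    results.append(fw.inbound(7000, now=11))         # None: an unrelated port stays closed
    results.append(fw.inbound(6113, now=100))        # None: idle for 90 s, port closed again
    fw.outbound("192.168.1.20", 6112, now=101)       # a new outbound burst re-opens it
    results.append(fw.inbound(6113, now=102))        # forwarded again
    return results


if __name__ == "__main__":
    for step, decision in enumerate(demo(), 1):
        print(step, decision)
```

The point the model makes visible is the one the guide relies on: compared with a permanent port forward, the inbound port is reachable from outside only in the window between the application's own outbound traffic and the idle timeout, and only for the host that triggered it.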
2.3.5 DMZ – The Demilitarized Zone

The DMZ setting allows you to specify a computer on your network for which all ports are open. What this means is that there is effectively nothing protecting that computer from access and attack from outside – as though there was no Firewall between the computer and the internet. You may wonder why you would want to do something like that, and in fact we strongly counsel against ever using this feature. It is included here so that you know what it does and that you need to avoid it.
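To tie sections 2.3.1 to 2.3.3 and 2.3.5 together, here is an added example (not from the guide, and not any router's firmware) that models how a router firewall of the kind described decides what to do with one inbound packet: no filtering when the firewall is disabled, pings dropped when "discard pings" is on, explicit port forwards delivered to the listed computer, everything else delivered to the DMZ host if one is set and dropped otherwise. It also produces the exposure summary a user should review before leaving the setup screen. The order of precedence (explicit forwards before DMZ), the internal addresses and the port numbers are assumptions chosen for the example, not values from the guide.

```python
"""Model of a home router firewall's inbound decision and exposure report.

Added example (not from the guide). The decision order below is an assumption
for this model: disabled firewall passes everything; ping is dropped when
discard_pings is set; an explicit port forward wins over the DMZ host; a DMZ
host receives every other port; anything left is dropped. Addresses and ports
in the demo are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Decision = Tuple[str, Optional[str]]   # (action, internal host or None)


@dataclass
class RouterFirewall:
    enabled: bool = True
    discard_pings: bool = False
    forwards: Dict[int, str] = field(default_factory=dict)   # external port -> internal host
    dmz_host: Optional[str] = None

    def handle(self, proto: str, dst_port: Optional[int] = None) -> Decision:
        """Decide what happens to one inbound packet from the internet.

        proto is 'icmp-echo' for a ping, or 'tcp'/'udp' with a destination port.
        Returns ('pass'|'reply'|'forward'|'drop', forwarded-to host or None)."""
        if not self.enabled:
            return ("pass", None)          # no filtering at all: section 2.3.1 says to fix this first
        if proto == "icmp-echo":
            return ("drop", None) if self.discard_pings else ("reply", None)
        if dst_port in self.forwards:
            return ("forward", self.forwards[dst_port])
        if self.dmz_host is not None:
            return ("forward", self.dmz_host)   # DMZ host: every other port lands on it
        return ("drop", None)

    def exposure_report(self) -> List[str]:
        """Summarise what the outside world can reach; an empty list is the
        safest state the guide describes (firewall on, no forwards, no DMZ, pings discarded)."""
        if not self.enabled:
            return ["FIREWALL DISABLED: nothing is filtered"]
        report = [f"port {port} -> {host}" for port, host in sorted(self.forwards.items())]
        if self.dmz_host is not None:
            report.append(f"ALL other ports -> {self.dmz_host} (DMZ host, unprotected)")
        if not self.discard_pings:
            report.append("answers pings (visible to address sweeps)")
        return report


def demo() -> Dict[str, object]:
    """Exercise the model with a setup like the one in section 2.3.2
    (constructed addresses) and with a DMZ host, returning the decisions."""
    typical = RouterFirewall(
        discard_pings=True,
        forwards={80: "192.168.1.12", 21: "192.168.1.12", 22: "192.168.1.12"},
    )
    with_dmz = RouterFirewall(dmz_host="192.168.1.50")
    return {
        "web_to_forwarded_host": typical.handle("tcp", 80),
        "unforwarded_port": typical.handle("tcp", 445),
        "ping_discarded": typical.handle("icmp-echo"),
        "dmz_catches_everything": with_dmz.handle("udp", 1900),
        "typical_report": typical.exposure_report(),
        "dmz_report": with_dmz.exposure_report(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Reading the two reports side by side shows why the guide singles out the DMZ option: with three forwards, three ports on one computer are reachable; with a DMZ host set, every port on that computer is.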