From: Shannon Kendrick
To: Dave Taht
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Fri, 12 Oct 2012 22:22:42 -0400
Subject: Re: [Cerowrt-devel] How to close default open firewall ports in 3.3.8

I'm still struggling to understand the firewall configuration. My goal is to use CeroWRT (with Codel) as my primary router, and I'm not comfortable having any ports open to the WAN even if they are filtered. I'm using the free ShieldsUP!! port scanner hosted at grc.com to check for open ports. It would be nice if someone with expertise on the firewall rules could add to the wiki, or better yet a video on YouTube that describes how to configure the rules.

Thanks
Shannon Kendrick

On Oct 10, 2012, at 1:22 PM, Dave Taht wrote:

> Several ports are open, but filtered, using various means. Does this
> tool not show filtered?
>
> For example, rsync and ssh are enabled but the default settings in
> /etc/xinetd.conf prohibit access via any but your internal private
> ips.
>
> Telnet and ftp ports (not services) are enabled, but are there to
> trigger sensors to disable other services in the advent of an attack
> from inside or outside of your firewall.
>
> You can close ports more fully to the outside world via the gui,
> editing /etc/config/firewall and/or do finer grained access control
> via /etc/xinetd.conf and /etc/xinetd.d/
>
> The web port (80) defaults open, the web configuration port (81) does
> not. The intent here is to enable you to put up your own local web
> pages.
>
> See the onboard and wiki documentation for more details.
>
> Thx for trying cerowrt!
>
> On Wed, Oct 10, 2012 at 8:44 AM, Shannon Kendrick wrote:
>> What's the best resource for learning how to configure the firewall to close the ports that are open by default? I installed 3.3.8-26 "sugarland" into a brand new WNDR3800 to be used as my home router, and I immediately ran ShieldsUp!! (grc.com) and noticed open ports. However, I'm at a loss as to how to close them.
>> Thanks,
>> Shannon Kendrick
>
> --
> Dave Täht
>
> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
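
An added example, not part of this thread and not CeroWrt's own code: a small audit of the xinetd `only_from` restriction mentioned in the quoted reply, listing enabled services that accept sources outside internal address ranges. The sample configuration is constructed, and both the set of "internal" ranges and the inheritance model (`=` in a service replaces the `defaults` list, `+=` extends it; `no_access` and hostname entries are not evaluated) are simplifying assumptions.

```python
import ipaddress
import re
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]
BLOCK = re.compile(r"^\s*(defaults|service\s+(\S+))\s*\{(.*?)^\s*\}", re.M | re.S)
ATTR = re.compile(r"^[ \t]*(\w+)[ \t]*(\+?=)[ \t]*(.*?)[ \t]*$", re.M)
SAMPLE = """# constructed sample, not CeroWrt's shipped configuration
defaults
{
    only_from = 127.0.0.1 192.168.1.0/24 fe80::/10
}
service ssh
{
}
service rsync
{
    only_from += 0.0.0.0/0
}
"""

def is_internal(token):
    """True if token lies wholly inside INTERNAL (an assumed set of internal ranges)."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:  # hostname or other xinetd address form: flag for manual review
        return False
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)

def resolve(attrs, base):
    """Assumed model: '=' replaces the inherited only_from list, '+=' extends it."""
    for name, op, value in attrs:
        if name == "only_from":
            base = ((base or []) if op == "+=" else []) + value.split()
    return base

def audit(text):
    """Map each enabled service to its only_from entries that are not internal."""
    blocks = [(m.group(2), ATTR.findall(m.group(3)))
              for m in BLOCK.finditer(re.sub(r"#.*", "", text))]
    defaults = resolve([a for n, attrs in blocks if n is None for a in attrs], None)
    findings = {}
    for name, attrs in blocks:
        if name is not None and ("disable", "=", "yes") not in attrs:
            allowed = resolve(attrs, defaults)  # None: no only_from applies at all
            bad = ["<any>"] if allowed is None else [a for a in allowed if not is_internal(a)]
            if bad:
                findings[name] = bad
    return findings
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A service reported as `<any>` has no `only_from` in effect, so the source filtering is left entirely to the firewall rules.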