From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id 8AD3021F149 for ; Fri, 12 Oct 2012 21:02:06 -0700 (PDT) Received: from dagger.cc.vt.edu (dagger.cc.vt.edu [198.82.163.114]) by lennier.cc.vt.edu (8.13.8/8.13.8) with ESMTP id q9D41YcW030233 for ; Sat, 13 Oct 2012 00:01:34 -0400 Received: from mail-oa0-f43.google.com (EHLO mail-oa0-f43.google.com) ([209.85.219.43]) by dagger.cc.vt.edu (MOS 4.3.3-GA FastPath queued) with ESMTP id WUI68470; Sat, 13 Oct 2012 00:01:34 -0400 (EDT) Received: by mail-oa0-f43.google.com with SMTP id k1so4483332oag.16 for ; Fri, 12 Oct 2012 21:01:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=ipAg5j08B1VuYFKFzXCM1enNbWEZWU3fIvcggmTqPeU=; b=nta05i2XQE5ipxTJfueBFmYEslC/xP2cUc9s0U/FrRb9O3gRxqloSZ1s0rDe9vCn9y qrIhXwaJSSSa1EpCx02N+foxowLN0Kypug9Ok8P2BKeOmq3Ny8yxQreIQXpvwDMpwQsz O5TbldTVgwTP9otZX9PCtG9lPL156yB+CW8Wge1ziis8CEFVr121h1IkO8xnUio8MZ2M v89EMgid+DiqIlCW8HlkzkFjey3LkdmNMjVfwILkqfAM7a4nvi8n9WepQrtMx2LA/jRT D3SXDdjYdwclQ2eSzh5BtDyDUJCuQLUhjV9b2Ew9wkPcEf86YYTt/kAU3gAMWpc2OS68 GvxQ== MIME-Version: 1.0 Received: by 10.182.172.74 with SMTP id ba10mr4999018obc.83.1350100893928; Fri, 12 Oct 2012 21:01:33 -0700 (PDT) Received: by 10.76.142.161 with HTTP; Fri, 12 Oct 2012 21:01:33 -0700 (PDT) In-Reply-To: References: <6CE74534-FA74-422A-8718-92855EA77BEA@kendrickonline.org> Date: Fri, 12 Oct 2012 23:01:33 -0500 Message-ID: From: Kai Yang To: Shannon Kendrick Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Gm-Message-State: ALoCoQkTHyZMJvRvcJ2OF9sjTzZ42XOF0z1NfajYpTKOUsF3mrAryEUE6nROqDTdj8Q15TeR4s7s X-Mirapoint-Received-SPF: 209.85.219.43 mail-oa0-f43.google.com yangk@vt.edu 4 softfail X-Junkmail-Status: score=10/50, host=dagger.cc.vt.edu X-Junkmail-Signature-Raw: score=unknown, refid=str=0001.0A02020A.5078E79E.0091,ss=1,re=0.000,fgs=0, ip=0.0.0.0, so=2011-07-25 19:15:43, dmn=2011-05-27 18:58:46, mode=single engine X-Junkmail-IWF: false Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] How to close default open firewall ports in 3.3.8 X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Oct 2012 04:02:07 -0000 Hi, It is simple with the web interface. In Firewall, General Settings tab look for the zone section. In that section, drop all incoming packets coming from wan to lan and guest. This is all that ShieldsUp tests for. Regards, Kai On Fri, Oct 12, 2012 at 9:22 PM, Shannon Kendrick wrote: > I'm still struggling to understand the firewall configuration. My goal is= to use CeroWRT (with Codel) as my primary router, and I'm not comfortable = having any ports open to the WAN even if they are filtered. I'm using the = free ShieldsUP!! port scanner hosted at grc.com to check for open ports. I = would be nice if someone with expertise on the firewall rules could add to = the wiki, or better yet a video on youtube that describes how to configure = the rules. > Thanks > Shannon Kendrick > > On Oct 10, 2012, at 1:22 PM, Dave Taht wrote: > >> Several ports are open, but filtered, using various means. Does this >> tool not show filtered? >> >> For example, rsync and ssh are enabled but the default settings in >> /etc/xinetd.conf prohibit access via any but your internal private >> ips. >> >> Telnet and ftp ports (not services) are enabled, but are there to >> trigger sensors to disable other services in the advent of an attack >> from inside or outside of your firewall. >> >> You can close ports more fully to the outside world via the gui, >> editing /etc/config/firewall and/or do finer grained access control >> via /etc/xinetd.conf and /etc/xinetd.d/ >> >> The web port (80) defaults open, the web configuration port (81) does >> not. The intent here is to enable you to put up your own local web >> pages. >> >> See the onboard and wiki documentation for more details. >> >> Thx for trying cerowrt! >> >> On Wed, Oct 10, 2012 at 8:44 AM, Shannon Kendrick >> wrote: >>> What's the best resource for learning how to configure the firewall to = close the ports that are open by default? I installed 3.3.8-26 "sugarland"= into a brand new WNDR3800 to be used as my home router, and I immediately = ran ShieldsUp!! (grc.com) and noticed open ports. However, I'm at a loss a= s to how to close them. >>> Thanks, >>> Shannon Kendrick >>> _______________________________________________ >>> Cerowrt-devel mailing list >>> Cerowrt-devel@lists.bufferbloat.net >>> https://lists.bufferbloat.net/listinfo/cerowrt-devel >> >> >> >> -- >> Dave T=E4ht >> >> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscri= be.html > > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel