



Standard User faite
(learned) Tue 18-Mar-14 22:50:01

DrayTek 2760n firewall


 
Hi,

Is there a way to enable the firewall on this product? There is a default rule, but setting that to block immediately blocks all traffic. Is there any option just to block incoming packets? The user guide mentions a NAT checkbox on that page, but I don't have that. I'm on the latest firmware.

Thanks.
Standard User Pipexer
(eat-sleep-adslguide) Tue 18-Mar-14 23:08:50

Re: DrayTek 2760n firewall


[re: faite]
 
Most (?) inbound packets will be dropped anyway as all your client machines are hiding behind NAT (presumably) and if anything comes inbound without a client request then the router won't know where to send it and so it will be dropped.

You are better off setting the default action to pass and then specifically making deny/block rules on the filter setup page for traffic you don't want, based on what you have said. The default action of block will block anything unless you have specifically allowed it. This is overkill and too much maintenance for the average home user (myself included). I agree it is not the best worded or laid out GUI in the world.

Zen 8000 Pro

Edited by Pipexer (Tue 18-Mar-14 23:10:31)

Standard User caffn8me
(knowledge is power) Tue 18-Mar-14 23:29:08

Re: DrayTek 2760n firewall


[re: Pipexer]
 
Draytek firewalls have a firewall rule that is "Block If No Further Match". Follow that with allow rules to achieve the level of filtering you want.

You can specify that the rule is for traffic originating on the WAN destined for the LAN.

That leaves outgoing traffic unaffected.

So leave the General Setup default rule as Pass and go to Firewall > Filter Setup.

Go to Default Data Filter, which is Filter Set 2, Rule 1

Under "Direction" choose WAN -> LAN/RT/VPN

Source IP Any
Destination IP Any
Service Type Any

Application/Action Block immediately if no further match

Now enable Filter Set 2, Rule 2 and explicitly allow any services you wish to run.

Does that help?

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Tue 18-Mar-14 23:43:52)
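As an added illustration (not code from the thread or from DrayTek), here is a small Python model of how a filter set laid out as above evaluates a packet: a deferred "block if no further match" rule for WAN -> LAN followed by explicit allow rules, with the General Setup default applied to everything else. The rule representation and the port 443 allow rule are assumptions for the example.

```python
# Added example, not from the thread or from DrayTek: a model of how a data
# filter set evaluates packets, so the effect of "Block immediately if no
# further match" plus explicit allow rules can be checked before use.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str            # "WAN->LAN", "LAN->WAN" or "ANY"
    dst_port: Optional[int]   # None means "Service Type Any"
    action: str               # "pass", "block" or "block_if_no_further_match"

@dataclass(frozen=True)
class Packet:
    direction: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("ANY", pkt.direction)
            and rule.dst_port in (None, pkt.dst_port))

def evaluate(rules, pkt: Packet, default: str = "pass") -> str:
    """Return 'pass' or 'block'.  Rules are checked in order; the first
    matching pass/block rule decides.  A matching 'block_if_no_further_match'
    rule defers: it blocks only if no later rule matches the packet.  The
    'default' argument models the General Setup default rule."""
    deferred_block = False
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "block_if_no_further_match":
            deferred_block = True
            continue
        return rule.action
    return "block" if deferred_block else default

# Filter Set 2 as laid out in the post above: Rule 1 covers WAN -> LAN for
# any source, destination and service; Rule 2 is a constructed example that
# allows one inbound service (port 443) the owner chooses to expose.
FILTER_SET_2 = [
    Rule("WAN->LAN", None, "block_if_no_further_match"),
    Rule("WAN->LAN", 443, "pass"),
]

def inbound_blocked(port: int) -> bool:
    return evaluate(FILTER_SET_2, Packet("WAN->LAN", port)) == "block"

def outbound_blocked(port: int) -> bool:
    return evaluate(FILTER_SET_2, Packet("LAN->WAN", port)) == "block"
```

Setting the General Setup default to block with no allow rules, as in the first post, corresponds to `evaluate([], pkt, default="block")`, which blocks every direction.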



Standard User faite
(learned) Tue 18-Mar-14 23:32:32

Re: DrayTek 2760n firewall


[re: Pipexer]
 
I did try that but it appears to be ignored when I do a port scan from an outside connection.

What is strange is some ports are blocked but the rest show as closed.

It seems it is more interested in blocking LAN traffic to itself than WAN, as settings I believe would work end up locking me out of the router entirely.
Standard User caffn8me
(knowledge is power) Tue 18-Mar-14 23:47:50

Re: DrayTek 2760n firewall


[re: faite]
 
Do you have routed IP addresses on your LAN or are you using NAT?

If you are using NAT and aren't enabling port forwarding or a DMZ host you can't port scan anything on the LAN. All you'll see is the router's external WAN address.

Have you disabled all the VPN services? L2TP/SSL/IPSec/PPTP? These will show by default as ports on an external port scan if not disabled.

Sarah

Standard User faite
(learned) Tue 18-Mar-14 23:54:45

Re: DrayTek 2760n firewall


[re: caffn8me]
 
I'm using NAT. I'm aware that internal IPs cannot be seen from the WAN.

It is just strange that I can't completely block ports as I could on other brands. Ironically, I can achieve what I want but the opposite way: I can block LAN clients from accessing internet ports. Ideally I would like the firewall to drop incoming packets but allow all outgoing.

I did indeed notice that and have subsequently disabled them.
Standard User caffn8me
(knowledge is power) Wed 19-Mar-14 00:07:15

Re: DrayTek 2760n firewall


[re: faite]
 
For what it's worth, I have two Draytek routers and they have both passed external PCI-DSS compliance scans, so the security is reasonably good.

If you enable DoS Defense [sic] you can enable port scan detection which should disconnect the offending source.

I'll run an nmap scan against one of the Drayteks with DoS Defence turned off and see what ports are listed. It may take a while.....

Sarah

Standard User faite
(learned) Wed 19-Mar-14 00:15:05

Re: DrayTek 2760n firewall


[re: caffn8me]
 
Thanks for your help.

Host is up (0.034s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp filtered domain
80/tcp filtered http
443/tcp filtered https
2869/tcp filtered unknown
7777/tcp filtered unknown
7778/tcp filtered unknown

That's what mine is currently. It would appear the firewall is filtering some ports but then leaving 991 closed; why can it not filter all?
Standard User faite
(learned) Wed 19-Mar-14 00:26:38

Re: DrayTek 2760n firewall *DELETED*


[re: caffn8me]
 
Post deleted by faite
Standard User caffn8me
(knowledge is power) Wed 19-Mar-14 00:27:54

Re: DrayTek 2760n firewall


[re: faite]
 
Ports 21, 22, 23, 80 and 443 can all be used for remote administration. Have you explicitly disabled remote management for these protocols?

Sarah
