Hi,
Is there a way to enable the firewall on this product? There is default rule but setting that to block immediately blocks all traffic. Is there any option just to block incoming packets? The user guide mentions a NAT checkbox on that page but I don't have that. I'm on the latest firmware.
Thanks.
Most (?) inbound packets will be dropped anyway as all your client machines are hiding behind NAT (presumably) and if anything comes inbound without a client request then the router won't know where to send it and so it will be dropped.
You are better setting the default action to pass and then specifically making deny/block rules on traffic you don't want on the filter setup page, based on what you have said. The default action of block will block anything unless you have specifically allowed it. This is overkill and too much maintenance for the average home user (myself included). I agree it is not the best worded or laid out GUI in the world.
Zen 8000 Pro
Edited by Pipexer (Tue 18-Mar-14 23:10:31)
Draytek firewalls have a firewall rule that is "Block If No Further Match". Follow that with allow rules to achieve the level of filtering you want.
You can specify that the rule is for traffic originating on the WAN destined for the LAN.
That leaves outgoing traffic unaffected.
So leave the General Setup default rule as Pass and go to Firewall > Filter Setup
Go to Default Data Filter, which is Filter Set 2, Rule 1
Under "Direction" choose WAN -> LAN/RT/VPN
Source IP Any
Destination IP Any
Service Type Any
Application/Action Block immediately if no further match
Now enable Filter Set 2, Rule 2 and explicitly allow any services you wish to run.
Does that help?
Edited by caffn8me (Tue 18-Mar-14 23:43:52)
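To make the "Block If No Further Match" ordering described in this post concrete, here is an added example (not Draytek code, and not part of the original thread) that models how such a filter set is walked: "Immediately" actions decide at once, "If No Further Match" actions are held until the rest of the set has been checked. The direction names, the allowed service and the IP addresses are assumptions chosen for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional

PASS, BLOCK = "pass", "block"

@dataclass
class Rule:
    """One filter rule. None in a field means 'Any', as on the Draytek page."""
    direction: str           # "WAN->LAN" or "LAN->WAN" (simplified direction names)
    src: Optional[str]       # source IP, or None for Any
    dst: Optional[str]       # destination IP, or None for Any
    service: Optional[str]   # e.g. "tcp/443", or None for Any
    action: str              # PASS, BLOCK, "pass_nfm", "block_nfm" (nfm = If No Further Match)

@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    service: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.src in (None, pkt.src)
            and rule.dst in (None, pkt.dst)
            and rule.service in (None, pkt.service))

def evaluate(rules: List[Rule], pkt: Packet, default: str = PASS) -> str:
    """Walk the rules in order. 'Immediately' actions decide at once;
    'If No Further Match' actions are remembered and only apply when no
    later rule matches. Unmatched traffic gets the General Setup default."""
    tentative = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action in (PASS, BLOCK):
            return rule.action
        tentative = PASS if rule.action == "pass_nfm" else BLOCK
    return tentative if tentative is not None else default

# Constructed filter set following the post: Rule 1 blocks WAN->LAN unless a
# later rule matches; Rule 2 allows one assumed service (HTTPS to an assumed host).
FILTER_SET_2 = [
    Rule("WAN->LAN", None, None, None, "block_nfm"),
    Rule("WAN->LAN", None, "192.0.2.10", "tcp/443", PASS),
]

def demo() -> List[str]:
    inbound_ssh = Packet("WAN->LAN", "198.51.100.7", "192.0.2.10", "tcp/22")
    inbound_https = Packet("WAN->LAN", "198.51.100.7", "192.0.2.10", "tcp/443")
    outbound_web = Packet("LAN->WAN", "192.0.2.10", "203.0.113.5", "tcp/80")
    return [evaluate(FILTER_SET_2, p) for p in (inbound_ssh, inbound_https, outbound_web)]
```

The model only covers traffic forwarded through the router; as later posts in the thread point out, the rule sets do not cover traffic aimed at the router's own WAN interface, which is why its own listening services still show up on an external scan unless they are disabled individually.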
I did try that but it appears to be ignored when I do a port scan from an outside connection.
What is strange is some ports are blocked but the rest show as closed.
It seems it is more interested in blocking LAN traffic to itself than WAN as settings I believe would work end up locking me out of the router entirely.
Do you have routed IP addresses on your LAN or are you using NAT?
If you are using NAT and aren't enabling port forwarding or a DMZ host you can't port scan anything on the LAN. All you'll see is the router's external WAN address.
Have you disabled all the VPN services? L2TP/SSL/IPSec/PPTP? These will show by default as ports on an external port scan if not disabled.
I'm using NAT. I'm aware that internal IPs cannot be seen from the WAN.
It is just strange that I can't completely block ports as I could on other brands. Ironically I can achieve what I want but the opposite way, I can block LAN clients from accessing internet ports. Ideally I would like the firewall to drop incoming packets but allow all outgoing.
I did indeed notice that and have subsequently disabled them.
For what it's worth, I have two Draytek routers and they have both passed external PCI-DSS compliance scans so the security is reasonably good
If you enable DoS Defense [sic] you can enable port scan detection which should disconnect the offending source.
I'll run an nmap scan against one of the Drayteks with DoS Defence turned off and see what ports are listed. It may take a while.....
Thanks for your help.
Host is up (0.034s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp filtered domain
80/tcp filtered http
443/tcp filtered https
2869/tcp filtered unknown
7777/tcp filtered unknown
7778/tcp filtered unknown
That's what mine is currently, it would appear the firewall is filtering some ports but then leaving 991 closed, why can it not filter all?
Ports 21,22,23,80 and 443 can all be used for remote administration. Have you explicitly disabled remote management for these protocols?
Excellent
I haven't got nmap running yet. It seems not to like Mavericks and my laptop is in another room.
It was too good to be true. Somehow that again blocked outgoing traffic, but only with new connections. Chrome still worked, but other applications did not. Disabled DoS and they started working again.
I'm still at square one. I do have the remote management disabled I believe.
One of the limitations of the Draytek firewall is that it doesn't allow blocking traffic to the WAN from outside the WAN in the rule sets.
I'll scan later tonight and let you know which ports I can see on mine.
So what I'm trying to achieve (and have done so on every other brand of router) can't be done on DrayTeks?
Odd definition of a firewall.
I haven't found a way of blocking specific external IP addresses from accessing the WAN interface - any or all ports.
You also can't disable Telnet, FTP, SSH, HTTP and HTTPS administrative access to the router from internal LAN clients by disabling those protocols or firewall policies. If, for example, you have a staff LAN/VLAN and an admin LAN/VLAN and only want computers on the admin network to be able to access the admin pages of the router you're stuffed.
Another bug which irks me is that when you add local admin users they log into the router using their own name and password but the syslog only logs "admin" as the user. You also can't rename the default admin account.
I'm still getting to grips with a few things!
On the whole, I'm very pleased with the Drayteks but there are a few things which haven't been thought through.
Edited by caffn8me (Wed 19-Mar-14 01:05:49)
They aren't the easiest interfaces I've found. I got it for my upcoming fibre install and I'm not one to use ISP provided hardware.
On previous routers, everything was filtered unless I specifically opened a port, so to have it the other way around is a little disconcerting, especially considering if I have UPnP enabled that shows as open. This was never the case on others.
I'll just work with NAT as that will offer some protection.
Thanks anyway.
At least you'll be able to use the router without an external modem for fibre
Thank you, restricting by MAC address looks as if it will help but I'll have to test it and see if it works as the 2850 and 2860 are somewhat different.
Thanks. These seem to be just blocking LAN clients from the router administration. I gave these two a try anyway and ports are still not filtered.
I understand that there is NAT protection, but it is not a firewall.
Have you disabled all the VPN services? L2TP/SSL/IPSec/PPTP? These will show by default as ports on an external port scan if not disabled.
Yes, that one has caught me out before. Naughty, as they are enabled by default!
Zen 8000 Pro