DrayTek 2760n firewall

Hi,

Is there a way to enable the firewall on this product? There is default rule but setting that to block immediately blocks all traffic. Is there any option just to block incoming packets? The user guide mentions a NAT checkbox on that page but I don't have that. I'm on the latest firmware.

Thanks.

Most (?) inbound packets will be dropped anyway as all your client machines are hiding behind NAT (presumably) and if anything comes inbound without a client request then the router won't know where to send it and so it will be dropped.

You are better setting the default action to pass and then specifically making deny/block rules on traffic you don't want on the filter setup page, based on what you have said. The default action of block will block anything unless you have specifically allowed it. This is overkill and too much maintenance for the average home user (myself included). I agree it is not the best worded or layed out GUI in the world.

Edited by Pipexer (Tue 18-Mar-14 23:10:31)

Draytek firewalls have a firewall rule that is "Block If No Further Match". Follow that with allow rules to achieve the level of filtering your want.

You can specify that the rule is for traffic originating on the WAN destined for the LAN.

That leaves outgoing traffic unaffected,

So leave the General Setup default rule as Pass and go to; Firewall > Filter Setup

Go to Default Data Filter, which is Filter Set 2, Rule 1

Under "Direction" choose WAN -> LAN/RT/VPN

Source IP Any
Destination IP Any
Service Type Any

Application/Action Block immediately if no further match

Now enable Filter Set 2, Rule 2 and explicitly allow any services you wish to run.

Does that help?

Edited by caffn8me (Tue 18-Mar-14 23:43:52)

I did try that but it appears to be ignored when I do a port scan from an outside connection.

What is strange is some ports are blocked but the rest show as closed.

It seems it is more interested in blocking LAN traffic to itself than WAN as settings I believe would work end up locking me out of the router entirely.

Do you have routed IP addresses on your LAN or are you using NAT?

If you are using NAT and aren't enabling port forwarding or a DMZ host you can't port scan anything on the LAN. All you'll see is the router's external WAN address.

Have you disabled all the VPN services? L2TP/SSL/IPSec/PPTP? These will show by default as ports on an external port scan if not disabled.

I'm using NAT. I'm aware that internal IPs cannot be seen from the WAN.

It is just strange that I can't completely block ports as I could on other brands. Ironically I can achieve what I want but the opposite way, I can block LAN clients from accessing internet ports. Ideally I would like the firewall to drop incoming packets but allow all outgoing.

I did indeed notice that and have subsequently disabled them.

For what it's worth, I have two Draytek routers and they have both passed external PCI-DSS compliance scans so the security is reasonably good

If you enable DoS Defense [sic] you can enable port scan detection which should disconnect the offending source.

I'll run an nmap scan against one of the Drayteks with DoS Defence turned off and see what ports are listed. It may take a while.....

Thanks for your help.

Host is up (0.034s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp filtered domain
80/tcp filtered http
443/tcp filtered https
2869/tcp filtered unknown
7777/tcp filtered unknown
7778/tcp filtered unknown

That's what mine is currently, it would appear the firewall is filtering some ports but then leaving 991 closed, why can it not filter all?

Post deleted by faite

Ports 21,22,23,80 and 443 can all be used for remote administration. Have you explicitly disabled remote management for these protocols?