SAR715 Support Pages: Firewall ConfigurationWhat are the benefits of using the firewall?The SAR715's built-in firewall is able to restrict both incoming and outgoing traffic. Most users of the router will have a NAT setup, and as a result, the router's firewall will provide no greater protection where incoming traffic is concerned. However, the firewall will prevent unauthorised outgoing traffic, which can help stop viruses, Trojans, and spyware from making outbound connections. In essence, the firewall provides peace of mind, and is well worth setting up as it can generally be left untouched once configured. How do I enable the firewall and set the desired security level?I have found that the easiest way to setup the firewall is via the router's CLI (Command Line Interface) which can be accessed using Telnet or an equivalent tool. In Windows, this can be achieved by navigating to Start > Run and typing telnet://192.168.7.1 (where 192.168.7.1 is the router's default IP address. If you have altered this (which many will have) then use the amended address. Please note: the router will require authentication before allowing access to the CLI options. What follows is the commands required to configure the firewall. These commands should be input into Telnet (or equivalent) followed by the <Enter> key to run the command. Once authenticated, the first step is to enable the firewall, which is disabled by default. firewall enable The security level must now be set. My recommendation would be to set it at its highest level (high) although it can also be set at medium or low. A description of the differences between the levels can be found on page 207 of the CLI manual. firewall set securitylevel high The firewall is now enabled and the security level has been set. All that remains is to setup the firewall rules, which will allow certain incoming/outgoing connections based on ports, and deny any that do not have a rule. How do I setup the firewall rules now that the firewall is enabled?Before I begin to discuss the way in which this is achieved, I will introduce the commands used to add and delete firewall rules. To add a firewall rule: firewall add portfilter <name> <policy name> <protocol> <start port> <end port> <direction> To delete a firewall rule: firewall delete portfilter <name> <policy name> An explanation of the above options are as follows:
What are the most common rules used?FTP (File Transfer Protocol)By default, the router has a rule for FTP (File Transfer Protocol) but it allows no incoming or outgoing connections. Therefore, we must remove this rule and re-create it in order to allow outgoing connections. If you are running an FTP server, you will allow want to allow incoming connections, but generally, users will only require outbound. Some passive FTP clients will require a firewall trigger, details of which can be found further down. firewall delete portfilter hei_ftp pex_in firewall add portfilter hei_ftp pex_in tcp 21 21 outbound NNTP (Network News Transfer Protocol)In the newer versions of firmware, an entry exists for NNTP (Network News Transfer Protocol) as used by news readers, such as Outlook Express. By default, it is set to allow no outgoing connections. Firstly, determine if the rule exists: firewall list portfilters pex_in If an entry exists, delete it: firewall delete portfilter hei_nntp pex_in If it does not, then create one, unless you do not use a news reader application: firewall add portfilter hei_nntp pex_in tcp 119 119 outbound HTTPS (HyperText Transfer Protocol [Secure])The HTTPS protocol is commonly used when browsing, and an entry does not exist by default, so you will more than likely wish to create one: firewall add portfilter hei_https pex_in tcp 443 443 outbound How do I save the firewall rules?Remember that once you have added/deleted port filters, you must save the configuration, otherwise all will be lost when the router is restarted: system config save How do I create rules for other ports?In order to create other rules, use exactly the same method as outlined, giving the rule a unique name and the correct protocol and port numbers. Other common rules that are created are:
There is a thread on the Solwise Forum that covers the firewall aspect of the SAR715 in depth. How do I list my current firewall rules?firewall list portfilter pex_in What are firewall triggers?Firewall triggers allow the router to open ports for incoming connections, e.g. for MSN Messenger, FTP, and NetMeeting, without having to compromise security by leaving ports permanently open for incoming connections. In the web interface, navigate to Advanced Configuration and then to Security. At the bottom of the window, select Security Trigger Configuration, then click New Trigger. MSN Messenger
NetMeeting
To allow incoming NetMeeting calls, you must also add a port forwarding rule for TCP 1720 pointing to the IP address of the computer in question. File Transfer Protocol (FTP)
|
|
