Help with Firewall rules for beginner.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2014-01-26 02:08:36
Region : Argentina

Model : TD-W8968

Hardware Version : V2

Firmware Version :

ISP :


Hi, first post to the site.

Need advice about the config of the Firewall on W8980.
Bought this modem router Dec 2013. Worked out of the box, but didn't understand the firewall setup; currently have web access with Firewall IPv4 and IPv6 enabled and the default set to allow. No other rules are set. So I think everything will pass through.

Tried to set up with default to deny, and rules to allow computer on LAN to operate certain times during the day:

So added LAN Host to 192.168.1.100 called "New", then Saved
added Schedule Description "Daylight", Each Day, 0800 to 2230, then Saved
added Rule Description "DayIncom", LAN Host "New", Target WAN host "Any Host", Schedule "Daylight", Rule "Allow", Direction "In", Status "Enable", Protocol "All"

This to permit only the "New" computer to access the web 0800 - 2230; everything else to be denied.

Result is can't access the web, blocked. Putting back to allow and deleting the rule unblocks. Something else is missing here?
Do I have to have another rule which is the same except Direction "Out"?
Advice pl. Thanks.


Have other ??s but one at a time. Thanks.
#1
Re:Help with Firewall rules for beginner.
2014-01-26 09:59:09
Tell us what goal you want to achieve by firewall?
It will be clearer if you can send a screenshot.....
#2
Re:Help with Firewall rules for beginner.
2014-01-26 21:00:13
Hi, looking to restrict the connections into and from the PC. Running Win 7; currently the router firewall is set to Allow (default) with no rules set. I want to set the f/wall to restrict inflow to data from web pages that I connect to and outflow to prevent unwanted processes 'phoning home'.
1st step for me is to understand how to set up the rule deny (default) all access to the LAN and enable flow (rule1) only to/from 192.168.1.100.
2nd step (modified rule1) is to control ports on 192.168.1.100; at present any processes on the PC are able to open ports at will.
Don't have any screenshots just yet.
Thanks.
#3
Re:Help with Firewall rules for beginner.
2014-01-27 09:12:26
http://www.tp-link.com/en/article/?faqid=467

Check whether the FAQ will help you or not.
#4
Re:Help with Firewall rules for beginner.
2014-01-29 21:39:20
Thanks, had a look and used the approach.
Made a rule for local host to receive data inbound OK, and
made another rule for the same local host to pass data outward,
used the same schedule and set the default to Deny access.
Worked OK but action of router seems impaired, getting a little yellow triangle warning on Win 7 toolbar (Network monitor icon) when the router finishes booting. When a webpage is loaded in Firefox browser, after a couple of seconds the warning triangle is gone?? Flaky??

Gonna give this a rest for now, will try again later.
Thanks for the help.
#5
Re:Help with Firewall rules for beginner.
2014-01-30 11:19:01
Please understand that the default router firewall configuration only allows incoming traffic for connections initiated by your LAN machines.
Your LAN computers only receive internet replies for connections they initiated, so if you don't mess with the router FW, the internet won't mess with you.
The router firewall allows all outgoing traffic to pass; you can control this with outbound rules in the router FW, but the only way to control possible malware in your computers is with your computers' firewall, this way you can configure what applications can or can't go to the internet.
With the router firewall you don't know what program is talking to the internet, only what machine, so you can't block malware.
In the router FW, you will not know the difference between Internet Explorer connecting to a site and a malware program that connects to a site in the background.

With the router firewall you can for example block a machine from connecting to some sites, you can also block a machine from going to internet. etc.

EDIT#1:
To make sure internet computers can't see your router nor your LAN computers:
Go to this well known site: https://www.grc.com/default.htm
From the MENU select Services -> ShieldsUP.
Then do some of the tests there: for example press the "Common Ports" test and then the other tests.

The site will try to probe your computers and router.
You need to pass all tests.

EDIT#2:
Not related to router firewall, but related to router configuration security.
For the best security make sure you:

In a lot of routers, outside wifi computers can use WPS to enter your network; besides that, WPS uses a small numeric PIN:
Wireless->WPS Settings-> Disable

Only allow this auth type/encryption, the others are weak and broken:
Wireless->Wireless Security->
Authentication Type = WPA2/PSK
Encryption: AES
Wireless Password: Choose a big random alphanumeric password
Group Key Update Period: 120 (this auto changes the password after the configured time, lower is better)

Make sure you have all WAN ports closed:
Forwarding -> Virtual Servers -> don't open ports here
Forwarding -> Triggering -> don't open ports here
Forwarding -> DMZ -> Disable

Make sure UPnP is disabled; any LAN app can use UPnP to configure your router, it has no authentication.
Forwarding -> UPNP -> Disable

Make sure you change the default router password.
Don't enable the router "Remote Management".

More could be said and done, but this is the minimum security configuration for all routers.
#6
Re:Help with Firewall rules for beginner.
2014-02-02 06:40:19
Thanks for the detailed info; understand it better now. Will try the changes. Rgds.
#7
.
2014-02-02 07:03:29
Hello all,

I read this interesting thread and learnt how to block a computer whose IP is 192.168.1.100 from accessing the Internet from 00:00 to 06:00.
Now I need the same IP (192.168.1.100) to be able to connect to a service (e.g. ntp TCP/123 server pool) all the time.
Is it possible? How can I do it?

Thank You
#8
Re:Help with Firewall rules for beginner.
2014-02-03 04:03:16
There are 2 opposite ways of doing it.

Instructions from the router firewall screen:
"Default Filtering Rules:
1 - Allow the packets not specified by any filtering rules to pass through the device
2 - Deny the packets not specified by any filtering rules to pass through the device
Note: The modem router will first try to match the packet with the enabled filtering rules one by one in the list and apply the first matching rule. If the packet is not specified by any filtering rules in the list, then the Default Filtering Rule will take effect."


This means that we have 2 ways to configure the router firewall:
1- ALLOW mode: All traffic passes, but you can create rules to BLOCK traffic.
2- DENY mode: No traffic passes, but you can create rules to ALLOW traffic to pass.

The Note says:
a) The rule conditions are tested one by one in list order, until the first matching rule is found and applied.
b) If no rule in the list matches the packet being evaluated, then the default rule will take effect (1-ALLOW mode or 2-DENY mode).


Example#1:
Firewall on with default configuration.
ALLOW mode
No rules

All outgoing traffic passes.
No incoming traffic passes, except replies to connections initiated by your LAN computers.

Example#2:
Same conditions as Example#1, but you can ADD rules to block computer(s).

What you want:
Block your computer from 00:00 to 06:00 to access all internet IP's except the NTP server IPs.

You need 2 rules, to do that:
#1 will block WAN IPs range from [0.0.0.0 ; NTP SERVER IP [
#2 will block WAN IPs range from ] NTP SERVER IP ; 255.255.255.255]
This is not a very pleasing solution.

Example#3:
Firewall in
DENY mode
No rules

No traffic passes, you don't have internet access.

Example#4:
Same conditions as Example#3, but you add rules to allow:

Rule#1:
Allow your computer from 06:00 to 00:00 to access all internet.

Rule#2:
Allow your computer from 00:00 to 06:00 to access the NTP server IPs or URLs.

Ok, this is better than before.
#9
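The first-match semantics Mr.Wolf quotes above, simulated as an added Python example (it is not from the thread or the router's own code): it encodes Example#4 as a DENY-mode rule list, and adds an ALLOW-mode list showing why the rule order discussed later in the thread matters. The NTP server addresses, rule names and the `Rule`/`evaluate` helpers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    lan_host: str      # LAN IP the rule applies to, or "any"
    wan_hosts: tuple   # WAN networks in CIDR form, or ("any",)
    start: time        # schedule start (inclusive)
    end: time          # schedule end (exclusive); end <= start wraps past midnight

def in_window(rule, t):
    # time(0, 0) as the end means "until midnight", as in the post's "06:00 to 00:00"
    if rule.start < rule.end:
        return rule.start <= t < rule.end
    return t >= rule.start or t < rule.end

def matches(rule, lan_ip, wan_ip, t):
    if rule.lan_host != "any" and ip_address(rule.lan_host) != ip_address(lan_ip):
        return False
    if rule.wan_hosts != ("any",) and not any(
            ip_address(wan_ip) in ip_network(n) for n in rule.wan_hosts):
        return False
    return in_window(rule, t)

def evaluate(rules, default, lan_ip, wan_ip, t):
    """First matching rule in list order wins, else the Default Filtering Rule applies."""
    for rule in rules:
        if matches(rule, lan_ip, wan_ip, t):
            return rule.action, rule.name
    return default, "default"

def decide(rules, default, lan_ip, wan_ip, hour, minute=0):
    return evaluate(rules, default, lan_ip, wan_ip, time(hour, minute))

# Constructed NTP server addresses (documentation range, not a real pool)
NTP_POOL = ("203.0.113.10/32", "203.0.113.11/32")
PC = "192.168.1.100"
# Example#4 from the post: DENY mode plus two ALLOW rules
DENY_MODE_RULES = [
    Rule("day-all", "allow", PC, ("any",), time(6, 0), time(0, 0)),
    Rule("night-ntp", "allow", PC, NTP_POOL, time(0, 0), time(6, 0)),
]
# ALLOW mode: a blanket night DENY listed above the NTP exception shadows it
ALLOW_MODE_RULES = [
    Rule("night-block", "deny", PC, ("any",), time(0, 0), time(6, 0)),
    Rule("night-ntp", "allow", PC, NTP_POOL, time(0, 0), time(6, 0)),
]
```

Reversing `ALLOW_MODE_RULES` lets the NTP exception match first, which is the effect a "move rule up" button would give.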
Re:Help with Firewall rules for beginner.
2014-02-03 15:11:11
Thank you Mr.Wolf for your reply.
Now the firewall configuration for this device is clearer.
I understand the rule matching process stops at the first match and the order in the list determines that.
But if I need to add a rule that needs to be matched before others already in the list, how can I move it to the top?
#10
Re:Help with Firewall rules for beginner.
2014-02-03 21:05:54

marchino wrote

Thank you Mr.Wolf for your reply.
Now the firewall configuration for this device is clearer.
I understand the rule matching process stops at the first match and the order in the list determines that.
But if I need to add a rule that needs to be matched before others already in the list, how can I move it to the top?


W8970 firewall is missing that option :(
Maybe you could email TP-LINK support and ask for it to be implemented ;)
Firewalls need to have an option to move rules position in the list.

I had a WR1043N and it had an option to move rules position in the list.
WR1043N emulator link
In access control->rule menu, we can find the needed MOVE button, missing from the later W8970 model.

Looks like all their routers have that option, but all their ADSL routers need it implemented :(
#11