Networking

Avoid intruders on your network: configure the firewall or firewall of the router

Currently all operating systems have a pre-installed firewall, but on many occasions, we do not have it activated or we do not have it properly configured. The routers that are the brain of the entire network, also have a pre-installed and activated firewall, mainly based on iptables because the vast majority of firmwares are based on Linux. Today in RedesZone we are going to show you what configuration options we can find in a firewall for routers, using ASUS routers and also AVM FRITZ! Box, two manufacturers whose firmware is really complete and allows us great configurability.

A very important aspect that we must take into account is that when we have the router’s firewall activated, it is also highly recommended to have a firewall on the PCs, although it is not entirely necessary since we are in a NAT environment, so from the Internet it is not They will be able to access our equipment without having previously opened a port to our PC, or directly open the DMZ to our PC. In the latter case, it is highly recommended to have a firewall installed and configured on our PC, since it will be completely accessible from the Internet.

What is a firewall for in a router?

Thanks to firewalls, we will be able to allow or block incoming and outgoing traffic through the different interfaces of the router, both on the WAN and on the LAN. However, the vast majority of users want to have a firewall on the Internet WAN to control traffic from outside to the router itself. A firewall on a router will allow us to block any attempt to access a certain specific port on the router, that is, if we have TCP port 22 of the SSH open, we can limit the number of simultaneous connections, the number of connections in a certain time, and we can even allow only a certain IP address to access our router’s SSH server.

Having a firmware in the router is very important to be protected correctly, because otherwise, any cybercriminal could communicate without any type of restriction with our router and even violate it to access the home local network, and therefore, our computers from the local network.

A very important aspect of router firewalls is that, by default, all communications that start abroad (on the Internet) are rejected (DROP), if they have not been specifically allowed before, so the policy of « deny all »is the best practice to adequately protect the local network. In the vast majority of firewall and router-oriented operating systems such as pfSense or OPNsense, we have the policy of denying everything implicitly, that is, if we do not have a rule to allow “something”, no traffic will pass, because all the traffic will be denied by default.

This policy is called restrictive policy, but it is the most recommended because it is the one that gives us the greatest protection: by default we prohibit everything, except what we have specifically allowed.

Computers on the LAN are always behind NAT

Currently with IPv4 networks, we make use of NAT / PAT, so that with the same public IP address, all the computers that we have on the LAN can go to the Internet. An important detail is that all communications made from the LAN computers to the Internet are allowed, that is, a socket is opened on the PC and flows to the destination, and in the NAT table we will have the translation that we have made from private IP to public IP, so that when the packet returns, it can be correctly redirected to its destination.

If from the Internet, we try to initiate communication with a computer on the LAN, we could not directly, unless:

  • We have configured a port forwarding (open ports) on the router to that PC.
  • We have configured the DMZ to the private IP of the PC in question.

Therefore, any communication from the Internet to the LAN is blocked by default. In addition, it is highly recommended to always disable the UPnP protocol, so that the devices cannot open a port by themselves in the router’s NAT and be more protected. There are certain devices that permanently open a port on the router, such as some IP cameras, and which would be easily accessible through the Internet. Therefore, a very good security policy is based on:

  • Do not open ports in the «Port forwarding» to computers that do not really need it, of course, never open the DMZ to a certain computer if the latter does not have a firewall, or it is a device such as a console that can need.
  • If we have to open ports, make sure that we are putting the private IP address of the team that really needs it, and add this team in the Static DHCP so that it always gets the same private IP address, and we don’t have that port open to “nothing” or to the wrong equipment.
  • Do not open the DMZ to any computer, and if you need to open it to a certain computer, make sure you set the private IP correctly, and that it is a console or similar computer that needs all ports open.
  • Disable UPnP so that devices do not open ports autonomously, it is recommended to disable it directly on the router to prevent it. It is better to open ports manually because we will have control.

Firewall configuration options on ASUS routers

ASUS routers incorporate a firewall based on iptables, so we could use the full power of this firewall through the command line, either via telnet or SSH. However, we also have certain configuration options available on the router itself, so that a user with basic knowledge does not have to “touch” the internal firewall.

In the “Firewall” menu, we can activate or deactivate the firewall based on iptables for IPv4 networks and also IPv6 networks, the default configuration is that in both protocols we have the firewall activated, as is recommended for security. ASUS allows us to configure a DoS anti-attack system in IPv4 networks, blocking the source IP address if it makes several connection attempts, in order to mitigate this type of attack.

Another interesting feature is the possibility of blocking any ping (ICMP Echo-request) that is made on the Internet WAN port, this will allow that, if someone from the Internet performs a ping, it is automatically blocked (DROP).

The firewall for IPv6 is in a state of total blocking, in this case the operation is somewhat different since it would also affect the computers on the LAN. In IPv6 networks we do not have NAT, but the PCs have a Global-Unicast IPv6 address, that is, a public IP for each computer, but logically we will be protected by the router’s firewall, where by default all incoming communication (from the Internet to the PC with public IP) is blocked, but it does allow any outgoing communication to have connectivity without problems.

A very interesting option of ASUS routers is the “LAN to WAN Filter”. We have previously indicated that firewalls allow you to control both the traffic from the Internet to the router and the LAN, as well as the other way around, from the LAN to the Internet. In this case, we can configure the firewall to block the output of packets to the WAN from the LAN, we will simply have to enter the source IP address, destination, and ports, to add this rule to the firewall and block outgoing packets.

Although we have not seen it, URL and keyword filtering also make use of the firewall, but with a prior work of name resolution and traffic checking.

Firewall configuration options on AVM FRITZ! Box routers

In the case of AVM routers, we also have a fairly configurable firewall. To access the firewall we must go to the menu with three vertical dots, and select «Advanced view». In the main menu we go to ” Internet / Filters “, in this section is where we will have everything related to the firewall and QoS.

The “Lists” tab is where we can activate the firewall in stealth mode, so as not to reply with the echo-reply to any echo-request sent to the WAN port. Other interesting configuration options are the blocking of port 25, which is the typical one used to send emails without any type of encryption, AVM allows us to directly block it to protect ourselves. We can also activate NetBIOS filtering and even Teredo, that is, if we do not use these services, it is best to block them for security.

Although it is not the firewall itself, being in a NAT environment it can be the case that we have open ports that we are not really using. It is always highly recommended to close any type of port that is not in use, because it could be the gateway to cybercriminals.

The same occurs with the FRITZ! Box services, if we do not want to “locate” the router and access it remotely via its public IP, the best we can do is disable this access, remember that we could also access via VPN and later access the private IP of the default gateway.

As you can see, we can create several VPN connections, both remote access VPN as well as Site-to-Site VPN with these AVM routers, all always using the IPsec protocol, currently it does not support either OpenVPN or Wireguard.

Therefore, it is highly recommended that, if our router has services accessible to the Internet, we only have “exposed” those that we are going to use, and not all, because for security reasons it is always necessary to have all ports closed and blocked, except those that are not we have no choice but to open.

Is it necessary to have a firewall on my PC?

All PCs have a firewall activated by default, and with different profiles that we can configure very easily. In the case of Windows 10, we have a total of three profiles with different permissions to allow / deny traffic, specifically we have “Domain network”, “Private network” and “Public network”. Generally we will always use the latter two.

The firewall configuration in “Private network” is to accept incoming connections, since we are in a reliable environment, the firewall configuration in “Public network” is to reject incoming connections if we have not previously made the communication.

Is it necessary to have a firewall activated on my desktop computer? We must bear in mind that we are always (or almost always) working in a NAT environment, so there is no open port on the router by default. In case of opening the DMZ, it is essential to use the firewall, and also in “Public network” mode to block any incoming connection that we have not previously made. In cases where we do not have any open ports, the Windows firewall will only protect us from connections via LAN, because they simply cannot reach us from the Internet as no ports have been opened (although you must make sure that UPnP on the router does so. you have disabled).

If we want to get into the advanced Windows firewall, we simply have to click on «Advanced configuration» in the main menu of the firewall, and this menu will appear where we can add different rules:

By default, a large number of programs that we use daily are allowed to accept connections. If we want to add a new rule, we click on «New rule» in the upper right menu. We can also make the same configuration for the outbound rules.

As you have seen, it is very important to have the router’s firewall activated and well configured, another important aspect regarding NAT / PAT is not to have any open port if we are not using it, much less activate the DMZ to our PC, because that does carry a high risk since all ports are opened except those specifically open to other computers.

Leave a Reply

Your email address will not be published.

Back to top button