Newbie: Firewall rules to prevent Internet access/hacks

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2013-03-23 23:46:40
Region : Others

Model : TD-W8968

Hardware Version : V1

Firmware Version : 0.6.0 1.1 v0005.0 Build 120926 Rel.27100n

ISP : Telkom


Hi there,

I haven't played with network and firewall configs for a number of years now, but I want to configure my new TD-W8968 to block all unsolicited internet traffic/hacks. Any advice appreciated.

Regards
William R.
#1
Re: Newbie: Firewall rules to prevent Internet access/hacks
2013-04-01 19:37:20
The basics are covered here: http://www.tp-link.com/en/article/?faqid=467 .

The important thing to do before configuring any firewall rules is backup your router configuration and save it in a location you can find easily.

Figure out what you want to configure first, then design it from there. For example, the link above blocks all internet connections during the night. This might be useful but if you are looking to really close down access to your home network and possible hacking attempts, then you need to close all ports except those needed for specific applications like browsers. Usually it makes sense to keep all ports open for outgoing traffic as it is assumed that any traffic coming from your internet network is going to access legitimate external ports. So, for example, ports 80 and 443 are used for most internet-based connections. Websites like forum.tp-link.com use port 80 whilst banking sites or shopping will use port 443 to allow for encrypted data.

If you are running a web server or want to access your router remotely or use certain applications like BitTorrent or Skype or iTunes etc., then you also need to allow traffic to come into your home network on certain ports. A good place to check is here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers which you can then search for known port numbers. Depending on your computers at home you normally also have firewalls you can use on Windows, Mac or Linux machines for free, which offer added protection.

Before enabling the firewall I would set up the rules first.

Under Firewall you have:
Rule
LAN Host
WAN Host
Schedule

Rule is the last thing you want to do to enable the firewall. Have the config file nearby in case you accidentally block yourself from accessing the Internet or your router. You will need to reset it manually by pressing the button in the back and restoring the configuration file.

LAN host is for specific machines within your home network to allow or disallow traffic to or from these machines (laptops, mobile phones, gaming consoles, TV set-top boxes).

WAN host is for specific addresses or sites that you want to block or allow traffic. So for example if you wanted to limit what people could access, you could block a particular website which would require an IP address.

Schedule refers to times you want specific rules to be enabled. So you can prevent any internet traffic during the night when you're sleeping or use it to prevent children from accessing the internet from their computers or mobile phones or gaming consoles at particular times of the day, for example.

To block unsolicited internet traffic you can try the optimum security approach which is to block all incoming traffic first, then open up ports when you need them. If you use port forwarding or virtual servers within your network, then you need to be careful you are not blocking that traffic to those devices. For example if you have a server where you save files and use a Windows computer, you would need to open port 445 (Macs would use 548) to allow mapping drives to the server. If you want to synchronise your computer time to Time Servers, then port 123 needs to be open. If you want to access iTunes then port 3689 needs to be open. Again, these are all for incoming traffic, if you leave outgoing on by default.

So you could specify any LAN host (all laptops, phones, consoles etc) in the IP address range assigned by DHCP as "computers". Then configure the rule to be:

Description: IN
LAN Host: computers
WAN Host: Any host
Schedule: Any schedule
Action: Deny
Status: Enabled
Direction: In
Protocol: All

Then enable the firewall and deny packets that do not follow the rules. This will stop ALL incoming traffic. So as I said, you might then want to allow certain traffic to certain devices like your laptop to allow iTunes when searching for music, so you add a new LAN host to just be the IP address of your laptop with port 3689, then set it up like:

Description: IN
LAN Host: laptop
WAN Host: Any host
Schedule: Any schedule
Action: Allow
Status: Enabled
Direction: In
Protocol: TCP

Hope that helps.
#2
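As an added example (not part of the reply above or any TP-Link code), here is a small Python model of the two-rule policy the reply describes: a catch-all inbound Deny for the "computers" group plus an inbound TCP 3689 Allow for the laptop. It lets you check a rule set against sample packets before enabling the firewall, which is when lockouts happen. It assumes rules are evaluated top to bottom with first match winning, that unmatched inbound packets are denied while outbound is left open as the reply suggests, and it uses constructed addresses for the host groups.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    description: str
    lan_host: str               # LAN host group name or "Any host"
    wan_host: str               # WAN host group name or "Any host"
    action: str                 # "Allow" or "Deny"
    direction: str              # "In" (WAN -> LAN) or "Out" (LAN -> WAN)
    protocol: str = "All"       # "All", "TCP" or "UDP"
    port: Optional[int] = None  # LAN-side port, None = any port

@dataclass
class Packet:
    direction: str
    protocol: str
    lan_ip: str
    wan_ip: str
    lan_port: int

# Constructed sample host groups: the DHCP pool as "computers" (.96-.127)
# and one laptop inside that pool. The reply only uses "Any host" on WAN.
LAN_HOSTS = {"computers": ip_network("192.168.1.96/27"),
             "laptop": ip_network("192.168.1.105/32")}
WAN_HOSTS = {}

# Assumed defaults: inbound denied, outbound left open (as the reply advises).
DEFAULT = {"In": "Deny", "Out": "Allow"}

def host_ok(group: str, ip: str, table: dict) -> bool:
    return group == "Any host" or ip_address(ip) in table[group]

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule description) from the first matching rule."""
    for r in rules:
        if r.direction != pkt.direction or r.protocol not in ("All", pkt.protocol):
            continue
        if r.port is not None and r.port != pkt.lan_port:
            continue
        if host_ok(r.lan_host, pkt.lan_ip, LAN_HOSTS) and host_ok(r.wan_host, pkt.wan_ip, WAN_HOSTS):
            return r.action, r.description
    return DEFAULT[pkt.direction], "default policy"

# Specific Allow first, catch-all Deny last; reversing them shadows the Allow.
RULES = [
    Rule("iTunes to laptop", "laptop", "Any host", "Allow", "In", "TCP", 3689),
    Rule("IN", "computers", "Any host", "Deny", "In", "All"),
]
```

Running `evaluate(list(reversed(RULES)), pkt)` for a TCP 3689 packet to the laptop shows why the order matters: the catch-all Deny then matches first.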