Got a Linksys BEFSX41 Router/Firewall

Okay, I had a $50-off "Reward" card and an additional 15%-off coupon from Office Depot and I didn't really need anything. So... I bought a Linksys BEFSX41 Router/Firewall to play with on my 8-machine network at home (4 2003 servers, 4 XP workstations). I already have a "real" network firewall but I wanted to take a look at this Linksys for possible recommendation to home users with minimum needs.

Looking for some hints on config of this thing. From what I see, it is easy enough to block specific protocols and IPs, but how can I block "everything" (all TCP/UDP ports) and then specify only what I want to allow? Is there a way to do that on this Linksys?

Thanks,

-Frank

Reply to
Frankster

You can, not sure about the SX, enter IPs to be considered Private IPs; these won't be permitted outbound access. Same with Private Ports, ports that don't get outbound access.

The main reason to purchase these units is the dedicated IPSec tunnel ability for site-to-site VPN.

Reply to
Leythos

I think the SX may be different. This is the one advertised as a "Broadband Firewall Router". Near as I can tell, the "SX" is the designation showing the Firewall aspect. I cannot find the "Private" word anywhere in the config.

Yes, that is pretty cool. Two VPNs nonetheless.

I got a great deal, since the thing only cost me about $15 LOL.... Figured I'd learn something about low cost consumer "network firewalls". Hehe...

I am really talking about blocking inbound traffic. It does allow blocking ranges of ports. So... I would like to block TCP/UDP 1-65536, and then allow specific ports as an exception. Unfortunately, I cannot find any way to except ports. Or to make specific pass-through ports. That leaves me with having to block ranges, for instance, like: 1-19 (allow 20, 21,23 for ftp), then 24-24 (allow 25 for SMTP), then 26-52 (allow 53 for DNS), etc. The problem is, the unit does not allow enough fields to get all the way up to 65536 doing it this way.

Granted, maybe this unit is not designed to provide the capability to run a server behind it, but really, since it is advertised as a Firewall (yeah, I know, not certified) it would allow one to close all inbound and allow exceptions. Maybe it does, but I can't figure out how to do it. Hence, my post :-)

After re-reading my post, maybe what I could do is just block 1-65536 and then "forward" the desired ports, even if they are forwarded to the same port. Would that be the same as "allowing"?

I'm used to "rule based" firewalls.

-Frank

Reply to
Frankster

First thing to understand: none of the NAT devices in that category are "Firewalls"; they are simple NAT devices and use NAT as a means to filter INBOUND and OUTBOUND traffic. Some have a few nice features, but they are just routers.

You misunderstand NAT, all inbound is BLOCKED by default when it's not solicited. This means that nothing outside that was not first contacted by an internal node can reach the inside (in the way these devices implement NAT). So, it's already blocking all 65536 ports inbound.

So, you only need to port map the ports you want to allow inbound.

Again, NAT Routers, like the simple one you've purchased, only allow inbound in response to a request from an internal node, or when explicitly port-forwarded by your own doing in the tables.

Again, you don't have to block anything inbound, it's already part of how NAT works in these devices. You only have to block OUTBOUND. If you "WANT" to allow inbound, then you port map from the single PUBLIC IP to a single internal IP.

And these devices are not firewalls, they are routers that implement NAT.

Reply to
Leythos
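The behaviour Leythos describes, as an added model that is not code from the thread or from Linksys: a NAT gateway forwards inbound packets only when they are replies to a flow a LAN host opened or when the port is explicitly mapped, and drops everything else. The addresses are constructed, and the model makes the simplifying (hypothetical) assumption that the LAN source port is kept as the public port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

PUBLIC_IP = "203.0.113.10"   # constructed WAN address of the router

class NatGateway:
    """Inbound decision of a consumer NAT router as described in the thread:
    unsolicited inbound traffic is dropped; the only exceptions are replies to
    flows a LAN host opened, and ports explicitly mapped in the forwarding table.
    Simplification (hypothetical): the LAN source port is kept as the public port."""

    def __init__(self, forwards):
        # {(proto, public_port): (lan_ip, lan_port)} -- the port-mapping table
        self.forwards = dict(forwards)
        # {(proto, remote_ip, remote_port, public_port): lan_ip} -- tracked flows
        self.flows = {}

    def outbound(self, pkt):
        """A LAN host sends a packet out; remember the flow so its reply is recognised."""
        self.flows[(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)] = pkt.src_ip
        return ("forward", pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """A packet arrives on the WAN side addressed to PUBLIC_IP.
        Returns (verdict, lan_ip, lan_port)."""
        if pkt.dst_ip != PUBLIC_IP:
            return ("drop", None, None)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.flows:                        # reply to a solicited flow
            return ("forward", self.flows[key], pkt.dst_port)
        mapping = self.forwards.get((pkt.proto, pkt.dst_port))
        if mapping is not None:                      # explicitly port-forwarded
            return ("forward", mapping[0], mapping[1])
        return ("drop", None, None)                  # implicit deny-all for everything else

if __name__ == "__main__":
    gw = NatGateway({("tcp", 80): ("192.168.1.10", 80)})   # one LAN web server exposed
    gw.outbound(Packet("udp", "192.168.1.20", 50000, "198.51.100.5", 53))
    print(gw.inbound(Packet("udp", "198.51.100.5", 53, PUBLIC_IP, 50000)))   # DNS reply: forward
    print(gw.inbound(Packet("tcp", "198.51.100.7", 40000, PUBLIC_IP, 80)))   # mapped port: forward
    print(gw.inbound(Packet("tcp", "198.51.100.7", 40000, PUBLIC_IP, 25)))   # unsolicited: drop
```

The third case is the "block 1-65536" Frank was looking for: nothing needs configuring, because an inbound packet that matches neither a tracked flow nor a mapping has nowhere to go.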

Well, I know. I don't want to get into the "what's a real firewall" crap. This one does have some firewall features though... other than NAT.

Ah... okay. That works for me.

Gotcha.

Okay, that explains the "Blocked Services" fields. I am asked to identify which services/protocols I want to block (i.e. HTTP, HTTPS, SMTP, FTP, DNS, IMAP, SNMP, etc. - there are 12 of them). I guess that selection is to block outbound, although it didn't say inbound or outbound.

Gotcha. Although, in my case, it's from private to private (internal network). This unit works fine with the outside/inside interfaces both being private IPs... if you choose.

Again, no argument there. But I do believe this unit provides adequate protection for many home users. Better than the typical NAT device since it has stateful inspection. Just depends on the rest of the security picture (i.e. risk, cost, value of data, etc.)

-Frank

Reply to
Frankster

I used to use one of these. I've got to say though that this router, while a great piece of work, suffers terribly from crappy firmware releases. Ever since Linksys was purchased by Cisco their firmware releases have just gone to crap. Since you recently purchased it I'll bet it came with the 1.50.18 firmware. That firmware is known to have issues. If that is indeed the firmware you have loaded, try running a tracert and see if the router reboots. Also, if you try to set many of the special features you'll find the router will reboot or crap out as well. Most advanced SX41 users have determined the most favorable firmwares are either the 1.45.7 or 1.51.00, of which neither is available from Linksys as they are/were Beta releases. They, Linksys, are up to like 1.52.06 on the Beta releases now and still are having issues.

You can try this thread on DSLReports.com and read for yourself:

This is just one long thread, as there are many others. This thread will at least point you to where to get a more stable firmware for this router. From my experience, for light home users with little needs it is great. It simply blocks everything. The one thing I do not like is that it gets bogged down with too much P2P traffic, but just about any SOHO router will be affected by this as well.

Again, this is a great router. Some users have very few issues, as I did; however, I didn't use many special settings. Also, you might try asking this question in the Linksys forum at that link.

Reply to
Jbob

Yep, I have the firmware version you mentioned (April of '04 - the age surprised me). Thanks for all the hints. I'll look into it!

-Frank

Reply to
Frankster

I always recommend a NAT solution for home users, but not for businesses. So, we're on the same page.

Reply to
Leythos

I beg to differ on this point. I bought a BEFSX41 early in the production cycle & the firmware was crap long before Cisco made an offer to buy Linksys.

This was a router that could have set the home networking market on fire. The hardware capabilities are/were phenomenal for the time it was released. However, crummy firmware held it down and relegated the SX41 to a footnote in Linksys product history.

I think I still have mine lying around in a box somewhere....

Reply to
gray.wizard

Have not seen the conf panel myself, but all firewalls operate on Rules executed in a specific order. When one of them takes 'effect', the processing is 'executed'.

The LAST rule is usually something like: deny all to all, both in/outbound. The permit rules are placed ABOVE this and everything is fine.

Example: Windows uses a lot of ports on 127.0.0.1 for inter-process communications, so make it the first rule: allow from/to 127.0.0.1, all ports TCP+UDP. Similarly, your private LAN should be safe, so allow from/to 192.168.0.x, all ports TCP+UDP.

Now these three get you off to a 'safe start'.

Reply to
Jeff B
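Jeff B's ordered rule list, as an added example that is not code from the thread: a first-match evaluator over rules of the form (action, source network, destination network, protocol, destination ports), with the deny-all as the last rule. The web-server exception on 192.168.0.10 and the outside address are constructed; the rule tuple format is an assumption of this example, not the SX41's configuration syntax.

```python
import ipaddress

# A rule is (action, src_net, dst_net, proto, dst_ports); "any" is a wildcard for each field.
# dst_ports is "any" or a set/range of port numbers.

def _net_matches(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Walk the rules top-down; the first rule whose fields all match decides.
    Returns the matching rule's action, or "deny" if nothing matched at all."""
    for action, src_net, dst_net, rule_proto, ports in rules:
        if (_net_matches(src_net, src_ip) and _net_matches(dst_net, dst_ip)
                and rule_proto in ("any", proto)
                and (ports == "any" or dst_port in ports)):
            return action
    return "deny"

# Jeff B's "safe start": loopback and the private LAN allowed, one inbound exception
# (constructed: a LAN web server on 192.168.0.10), and deny-all as the LAST rule.
SAFE_START = [
    ("allow", "127.0.0.0/8", "127.0.0.0/8", "any", "any"),
    ("allow", "192.168.0.0/24", "192.168.0.0/24", "any", "any"),
    ("allow", "any", "192.168.0.10/32", "tcp", {80}),
    ("deny", "any", "any", "any", "any"),
]

# The same rules with deny-all moved to the TOP: under first-match semantics it shadows
# every allow below it, which is why the deny-all has to come last.
DENY_FIRST = [SAFE_START[-1]] + SAFE_START[:-1]

if __name__ == "__main__":
    print(evaluate(SAFE_START, "192.168.0.5", "192.168.0.9", "tcp", 445))   # allow (LAN to LAN)
    print(evaluate(SAFE_START, "203.0.113.4", "192.168.0.10", "tcp", 80))   # allow (exception)
    print(evaluate(SAFE_START, "203.0.113.4", "192.168.0.10", "tcp", 22))   # deny (last rule)
    print(evaluate(DENY_FIRST, "192.168.0.5", "192.168.0.9", "tcp", 445))   # deny (order matters)
```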

That would be true, but the home user units are not firewalls, they are NAT devices.

Many firewalls are not using flow-past/through rules, as an example, some of them allow you to have 10 HTTP rules, and the order doesn't matter, only the traffic and if the specific details apply.

In the case of the Linksys units, as well as most of the others, you can only block outbound to "destination" ports in some of them, and it's an all or nothing type setup.

Reply to
Leythos

I had a BFRS Linksys something and a Linksys WAG something. One had port forwarding issues, the other needed resetting often and I think had port forwarding issues. Both were new. Emailed a friend asking what makes he finds OK, mentioned the Linksys port forwarding issues to him; he said he has had the same prob with Linksys routers.

I am considering going back to getting a DLink, though most people say they are rubbish, my experience hasn't been too terrible.

At least Linksys will take back the broken router. I spent ages on tech support before they concluded that it was buggered. My friend experienced the same thing, with the same make (diff model obviously). Linksys is now on my shit list, even if it's on nobody else's!

Reply to
q_q_anonymous
