linksys wrt54g router seems to leak.

This can probably be considered a newbie kind of question.

I have a linksys wrt54g broadband router (firmware version 3.03.6). Right now, I have wireless disabled because I don't need it.

I have firewall protection enabled. My knowledge about this is limited, but my impression is that enabling the firewall prevents unsolicited internet traffic from getting past the router into my home network.

I also have McAfee Personal Firewall Plus (v 7.1) running on this PC. The firewall log tells me that McAfee is blocking occasional connection attempts.

----------------------------------------------------------------------

Here are some recent samples:

-- A computer at ichart1.finance.vip.re4.yahoo.com has attempted an unsolicited connection to TCP port 1862 on your computer. TCP port 1862 is commonly used by the "techra-server" service or program.

-- A computer at bs1b1.ads.vip.re2.yahoo.com has attempted an unsolicited connection to TCP port 1859 on your computer.

--A computer at dl00053.lunarpages.com has attempted an unsolicited connection to TCP port 1790 on your computer. TCP port 1790 is commonly used by the "Narrative Media Streaming Protocol" service or program.

--A computer at IP Address 64.95.25.214 has attempted an unsolicited connection to TCP port 2925 on your computer. TCP port 2925 is commonly used by the "Firewall Redundancy Protocol" service or program.

------------------------------------------

Some of these appear benign enough; I can't figure some of them out.

My question is how and why do they get through the hardware firewall?

I've tried to research this, but have yet to find the right place to look.

Reply to me directly or post to the group if you can and will offer an answer. If I should be asking some other group, let me know.

Thanks.

CJWertz

Good.

It's supposed to, yes.

Were you looking at yahoo finance at the time?

This doesn't look terribly good. :-\

For comparison, in my software firewall log, I see nothing but source IPs from my LAN, localhost, and hosts on the network to which I VPN (via software vpn client on my pc).

Turn your router over. What hardware version is it? v1/2/3/4/5?

Now, some older ones IIRC were simple packet filters where pushing some packets past them was relatively easy--doing something useful with them was harder though, complicated by the NAT issue. Later models implemented stateful packet inspection which improved things further. Now, are you using the default IP address range or did you reassign it? Has your router been hacked--if you log in to its admin interface, have hosts on your LAN perhaps been added to the DMZ (hence sitting right on the 'net)? There are vulnerabilities on those wrt54g boxes out there and if you've never updated the firmware, you might have been hit by the script kiddies. Cross site scripting attacks are also possible against the admin login interface, bypassing any security and allowing router access.

Best Regards,

Todd H.

You can also post to alt.internet.wireless, as there is some free 3rd-party firmware for the wrt54g that may have better FW capabilities.

Use Wallwatcher if you can (free) to watch the traffic to and from the router.

Mr. Arnold

Yes, I had been looking at Yahoo finance. This might somehow explain some of the log entries I see, but it only explains some of them.

I've been speculating that these connection attempts somehow reflect something that "hitchhikes" on a connection I make to some particular site, but I don't know enough to know if that can be.

I have v 3

The doc says this router does the stateful packet inspection.

I haven't reassigned any IP addresses. Should I be looking into this?

Nothing is in a dmz.

I do have remote administration disabled.

I guess I'd better look into updating the firmware.

I'm wondering if I should reset to all the defaults and start over making the changes I've made. Essentially, I did the things the "book" recommends: change password, change ssid, and so on; most of these affect wireless which I now have turned off.

I still wish I could understand this better.

CJWertz

It'd take some time for me to delve into, and someone more in a web programming realm would have a better answer, but depending on the page and such, it wouldn't be unusual for some ajax or an applet of some sort to be responsible for those connections and them being legitimately ignored by the hardware device.

Good--that router can run a full version of dd-wrt firmware if you choose to go that route.

Good.

There is malware and scripting code out on the web that will look for popular routers at their default address and attempt to exploit them. The WRT is very common. I'd consider at least changing the subnet range to something else within RFC 1918 private address space (10.x.x.x, 192.168.x.x, 172.16-31.x.x), and/or for bonus points moving it off the .1 host address. That is only an obscurity measure, though, but can be part of "defense in depth."

Good!

I don't have all the answers here for you either. It'd require more time and information than we have here to get to a root cause as to why these particular things got past the router and hit your desktop firewall.

It does make a great case in point to use against those who think desktop firewall software is "redundant if you have border protection."

Best Regards,

Todd H.
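
One way to triage log entries like the samples quoted in the question, added here as an example and not part of the original thread: parse each line, then mark whether the destination port is a client-side (dynamic) port and whether the source belongs to a site that was being browsed at the time. The 1025-5000 port range and the browsed-domain list are assumptions; the log lines are the ones from the question with the trailing service-name sentence dropped.

```python
import re

# Log lines from the question, shortened to the first sentence of each entry.
SAMPLES = [
    "A computer at ichart1.finance.vip.re4.yahoo.com has attempted an unsolicited connection to TCP port 1862 on your computer.",
    "A computer at bs1b1.ads.vip.re2.yahoo.com has attempted an unsolicited connection to TCP port 1859 on your computer.",
    "A computer at dl00053.lunarpages.com has attempted an unsolicited connection to TCP port 1790 on your computer.",
    "A computer at IP Address 64.95.25.214 has attempted an unsolicited connection to TCP port 2925 on your computer.",
]

LINE_RE = re.compile(
    r"A computer at (?:IP Address )?(?P<src>\S+) has attempted an unsolicited "
    r"connection to (?P<proto>TCP|UDP) port (?P<port>\d+) on your computer"
)

# Assumption: the PC picks outbound source ports from 1025-5000, the default
# dynamic range on Windows XP-era systems. Adjust for the OS in use.
DYNAMIC_PORTS = range(1025, 5001)
# Assumption: domains the user was browsing when the entries were logged.
BROWSED = ("yahoo.com",)


def parse(line):
    """Return source, protocol and port for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"].lower(), "proto": m["proto"], "port": int(m["port"])}


def triage(line, browsed=BROWSED, dynamic=DYNAMIC_PORTS):
    """Label an entry by port class and by whether the peer is a browsed site."""
    e = parse(line)
    if e is None:
        return None
    e["dynamic_port"] = e["port"] in dynamic
    e["browsed_site"] = any(e["src"] == d or e["src"].endswith("." + d) for d in browsed)
    if not e["dynamic_port"]:
        e["verdict"] = "service port: investigate"
    elif e["browsed_site"]:
        e["verdict"] = "client port, browsed site: compare with own outbound connections"
    else:
        e["verdict"] = "client port, unknown peer: identify the peer first"
    return e


def summarize(lines):
    """Triage every line that matches the log format; skip the rest."""
    return [t for t in (triage(l) for l in lines) if t is not None]


if __name__ == "__main__":
    for e in summarize(SAMPLES):
        print(f'{e["src"]:40} {e["proto"]}/{e["port"]:<5} {e["verdict"]}')
```
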

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.