firewall on RT-N16 using shibby

Discussion in 'Tomato Firmware' started by vjeko, Sep 18, 2013.

  1. vjeko

    vjeko Reformed Router Member

    I may have posted "newbie-firewall-on-rt-n16.69035" on the networking forum
    "by mistake" as it's more specific to setting up a firewall via tomato
    (well shibby tomato-K26USB-1.28.RT-MIPSR2-112-AIO.trx to be more precise).
    I'm a bit in the deep end as my linux knowledge is non existant and my networking
    knowledge is minimal.

    I've got the RT-N16 with shibby firmware behind a modem/router(as modem)
    and am not sure if I need to add any basic firewall rules etc. to have
    minimal level of security.

    The problem is I don't know exactly how to proceed - any pointers at all
    would be appreciated.
  2. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    The default firewall (active) and remote access settings (disabled) in Tomato are fine for most users as long as you don't download and run things that you shouldn't, such as apps from unknown sources. If you can't trust yourself or the users on your network then you may consider disabling UPnP and forwarding ports manually for devices and applications that need it.

    Is there a specific issue that you are trying to solve?
  3. vjeko

    vjeko Reformed Router Member

    Marcel, I guess I'm a bit overwhelmed by my lack of knowledge - on Windows I have
    an old Kerio software firewall and understand the basics and on the modem
    there used to be some firewall activation, but with Linux and
    the router settings I have, I'm not sure if this is covering the basics:
    Firewall-Respond to ICMP ping= OFF
    NAT Loopback = ALL
    NAT target = MASQUERADE
    Multicast-Enable IGMPproxy = OFF
    Enable Udpxy = OFF
    Remote access = OFF

    Is the best way to "dive" into the Linux/further networking to
    go through Linux Networking guides and setup some pc
    with a router/firewall distribution ?
  4. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    TBH most of the people in this forum have a lot more security knowledge than I do, but here's a good place to start:

    NAT loopback is the first issue. For now you can switch to loopback only on forwarded ports or possibly disable it. Take some time to read about netfilter, NAT, and loopback. Your other settings are fine for now.

    Firewall for personal use can be a set it and forget it process with "right" settings. If you are hosting websites or allowing remote access though, then it becomes a constant process of adjusting parameters, intrusion detection, monitoring breakage of applications, and other concerns. That's what you're paying for when you hire someone to host a website.

    Jumping right into a Linux or BSD firewall distribution might be a bit challenging. Start by understanding each feature in Tomato firewall first. Don't forget about port forwarding, DMZ, UPnP, remote access (eg SSH) etc... They're not in the firewall tab but they are highly relevant. The advanced stuff can wait until you've learned the basics.
  5. vjeko

    vjeko Reformed Router Member

    OK, thanks will follow your suggestions
  6. mstombs

    mstombs Network Guru Member

    Be careful, a nat router with packet filtering is NOT a replacement for a PC anti-virus and firewall. It may protect your network from unwanted probes from the internet, but does nothing to prevent malicious software being downloaded over secure links (email attachments etc), and then running and communicating out onto the internet. By default the router allows anything back-in that is related to established outgoing connections, and does nothing about communication between local machines.

    NAT loopback is not a security feature - it just allows you to access local servers from local machines using the WAN internet IP address.
    Marcel Tunks likes this.
  7. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Great points, but a question: I've read before that a compromised user/machine on the internal network could make use of the loopback interface to sniff packets and gather info to compromise the system's security (open ports, etc..), but these claims seem to come with no evidence and nobody seems to take the time to refute them.

    I guess we're making complementary statements here: router firewall does not mean network security. There are items in the Firewall configuration tab that are not strictly security features, but there are many configuration options on the router and client devices and user behavior issues that are not part of the firewall but are critical to network security.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice