Fun with firewalls

I’ve spent a good many hours trying to configure the firewall on my new ADSL router. This post, I admit, is not likely to win me any prizes for riveting content, but it might be very useful to a few people, especially given that the forum I’ve been contributing to is poorly indexed by Google. By the way, go up a directory from there and you get the only decent guide to configuring the Alcatel Speedtouch 510 firewall anywhere. Given that ADSL routers are fast heading towards the realm of consumer-level kit, this is pretty shocking, especially given the close-to-useless guide offered by the manufacturer (PDF). Anyway, on with the fun…

The Speedtouch 510 Firewall Guide starts by blocking all incoming and outgoing traffic and then opening ports for specific services. From the little I’ve read, this sounds like a generally accepted Good Thing To Do, although it’s probably more work. After following the guide and opening ports for POP/SMTP email, FTP, web and newsgroups, I found the rules to allow ping and NTP:

rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=echo-reply action=accept
rule create chain=forward index=0 srcintfgrp=lan prot=icmp icmptype=echo-request action=accept
rule create chain=forward index=0 srcintfgrp=wan prot=udp srcport=sntp action=accept
rule create chain=forward index=0 srcintfgrp=lan prot=udp dstport=sntp action=accept

I now wanted to allow access for AIM, ICQ and MSN Messenger. I found some resources (listed below) that said what some of those ports might be, e.g. 5190 for AIM. To cut a dull story short, I use Fire on Mac OS X for instant messaging and I just looked at what ports that used (as it kept locking up I had to read these from the preferences file at ~username/Library/Application Support/Fire/Accounts.plist). I ended up with these rules:

rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=1863 action=accept
rule create chain=forward index=1 srcintfgrp=lan prot=tcp dstport=1863 action=accept
rule create chain=forward index=2 srcintfgrp=wan prot=tcp srcport=9898 action=accept
rule create chain=forward index=3 srcintfgrp=lan prot=tcp dstport=9898 action=accept
rule create chain=forward index=4 srcintfgrp=wan prot=tcp srcport=5190 action=accept
rule create chain=forward index=5 srcintfgrp=lan prot=tcp dstport=5190 action=accept

I realised however that there are few hard and fast rules when it comes to ports for these things. 5190 is the standard AIM port, and the same for ICQ since AOL bought it. However, while the AIM-compatible iChat uses 5190, Fire defaults to 9898 for its AIM client.

I also wasn’t sure whether these would be TCP or UDP, as I’d read that AIM, for example, might use either (basically, TCP port 5190 is a different port from UDP port 5190). So I duplicated the rules above, replacing only prot=tcp with prot=udp. After a bit of messaging I then used the firewall rule stat command to see which rules had processed data. It turned out that none of the UDP rules had any traffic, so I deleted them.
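As an added illustration (not from the post or from the router’s firmware), here is a small Python model of the rule syntax above: it parses the rule create lines, applies the index insertion order, and shows why the guide’s deny-by-default chain drops an inbound ICMP time-exceeded reply (which traceroute needs, as Michel’s comment below notes) until a rule for it is added. It assumes that index=N inserts at position N, that the first matching rule wins, and that the router’s sntp service name means UDP port 123.

```python
import shlex

SERVICE_PORTS = {"sntp": "123"}  # assumption: the router's 'sntp' name means UDP 123
MATCH_KEYS = ("srcintfgrp", "prot", "srcport", "dstport", "icmptype")

def parse_rule(line):
    """Parse one 'rule create key=value ...' line into a dict of fields."""
    rule = dict(tok.split("=", 1) for tok in shlex.split(line)[2:])
    for key in ("srcport", "dstport"):  # service names -> port numbers
        if key in rule:
            rule[key] = SERVICE_PORTS.get(rule[key], rule[key])
    return rule

def build_chain(lines):
    """'index=N' inserts at position N, so index=0 puts a rule at the head."""
    chain = []
    for rule in map(parse_rule, lines):
        chain.insert(int(rule.pop("index")), rule)
    return chain

def evaluate(chain, pkt):
    """First matching rule decides; anything unmatched is dropped (deny by default)."""
    for rule in chain:
        if all(k not in rule or pkt.get(k) == rule[k] for k in MATCH_KEYS):
            return rule["action"]
    return "drop"

POST_RULES = """\
rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=echo-reply action=accept
rule create chain=forward index=0 srcintfgrp=lan prot=icmp icmptype=echo-request action=accept
rule create chain=forward index=0 srcintfgrp=wan prot=udp srcport=sntp action=accept
rule create chain=forward index=0 srcintfgrp=lan prot=udp dstport=sntp action=accept
rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=1863 action=accept
rule create chain=forward index=1 srcintfgrp=lan prot=tcp dstport=1863 action=accept
rule create chain=forward index=2 srcintfgrp=wan prot=tcp srcport=9898 action=accept
rule create chain=forward index=3 srcintfgrp=lan prot=tcp dstport=9898 action=accept
rule create chain=forward index=4 srcintfgrp=wan prot=tcp srcport=5190 action=accept
rule create chain=forward index=5 srcintfgrp=lan prot=tcp dstport=5190 action=accept
""".splitlines()
TRACEROUTE_RULE = "rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=time-exceeded action=accept"  # Michel's rule from the comments

def check(extra_rules=()):
    """Verdicts for a few constructed packets against the post's chain (+ extras)."""
    chain = build_chain(POST_RULES + list(extra_rules))
    packets = {
        "ttl_exceeded_in": {"srcintfgrp": "wan", "prot": "icmp", "icmptype": "time-exceeded"},
        "msn_tcp_out":     {"srcintfgrp": "lan", "prot": "tcp", "dstport": "1863"},
        "msn_udp_in":      {"srcintfgrp": "wan", "prot": "udp", "srcport": "1863"},
        "ntp_reply_in":    {"srcintfgrp": "wan", "prot": "udp", "srcport": "123"},
    }
    return {name: evaluate(chain, pkt) for name, pkt in packets.items()}
```

Running check() against the post’s rules drops the time-exceeded packet, and check([TRACEROUTE_RULE]) accepts it, which is exactly the gap Michel describes.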

Here are some resources I’ve found useful:

I hope that helps someone. I’ve still no idea how to allow traceroute through though…

Comments

  • thanks for this phil! i have the ST570 and found the manual opaque. haven’t been able to get the fw to let anything through, so still no kazaa for me.

  • I must admit, that after someone posted on the forum I mentioned that the default firewall set-up should be OK for simple single-machine systems, I did revert back to the default settings when I was having problems with some application connecting to the outside world…

  • To allow traceroutes you not only have to allow outbound echo-requests and inbound echo-replies, you also have to allow inbound ICMP:Time Exceeded for a Datagram.

    The firewall you will need to add will then have to be something like this (by icmp type name):

    rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=time-exceeded action=accept

    or (by icmp type number)

    rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=11 action=accept

    I say have to be ‘cause I have not tested this myself.

    Anyway, I hope this helps you with the traceroutes.

    Greetz,
    Michel Sijmons

  • Thanks for this Michel! I resorted to the default settings in the end, as they seemed to work for most things, but I think they still don’t allow traceroute, so I’ll give this a try at some point…

  • Hi Phil,

    Allowing Inbound ICMP: Time Exceeded for a Datagram,
    did it do any good?

    I just did a search on moi and found this unresolved, so I just wondered, have you tested this, and does it do any good? (It should!)

    Kreetingz,
    Michel Sijmons

  • I don’t think I ever got round to trying it (I don’t need to traceroute very often!).

    The last fun I had was trying to get iChat AV working, although I’m not sure if the reason connections failed was because of the firewall or not. I think I’ve given up on understanding the blasted thing :(

  • hi ,
    can you help me to enable ping to my wan ip from outside that i get from the isp. i’ve tried with the above settings but still no luck.

    also i want to telnet to the modem from outside.

    i would appreciate your help.

  • Sorry to bother you all - but you seem to know exactly what you are doing (and I don’t)…

    Am I correct in thinking that adjusting individual ports in the 510 firewall will NOT affect the rest of the 510 default firewall settings?

    Or will everything have to be re-set if I start configuring manually?

    Thank you,

    beaty

  • I tried to get “the only decent guide…” but i only see “forbidden….”

    Why???

  • Hello
    Thanks for the tips
    I configured my speedtouch 510 as needed, but i can’t get any smtp traffic (regular port 25)
    Any suggestions ?

  • I found some info on how to configure the Speedtouch 510 for iChat on this page:
    http://kindeboerderij.opurk.nl/reacties.php?commentaar=1178&onderwerp=

  • The link mentioned for ‘The Speedtouch 510 Firewall Guide’ (http://www.sdharris.com/speedtouch510/)
    produces a ‘Forbidden’ page (http://www.sdharris.com:81/.cobalt/error/forbidden.html).
    Does anybody know another resource for this famous guide?

  • Bugger, that was invaluable… let’s hope it’s a temporary glitch…

  • Can anyone send a pdf with the page…
    it would be really useful, since it’s forbidden

  • Yes, I’d like to get hold of a copy of that too.

    If anyone manages to get hold of it and is feeling extra helpful, could they please email it to me at coding_monkey at hotmail dot com? Thanks.

  • Please anyone send me copy of that webpage.. I’m desperate with SpeedTouch 510 firewall settings..

  • hi everyone, may anyone help me on this case plz :

    I have an ftp server on port 6000 behind speedtouch 510
    I configured forwarding of this port to my server
    but I can’t access this server from the internet

    I downloaded a cli guide but I can’t configure it

    any one plz help me with the right firewall rule

  • Hey guys, check this out:
    http://www.alcateldsl.com/pdf/stprowf_guide.pdf

    it’s got all you need

  • That looks very useful, thanks Walied! Nice to have an introduction to all this stuff.

  • Well, although the sdharris guide isn’t there any more, you can still read it by visiting http://web.archive.org/web/20040213191208/www.sdharris.com/speedtouch510/

    Good luck!

    Daryl