Phil Gyford


Thursday 14 November 2002

Fun with firewalls

I’ve spent more than several hours attempting to configure the firewall on my new ADSL router. This post, I admit, is not likely to win me any prizes for riveting content, but it might be very useful to a few people. Especially given that the forum I’ve been contributing to is poorly indexed by Google. By the way, go up a directory from there and you get the only decent guide to configuring the Alcatel Speedtouch 510 firewall anywhere. Given that ADSL routers are fast heading towards the realm of consumer-level kit, this is pretty shocking, especially given the close-to-useless guide offered by the manufacturer (PDF). Anyway, on with the fun…

The Speedtouch 510 Firewall Guide starts by blocking all incoming and outgoing traffic and then opening ports only for specific services. From the little I’ve read, this default-deny approach sounds like a generally accepted Good Thing To Do, although it’s probably more work. After following the guide and opening ports for POP/SMTP email, FTP, web and newsgroups, I found the rules that allow ping and NTP:

rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=echo-reply action=accept
rule create chain=forward index=0 srcintfgrp=lan prot=icmp icmptype=echo-request action=accept
rule create chain=forward index=0 srcintfgrp=wan prot=udp srcport=sntp action=accept
rule create chain=forward index=0 srcintfgrp=lan prot=udp dstport=sntp action=accept

I now wanted to allow access for AIM, ICQ and MSN Messenger. I found some resources (listed below) that said what some of those ports might be, e.g. 5190 for AIM. To cut a dull story short, I use Fire on Mac OS X for instant messaging and I just looked at what ports that used (as it kept locking up I had to read these from the preferences file at ~username/Library/Application Support/Fire/Accounts.plist). I ended up with these rules:

rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=1863 action=accept
rule create chain=forward index=1 srcintfgrp=lan prot=tcp dstport=1863 action=accept
rule create chain=forward index=2 srcintfgrp=wan prot=tcp srcport=9898 action=accept
rule create chain=forward index=3 srcintfgrp=lan prot=tcp dstport=9898 action=accept
rule create chain=forward index=4 srcintfgrp=wan prot=tcp srcport=5190 action=accept
rule create chain=forward index=5 srcintfgrp=lan prot=tcp dstport=5190 action=accept

I realised however that there are few hard and fast rules when it comes to ports for these things. 5190 is the standard AIM port, and the same for ICQ since AOL bought it. However, while the AIM-compatible iChat uses 5190, Fire defaults to 9898 for its AIM client.

I also wasn’t sure whether these would be TCP or UDP, as I’d read that AIM, for example, might use either (TCP port 5190 and UDP port 5190 are separate ports, so a prot=tcp rule does nothing for UDP traffic). So I duplicated the rules given above, replacing only prot=tcp with prot=udp. After a bit of messaging I then used the firewall rule stat command to see which rules had processed any data. It turned out that none of the UDP rules had seen any traffic, so I deleted them.

Here are some resources I’ve found useful:

I hope that helps someone. I’ve still no idea how to allow traceroute through though…

Comments

thanks for this phil! i have the ST570 and found the manual opaque. haven't been able to get the fw to let anything through, so still no kazaa for me.

Posted by azeem on 17 November 2002, 9:42 pm

I must admit, that after someone posted on the forum I mentioned that the default firewall set-up should be OK for simple single-machine systems, I did revert back to the default settings when I was having problems with some application connecting to the outside world...

Posted by Phil Gyford on 17 November 2002, 9:50 pm

To allow traceroutes you not only have to allow outbound echo-requests and inbound echo-replies, you also have to allow inbound ICMP: Time Exceeded for a Datagram.

The firewall rule you will need to add will then have to be something like this (by icmp type name):

rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=time-exceeded action=accept

or (by icmp type number)

rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=11 action=accept

I say have to be 'cause I have not tested this myself.

Anyway, I hope this helps you with the traceroutes.

Greetz,
Michel Sijmons

Posted by Michel Sijmons on 10 February 2003, 9:36 pm
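As an added illustration (written for this page, not code from the post, the router's firmware or any Alcatel tool), here is a small Python model of the forward chain as the post's rules and Michel's traceroute rule describe it: a default-deny list, consulted top to bottom, first match wins, with a per-rule hit counter standing in for the post's "firewall rule stat" command. The rule lines are copied from the page; the Packet records, the ICMP type and service name tables, and the reading of index=N as "insert at position N" are assumptions made here.

```python
"""Model of the Speedtouch 510 'forward' chain as this page describes it:
a default-deny rule list consulted top to bottom, first match wins.
Added example for this page, not the router's firmware or an Alcatel tool.
Rule lines are copied from the page; packet records, hit counters and the
'index = insertion position' reading are assumptions made here."""

from dataclasses import dataclass
from typing import Optional

# Symbolic names the page's rules use, resolved to the standard numbers.
ICMP_TYPES = {"echo-reply": 0, "echo-request": 8, "time-exceeded": 11}
SERVICE_PORTS = {"sntp": 123}


@dataclass
class Packet:
    srcintfgrp: str                # "wan" or "lan": the side it arrived from
    prot: str                      # "tcp", "udp" or "icmp"
    srcport: Optional[int] = None
    dstport: Optional[int] = None
    icmptype: Optional[int] = None


@dataclass
class Rule:
    srcintfgrp: str
    prot: str
    action: str                    # "accept" or "drop"
    srcport: Optional[int] = None
    dstport: Optional[int] = None
    icmptype: Optional[int] = None
    hits: int = 0                  # stands in for "firewall rule stat"

    def matches(self, pkt):
        """Every field the rule sets must equal the packet's; unset = wildcard."""
        for name in ("srcintfgrp", "prot", "srcport", "dstport", "icmptype"):
            want = getattr(self, name)
            if want is not None and want != getattr(pkt, name):
                return False
        return True


def _value(name, raw):
    # Resolve an ICMP type or service name; otherwise take the number as given.
    table = ICMP_TYPES if name == "icmptype" else SERVICE_PORTS
    return table[raw] if raw in table else int(raw)


class ForwardChain:
    def __init__(self):
        self.rules = []

    def create(self, line):
        """Parse one 'rule create chain=forward index=N key=value ...' line."""
        tokens = line.split()
        if tokens[:3] != ["rule", "create", "chain=forward"]:
            raise ValueError("not a forward-chain rule: " + line)
        kv = dict(tok.split("=", 1) for tok in tokens[3:])
        fields = {k: kv[k] for k in ("srcintfgrp", "prot", "action")}
        for k in ("srcport", "dstport", "icmptype"):
            if k in kv:
                fields[k] = _value(k, kv[k])
        # Assumption: index=N inserts at position N, so index=0 goes on top.
        self.rules.insert(int(kv["index"]), Rule(**fields))

    def evaluate(self, pkt):
        """First matching rule decides; no match means the default drop."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action
        return "drop"

    def stat(self):
        """Hit count per rule, in chain order."""
        return [r.hits for r in self.rules]

    def prune_unused(self, prot=None):
        """Delete rules that never matched (optionally only one protocol's),
        as the post did with its UDP twins. Returns how many were removed."""
        keep = [r for r in self.rules
                if r.hits > 0 or (prot is not None and r.prot != prot)]
        removed = len(self.rules) - len(keep)
        self.rules = keep
        return removed


def build_post_chain(with_traceroute=False):
    """The post's ping, NTP and AIM (5190) rules, plus Michel's on request."""
    chain = ForwardChain()
    for line in [
        "rule create chain=forward index=0 srcintfgrp=wan prot=icmp icmptype=echo-reply action=accept",
        "rule create chain=forward index=0 srcintfgrp=lan prot=icmp icmptype=echo-request action=accept",
        "rule create chain=forward index=0 srcintfgrp=wan prot=udp srcport=sntp action=accept",
        "rule create chain=forward index=0 srcintfgrp=lan prot=udp dstport=sntp action=accept",
        "rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=5190 action=accept",
        "rule create chain=forward index=1 srcintfgrp=lan prot=tcp dstport=5190 action=accept",
    ]:
        chain.create(line)
    if with_traceroute:
        chain.create("rule create chain=forward index=0 srcintfgrp=wan "
                     "prot=icmp icmptype=time-exceeded action=accept")
    return chain


if __name__ == "__main__":
    # Traceroute's inbound time-exceeded replies: dropped until Michel's rule is added.
    print(build_post_chain().evaluate(Packet("wan", "icmp", icmptype=11)))      # drop
    print(build_post_chain(True).evaluate(Packet("wan", "icmp", icmptype=11)))  # accept
```

Running it shows why traceroute fails with the post's rules alone: the inbound time-exceeded packets match nothing and fall through to the default drop, and it shows that the TCP and UDP rules for 5190 are independent, since a prot=tcp rule never matches a UDP packet. It also makes the limit of the guide's stateless port-pair approach visible: the wan-side rule accepts any inbound TCP packet whose source port is 5190, whether or not a LAN host started that conversation.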

Thanks for this Michel! I resorted to the default settings in the end, as they seemed to work for most things, but I think they still don't allow traceroute, so I'll give this a try at some point...

Posted by Phil Gyford on 11 February 2003, 12:14 pm

Hi Phil,

Allowing Inbound ICMP: Time Exceeded for a Datagram,
did it do any good?

I just did a search on moi and found this unresolved, so I just wondered have you tested this, and does it do any good? (It should!)

Kreetingz,
Michel Sijmons

Posted by Michel Sijmons on 22 August 2003, 12:17 am

I don't think I ever got round to trying it (I don't need to traceroute very often!).

The last fun I had was trying to get iChat AV working, although I'm not sure if the reason connections failed was because of the firewall or not. I think I've given up on understanding the blasted thing :(

Posted by Phil Gyford on 22 August 2003, 12:28 am

hi ,
can you help me to enable ping to my wan ip from outside that i get from the isp. i've tried with the above settings but still no luck.

also i want to telnet to the modem from outside.

i would appreciate your help.

Posted by MILTON on 15 November 2003, 8:48 am

Sorry to bother you all - but you seem to know exactly what you are doing (and I don't)...

Am I correct in thinking that adjusting individual ports in the 510 firewall will NOT affect the rest of the 510 default firewall settings?

Or will everything have to be re-set if I start configuring manually?

Thank you,

beaty

Posted by beaty on 17 December 2003, 4:46 pm

I tried to get "the only decent guide..." but i only see "forbidden...."

Why???

Posted by Jon on 29 October 2004, 9:39 pm

Hello
Thanks for the tips
I configured my speedtouch 510 as needed, but i can't get any smtp traffic (regular port 25)
Any suggestions ?

Posted by gon on 19 March 2005, 9:22 pm

I found some info on how to configure the Speedtouch 510 for iChat on this page:
http://kindeboerderij.opurk.nl/reacties.php?commentaar=1178&onderwerp=

Posted by Mats on 16 September 2005, 10:17 pm

The link mentioned for 'The Speedtouch 510 Firewall Guide' (http://www.sdharris.com/speedtouch510/)
produces a 'Forbidden' page (http://www.sdharris.com:81/.cobalt/error/forbidden.html).
Does anybody know another resource for this famous guide?

Posted by Oscar E. Bosje on 22 September 2005, 1:18 pm

Bugger, that was invaluable... let's hope it's a temporary glitch...

Posted by Phil Gyford on 22 September 2005, 5:48 pm

Can anyone send a pdf with the page...
it would be really useful, since it's forbidden

Posted by PsycoMen on 24 October 2005, 7:41 pm

Yes, I'd like to get hold of a copy of that too.

If anyone manages to get hold of it and is feeling extra helpful, could they please email it to me at coding_monkey at hotmail dot com? Thanks.

Posted by cm on 10 November 2005, 9:25 pm

Please anyone send me copy of that webpage.. I'm desperate with SpeedTouch 510 firewall settings..

Posted by MaJaLeS on 8 December 2005, 4:33 pm

hi everyone, may anyone help me on this case plz:

I have a ftp server on port 6000 behind speedtouch 510
I configure forwarding to this port to my server
but I can't access this server from the internet

I download a cli guide but I can't configure it

anyone plz help me with the right firewall rule

Posted by GTI on 3 April 2006, 10:35 pm

Hey guys, check this out:
www.alcateldsl.com/pdf…

it's got all you need

Posted by Walied Youssry on 29 June 2006, 1:28 am

That looks very useful, thanks Walied! Nice to have an introduction to all this stuff.

Posted by Phil Gyford on 29 June 2006, 8:19 am

Well, although the sdharris guide isn't there any more, you can still read it by visiting web.archive.org/web/20…

Good luck!

Daryl

Posted by Daryl on 22 July 2006, 6:30 pm
