CopperJet 820 Firewall

From Exterior Memory
This article was written in January 2006, and last updated in May 2009. My CopperJet broke down, and I no longer own this device. This article is no longer updated, and may be outdated.

CopperJet Firewall Configuration

There is no extensive manual on how to configure the CopperJet 820 ADSL modem, but a good starting point is http://www2.internl.net/servicedesk/beveiliging/CJT-Firewall/index.it

The Security level option is never explained. Changing it replaces the current firewall policies with a standard set of rules, and any rules you defined yourself are lost. The recommended course of action is therefore to set the security level once and never touch it again, and to make all further changes by editing the firewall policy by hand.

This is how I configured my firewall:

security enable
security add interface ethernet-0 internal
security add interface ppp-0 external
firewall set IDS MaxPING 100
firewall set IDS MaxICMP 200
firewall set IDS victimprotection enable
firewall enable IDS
firewall add policy wantolan external-internal blockonly-val
firewall enable

This policy blocks all ports by default and applies to all IP addresses. The command firewall add portfilter opens individual ports or protocols; the command firewall add validator blocks a specific IP address completely, overriding the portfilters.

Example configuration

Note: the first matching rule is applied, so rules defined earlier take precedence over the catch-all rules defined last. Confusingly, the web interface lists the rules in reverse order, with the last defined rule at the top. The catch-all rules for ports 1024-65535 are therefore defined last but shown first.

This is an example firewall which allows some ports and protocols:

firewall clear portfilters wantolan

firewall add portfilter icmp       wantolan protocol  1 both
firewall add portfilter ipv6to4    wantolan protocol 41 both
firewall add portfilter gre-pptp   wantolan protocol 47 both
firewall add portfilter ftp        wantolan tcp   21   21 outbound
firewall add portfilter ssh        wantolan tcp   22   22 both
firewall add portfilter dns        wantolan udp   53   53 both
firewall add portfilter http       wantolan tcp   80   80 both
firewall add portfilter ntp        wantolan udp  123  123 both
firewall add portfilter imap       wantolan tcp  143  143 both
firewall add portfilter https      wantolan tcp  443  443 both
firewall add portfilter smtps      wantolan tcp  465  465 both
firewall add portfilter smtp       wantolan tcp  587  587 both
firewall add portfilter imaps      wantolan tcp  993  993 both
firewall add portfilter openvpn    wantolan udp 1194 1194 both
firewall add portfilter msn        wantolan tcp 1863 1863 both
firewall add portfilter aim        wantolan tcp 5190 5190 both
firewall add portfilter msn-file   wantolan tcp 6891 6900 both
firewall add portfilter tcp-out    wantolan tcp 1024 65535 outbound
firewall add portfilter udp-out    wantolan udp 1024 65535 outbound

firewall list portfilters wantolan

sys config save

Note: I deliberately left port 25 (SMTP) closed. Mail clients should submit mail on port 587 (submission) instead.
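To check a ruleset like the one above before saving it, it helps to model how the device evaluates it. The following is an added example written for this page, not CopperJet firmware or code from the original article. It assumes that a blockonly validator is consulted before any portfilter, that portfilters are matched in definition order with the first match winning, that "both" covers inbound and outbound traffic, and that anything unmatched falls through to the policy's block-by-default. The blocked address 192.0.2.10 and the sample packets are constructed; the validator command syntax itself is not modelled. The lint function flags two things a practitioner wants to know about such a list: TCP/UDP ranges wider than a handful of ports that are reachable from the outside (a mistyped end port turns a single service into hundreds of open ports), and rules that an earlier rule covers entirely and which can therefore never fire.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# The portfilter set from this page, pasted verbatim; lines that are not
# 'firewall add portfilter' commands are ignored by the parser.
RULESET = """
firewall clear portfilters wantolan
firewall add portfilter icmp       wantolan protocol  1 both
firewall add portfilter ipv6to4    wantolan protocol 41 both
firewall add portfilter gre-pptp   wantolan protocol 47 both
firewall add portfilter ftp        wantolan tcp   21   21 outbound
firewall add portfilter ssh        wantolan tcp   22   22 both
firewall add portfilter dns        wantolan udp   53   53 both
firewall add portfilter http       wantolan tcp   80   80 both
firewall add portfilter ntp        wantolan udp  123  123 both
firewall add portfilter imap       wantolan tcp  143  143 both
firewall add portfilter https      wantolan tcp  443  443 both
firewall add portfilter smtps      wantolan tcp  465  465 both
firewall add portfilter smtp       wantolan tcp  587  587 both
firewall add portfilter imaps      wantolan tcp  993  993 both
firewall add portfilter openvpn    wantolan udp 1194 1194 both
firewall add portfilter msn        wantolan tcp 1863 1863 both
firewall add portfilter aim        wantolan tcp 5190 5190 both
firewall add portfilter msn-file   wantolan tcp 6891 6900 both
firewall add portfilter tcp-out    wantolan tcp 1024 65535 outbound
firewall add portfilter udp-out    wantolan udp 1024 65535 outbound
firewall list portfilters wantolan
"""

# Constructed address standing in for a 'firewall add validator' entry
# (assumption: the validator is checked before any portfilter).
BLOCKED_HOSTS = {"192.0.2.10"}


@dataclass(frozen=True)
class PortFilter:
    name: str
    proto: str       # "tcp", "udp", or an IP protocol number as a string
    low: int         # first destination port (0 for non-TCP/UDP protocols)
    high: int        # last destination port (65535 for non-TCP/UDP protocols)
    direction: str   # "inbound", "outbound" or "both"


def parse_ruleset(text):
    """Parse 'firewall add portfilter ...' lines, keeping definition order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] != ["firewall", "add", "portfilter"]:
            continue
        name = parts[3]                 # parts[4] is the policy name (wantolan)
        if parts[5] == "protocol":      # e.g. 'protocol 47 both'
            rules.append(PortFilter(name, parts[6], 0, 65535, parts[7]))
        else:                           # e.g. 'tcp 22 22 both'
            rules.append(PortFilter(name, parts[5], int(parts[6]), int(parts[7]), parts[8]))
    return rules


def evaluate(rules, src, proto, port, direction, blocked=BLOCKED_HOSTS):
    """Return (verdict, reason) for one packet: validator first, then the
    portfilters in definition order (first match wins), then the blockonly
    default. 'proto' is "tcp"/"udp" with a port, or a protocol number string."""
    if str(ip_address(src)) in blocked:
        return "block", "validator"
    for r in rules:
        if r.proto != proto:
            continue
        if r.direction not in ("both", direction):
            continue
        if proto in ("tcp", "udp") and not (r.low <= port <= r.high):
            continue
        return "allow", r.name
    return "block", "default"


def lint(rules, max_span=16):
    """Flag wide TCP/UDP ranges that are not outbound-only, and rules fully
    covered by an earlier rule (with first-match semantics they never fire)."""
    findings = []
    for i, r in enumerate(rules):
        if r.proto in ("tcp", "udp") and r.high - r.low >= max_span and r.direction != "outbound":
            findings.append(f"{r.name}: wide range {r.low}-{r.high} open to inbound traffic")
        for earlier in rules[:i]:
            if (earlier.proto == r.proto
                    and earlier.low <= r.low and r.high <= earlier.high
                    and earlier.direction in ("both", r.direction)):
                findings.append(f"{r.name}: shadowed by {earlier.name}")
                break
    return findings


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for pkt in [("198.51.100.7", "tcp", 22, "inbound"),     # ssh, allowed both ways
                ("198.51.100.7", "tcp", 25, "outbound"),    # no rule for 25: blocked
                ("198.51.100.7", "tcp", 8080, "outbound"),  # caught by tcp-out
                ("198.51.100.7", "tcp", 8080, "inbound"),   # tcp-out is outbound only
                ("192.0.2.10", "tcp", 22, "inbound")]:      # validator wins over ssh
        print(pkt, "->", evaluate(rules, *pkt))
    print("lint:", lint(rules))
```

Running the lint over a copy of the list in which the OpenVPN line is mistyped as "udp 1194 1994 both" reports a wide range open to inbound traffic, which is exactly the kind of slip that is hard to spot in the web interface's reversed listing.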

See also Well known ports and Config:Firewall