Speedstream SE565 Firewall

From Exterior Memory
This article was written in May 2009, and last updated in January 2010. This article is no longer updated, and may be outdated.

I have a Siemens Gigaset SE565 dsl. This is an ADSL modem which is also known under the name SpeedStream SE565 series "Residential ADSL2+ Gateway". What's in a name.

Webinterface

The webinterface is crappy. It attempts to add security by deep packet inspection, log-in junk which doesn't make sense, etc. In short, a regular home-use device. Thankfully you can turn most options off.

Password

Apparently this device does have trouble with special characters in passwords. For example, if you try to put a dash (-) in a password, you get a message "invalid password", without explanation why it was invalid.

If you are locked out, you may reset the device (it has a factory reset button on the back). The default network settings for the Gigaset modem are: IP Address:192.168.254.254 with subnet mask:255.255.255.0. The first time you connect to it, it should give you a wizard where you can set the password of the admin account.

Firewall

I recommend you configure the firewall in two steps:

  • Configure the firewall using the webinterface
  • Optionally automatically read the log file to monitor the results

XSH telnet

It is possible to telnet to the device. Telnet is considered insecure (it sends everything, including the password, in the clear), but it is only possible to reach it from the internal network, not from the external network.

If you like to script things, use the telnet interface, along with some expect scripts.

Reading the rules

show ipfw rules does the trick:

xsh> show ipfw rules                                                 
  No.    SI/F  I/F   Dir Access Prot Source IP/Netmask Port-spec     Destination IP/Netmask    Port-spec Flags 
 -----  ----- -----  --- ------ ---- ----------------- ---------     ------------------------- --------- -----
[ 2202]   any   any   in   deny  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2204]   any   any   in permit  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  ES
[ 2206]   any   any   in   deny  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2222]   any   any   in permit ICMP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255  any       E
[ 2224]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    23  E
[ 2226]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    21  D

The layout is crappy; it does not contain line breaks, but it is doable to parse it anyway. The output also contains the state of current connections. I will ignore those for now.

Observe that not all rules are enabled. This is shown in the Flags column: E means enabled, D means disabled, see below.

Flags:

Flag  Meaning
E     Enabled
D     Disabled
S     Inspect packets matching this rule only if they arrived on a LAN source interface.
P     Protected. These rules are hard-coded and can not be altered or removed.
R     Reserved. (meaning unknown)
N     NAT rule
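To script the two steps above (read the rules from the telnet session, then decode the Flags column), here is an added Python example; it is not code from this page or from Siemens. It assumes you have already captured the text of show ipfw rules into a string (for example with an expect script) and parses that text; the sample below is the rule table shown above, embedded as a constant. Lines that do not start with a [number] (the header, the separator line, and the connection-state lines) are skipped.

```python
import re

# Constructed sample: the 'show ipfw rules' output shown on this page, verbatim.
SAMPLE_RULES = """\
xsh> show ipfw rules
  No.    SI/F  I/F   Dir Access Prot Source IP/Netmask Port-spec     Destination IP/Netmask    Port-spec Flags
 -----  ----- -----  --- ------ ---- ----------------- ---------     ------------------------- --------- -----
[ 2202]   any   any   in   deny  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2204]   any   any   in permit  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  ES
[ 2206]   any   any   in   deny  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2222]   any   any   in permit ICMP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255  any       E
[ 2224]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    23  E
[ 2226]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    21  D
"""

# Meaning of each letter in the Flags column, taken from the flag table above.
FLAG_MEANINGS = {
    "E": "enabled",
    "D": "disabled",
    "S": "only inspected when arriving on a LAN source interface",
    "P": "protected (hard-coded, cannot be altered or removed)",
    "R": "reserved",
    "N": "NAT rule",
}

# A rule line starts with the rule number in square brackets, e.g. "[ 2202]".
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*\S)\s*$")


def parse_rule_line(line):
    """Parse one rule line into a dict, or return None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tokens = m.group(2).split()
    # Columns are whitespace separated; the port spec may be several tokens ("=", "53").
    if len(tokens) < 8 or "->" not in tokens:
        return None
    sif, dif, direction, access, proto = tokens[:5]
    if direction not in ("in", "out") or access not in ("permit", "deny"):
        return None
    rest = tokens[5:]
    arrow = rest.index("->")
    src, dst = rest[:arrow], rest[arrow + 1:]
    src_ip, src_mask = src[0].split("/", 1)
    dst_ip, dst_mask = dst[0].split("/", 1)
    flags = dst[-1]  # last token of the line is the Flags column
    return {
        "number": int(m.group(1)),
        "src_if": sif, "dst_if": dif, "dir": direction, "access": access, "proto": proto,
        "src_ip": src_ip, "src_mask": src_mask, "src_port": " ".join(src[1:]),
        "dst_ip": dst_ip, "dst_mask": dst_mask, "dst_port": " ".join(dst[1:-1]),
        "flags": flags,
        "enabled": "E" in flags and "D" not in flags,
        "lan_only": "S" in flags,
        "protected": "P" in flags,
    }


def parse_ipfw_rules(text):
    """Parse the whole captured 'show ipfw rules' output."""
    rules = []
    for line in text.splitlines():
        rule = parse_rule_line(line)
        if rule:
            rules.append(rule)
    return rules


def describe_flags(flags):
    """Expand a flag string such as 'ES' into its meanings; unknown letters are reported as such."""
    return [FLAG_MEANINGS.get(f, f"unknown flag {f}") for f in flags]


def enabled_rules(rules):
    return [r for r in rules if r["enabled"]]


def rules_to_port(rules, port):
    """Rule numbers whose destination port spec is exactly '= <port>'."""
    return [r["number"] for r in rules if r["dst_port"] == f"= {port}"]


if __name__ == "__main__":
    for r in parse_ipfw_rules(SAMPLE_RULES):
        print(r["number"], r["access"], r["proto"], r["dst_port"], describe_flags(r["flags"]))
```

With the flags decoded, rule 2204 reads as "permit UDP to port 53 of the modem, but only for packets that arrived on a LAN interface", which is the information the one-letter Flags column hides.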


Setting the rules

You can set and query the existing configuration using the cfg command:

xsh> cfg ipfw
ipfw
    dip = 0.0.0.0
    dtim = 0
    dmac = 00:00:00:00:00:00
    den = n   [y,n]
    en = n   [y,n]
    dhrl = n
    lev = cust   [off,int1,int2,low,med,high,cust,icsa]
    rule#[0..255]
        rn = 21
        lev = off   [off,low,med,high,cust,icsa,all]
        sif = "any"
        dif = "any"
        dir = out   [in,out]
        acc = per   [per,deny]
        prot = 256
        sip = 0.0.0.0
        smsk = 0.0.0.0
        sop = none   [none,lt,eq,gt,rng]
        spo1 = 0
        spo2 = 0
        dip = 0.0.0.0
        dmsk = 0.0.0.0
        dop = none   [none,lt,eq,gt,rng]
        dpo1 = 0
        dpo2 = 0
        icmp = 0
        dis = n
        hid = n
        ptct = y
        log = n
        sl = n
        ts = n
        ls = n

You can also query a specific entry:

xsh> cfg ipfw{lev
    lev = cust   [off,int1,int2,low,med,high,cust,icsa]

or set a specific entry:

xsh> cfg ipfw{lev=cust

After you have set the rules, you still need to save them. It seems that the changes only become effective after a reboot, so you must reboot as well:

xsh> cfg save
xsh> do reboot

Interpreting the Rules in the Telnet Interface

Now, you will wonder where all the individual rules are. For example, above we saw rules 2202, 2204, 2206, etc. Here, there is only one rule, "rn = 21". What's this?

It turns out that you have to explicitly ask for each rule:

xsh> cfg ipfw{rule#93
rule#93
    rn = 2202
    lev = cust   [off,low,med,high,cust,icsa,all]
    sif = "any"
    dif = "any"
    dir = in   [in,out]
    acc = deny   [per,deny]
    prot = 6
    sip = 0.0.0.0
    smsk = 0.0.0.0
    sop = none   [none,lt,eq,gt,rng]
    spo1 = 0
    spo2 = 0
    dip = 127.0.0.1
    dmsk = 255.255.255.255
    dop = eq   [none,lt,eq,gt,rng]
    dpo1 = 53
    dpo2 = 0
    icmp = 0
    dis = n
    hid = n
    ptct = n
    log = n
    sl = n
    ts = n
    ls = n

So there can only be 256 rule entries (rule#0 to rule#255), and rule entry #93 happens to contain rule number 2202. There does not seem to be a good way to know where a certain rule number is stored, and the webinterface will automatically sort the rules, so the location may change as you add, delete or modify rules. Rule entry #0, shown by default, contains rule number 21.

show ipfw rules only shows rules for the active level. So if the level is set to "cust" (custom), it will not show rules for the "med" level. On the other hand, show ipfw rules does show the hard-coded "protected" rules (2222, 2224 and 2226), which are not shown by cfg ipfw.

While the webinterface is arguably even worse in design than the telnet interface, I still recommend that you use the webinterface to set rules, since settings made in the telnet interface are not immediately in effect, as they are in the webinterface. Also, setting the firewall using the telnet interface brings the risk of locking yourself out: just adding a rule "don't allow traffic to the modem" turns your ADSL modem into a nice expensive brick.

The table gives the meaning of each parameter in the telnet interface:

Field  Meaning                             Allowed values
rule#  rule entry number                   0..255
rn     rule number                         0..99999
lev    valid for level                     off,low,med,high,cust,icsa,all
sif    source interface                    any, lo0, br0, en0, en1, en2, en3, oa0
dif    destination interface               any, lo0, br0, en0, en1, en2, en3, oa0
dir    direction of traffic                in,out
acc    accept (permit/deny)                per,deny
prot   protocol                            0..256 (256 means "any protocol")
sip    source IP                           IPv4 address (e.g. 192.0.2.113)
smsk   source IP mask                      IPv4 netmask (e.g. 255.255.255.0)
sop    source port comparison              none,lt,eq,gt,rng
spo1   source port                         0..65535
spo2   source port 2 (for ranges)          0..65535
dip    destination IP                      IPv4 address (e.g. 192.0.2.113)
dmsk   destination IP mask                 IPv4 netmask (e.g. 255.255.255.0)
dop    destination port comparison         none,lt,eq,gt,rng
dpo1   destination port                    0..65535
dpo2   destination port 2 (for ranges)     0..65535
icmp   ICMP type                           0..32767 (bit mask of 15 possible ICMP types; the bit order is not the same as the ICMP type value)
dis    disabled                            y/n
hid    hidden                              y/n
ptct   protected                           y/n
log    log matching packets                y/n
sl     stateless                           y/n
ts     check TCP SYN packets               y/n
ls     only match packets from LAN         y/n
--     protected (protected rules are never shown in the telnet interface!)   n
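The rule#93 listing above and the parameter table are two views of the same rule. As an added Python example (not code from this page or from Siemens), the script below parses a cfg ipfw{rule#N listing into a dict, renders it in the one-line style of show ipfw rules using the table's semantics (prot 6 is TCP, dop=eq with dpo1=53 is "= 53", 256 is "any protocol"), and runs the lock-out sanity check the previous paragraph warns about before you cfg save. The modem addresses 127.0.0.1 and 192.168.254.254 come from this page; treating 23 (telnet) and 80 (webinterface) as the management ports, and the rendering of lt/gt/rng port specs, are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the 'cfg ipfw{rule#93' listing from this page, verbatim.
SAMPLE_ENTRY = """\
xsh> cfg ipfw{rule#93
rule#93
    rn = 2202
    lev = cust   [off,low,med,high,cust,icsa,all]
    sif = "any"
    dif = "any"
    dir = in   [in,out]
    acc = deny   [per,deny]
    prot = 6
    sip = 0.0.0.0
    smsk = 0.0.0.0
    sop = none   [none,lt,eq,gt,rng]
    spo1 = 0
    spo2 = 0
    dip = 127.0.0.1
    dmsk = 255.255.255.255
    dop = eq   [none,lt,eq,gt,rng]
    dpo1 = 53
    dpo2 = 0
    icmp = 0
    dis = n
    hid = n
    ptct = n
    log = n
    sl = n
    ts = n
    ls = n
"""

HEADER_RE = re.compile(r"^rule#(\d+)$")
# key = value; the value is quoted or a bare token, optionally followed by an [allowed values] hint
FIELD_RE = re.compile(r'^\s*(\w+)\s*=\s*("[^"]*"|\S+)(?:\s+\[[^\]]*\])?\s*$')
BOOL_FIELDS = {"dis", "hid", "ptct", "log", "sl", "ts", "ls"}
# IANA protocol numbers; 256 is the device's own "any protocol" value (see the parameter table)
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 256: "any"}


def parse_cfg_entry(text):
    """Turn one 'cfg ipfw{rule#N' listing into a dict; the [allowed values] hints are dropped."""
    entry = {}
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            entry["entry"] = int(header.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # the xsh> prompt line, or anything else that is not a field
        key, raw = m.group(1), m.group(2).strip('"')
        if key in BOOL_FIELDS:
            entry[key] = raw == "y"
        elif raw.isdigit():
            entry[key] = int(raw)
        else:
            entry[key] = raw
    return entry


def port_spec(op, p1, p2):
    """Render a sop/dop comparison. '= 53' is how show ipfw rules prints eq; the rest is this example's choice."""
    return {"none": "any", "lt": f"< {p1}", "eq": f"= {p1}", "gt": f"> {p1}", "rng": f"{p1}..{p2}"}[op]


def port_matches(op, p1, p2, port):
    """Does a concrete port satisfy the comparison? 'none' matches every port."""
    return {"none": True, "lt": port < p1, "eq": port == p1, "gt": port > p1, "rng": p1 <= port <= p2}[op]


def describe_rule(e):
    """One line in the style of 'show ipfw rules' (E or D from dis, P appended when ptct is set)."""
    flags = ("D" if e["dis"] else "E") + ("P" if e["ptct"] else "")
    return (f'[{e["rn"]}] {e["sif"]} {e["dif"]} {e["dir"]} '
            f'{"permit" if e["acc"] == "per" else "deny"} {PROTOCOL_NAMES.get(e["prot"], str(e["prot"]))} '
            f'{e["sip"]}/{e["smsk"]} {port_spec(e["sop"], e["spo1"], e["spo2"])} -> '
            f'{e["dip"]}/{e["dmsk"]} {port_spec(e["dop"], e["dpo1"], e["dpo2"])} {flags}')


def would_lock_out(e, modem_ips=("127.0.0.1", "192.168.254.254"), admin_ports=(23, 80)):
    """Conservative check before 'cfg save': does this enabled rule deny inbound TCP (or any
    protocol) to the modem itself on a management port? Assumes 23/80 are the management ports."""
    if e["acc"] != "deny" or e["dir"] != "in" or e["dis"] or e["prot"] not in (6, 256):
        return False
    dst = ipaddress.ip_network(f'{e["dip"]}/{e["dmsk"]}', strict=False)
    hits_modem = any(ipaddress.ip_address(ip) in dst for ip in modem_ips)
    hits_admin = any(port_matches(e["dop"], e["dpo1"], e["dpo2"], p) for p in admin_ports)
    return hits_modem and hits_admin


if __name__ == "__main__":
    rule = parse_cfg_entry(SAMPLE_ENTRY)
    print(describe_rule(rule))
    print("lock-out risk:", would_lock_out(rule))
```

For the sample, the rendered line matches the 2202 line of show ipfw rules, and the check is negative because the rule only covers port 53; change dop to none (deny every port to the modem) and it turns positive, which is exactly the "expensive brick" case.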

Reading the log files

One of the nice things about the Speedstream is that you can decide to log certain firewall triggers. I have not extensively tried this, but it could be useful to log traffic for some catch-all rule for traffic going out, so you know something in your network is doing something strange.

  • log authorized, but uncommon traffic
  • log unauthorized, and uncommon traffic

You can use either show ipfw log or show sys log to show the firewall log entries. The sys log also contains other log entries.

xsh> show ipfw log
2009-05-03 12:52:45 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27148  DF=1 MF=0  byte-off=0
2009-05-03 12:52:46 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27149  DF=1 MF=0  byte-off=0
2009-05-03 12:52:48 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080  len=192  id=27150  DF=0 MF=0  byte-off=0
2009-05-03 16:47:47 GMT E |Firewall      |P:15:3001 ICMP(11) 10.51.26.254:2816 -> 192.0.2.72:45040  len=56  id=0  DF=0 MF=0  byte-off=0
2009-05-03 22:08:59 GMT E |Firewall      |P:15:3001 ICMP(3) 172.19.228.194:771 -> 192.0.2.69:52795  len=68  id=899  DF=0 MF=0  byte-off=0
2009-05-04 03:26:37 GMT E |Firewall      |P:15:3001 ICMP(8) 192.168.18.172:2048 -> 192.0.2.73:31373  len=44  id=0  DF=1 MF=0  byte-off=0
xsh> show sys log
Current System Time:  2009-05-03 13:21:23 GMT
Current    GMT Time:  2009-05-03 13:21:23
0000-00-00 00:00:01     E |System        |Current Mode: Bridge-Router
0000-00-00 00:00:01     E |DSL           |Boost DSP
0000-00-00 00:00:03     E |Ethernet      |Link 1 Up - 100Base-TX Full Duplex
0000-00-00 00:00:03     E |Ethernet      |Link 2 Up - 100Base-TX Full Duplex
0000-00-00 00:00:23     E |DSL           |Link up 1 US 1023 DS 7996 (INTL:ADSL2)
0000-00-00 00:00:25     E |PPP           |LCP neg PAP
0000-00-00 00:00:25     E |PPP           |LCP up
0000-00-00 00:00:32     E |Administration|Telnet server connect from 10.36.30.2
0000-00-00 00:00:37     E |Administration|User <admin> authenticated [1]
2009-05-03 12:52:43 GMT E |SNTP Client   |Updated system time from Primary server 192.0.2.12
2009-05-03 12:52:45 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27148  DF=1 MF=0  byte-off=0
2009-05-03 12:52:46 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27149  DF=1 MF=0  byte-off=0
2009-05-03 12:52:48 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080  len=192  id=27150  DF=0 MF=0  byte-off=0
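For the "automatically read the log file" step from the Firewall section, here is an added Python example (not code from this page or from Siemens) that parses captured show sys log output: it keeps every timestamped line (including the 0000-00-00 ones logged before the clock was set via SNTP), breaks the Firewall lines into their fields, and flags TCP/UDP traffic to destination ports outside an allow-list. The page does not decode the D:19:0 / P:15:3001 prefix, so the parser keeps it as three opaque fields (tag, n1, n2) that you can group by; the sample is built from the log lines above.

```python
import re
from collections import Counter

# Constructed sample: the 'show ipfw log' lines from this page plus three other lines
# from 'show sys log' (one without a GMT marker, logged before the clock was set).
SAMPLE_LOG = """\
Current System Time:  2009-05-03 13:21:23 GMT
0000-00-00 00:00:32     E |Administration|Telnet server connect from 10.36.30.2
2009-05-03 12:52:43 GMT E |SNTP Client   |Updated system time from Primary server 192.0.2.12
2009-05-03 12:52:45 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27148  DF=1 MF=0  byte-off=0
2009-05-03 12:52:46 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27149  DF=1 MF=0  byte-off=0
2009-05-03 12:52:48 GMT E |Firewall      |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080  len=192  id=27150  DF=0 MF=0  byte-off=0
2009-05-03 16:47:47 GMT E |Firewall      |P:15:3001 ICMP(11) 10.51.26.254:2816 -> 192.0.2.72:45040  len=56  id=0  DF=0 MF=0  byte-off=0
2009-05-03 22:08:59 GMT E |Firewall      |P:15:3001 ICMP(3) 172.19.228.194:771 -> 192.0.2.69:52795  len=68  id=899  DF=0 MF=0  byte-off=0
2009-05-04 03:26:37 GMT E |Firewall      |P:15:3001 ICMP(8) 192.168.18.172:2048 -> 192.0.2.73:31373  len=44  id=0  DF=1 MF=0  byte-off=0
"""

# timestamp, optional "GMT", one-letter severity, |facility|, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: GMT)?\s+(?P<sev>\S)\s+"
    r"\|(?P<facility>[^|]*)\|(?P<msg>.*)$"
)
# The X:n:n prefix is not decoded on this page; it is captured as opaque fields.
FW_RE = re.compile(
    r"^(?P<tag>[A-Z]):(?P<n1>\d+):(?P<n2>\d+)\s+(?P<proto>[A-Z]+)(?:\((?P<icmp_type>\d+)\))?\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*(?P<kv>.*)$"
)


def parse_log(text):
    """Every timestamped line, whatever the facility."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "severity": m["sev"],
                            "facility": m["facility"].strip(), "msg": m["msg"].strip()})
    return entries


def firewall_entries(text):
    """Only the Firewall lines, with the packet fields broken out into typed values."""
    out = []
    for e in parse_log(text):
        if e["facility"] != "Firewall":
            continue
        m = FW_RE.match(e["msg"])
        if not m:
            continue
        # trailing key=value pairs: len, id, DF, MF, byte-off
        kv = {k: int(v) for k, v in re.findall(r"(\S+)=(\d+)", m["kv"])}
        out.append({
            "ts": e["ts"], "tag": m["tag"], "n1": int(m["n1"]), "n2": int(m["n2"]),
            "proto": m["proto"], "icmp_type": int(m["icmp_type"]) if m["icmp_type"] else None,
            "src": m["src"], "src_port": int(m["sport"]),
            "dst": m["dst"], "dst_port": int(m["dport"]),
            **kv,
        })
    return out


def count_by_tag(entries):
    """How many entries carry each (undecoded) prefix letter."""
    return Counter(e["tag"] for e in entries)


def unexpected_destinations(entries, expected_ports):
    """TCP/UDP entries to ports outside the allow-list: the 'is something on my
    network doing something strange' question from the text."""
    return [e for e in entries if e["proto"] in ("TCP", "UDP") and e["dst_port"] not in expected_ports]


if __name__ == "__main__":
    fw = firewall_entries(SAMPLE_LOG)
    print(count_by_tag(fw))
    for e in unexpected_destinations(fw, {80, 443}):
        print(e["ts"], e["proto"], f'{e["src"]}:{e["src_port"]} -> {e["dst"]}:{e["dst_port"]}')
```

On the sample this reports the single connection to port 8080 as unexpected; ICMP entries are left out of that check because their "port" columns are not ports. Feed it the output of a periodic show sys log capture and you have the monitoring step without the webinterface.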

I have not yet analysed the meaning of the entries in the log file. In particular I do not yet know which traffic was allowed and what was dropped.

I have not determined the meaning of each property in the rule entry.

See also Well known ports and Config:Firewall