Speedstream SE565 Firewall
I have a Siemens Gigaset SE565 DSL. This is an ADSL modem which is also known under the name SpeedStream SE565 series "Residential ADSL2+ Gateway". What's in a name.
Webinterface
The webinterface is crappy. It attempts to add security by deep packet inspection, log-in junk which doesn't make sense, etc. In short, a regular home-use device. Thankfully you can turn most options off.
Password
Apparently this device does have trouble with special characters in passwords. For example, if you try to put a dash (-) in a password, you get a message "invalid password", without explanation why it was invalid.
If you are locked out, you may reset the device (it has a factory reset button on the back). The default network settings for the Gigaset modem are IP address 192.168.254.254 with subnet mask 255.255.255.0. The first time you connect to it, it should give you a wizard where you can set the password of the admin account.
Firewall
I recommend you configure the firewall in two steps:
- Configure the firewall using the webinterface
- Optionally automatically read the log file to monitor the results
XSH telnet
It is possible to telnet to the device. Telnet is considered insecure, but it is only possible to reach it from the internal network, not from the external network.
If you like to script things, use the telnet interface, along with some expect scripts.
Reading the rules
`show ipfw rules` does the trick:

```text
xsh> show ipfw rules
  No.   SI/F  I/F   Dir Access Prot Source IP/Netmask Port-spec Destination IP/Netmask    Port-spec Flags
-----   ----- ----- --- ------ ---- ----------------- --------- ------------------------- --------- -----
[ 2202] any   any   in  deny   TCP  0.0.0.0/0.0.0.0   any    -> 127.0.0.1/255.255.255.255 = 53      E
[ 2204] any   any   in  permit UDP  0.0.0.0/0.0.0.0   any    -> 127.0.0.1/255.255.255.255 = 53      ES
[ 2206] any   any   in  deny   UDP  0.0.0.0/0.0.0.0   any    -> 127.0.0.1/255.255.255.255 = 53      E
[ 2222] any   any   in  permit ICMP 0.0.0.0/0.0.0.0   any    -> 127.0.0.1/255.255.255.255 any       E
[ 2224] any   any   in  permit TCP  0.0.0.0/0.0.0.0   any    -> 127.0.0.1/255.255.255.255 = 23      E
[ 2226] any   any   in  permit TCP  0.0.0.0/0.0.0.0   any    -> 127.0.0.1/255.255.255.255 = 21      D
```
The layout is crappy; it does not contain line breaks, but it is doable to parse it anyway. The output also contains the state of current connections. I will ignore those for now.
Observe that not all rules are enabled. This is shown in the Flags column: E means enabled, D means disabled, see below.
Flags:
Flag | Meaning |
---|---|
E | Enabled |
D | Disabled |
S | Inspect packets matching this rule only if they arrived on a LAN source interface. |
P | Protected. These rules are hard-coded and can not be altered or removed. |
R | Reserved. ? |
N | NAT rule |
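As an added example (not code from the original page), here is a small Python parser for the `show ipfw rules` output as captured above. It matches on the `[ nnnn]` rule markers, so it works whether or not the line breaks survived the capture, and it reports which rules are present but not enabled using the flag table above. The sample input is the rule list from above, embedded as a constructed string; connection-state lines (which carry no `[ nnnn]` marker) are simply skipped.

```python
import re
from dataclasses import dataclass

# Flag letters as documented in the flag table on this page.
FLAG_MEANING = {
    "E": "enabled",
    "D": "disabled",
    "S": "LAN source interface only",
    "P": "protected (hard-coded)",
    "R": "reserved",
    "N": "NAT rule",
}

# Constructed sample: the 'show ipfw rules' output from this page, captured
# without line breaks (the form the page complains about).
SAMPLE = (
    "xsh> show ipfw rules No. SI/F I/F Dir Access Prot Source IP/Netmask Port-spec "
    "Destination IP/Netmask Port-spec Flags ----- ----- ----- --- ------ ---- "
    "----------------- --------- ------------------------- --------- ----- "
    "[ 2202] any any in deny TCP 0.0.0.0/0.0.0.0 any -> 127.0.0.1/255.255.255.255 = 53 E "
    "[ 2204] any any in permit UDP 0.0.0.0/0.0.0.0 any -> 127.0.0.1/255.255.255.255 = 53 ES "
    "[ 2206] any any in deny UDP 0.0.0.0/0.0.0.0 any -> 127.0.0.1/255.255.255.255 = 53 E "
    "[ 2222] any any in permit ICMP 0.0.0.0/0.0.0.0 any -> 127.0.0.1/255.255.255.255 any E "
    "[ 2224] any any in permit TCP 0.0.0.0/0.0.0.0 any -> 127.0.0.1/255.255.255.255 = 23 E "
    "[ 2226] any any in permit TCP 0.0.0.0/0.0.0.0 any -> 127.0.0.1/255.255.255.255 = 21 D"
)


@dataclass
class Rule:
    number: int
    sif: str
    dif: str
    direction: str
    access: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str

    @property
    def enabled(self) -> bool:
        # E marks an enabled rule, D a disabled one (flag table above).
        return "E" in self.flags and "D" not in self.flags


# One regex per rule, anchored on the '[ nnnn]' marker. Port specs seen on
# the page are 'any' or '= <port>'; '<' and '>' are accepted as an assumption.
_RULE_RE = re.compile(
    r"\[\s*(?P<number>\d+)\]\s+"
    r"(?P<sif>\S+)\s+(?P<dif>\S+)\s+"
    r"(?P<dir>in|out)\s+(?P<acc>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>any|[=<>]\s*\d+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>any|[=<>]\s*\d+)\s+"
    r"(?P<flags>[EDSPRN]+)(?=\s|$)"
)


def parse_rules(output: str) -> list[Rule]:
    """Extract every rule from 'show ipfw rules' output, with or without line breaks."""
    rules = []
    for m in _RULE_RE.finditer(output):
        rules.append(Rule(
            number=int(m["number"]), sif=m["sif"], dif=m["dif"],
            direction=m["dir"], access=m["acc"], proto=m["proto"],
            src=m["src"], sport=m["sport"].replace(" ", ""),
            dst=m["dst"], dport=m["dport"].replace(" ", ""),
            flags=m["flags"],
        ))
    return rules


def describe_flags(flags: str) -> list[str]:
    """Translate a flag string such as 'ES' using the flag table."""
    return [FLAG_MEANING.get(f, f"unknown flag {f}") for f in flags]


def not_enabled(rules: list[Rule]) -> list[int]:
    """Rule numbers that are listed but not in effect (useful when auditing the rule set)."""
    return [r.number for r in rules if not r.enabled]


if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        print(r.number, r.access, r.proto, r.dport, describe_flags(r.flags))
    print("not enabled:", not_enabled(parse_rules(SAMPLE)))
```

Running it lists the six rules and reports rule 2226 as the only one not in effect; feeding it the same text with line breaks restored gives identical results.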
Setting the rules
You can set and query the existing configuration using the `cfg` command:

```text
xsh> cfg ipfw
ipfw
  dip = 0.0.0.0
  dtim = 0
  dmac = 00:00:00:00:00:00
  den = n [y,n]
  en = n [y,n]
  dhrl = n
  lev = cust [off,int1,int2,low,med,high,cust,icsa]
  rule#[0..255]
    rn = 21
    lev = off [off,low,med,high,cust,icsa,all]
    sif = "any"
    dif = "any"
    dir = out [in,out]
    acc = per [per,deny]
    prot = 256
    sip = 0.0.0.0
    smsk = 0.0.0.0
    sop = none [none,lt,eq,gt,rng]
    spo1 = 0
    spo2 = 0
    dip = 0.0.0.0
    dmsk = 0.0.0.0
    dop = none [none,lt,eq,gt,rng]
    dpo1 = 0
    dpo2 = 0
    icmp = 0
    dis = n
    hid = n
    ptct = y
    log = n
    sl = n
    ts = n
    ls = n
```
You can also query a specific entry:

```text
xsh> cfg ipfw{lev
lev = cust [off,int1,int2,low,med,high,cust,icsa]
```
or set a specific entry:

```text
xsh> cfg ipfw{lev=cust
```
After you have set the rules, you still need to save them. It seems that the changes only take effect after a reboot, so you must reboot as well:

```text
xsh> cfg save
xsh> do reboot
```
Interpreting the Rules in Telnet Interface
Now, you will wonder where all the individual rules are. For example, above we saw rules 2202, 2204, 2206, etc. Here, there is only one rule entry, "rn = 21". What's this?
It turns out that you have to explicitly ask for each rule:
```text
xsh> cfg ipfw{rule#93
rule#93
  rn = 2202
  lev = cust [off,low,med,high,cust,icsa,all]
  sif = "any"
  dif = "any"
  dir = in [in,out]
  acc = deny [per,deny]
  prot = 6
  sip = 0.0.0.0
  smsk = 0.0.0.0
  sop = none [none,lt,eq,gt,rng]
  spo1 = 0
  spo2 = 0
  dip = 127.0.0.1
  dmsk = 255.255.255.255
  dop = eq [none,lt,eq,gt,rng]
  dpo1 = 53
  dpo2 = 0
  icmp = 0
  dis = n
  hid = n
  ptct = n
  log = n
  sl = n
  ts = n
  ls = n
```
So there can only be 256 rule entries (rule#0 to rule#255), and rule entry #93 happens to contain rule number 2202. There does not seem to be a good way to know where a certain rule number is stored, and the webinterface automatically sorts the rules, so the location may change as you add, delete or modify rules. Rule entry #0, shown by default, contains rule number 21.
`show ipfw rules` only shows rules for the active level. So if the level is set to "custom", it will not show rules for the "med" level. On the other hand, `show ipfw rules` does show the hard-coded "protected" rules (2222, 2224 and 2226), which are not shown by `cfg ipfw`.
While the webinterface is arguably an even worse design than the telnet interface, I still recommend that you use the webinterface to set rules, since settings made in the telnet interface are not immediately in effect, like they are in the webinterface. Also, setting the firewall using the telnet interface brings the risk of locking yourself out: just adding a rule "don't allow traffic to the modem" turns your ADSL modem into a nice expensive brick.
The following table gives the meaning of each parameter in the telnet interface:
Field | Meaning | Allowed Values |
---|---|---|
rule# | rule entry number | 0..255 |
rn | rule number | 0..99999 |
lev | valid for level | off,low,med,high,cust,icsa,all |
sif | source interface | any, lo0, br0, en0, en1, en2, en3, oa0 |
dif | destination interface | any, lo0, br0, en0, en1, en2, en3, oa0 |
dir | direction of traffic | in,out |
acc | accept (permit/deny) | per,deny |
prot | protocol | 0..256 (256 means "any protocol") |
sip | source IP | IPv4 address (e.g. 192.0.2.113) |
smsk | source IP mask | IPv4 netmask (e.g. 255.255.255.0) |
sop | source port comparison | none,lt,eq,gt,rng |
spo1 | source port | 0..65535 |
spo2 | source port 2 (for ranges) | 0..65535 |
dip | destination IP | IPv4 address (e.g. 192.0.2.113) |
dmsk | destination IP mask | IPv4 netmask (e.g. 255.255.255.0) |
dop | destination port comparison | none,lt,eq,gt,rng |
dpo1 | destination port | 0..65535 |
dpo2 | destination port 2 (for ranges) | 0..65535 |
icmp | ICMP type | 0..32767 (bit mask of 15 possible ICMP types. The bit order is not the same as the ICMP type value.) |
dis | disabled | y/n |
hid | hidden | y/n |
ptct | protected | y/n |
log | log matching packets | y/n |
sl | stateless | y/n |
ts | Check TCP syn packets | y/n |
ls | only match packets from LAN | y/n |
-- | protected (protected rules are never shown in the telnet interface!) | n |
Reading the log files
One of the nice things about the Speedstream is that you can decide to log certain firewall triggers. I have not extensively tried this, but it could be useful to log traffic for some catch-all rule for traffic going out, so you know something in your network is doing something strange.
- log authorized, but uncommon traffic
- log unauthorized, and uncommon traffic
You can use either `show ipfw log` or `show sys log` to show the firewall log entries. The sys log also shows other log entries.

```text
xsh> show ipfw log
2009-05-03 12:52:45 GMT E |Firewall |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80 len=192 id=27148 DF=1 MF=0 byte-off=0
2009-05-03 12:52:46 GMT E |Firewall |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80 len=192 id=27149 DF=1 MF=0 byte-off=0
2009-05-03 12:52:48 GMT E |Firewall |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080 len=192 id=27150 DF=0 MF=0 byte-off=0
2009-05-03 16:47:47 GMT E |Firewall |P:15:3001 ICMP(11) 10.51.26.254:2816 -> 192.0.2.72:45040 len=56 id=0 DF=0 MF=0 byte-off=0
2009-05-03 22:08:59 GMT E |Firewall |P:15:3001 ICMP(3) 172.19.228.194:771 -> 192.0.2.69:52795 len=68 id=899 DF=0 MF=0 byte-off=0
2009-05-04 03:26:37 GMT E |Firewall |P:15:3001 ICMP(8) 192.168.18.172:2048 -> 192.0.2.73:31373 len=44 id=0 DF=1 MF=0 byte-off=0
```

```text
xsh> show sys log
Current System Time: 2009-05-03 13:21:23 GMT
Current GMT Time: 2009-05-03 13:21:23
0000-00-00 00:00:01 E |System |Current Mode: Bridge-Router
0000-00-00 00:00:01 E |DSL |Boost DSP
0000-00-00 00:00:03 E |Ethernet |Link 1 Up - 100Base-TX Full Duplex
0000-00-00 00:00:03 E |Ethernet |Link 2 Up - 100Base-TX Full Duplex
0000-00-00 00:00:23 E |DSL |Link up 1 US 1023 DS 7996 (INTL:ADSL2)
0000-00-00 00:00:25 E |PPP |LCP neg PAP
0000-00-00 00:00:25 E |PPP |LCP up
0000-00-00 00:00:32 E |Administration|Telnet server connect from 10.36.30.2
0000-00-00 00:00:37 E |Administration|User <admin> authenticated [1]
2009-05-03 12:52:43 GMT E |SNTP Client |Updated system time from Primary server 192.0.2.12
2009-05-03 12:52:45 GMT E |Firewall |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80 len=192 id=27148 DF=1 MF=0 byte-off=0
2009-05-03 12:52:46 GMT E |Firewall |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80 len=192 id=27149 DF=1 MF=0 byte-off=0
2009-05-03 12:52:48 GMT E |Firewall |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080 len=192 id=27150 DF=0 MF=0 byte-off=0
```
I have not yet analysed the meaning of the entries in the log file. In particular I do not yet know which traffic was allowed and what was dropped.
I have not determined the meaning of each property in the rule entry.
See also Well known ports and Config:Firewall