CopperJet 820 Firewall

CopperJet Firewall Configuration
There is no extensive manual on how to configure the CopperJet 820 ADSL modem, but a good starting point is http://www2.internl.net/servicedesk/beveiliging/CJT-Firewall/index.it

The Security level option is never explained. Changing it replaces the current firewall policies with a standard set of rules, and any previously defined rules are lost. The recommended course of action is therefore to set the security level once and never touch it again; afterwards, change the firewall policy manually.

This is how I configured my firewall:

security enable
security add interface ethernet-0 internal
security add interface ppp-0 external
firewall set IDS MaxPING 100
firewall set IDS MaxICMP 200
firewall set IDS victimprotection enable
firewall enable IDS
firewall add policy wantolan external-internal blockonly-val
firewall enable

This policy blocks all ports by default and applies its rules to all IP addresses. The command firewall add portfilter allows you to open ports. In addition, the command firewall add validator allows you to completely block a certain IP address, overriding the portfilters.

Example configuration
Note: the first matching rule is applied, so rules defined earlier take precedence over the catch-all rules defined last. Confusingly, the web interface shows the last defined rule on top, so the catch-all rule for ports 1024-65535 is defined last but shown first.

This is an example firewall which allows some ports and protocols:

firewall clear portfilters wantolan
firewall add portfilter icmp      wantolan protocol  1 both
firewall add portfilter ipv6to4   wantolan protocol 41 both
firewall add portfilter gre-pptp  wantolan protocol 47 both
firewall add portfilter ftp       wantolan tcp   21   21 outbound
firewall add portfilter ssh       wantolan tcp   22   22 both
firewall add portfilter dns       wantolan udp   53   53 both
firewall add portfilter http      wantolan tcp   80   80 both
firewall add portfilter ntp       wantolan udp  123  123 both
firewall add portfilter imap      wantolan tcp  143  143 both
firewall add portfilter https     wantolan tcp  443  443 both
firewall add portfilter smtps     wantolan tcp  465  465 both
firewall add portfilter smtp      wantolan tcp  587  587 both
firewall add portfilter imaps     wantolan tcp  993  993 both
firewall add portfilter openvpn   wantolan udp 1194 1994 both
firewall add portfilter msn       wantolan tcp 1863 1863 both
firewall add portfilter aim       wantolan tcp 5190 5190 both
firewall add portfilter msn-file  wantolan tcp 6891 6900 both
firewall add portfilter tcp-out   wantolan tcp 1024 65535 outbound
firewall add portfilter udp-out   wantolan udp 1024 65535 outbound
firewall list portfilters wantolan
sys config save

Note: I disabled port 25 (SMTP). Instead, port 587 (submission) should be used.
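Because the first matching portfilter wins and the web interface lists rules in reverse order, it is easy to misread what a policy actually permits. The following Python script is an added example, not code from this page or from the CopperJet firmware: it parses the portfilter lines of the example policy above, evaluates a packet against them in definition order under the blockonly policy (no match means dropped), and flags port filters that span more than a handful of ports. The Rule and Packet types, the tokenisation in parse_rule() and the span threshold in wide_rules() are my own assumptions about how the CLI lines map to matching logic; the rule lines themselves are the ones from the example above. Note that the check flags the openvpn rule as written, since its range runs from 1194 through 1994, alongside the two deliberate catch-all rules.

```python
"""First-match evaluation of CopperJet-style portfilter rules.

Added example, not code from the page or the CopperJet firmware. The
Rule/Packet types, parse_rule() tokenisation and the wide_rules() check
are assumptions; the rule lines are copied from the page's example policy.
"""
from dataclasses import dataclass
from typing import List, Optional

# The page's example policy (portfilter lines only; clear/list/save omitted)
PAGE_RULES = """
firewall add portfilter icmp      wantolan protocol  1 both
firewall add portfilter ipv6to4   wantolan protocol 41 both
firewall add portfilter gre-pptp  wantolan protocol 47 both
firewall add portfilter ftp       wantolan tcp   21   21 outbound
firewall add portfilter ssh       wantolan tcp   22   22 both
firewall add portfilter dns       wantolan udp   53   53 both
firewall add portfilter http      wantolan tcp   80   80 both
firewall add portfilter ntp       wantolan udp  123  123 both
firewall add portfilter imap      wantolan tcp  143  143 both
firewall add portfilter https     wantolan tcp  443  443 both
firewall add portfilter smtps     wantolan tcp  465  465 both
firewall add portfilter smtp      wantolan tcp  587  587 both
firewall add portfilter imaps     wantolan tcp  993  993 both
firewall add portfilter openvpn   wantolan udp 1194 1994 both
firewall add portfilter msn       wantolan tcp 1863 1863 both
firewall add portfilter aim       wantolan tcp 5190 5190 both
firewall add portfilter msn-file  wantolan tcp 6891 6900 both
firewall add portfilter tcp-out   wantolan tcp 1024 65535 outbound
firewall add portfilter udp-out   wantolan udp 1024 65535 outbound
"""

IP_PROTO = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str          # "tcp", "udp" or "protocol"
    lo: int            # first port, or the IP protocol number for "protocol"
    hi: int            # last port (equal to lo for "protocol")
    direction: str     # "inbound", "outbound" or "both"


@dataclass(frozen=True)
class Packet:
    ip_proto: int          # 6 = TCP, 17 = UDP, 1 = ICMP, 47 = GRE, ...
    port: Optional[int]    # destination port; None for non-TCP/UDP
    direction: str         # "inbound" or "outbound" relative to the LAN


def parse_rule(line: str) -> Rule:
    """Assumed token layout (hypothetical, derived from the page's lines):
       firewall add portfilter NAME POLICY tcp|udp LO HI DIR
       firewall add portfilter NAME POLICY protocol NUM DIR"""
    tok = line.split()
    if tok[:3] != ["firewall", "add", "portfilter"]:
        raise ValueError(f"not a portfilter line: {line!r}")
    name, kind = tok[3], tok[5]
    if kind == "protocol":
        num = int(tok[6])
        return Rule(name, kind, num, num, tok[7])
    if kind not in IP_PROTO:
        raise ValueError(f"unknown filter type {kind!r}")
    return Rule(name, kind, int(tok[6]), int(tok[7]), tok[8])


def parse_policy(text: str) -> List[Rule]:
    """Rules in definition order, which is the order the firewall evaluates them."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip().startswith("firewall add portfilter")]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.kind == "protocol":
        return pkt.ip_proto == rule.lo
    return (pkt.ip_proto == IP_PROTO[rule.kind]
            and pkt.port is not None
            and rule.lo <= pkt.port <= rule.hi)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Name of the first rule that matches (the web UI shows this list reversed)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name
    return None


def is_allowed(rules: List[Rule], pkt: Packet) -> bool:
    # blockonly policy: a packet that matches no portfilter is dropped
    return first_match(rules, pkt) is not None


def wide_rules(rules: List[Rule], max_ports: int = 16) -> List[str]:
    """Port filters spanning more than max_ports ports, for review:
    a single line can open hundreds of ports in both directions."""
    return [r.name for r in rules
            if r.kind != "protocol" and r.hi - r.lo + 1 > max_ports]


RULES = parse_policy(PAGE_RULES)

if __name__ == "__main__":
    for pkt in (Packet(6, 22, "inbound"), Packet(6, 25, "outbound"),
                Packet(17, 1500, "inbound")):
        print(pkt, "->", first_match(RULES, pkt) or "BLOCKED")
    print("wide rules:", wide_rules(RULES))
```

Running the script shows that inbound TCP 22 is admitted by the ssh rule, outbound TCP 25 is dropped because no filter covers it (as the note above intends), and inbound UDP 1500 is admitted by the openvpn rule. The wide_rules() check is the kind of sanity pass worth running after every policy edit, since the CLI gives no warning when a range is typed wider than intended.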

See also Well known ports and Config:Firewall