Speedstream SE565 Firewall

I have a Siemens Gigaset SE565 dsl. This is an ADSL modem which is also known under the name SpeedStream SE565 series "Residential ADSL2+ Gateway". What's in a name.

Webinterface
The webinterface is crappy. It attempts to add security with deep packet inspection, log-in junk that doesn't make sense, and so on. In short, a regular home-use device. Thankfully you can turn most options off.

Password
Apparently this device has trouble with special characters in passwords. For example, if you put a dash (-) in a password, you get the message "invalid password" without any explanation of why it was invalid.

If you are locked out, you can reset the device (it has a factory reset button on the back). The default network settings for the Gigaset modem are IP address 192.168.254.254 with subnet mask 255.255.255.0. The first time you connect to it, it should present a wizard where you can set the password of the admin account.

Firewall
I recommend you configure the firewall in two steps:
 * Configure the firewall using the webinterface
 * Optionally automatically read the log file to monitor the results

XSH telnet
It is possible to telnet to the device. Telnet is considered insecure, but the telnet interface can only be reached from the internal network, not from the external network.

If you like to script things, use the telnet interface along with some expect scripts.

Reading the rules
show ipfw rules does the trick:

xsh> show ipfw rules
No.   SI/F  I/F   Dir Access Prot Source IP/Netmask Port-spec     Destination IP/Netmask    Port-spec Flags
- - -  --- --  - -     - - -
[ 2202]   any   any   in   deny  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2204]   any   any   in permit  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  ES
[ 2206]   any   any   in   deny  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2222]   any   any   in permit ICMP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255  any       E
[ 2224]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    23  E
[ 2226]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    21  D

The layout is crappy; it does not contain line breaks, but it is doable to parse it anyway. The output also contains the state of current connections. I will ignore those for now.

Observe that not all rules are enabled. This is shown in the Flags column: E means enabled, D means disabled, see below.
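As an added example (not code from the page's author), here is a small Python parser for the show ipfw rules table that turns each row into a record, lists the disabled rules, and reports which enabled rules permit inbound traffic to the modem itself (destination 127.0.0.1, as in the rows above). It uses finditer over the whole output, so it works whether or not the device output contains line breaks; the sample rows are the ones shown above, and only "=" and "any" port-specs occur on the page, so the handling of other operators is an assumption.

```python
import re

# Constructed sample: the rows of the page's "show ipfw rules" output, written
# one per line here; the parser does not rely on line breaks being present.
SAMPLE_RULES = """\
No.   SI/F  I/F   Dir Access Prot Source IP/Netmask Port-spec     Destination IP/Netmask    Port-spec Flags
[ 2202]   any   any   in   deny  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2204]   any   any   in permit  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  ES
[ 2206]   any   any   in   deny  UDP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    53  E
[ 2222]   any   any   in permit ICMP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255  any       E
[ 2224]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    23  E
[ 2226]   any   any   in permit  TCP 0.0.0.0/0.0.0.0     any      -> 127.0.0.1/255.255.255.255   =    21  D
"""

# One rule row. A port-spec is "any" or an operator plus a number; only "="
# and "any" occur on the page, other operators are assumed to print alike.
ROW = re.compile(
    r"\[\s*(?P<no>\d+)\]\s+(?P<sif>\S+)\s+(?P<dif>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<acc>permit|deny)\s+(?P<prot>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>any|\S+\s+\d+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<dport>any|\S+\s+\d+)\s+(?P<flags>[A-Z]+)"
)


def parse_rules(text):
    """Return one dict per rule row; the header and connection-state text are skipped."""
    rules = []
    for m in ROW.finditer(text):
        r = m.groupdict()
        r["no"] = int(r["no"])
        r["sport"] = " ".join(r["sport"].split())   # "=    53" -> "= 53"
        r["dport"] = " ".join(r["dport"].split())
        # Flags column: E = enabled, D = disabled; other letters are kept verbatim.
        r["enabled"] = "E" in r["flags"] and "D" not in r["flags"]
        rules.append(r)
    return rules


def disabled_rules(rules):
    """Rules the device lists but does not currently enforce."""
    return [r for r in rules if not r["enabled"]]


def open_to_modem(rules):
    """Numbers of enabled inbound permit rules whose destination is the modem itself."""
    return [r["no"] for r in rules
            if r["enabled"] and r["dir"] == "in" and r["acc"] == "permit"
            and r["dst"].startswith("127.0.0.1/")]
```

Feed it the raw text captured from the telnet session (for example by an expect script) and compare open_to_modem() against what you intended to allow.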

Flags:

Setting the rules
You can set and query the existing configuration using the cfg command:

xsh> cfg ipfw
ipfw
  dip = 0.0.0.0
  dtim = 0
  dmac = 00:00:00:00:00:00
  den = n  [y,n]
  en = n  [y,n]
  dhrl = n
  lev = cust   [off,int1,int2,low,med,high,cust,icsa]
  rule#[0..255]
    rn = 21
    lev = off  [off,low,med,high,cust,icsa,all]
    sif = "any"
    dif = "any"
    dir = out  [in,out]
    acc = per  [per,deny]
    prot = 256
    sip = 0.0.0.0
    smsk = 0.0.0.0
    sop = none  [none,lt,eq,gt,rng]
    spo1 = 0
    spo2 = 0
    dip = 0.0.0.0
    dmsk = 0.0.0.0
    dop = none  [none,lt,eq,gt,rng]
    dpo1 = 0
    dpo2 = 0
    icmp = 0
    dis = n        hid = n         ptct = y         log = n         sl = n         ts = n         ls = n

You can also query a specific entry:

xsh> cfg ipfw{lev
lev = cust  [off,int1,int2,low,med,high,cust,icsa]

or set a specific entry:

xsh> cfg ipfw{lev=cust

After you have set the rules, you still need to save them. It seems that the changes only take effect after a reboot, so you must reboot as well:

xsh> cfg save
xsh> do reboot

Interpreting the Rules in Telnet Interface
Now, you will wonder where all the individual rules are. For example, above we saw rules 2202, 2204, 2206, etc. Here there is only one rule, "rn = 21". What's this?

It turns out that you have to explicitly ask for each rule:

xsh> cfg ipfw{rule#93
rule#93
  rn = 2202
  lev = cust  [off,low,med,high,cust,icsa,all]
  sif = "any"
  dif = "any"
  dir = in  [in,out]
  acc = deny  [per,deny]
  prot = 6
  sip = 0.0.0.0
  smsk = 0.0.0.0
  sop = none  [none,lt,eq,gt,rng]
  spo1 = 0
  spo2 = 0
  dip = 127.0.0.1
  dmsk = 255.255.255.255
  dop = eq  [none,lt,eq,gt,rng]
  dpo1 = 53
  dpo2 = 0
  icmp = 0
  dis = n    hid = n     ptct = n     log = n     sl = n     ts = n     ls = n

So there can only be 256 rule entries (rule#0 to rule#255), and rule entry #93 happens to contain rule number 2202. There does not seem to be a good way to know where a certain rule number is stored, and the webinterface automatically sorts the rules, so the location may change as you add, delete or modify rules. Rule entry #0, shown by default, contains rule number 21.

show ipfw rules only shows rules for the active level. So if the level is set to "custom", it will not show rules for the "med" level. On the other hand, show ipfw rules does show the hard-coded "protected" rules (2222, 2224 and 2226), which are not shown by cfg ipfw.

While the webinterface is arguably an even worse design than the telnet interface, I still recommend that you use the webinterface to set rules, since settings made in the telnet interface are not immediately in effect, as they are in the webinterface. Also, setting the firewall using the telnet interface risks locking yourself out: just add a rule "don't allow traffic to the modem" and you have turned your ADSL modem into a nice expensive brick.

The table gives the meaning of each parameter in the telnet interface:

Reading the log files
One of the nice things about the Speedstream is that you can decide to log certain firewall triggers. I have not extensively tried this, but it could be useful to log traffic for some catch-all rule for traffic going out, so you know when something in your network is doing something strange. For example:
 * log authorized, but uncommon traffic
 * log unauthorized, and uncommon traffic

You can use either show ipfw log or show sys log to show the firewall log entries. The sys log shows other log entries as well.

xsh> show ipfw log
2009-05-03 12:52:45 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27148  DF=1 MF=0  byte-off=0
2009-05-03 12:52:46 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27149  DF=1 MF=0  byte-off=0
2009-05-03 12:52:48 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080  len=192  id=27150  DF=0 MF=0  byte-off=0
2009-05-03 16:47:47 GMT E |Firewall     |P:15:3001 ICMP(11) 10.51.26.254:2816 -> 192.0.2.72:45040  len=56  id=0  DF=0 MF=0  byte-off=0
2009-05-03 22:08:59 GMT E |Firewall     |P:15:3001 ICMP(3) 172.19.228.194:771 -> 192.0.2.69:52795  len=68  id=899  DF=0 MF=0  byte-off=0
2009-05-04 03:26:37 GMT E |Firewall     |P:15:3001 ICMP(8) 192.168.18.172:2048 -> 192.0.2.73:31373  len=44  id=0  DF=1 MF=0  byte-off=0

xsh> show sys log
Current System Time: 2009-05-03 13:21:23 GMT
Current   GMT Time:  2009-05-03 13:21:23
0000-00-00 00:00:01    E |System        |Current Mode: Bridge-Router
0000-00-00 00:00:01    E |DSL           |Boost DSP
0000-00-00 00:00:03    E |Ethernet      |Link 1 Up - 100Base-TX Full Duplex
0000-00-00 00:00:03    E |Ethernet      |Link 2 Up - 100Base-TX Full Duplex
0000-00-00 00:00:23    E |DSL           |Link up 1 US 1023 DS 7996 (INTL:ADSL2)
0000-00-00 00:00:25    E |PPP           |LCP neg PAP
0000-00-00 00:00:25    E |PPP           |LCP up
0000-00-00 00:00:32     E |Administration|Telnet server connect from 10.36.30.2
0000-00-00 00:00:37    E |Administration|User authenticated [1]
2009-05-03 12:52:43 GMT E |SNTP Client  |Updated system time from Primary server 192.0.2.12
2009-05-03 12:52:45 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27148  DF=1 MF=0  byte-off=0
2009-05-03 12:52:46 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27149  DF=1 MF=0  byte-off=0
2009-05-03 12:52:48 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080  len=192  id=27150  DF=0 MF=0  byte-off=0
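As an added example (not code from the page's author), here is a Python reader for the firewall entries in the log output above, the "automatically read the log file" step from the Firewall section. It picks the Firewall entries out of either show ipfw log or show sys log output (with or without line breaks), splits each into fields, and summarises which internal host was logged talking to which destination and port, so an unexpected host or port stands out. The "D:19:0" / "P:15:3001" prefix is kept verbatim as code, a and b because the page does not document its meaning; the sample lines are copied from the output above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: entries copied from the page's "show sys log" and
# "show ipfw log" output; the non-firewall lines are there to be skipped.
SAMPLE_LOG = """\
0000-00-00 00:00:32     E |Administration|Telnet server connect from 10.36.30.2
2009-05-03 12:52:43 GMT E |SNTP Client  |Updated system time from Primary server 192.0.2.12
2009-05-03 12:52:45 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27148  DF=1 MF=0  byte-off=0
2009-05-03 12:52:46 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:80  len=192  id=27149  DF=1 MF=0  byte-off=0
2009-05-03 12:52:48 GMT E |Firewall     |D:19:0 TCP 10.36.30.2:61530 -> 192.0.2.74:8080  len=192  id=27150  DF=0 MF=0  byte-off=0
2009-05-03 16:47:47 GMT E |Firewall     |P:15:3001 ICMP(11) 10.51.26.254:2816 -> 192.0.2.72:45040  len=56  id=0  DF=0 MF=0  byte-off=0
2009-05-03 22:08:59 GMT E |Firewall     |P:15:3001 ICMP(3) 172.19.228.194:771 -> 192.0.2.69:52795  len=68  id=899  DF=0 MF=0  byte-off=0
"""

# One Firewall entry. The "D:19:0" / "P:15:3001" prefix is kept verbatim as
# code/a/b: the page does not document it, so nothing here assumes a meaning.
FW = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: GMT)?\s+[A-Z]\s+\|Firewall\s*\|"
    r"(?P<code>[A-Z]):(?P<a>\d+):(?P<b>\d+)\s+(?P<proto>[A-Z]+)(?:\((?P<icmp>\d+)\))?\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<id>\d+)\s+DF=(?P<df>[01])\s+MF=(?P<mf>[01])\s+byte-off=(?P<off>\d+)"
)


def parse_firewall_log(text):
    """Return the Firewall entries as dicts; other facilities are ignored."""
    entries = []
    for m in FW.finditer(text):
        e = m.groupdict()
        for k in ("a", "b", "sport", "dport", "len", "id", "df", "mf", "off"):
            e[k] = int(e[k])
        e["icmp"] = int(e["icmp"]) if e["icmp"] is not None else None  # ICMP type
        entries.append(e)
    return entries


def count_by(entries, *keys):
    """Count entries per combination of fields, e.g. count_by(entries, "code", "proto")."""
    return Counter(tuple(e[k] for k in keys) for e in entries)


def talkers(entries):
    """Per source host, the distinct (proto, dst, dport) it was logged talking to."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["src"]].add((e["proto"], e["dst"], e["dport"]))
    return {src: sorted(v) for src, v in seen.items()}
```

Run it over a log captured each night and diff the talkers() output against the previous night's to spot a new host or destination port.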

I have not yet analysed the meaning of the entries in the log file. In particular I do not yet know which traffic was allowed and what was dropped.

I have not determined the meaning of each property in the rule entry.

See also Well known ports and Config:Firewall