ASUS router IP Filter FAQ
This document describes the IP Filter facilities on the ASUS router, so
far as I understand them.
This is based on my experiences with an ASUS
AAM6000EV router, firmware revision 71146a1, connecting to
Eclipse Internet.
FAQ
- What is IP Filter?
IP Filter is a simple inbound
packet-filtering firewall for the ASUS router.
- What does "a simple inbound packet-filtering firewall"
mean?
If you are asking that question, then maybe you should be using
NAT.
- Is documentation available for IP Filter?
- There are the
Additional setup instructions for the Asus ADSL
router IP Filter function written by Solwise. These describe how IP Filter
should work once the bugs are fixed.
- If the router is configured to use NAT, do I need to enable IP
Filter?
No, because NAT will prevent all unsolicited inbound access to
your LAN hosts, except where you specifically configure your router to allow
it.
- If the router is configured in bridged mode (non-NAT), do I need
to enable IP Filter?
I would strongly advise you to use IP Filter to at
least prevent access to your router's configuration from the Internet - see
my notes about this.
Alternatively you can
disable the
router configuration by http and telnet, if the bugs in IP
Filter mean that running IP Filter is not possible.
- Can I rely on IP Filter to protect my LAN hosts, without any other
firewall?
No! Not in my opinion, anyway. IP Filter has some key
limitations which preclude it from being suitable as the only protection
from hackers for your hosts:-
- The bugs in the current firmware mean that
you lose any protection if you have a power failure.
- There are loads of ports in Windows that are open invitations to
hackers if you are not running a firewall. Ditto Linux or Unix, though you have
more control over which services you run and you get firewall software
(iptables or ipchains) with it.
Also, many Internet applications and
services have protocols which are quite complicated to control with a
firewall.
However, IP Filter is not very sophisticated e.g. you can't
filter outbound packets, you can't filter based on whether a TCP packet is a
request or a response, it's not stateful, etc., which means it can't always
distinguish harmful IP traffic from that which it must allow in order to
enable you to run your applications and services.
Multiple lines of defence minimise the chances of unwanted
intrusions, and IP Filter is a line of defence - but it is not
adequate on its own. I would not consider running any host that
was directly routable from the Internet without a decent firewall. [If you are
running NAT then it is a different matter.]
When it comes to protecting
your router, however, then IP Filter is all you've got. It is
essential to protect the router from being reconfigured by anyone on the
Internet who guesses your user name and password - which many people will have
probably left on their widely known default values. Someone reconfiguring your
router does not mean they've hacked into your computers. But it does mean a
hacker can switch off all the firewall rules and / or switch off your Internet
access. Hence in my
ASUS router bridged setup it advises you both to
change the user name and password, and to prevent access to the router with
IP Filter.
- How do I enable IP Filter?
You need to check the IP
Filter check box in the channel configuration. Then save and reset the
router.
- Where do I find the IP Filter configuration?
From the
router's web interface, select Network Service then IP
Filter.
- Can I configure IP Filter from the command line interface (telnet
or serial cable)?
No.
- Can IP Filter filter outbound (from the LAN) packets?
Not so far as I can see - it's just for filtering inbound packets.
- Can IP Filter filter inbound (from the Internet) packets going to
the LAN?
Yes.
- Can IP Filter filter inbound (from the Internet) packets going to
the router?
Yes. This is very important for preventing access from
hackers to the router's configuration.
- Can IP Filter filter packets going from the LAN to the router?
Not so far as I can see - it's just for filtering inbound (Internet to LAN)
packets.
- How are IP Filter rules arranged?
- First you create Rules. A Rule consists of a
combination of Source IP and Source Mask, Destination IP
and Destination Mask, and Port and Protocol.
For
filtering inbound packets coming from the Internet to your LAN or router (the
only situation where I have seen IP Filter work), the Source IP and
Source Mask must be outside of your LAN's subnet. To specify "everyone",
enter 0.0.0.0 for both; to specify a particular IP address, enter that
address into Source IP, and set the Source Mask to
255.255.255.255.
Similarly, the Destination IP and
Destination Mask must be within your LAN's subnet. You can specify every
host on your LAN by entering your LAN's address and netmask into these.
The
Protocol (TCP, UDP, ICMP or ALL) and
Port together specify the service whose packets are to be
filtered.
The Port is the destination port number on the host(s) on
the LAN.
If you want to block all access to a host from the Internet then
you can set the Port to 0 and the Protocol to ALL.
However, this will effectively block both outbound and inbound access to the
host, as this will also block inbound packets which are responses to outbound
ones. Also, you can't block all access to the router, since the router needs to
communicate with your ISP (DNS, etc.).
- Then you add the Rules that you have created to
Groups. You can add several Rules to each Group. You also
specify whether the Policy for each Group is to allow or
deny any packets matching any of the Rules within the
Group.
- Finally you set which Groups are to be applied to each
Channel.
- In what order are IP Filter rules applied?
When you add
Groups to a Channel, they are always listed in order of the
Group Number, regardless of the order in which they are added. So I
suspect that the rules are applied in order of the Group Number, which
is also the point at which the Policy (allow or deny) is
specified. However, I haven't specifically tested this yet. Has anyone
tested this?
Also, due to the bugs in IP Filter, it
is very risky having rules that rely on packets being allowed instead of
denied. If every Policy is deny, then the order is not important,
and this becomes a non-question.
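The Rule / Group / Channel arrangement and the suspected Group Number ordering above, modelled as an added example (not code from the router or from this FAQ's author). The LAN addresses, the router address 192.168.1.1, the "allow if nothing matches" default and the first-matching-Group-wins ordering are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    # One IP Filter Rule as the FAQ describes it: source/destination IP plus
    # mask, destination Port (0 = any) and Protocol (TCP, UDP, ICMP or ALL).
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    port: int
    proto: str

@dataclass
class Group:
    number: int      # Group Number, assumed to give evaluation order
    policy: str      # "allow" or "deny" for any packet matching any Rule
    rules: list

def addr_in(addr: str, ip: str, mask: str) -> bool:
    # Mask semantics from the FAQ: 0.0.0.0/0.0.0.0 is everyone,
    # 255.255.255.255 pins one address, a LAN netmask covers the subnet.
    a, i, m = (int(ipaddress.IPv4Address(x)) for x in (addr, ip, mask))
    return (a & m) == (i & m)

def rule_matches(r: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (addr_in(src, r.src_ip, r.src_mask)
            and addr_in(dst, r.dst_ip, r.dst_mask)
            and r.proto in ("ALL", proto)
            and r.port in (0, dport))

def filter_packet(groups, src, dst, proto, dport=0, default="allow"):
    # Assumption (the FAQ author's untested suspicion): Groups are consulted in
    # Group Number order and the first matching Group's Policy decides.
    # Assumption: a packet matching no Rule is passed through unfiltered.
    for g in sorted(groups, key=lambda g: g.number):
        if any(rule_matches(r, src, dst, proto, dport) for r in g.rules):
            return g.policy
    return default

# Constructed sample: router at 192.168.1.1 on LAN 192.168.1.0/255.255.255.0.
ANY = ("0.0.0.0", "0.0.0.0")
ROUTER = ("192.168.1.1", "255.255.255.255")
GROUPS = [
    # Deny web and telnet configuration access to the router from everyone.
    Group(1, "deny", [Rule(*ANY, *ROUTER, 80, "TCP"), Rule(*ANY, *ROUTER, 23, "TCP")]),
    # Port 0 / ALL blocks every inbound packet to host .10, replies included.
    Group(2, "deny", [Rule(*ANY, "192.168.1.10", "255.255.255.255", 0, "ALL")]),
]
```

The second Group shows the Port 0 / Protocol ALL caveat from the rules section: a DNS reply coming back to host .10 is denied just like an unsolicited connection.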
- Do I have to click SAVE for IP Filter rules to be
applied?
No, I don't think so. However, there's no harm in it, and it
might do some good, so I always tend to press SAVE at the end.
- Do I have to reset the router for IP Filter rules to be
applied?
No, they're active once you've submitted them. In fact, don't
reset the router after entering IP Filter rules, since there are
bugs in IP Filter that will render them useless.
- What does IP Filter do when a packet breaks the filtering
rules?
It appears to reject the packet with an ICMP Type 3 (Destination
Unreachable Error). This is the same as when inbound packets arrive when the
router is configured for NAT. It would be more hacker-unfriendly if it just
dropped the packet silently, instead of advertising the presence of a
host.
- Are there any known bugs in IP
Filter?
Yes! In particular, if your router is reset (either deliberately,
or because of a power failure, etc.), then:-
- It forgets which Groups were assigned to each
Channel. In simple terms, the router will not apply any of the firewall
rules after it has been reset i.e. you have no firewall. Woops!
- The Policy for all Groups is set to deny. In
simple terms, the router will change any firewall rules that are of type
allow after it has been reset i.e. when you enable IP Filter again, it
may have changed your firewall rules. Woops! Though at least it's safer than
setting them all to allow.
- If you enable IP Filter, then it appears that packets
which are not TCP, UDP or ICMP are dropped by the router. In particular, this
may prevent the router from working with certain forms of Virtual Private
Networking (VPN) which make use of these other packet types. If this is a
problem then you may have to
disable the
router configuration by http and telnet instead of using IP
Filter.
Last modified 16/03/2002.