ASUS router IP Filter FAQ

This document describes the IP Filter facilities on the ASUS router, so far as I understand them.

This is based on my experiences with an ASUS AAM6000EV router, firmware revision 71146a1, connecting to Eclipse Internet.

FAQ

1. What is IP Filter?
   IP Filter is a simple inbound packet-filtering firewall for the ASUS router.
2. What does "a simple inbound packet-filtering firewall" mean?
   If you are asking that question, then maybe you should be using NAT.
3. Is documentation available for IP Filter?
4. There are the Additional setup instructions for the Asus ADSL router IP Filter function written by Solwise. These describe how IP Filter should work once the bugs are fixed.
5. If the router is configured to use NAT, do I need to enable IP Filter?
   No, because NAT will prevent all unsolicited inbound access to your LAN hosts, except where you specifically configure your router to allow it.
6. If the router is configured in bridged mode (non-NAT), do I need to enable IP Filter?
   I would strongly advise you to use IP Filter to at least prevent access to your router's configuration from the Internet - see my notes about this. Alternatively you can disable the router configuration by http and telnet, if the bugs in IP Filter mean that running IP Filter is not possible.
7. Can I rely on IP Filter to protect my LAN hosts, without any other firewall?
   No! Not in my opinion, anyway. IP Filter has some key limitations which preclude it from being suitable as the only protection from hackers for your hosts:-
   • The bugs in the current firmware mean that you lose any protection if you have a power failure.
   • There are loads of ports in Windows that are open invitations to hackers if you are not running a firewall. Ditto Linux or Unix, though you have more control over which services you run and you get firewall software (iptables or ipchains) with it.
     Also, many Internet applications and services have protocols which are quite complicated to control with a firewall.
     However, IP Filter is not very sophisticated e.g. you can't filter outbound packets, you can't filter based on whether a TCP packet is a request or a response, it's not stateful, etc., which means it can't always distintinguish harmful IP traffic from that which it must allow in order to enable you to run your applications and services.
   Multiple lines of defence minimise the chances of unwanted intrusions, and IP Filter is a line of defence - but it is not adequate on its own. I would not consider running any host that was directly routable from the Internet without a decent firewall. [If you are running NAT then it is a different matter.]
   When it comes to protecting your router, however, then IP Filter is all you've got. It is essential to protect the router from being reconfigured by anyone on the Internet who guesses your user name and password - which many people will have probably left on their widely known default values. Someone reconfiguring your router does not mean they've hacked into your computers. But it does mean a hacker can switch off all the firewall rules and / or switch off your Intenet access. Hence in my ASUS router bridged setup it advises you both to change the user name and password, and to prevent access to the router with IP Filter.
8. How do I enable IP Filter?
   You need to check the IP Filter check box in the channel configuration. Then save and reset the router.
9. Where do I find the IP Filter configuration?
   From the router's web interface, select Network Service then IP Filter.
10. Can I configure IP Filter from the command line interface (telnet or serial cable)?
    No.
11. Can IP Filter filter outbound (from the LAN) packets?
    Not, so far as I can see - it's just for filtering inbound packets.
12. Can IP Filter filter inbound (from the Internet) packets going to the LAN?
    Yes.
13. Can IP Filter filter inbound (from the Internet) packets going to the router?
    Yes. This is very important for preventing access from hackers to the router's configuration.
14. Can IP Filter packets going from the LAN to the router?
    Not so far as I can see - it's just for filtering inbound (Internet to LAN) packets.
15. How are IP Filter rules arranged?
    
    • First you create Rules. A Rule consists of a combination of Source IP and Source Mask, Destination IP and Destination Mask, and Port and Protocol.
      For filtering inbound packets coming from the Internet to your LAN or router (the only situation where I have seen IP Filter work), the Source IP and Source Mask must be outside of your LAN's subnet. To specify "everyone", enter 0.0.0.0 for both; to specify a particular IP address, enter that address into Source IP, and set the Source Mask to 255.255.255.255.
      Similarly, the Destination IP and Destination Mask must be within your LAN's subnet. You can specify every host on your LAN by entering your LAN's address and netmask into these.
      The Protocol (TCP, UDP, ICMP or ALL) and Port together specify the service whose packets are to be filtered.
      The Port is the destination port number on the host(s) on the LAN.
      If you want to block all access to a host from the Internet then you can set the Port to 0 and the Protocol to ALL. However, this will effectively block both outbound and inbound access to the host as is this will also block inbound packets which are responses to outbound ones. Also, you can't block all access to the router, since the router needs to communicate with your ISP (DNS, etc.).
    • Then you add the Rules that you have created to Groups. You can add several Rules to each Group. You also specify whether the Policy for each Group is to allow or deny any packets matching any of the Rules within the Group.
    • Finally you set which Groups are to be applied to each Channel.
16. In what order are IP Filter rules applied?
    When you add Groups to a Channel, they are always listed in order of the Group Number, regardless of the order in which they are added. So I suspect that the rules are applied in order of the Group Number, which is also the point at which the Policy (allow or deny) is specified. However, I haven't specifically tested this yet. Has anyone tested this?
    Also, due to the bugs in IP Filter, it is very risky having rules that rely on packets being allowed instead of denied. If every Policy is deny, then the order is not important, and this becomes a non-question.
17. Do I have to click SAVE for IP Filter rules to be applied?
    No, I don't think so. However, there's no harm in it, and it might do some good, so I always tend to press SAVE at the end.
18. Do I have to reset the router for IP Filter rules to be applied?
    No, they're active once you've submitted them. In fact, don't reset the router after entering IP Filter rules, since there are bugs in IP Filter that will render them useless.
19. What does IP Filter do when a packet breaks the filtering rules?
    It appears to reject the packet with an ICMP Type 3 (Destination Unreachable Error). This is the same as when inbound packets arrive when the router is configured for NAT. It would be more hacker-unfriendly if it just dropped the packet silently, instead of advertising the presence of a host.
20. Are there any known bugs in IP Filter?
    Yes! In particular, if you router is reset (either deliberately, or because of a power failure, etc.), then:-
    • It forgets which Groups were assigned to each Channel. In simple terms, the router will not apply any of the firewall rules after it has been reset i.e. you have no firewall. Woops!
    • The Policy for all Groups is set to deny. In simple terms, the router will change any firewall rules that are of type allow after it has been reset i.e. when you enable IP Filter again, it may have changed your firewall rules. Woops! Though at least it's safer than setting them all to allow.
    • If you enable IP Filter, then it appears that packets which are not TCP, UDP or ICMP are dropped by the router. In particular, this may prevent the router from working with certain forms of Virtual Private Networking (VPN) which make use of these other packet types. If this is a problem then you may have to disable the router configuration by http and telnet instead of using IP Filter.

Last modified 16/03/2002.