Solved

Linksys Wrt54G How to block services?

Posted on 2011-02-19
Last Modified: 2012-05-11
WRT54G – Access Restrictions – Blocked Services – Add/Edit Service  

I want to block everything inbound but http, https, and dns.
How do you do it?  I see add, modify, delete, apply, cancel, and close buttons but no block button.

I see just two fields listed to block ports. Do you select the service you want to block and then click save, and do that for each service you want to block?

Do you delete the service from the list?  Then do you add it back to the list to enable it?
Or is it done under Application and Gaming?  
I've read some docs on Linksys's site about the Wrt54G setup and config, but I'm not understanding how you block these services.

And, are there logs you can check for accepts, drops, etc?

Here's the help.
Blocked Services: You may choose to block access to certain services. Click Add/Edit Services to modify these settings.


Question by:Westez
LVL 11

Assisted Solution

by:epichero22
epichero22 earned 50 total points
ID: 34935742
HTTP is port 80, HTTPS is port 443, and DNS is port 53 I believe.  


I know that the home routers, such as what you have, don't let you specifically control access in all possible ways like an advanced router will, like Cisco.  Try blocking those ports and experimenting with different combinations to see what works.  
 

Expert Comment

by:milksie
ID: 34935749
In the WRT54GS there is a tab labelled "Access Restrictions". In that section there is a "Blocked Services" subsection where you can use drop-down lists to select various services to be blocked and a button to add more blocked items. When you've included everything you want to block, be sure to click "Save Settings" at the bottom or navigating away will lose your config.

In looking at specs online, the WRT54G and WRT54GS are identical except for the "S" for the SpeedBooster feature. So the config interface should have these same options.
 
LVL 6

Assisted Solution

by:yjchong514
yjchong514 earned 50 total points
ID: 34936169
Cool video tutorial
http://www.woopid.com/video/1/Block-Services-on-a-Linksys-Router

Good Luck!

Rgds,

yjchong514
 

Author Comment

by:Westez
ID: 34937796
I've watched the tutorial.  

Blocked services has two input boxes with a drop-down list to select services from; initially they are labeled as none.  Are you saying that I can select a service off the list and then save it, and that service is blocked?

If that's the case, do you have to do them one at a time, or can you click on a service to select it, and then click on the next service to select it, and then save it, and multiple services are now disabled?

And is there a way to see which services are blocked and which services are allowed?

Thanks
 
LVL 11

Expert Comment

by:epichero22
ID: 34937921
Yes, you can select a service off the list and specify to deny it and it will be blocked.

Just fill out the page with your selections and click Save.
 
LVL 57

Expert Comment

by:giltjr
ID: 34939721
--> I want to block everything inbound but http, https, and dns.

Are you sure?  This means that you can't do print/file sharing between the computers on your home network.

You do realize that the "Access Restrictions" is blocking traffic that originates FROM your home PCs.
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 250 total points
ID: 34939739
To clarify my point.

Internet <--> WRT54G <--> Your home computers.

The term inbound normally means traffic from the Internet to your computers through the WRT54G.  By default the WRT54G already blocks all inbound traffic to your home computers.

The exception to this is:

1) You configure one computer to be a DMZ (Applications and Gaming - DMZ)
2) You configure specific ports to be forwarded to computers on your network (Applications and Gaming - Port Forwarding).

The Access Restrictions page blocks traffic between your computers.

Assisted Solution

by:milksie
milksie earned 150 total points
ID: 34940780
Now that I've been playing with my WRT54GS, it seems that you cannot block more than two ranges of ports at a time. You can either select the preconfigured services from the drop-down lists, or you can specify your own port ranges by clicking the Add/Edit Service button. Creating a new range of ports to block with its own unique name that you specify will simply add it to the drop-down list. It will still not let you choose more than two ranges of ports (services) to block.

These routers have other limits, like only being able to block four websites at a time. You cannot add additional ones. And the keyword blocking list is limited to six words. The approach seems to be that they are designed with full access to services assumed, with the ability to block a little of this or that. But it is by no means a fully versatile router with unlimited configurability.
 

Author Comment

by:Westez
ID: 34952739
Well when I run a port scan against the router, only port 80 is listening. I've read that by default all the services are blocked, and I'm going to add with the exception of port 80.

Has anyone flashed their firmware with Tomato?  I see the WRT54G is listed in the HCL.  I've heard that it's a lot more feature rich.  May be time to just buy another router.  

 
LVL 57

Expert Comment

by:giltjr
ID: 34952796
Where are you running the port scan from: your local network or from the Internet?

Port 80 is used by the router to manage the router.  There should be an option to disable this from the "outside" (Internet/WAN side) so that you can only manage the router from "inside" (intranet/LAN side).

I have not used Tomato; I am using DD-WRT, but not really taking advantage of a lot of stuff. I needed my WRT54GS to act like a wireless client.
 

Author Comment

by:Westez
ID: 34965160
I ran it from the outside using hackerwatch.org, and from the inside using fscan from Foundstone, now McAfee. Thanks for the tip about DD-WRT, I'd not heard of it before, I just googled it.  What router are you using with it?

I finally just got broadband in my area and I'm setting up a web server on a test network so I can tinker with things.  I've had the WRT54G for years sitting around gathering dust, waiting for the day for broadband to arrive.  I'm tinkering with it too.  
 
LVL 57

Expert Comment

by:giltjr
ID: 34965643
I'm using a WRT54GS V2.

O.K., from the outside if you see port 80, then you have it configured to allow management from the Internet.  You should be able to disable this.  I know on my WRT54GS you could, and I believe the difference between the two (G and GS) is that the GS included SpeedBoost.
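As an added example (not Linksys firmware code and not from anyone in this thread), a small Python model of the behaviour giltjr describes: a new connection from the Internet is dropped unless DMZ, port forwarding or remote management opens a hole for it, while Access Restrictions only apply to connections the LAN machines start toward the Internet. The rule order, the 192.168.1.0/24 LAN and the 203.0.113.10 WAN address are assumptions.

```python
"""Added example: a model of the WRT54G behaviour described in this thread.
Not Linksys firmware code; rule order and addresses are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

ROUTER_WAN = "203.0.113.10"   # constructed WAN address (documentation range)
LAN_PREFIX = "192.168.1."     # assumed LAN subnet


@dataclass
class RouterConfig:
    remote_management: bool = False            # Administration > Remote Management
    management_port: int = 80                  # port the thread saw listening from outside
    dmz_host: Optional[str] = None             # Applications & Gaming > DMZ
    port_forwards: dict[int, str] = field(default_factory=dict)  # WAN port -> LAN host
    blocked_services: set[int] = field(default_factory=set)      # Access Restrictions


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def verdict(cfg: RouterConfig, f: Flow) -> tuple[str, str]:
    """Decide the fate of a NEW connection (first packet); replies to an
    accepted connection are assumed to pass, as on any stateful NAT router."""
    if is_lan(f.src):
        # Access Restrictions only see traffic the LAN hosts originate toward the Internet
        if not is_lan(f.dst) and f.dport in cfg.blocked_services:
            return "drop", "Access Restrictions: blocked service"
        return "accept", "LAN-originated"
    # Inbound from the Internet arrives addressed to the WAN IP and needs an explicit hole
    if f.dst != ROUTER_WAN:
        return "drop", "not addressed to this router"
    if cfg.remote_management and f.dport == cfg.management_port:
        return "accept", "remote management enabled: admin page exposed on the WAN side"
    if f.dport in cfg.port_forwards:
        return "accept", f"port forwarding to {cfg.port_forwards[f.dport]}"
    if cfg.dmz_host:
        return "accept", f"DMZ: everything else lands on {cfg.dmz_host}"
    return "drop", "default: inbound blocked"
```

With the default config an outside probe of TCP/80 is dropped, which is what the scan from hackerwatch.org should show once remote management is turned off.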
 

Author Comment

by:Westez
ID: 34970767
giltjr - thanks, I don't want to manage it from the Internet, I'll fix that.  I'm going to take a deeper look at DD-WRT and what routers/access points it works with and buy one.

Thanks to all, I'm going to close this, and divide the points.
 

Author Closing Comment

by:Westez
ID: 34970835
Thanks guys for having a look and helping me out.
 
LVL 57

Expert Comment

by:giltjr
ID: 34971307
Thanks for the points.

Not that I want to discourage you from exploring DD-WRT (or other alternative firmware), but unless you want to do something that the standard firmware does not allow, I would suggest that you just use what comes with your device.

The only reason I replaced the Linksys firmware was that it did not support being a wireless client and I needed that function.  If I did not need that function, I would still be running the standard firmware.