How to Activate and Configure the Firewall of Your Router

Every current operating system ships with a firewall, but in many cases it is not enabled or not properly configured. Routers, the heart of the whole network, also come with a firewall that is enabled out of the box, usually based on iptables because the vast majority of router firmwares are Linux-based. In this article we look at the configuration options a router firewall offers, using ASUS routers and the AVM FRITZ!Box as examples: two manufacturers whose firmware is very complete and highly configurable.

A very important point to keep in mind: even with the router's firewall enabled, it is still highly recommended to run a firewall on the PCs, although it is not strictly necessary in a NAT environment, because a host on the Internet cannot reach our computer unless we have previously forwarded a port to it or placed it in the DMZ. In the latter case a properly installed and configured firewall on the PC is essential, since the PC becomes fully reachable from the Internet. The PC firewall also protects against other devices on the LAN, which NAT does nothing about.

Activate and Configure the Firewall of Your Router

What is a firewall on a router for?

A firewall lets us allow or block incoming and outgoing traffic on each of the router's interfaces, both WAN and LAN. In practice, most users want it on the Internet-facing WAN interface, to control traffic coming from outside towards the router itself and towards the LAN.

The router's firewall lets us block any attempt to reach a given port on the router. For example, if TCP port 22 (SSH) is open, we can limit the number of simultaneous connections, limit the number of new connections in a given period of time, and even allow only one specific IP address to reach the router's SSH server.

A key property of a router firewall is that, by default, every connection initiated from outside (the Internet) is silently discarded (DROP, as opposed to REJECT, which sends an error back to the sender) unless a rule has explicitly allowed it beforehand. This "deny everything by default" policy is the recommended one.

Computers on the LAN are always behind NAT

With IPv4 we use NAT/PAT, so that all the computers on the LAN share a single public IP address to reach the Internet. An important detail is that every connection initiated from a LAN host towards the Internet is allowed: the PC opens a socket, the packet flows to its destination, and the router records in its NAT table the translation from private IP and port to public IP and port, so that when the reply comes back it can be delivered to the right host.

If a host on the Internet tries to initiate a connection to a computer on the LAN, it cannot, unless:

  • We have configured port forwarding (opened a port) on the router towards that PC.
  • We have set the DMZ to the private IP address of that PC.

Therefore, any connection from the Internet to the LAN is blocked by default. In addition, it is highly recommended to always disable UPnP, so that devices on the LAN cannot open ports on the router's NAT by themselves. Some devices, for example certain IP cameras, use UPnP to open a port permanently and are then directly reachable from the Internet.

Firewall configuration options on ASUS routers

ASUS routers incorporate an iptables-based firewall, so the full power of iptables is available from the command line over Telnet or SSH. The router's web interface also exposes a set of options, so that a user with basic knowledge does not have to "touch" the underlying rules.

In the "Firewall" menu we can enable or disable the iptables-based firewall for IPv4 and for IPv6; by default it is enabled for both, which is the recommended setting. ASUS also offers DoS protection for IPv4, which blocks a source IP address that makes too many connection attempts in a short time, in order to mitigate this kind of attack.

Another interesting option is to block any ping (ICMP echo-request) received on the Internet-facing WAN port: if someone pings us from the Internet, the packet is silently dropped (DROP) and no echo-reply is sent.

The IPv6 firewall blocks all inbound traffic by default, and here its role is different, because it also protects the computers on the LAN. With IPv6 there is no NAT: each PC has a Global Unicast address, that is, its own public IP, so the router's firewall is the only thing between it and the Internet. By default all incoming connections (from the Internet to a PC's public address) are blocked, while outgoing connections and their replies are allowed without problems.

A very interesting option on ASUS routers is the "LAN to WAN Filter". As noted above, the firewall can control traffic in both directions: from the Internet to the router and the LAN, and from the LAN out to the Internet. With this option we can configure the firewall to block packets leaving the LAN for the WAN: we simply enter the source IP address, the destination IP address and the ports, and the rule is added to the firewall to block those outgoing packets.

Although not covered here, URL and keyword filtering also rely on the firewall, after a prior step of name resolution and traffic inspection.

Firewall configuration options on AVM FRITZ!Box routers

AVM routers also have a fairly configurable firewall. To reach it, open the menu with the three vertical dots and select "Advanced view". Then, in the main menu, go to "Internet / Filters"; this section contains everything related to the firewall and QoS.

In the "Lists" tab we can enable the firewall's stealth mode, so the router does not answer with an echo-reply to echo-requests sent to its WAN port. Another useful option is blocking TCP port 25, the classic port for sending e-mail without encryption, a common measure against malware on the LAN sending spam directly; AVM lets us block it with a single setting. We can also enable NetBIOS filtering and Teredo filtering: if we do not use these services, it is best to block them.
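The options described above for ASUS (deny-by-default, ping blocking, SSH limits, port forwarding, DMZ, the LAN-to-WAN filter) and the AVM filters in this section all come down to iptables rules on a Linux-based firmware. The following script is an added example written for this article, not code from ASUS or AVM firmware; the interface names, addresses and the forwarded port are assumptions, and by default it only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not ASUS or AVM firmware code: the router-firewall options
# discussed on this page written as iptables rules for a Linux-based router.
# Interface names, addresses and the forwarded port below are assumptions.
WAN=eth0                 # Internet-facing interface (assumed name)
LAN=br0                  # LAN bridge interface (assumed name)
LAN_NET=192.168.1.0/24   # private LAN (assumed)
ADMIN_IP=203.0.113.10    # only remote address allowed to reach SSH (assumed)
WEB_HOST=192.168.1.20    # LAN host receiving the TCP 443 port forward (assumed)
DMZ_HOST=192.168.1.50    # LAN host exposed as DMZ (assumed); set "" to disable

# Dry run by default: rules are printed, not applied, so the script can be
# reviewed on any machine. "--apply" (as root on the router) executes them.
fw_rule() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # 1. Deny-everything policy for traffic to the router and traffic routed
    #    through it; the router's own outgoing packets are not restricted.
    fw_rule -P INPUT DROP
    fw_rule -P FORWARD DROP
    fw_rule -P OUTPUT ACCEPT

    # 2. Stateful core: packets belonging to connections opened from the inside
    #    (the NAT table entries the text describes) are the only "incoming"
    #    traffic accepted without an explicit rule. Local and LAN-side traffic
    #    to the router itself is trusted.
    fw_rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule -A INPUT -i lo -j ACCEPT
    fw_rule -A INPUT -i "$LAN" -j ACCEPT

    # 3. Stealth: silently discard ping (ICMP echo-request) arriving on the WAN.
    fw_rule -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP

    # 4. SSH on the WAN only from ADMIN_IP, at most 4 new connections per
    #    minute; everything else to port 22 is dropped (brute-force mitigation).
    fw_rule -A INPUT -i "$WAN" -p tcp --dport 22 -s "$ADMIN_IP" \
        -m conntrack --ctstate NEW -m limit --limit 4/minute --limit-burst 4 -j ACCEPT
    fw_rule -A INPUT -i "$WAN" -p tcp --dport 22 -j DROP

    # 5. NAT/PAT: LAN hosts share the router's public IPv4 address.
    fw_rule -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # 6. Port forwarding: TCP 443 from the Internet to WEB_HOST. DNAT rewrites
    #    the destination in PREROUTING; FORWARD must then accept the new flow.
    fw_rule -t nat -A PREROUTING -i "$WAN" -p tcp --dport 443 \
        -j DNAT --to-destination "$WEB_HOST:443"
    fw_rule -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_HOST" --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 7. DMZ: every other unsolicited packet from the WAN is handed to DMZ_HOST,
    #    which is why that host needs its own firewall. The RETURN rules keep
    #    the router's SSH port and the ping block above working; without them
    #    PREROUTING would redirect those packets before INPUT ever sees them.
    if [ -n "$DMZ_HOST" ]; then
        fw_rule -t nat -A PREROUTING -i "$WAN" -p tcp --dport 22 -j RETURN
        fw_rule -t nat -A PREROUTING -i "$WAN" -p icmp --icmp-type echo-request -j RETURN
        fw_rule -t nat -A PREROUTING -i "$WAN" -j DNAT --to-destination "$DMZ_HOST"
        fw_rule -A FORWARD -i "$WAN" -o "$LAN" -d "$DMZ_HOST" \
            -m conntrack --ctstate NEW -j ACCEPT
    fi

    # 8. LAN-to-WAN filters, as in the ASUS "LAN to WAN Filter" and the AVM
    #    port 25 / NetBIOS / Teredo lists: unencrypted SMTP (TCP 25), NetBIOS
    #    and SMB (UDP 137-138, TCP 139/445) and Teredo (UDP 3544) are rejected,
    #    then the rest of the LAN's outbound traffic is allowed.
    fw_rule -A FORWARD -i "$LAN" -o "$WAN" -p tcp -m multiport --dports 25,139,445 -j REJECT
    fw_rule -A FORWARD -i "$LAN" -o "$WAN" -p udp -m multiport --dports 137,138,3544 -j REJECT
    fw_rule -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

case "${1:-}" in
    --apply) FW_APPLY=1 ;;
    *)       FW_APPLY=0 ;;
esac
build_rules
```

Run it as `sh router-fw.sh` to review the rule set, or `sh router-fw.sh --apply` as root on a Linux router to load it. The ordering subtlety is the one a DMZ user most often trips over: DNAT in the nat table's PREROUTING chain runs before the filter table's INPUT chain, so a DMZ catch-all would swallow packets meant for the router's own services (and defeat the ping block) unless those packets are excluded from translation first.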

Although it is not the firewall itself, in a NAT environment it is easy to end up with forwarded ports that we no longer actually use. It is always advisable to close any port that is not in use, because it could be the entry point for an attacker.

The same applies to the FRITZ!Box's own services: if we do not need to reach the router remotely through its public IP address, the best thing is to disable that access. Remember that we can always connect over VPN first and then reach the router on the private IP address of the default gateway.

As you can see, we can create several VPN connections with these AVM routers, both remote-access and site-to-site, all of them over IPsec; at the time of writing, neither OpenVPN nor WireGuard is supported.

Therefore, if our router has services reachable from the Internet, we should expose only the ones we are actually going to use and no others: for security, every port should stay closed and blocked except those we have no choice but to open.

Is it necessary to have a firewall on my PC?

Every PC operating system has a firewall enabled by default, with different profiles that are easy to configure. In Windows 10 there are three profiles with different permissions to allow or deny traffic: "Domain network", "Private network" and "Public network". On a home network we will normally only use the last two.

In the "Private network" profile the firewall is more permissive with incoming connections (for example, the network discovery and file sharing rules are enabled), because the network is considered trusted. In the "Public network" profile, incoming connections that are not replies to traffic we initiated are blocked.

Do I need the firewall enabled on my desktop computer? Bear in mind that we are almost always behind NAT, so by default no port on the router is open. If we put the PC in the DMZ, the firewall becomes essential, and it should run in "Public network" mode so that every incoming connection we did not initiate is blocked. If no port is open, the Windows firewall only protects us from connections coming from the LAN, because nothing from the Internet can reach us when no port has been opened (provided UPnP on the router is disabled).

To get into the advanced Windows firewall, click "Advanced settings" in the main firewall window, which opens the console where we can add rules:

By default, a large number of the programs we use every day are allowed to accept connections. To add a new rule, click "New rule" in the menu on the upper right. The same configuration is available for outbound rules.

As you have seen, it is very important to have the router's firewall enabled and well configured. Regarding NAT/PAT, the other important point is not to keep any port open that we are not using, and even less to put our PC in the DMZ, because that carries a high risk: it exposes every port of that PC to the Internet, except those specifically forwarded to other computers.