# Is a router firmware firewall ok for me?



## neilms (Jul 2, 2012)

I have a router that has a 'built in' firewall apparently. In the past *I* have tr*ied* to install a freebsd FreeBSD firewall as *I* never had the router protection. My question is, do you advise me to still install a firewall on my PCs or is my security enough for a home user?


----------



## wblock@ (Jul 2, 2012)

Router firmware can be okay.  The most common holes are that people don't change the default admin passwords.  ("What admin password?" is the common response.)  Upgrade it to the latest manufacturer version, or replace with third-party like OpenWRT or Tomato.


----------



## neilms (Jul 2, 2012)

wblock@ said:
			
		

> Router firmware can be okay.  The most common holes are that people don't change the default admin passwords.  ("What admin password?" is the common response.)  Upgrade it to the latest manufacturer version, or replace with third-party like OpenWRT or Tomato.



That is exactly right - when *I* first got my new modem / router *I* was not familar with it and didn*'*t know about the default password change - until months after when some joker logged onto it via the html port. Nowdays the the ISP puts a sticker on the modem to change the password straight away!


----------



## wblock@ (Jul 2, 2012)

It would be interesting to find out the percentage of people that actually change the password due to the sticker.  I'd guess it's certainly under 20%, and probably under 10%.  Would be nice if the router didn't allow WAN access until that was changed.


----------



## Deleted member 30996 (Jul 4, 2012)

neilms said:
			
		

> My question is, do you advise me to still install a firewall on my PCs or is my security enough for a home user?



I would advise you to enable the pf firewall even though you are behind the router.

Add these lines to your /etc/rc.conf as root:


```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
```

You'll need to create your /etc/pf.conf file and save it as root. You can get by with as few as 2 basic rules, but here are what I use:


```
### A macro for the external interface
ext_if = "fxp0"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default block everything rule
block all

### Pass loopback
set skip on lo0

### Block spoofy d00ds
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block fingerprinting
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

You'll need to specify your own external interface. If you don't know what it is you can run ifconfig to find out.

If you've got an old computer sitting around you might even consider turning it into a pfSense firewall. I run one between my router and FreeBSD boxes and still get entries in my logs even though the router acts as a firewall, though it's no doubt a lot older than yours.


----------



## throAU (Jul 5, 2012)

It depends what you are wanting to do.

For normal home use the router firewall is probably fine, so long as you change the password and make sure the firmware is up to date.

If you are on a fast connection (ethernet) or want to do "tricky" things with your firewall rule-sets, the processor in your FreeBSD machine is likely much faster at processing firewall rules than the router will be.

Trying to run a fast link on a "home user" grade router may result in the router being a bottleneck - most of them are fairly slow in comparison (CPU wise), with fairly limited memory.


But - if you're just running a typical home-style xDSL connection and not doing anything exotic, the router will handle it just fine.


----------



## gkontos (Jul 5, 2012)

Like the others said, the real danger comes from the services that you expose. For home use any basic router with build-in fw will work fine.

If you want to learn PF then you can start from here. 

My general suggestion, avoid using complex rules and TCP/IP fingerprinting unless you *REALLY* know what you are doing.


----------



## Deleted member 30996 (Jul 5, 2012)

I only offered the rules I use in case OP wanted to use them, neither they or anyone else is under any obligation to do so.

If there was a syntax error they wouldn't load:


```
# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:
scrub in on msk0 all fragment reassemble
block drop all
block drop in quick on msk0 inet from any to 255.255.255.255
block drop in log quick on msk0 inet from 10.0.0.0/8 to any
block drop in log quick on msk0 inet from 172.16.0.0/12 to any
block drop in log quick on msk0 inet from 192.168.0.0/16 to any
block drop in log quick on msk0 inet from 255.255.255.255 to any
block drop in quick on msk0 proto tcp all flags FPU/FSRPAUEW
block drop in quick on msk0 proto tcp all flags FSRPAUEW/FSRPAUEW
block drop in quick on msk0 proto tcp all flags FSRAU/FSRPAUEW
block drop in quick on msk0 proto tcp all flags /FSRPAUEW
block drop in quick on msk0 proto tcp all flags SR/SR
block drop in quick on msk0 proto tcp all flags FS/FS
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
pass out on msk0 proto tcp all flags S/SA modulate state
pass out on msk0 proto udp all keep state
pass out on msk0 proto icmp all keep state

INFO:
Status: Enabled for 1 days 07:47:33           Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
  searches                          462631            4.0/s
  inserts                             7954            0.1/s
  removals                            7954            0.1/s
Counters
  match                              10132            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
700 fingerprints loaded
```

The fingerprinting rules didn't even come into play in my pf.yesterday log:


```
block drop in quick on msk0 proto tcp all flags FPU/FSRPAUEW [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on msk0 proto tcp all flags FSRPAUEW/FSRPAUEW [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on msk0 proto tcp all flags FSRAU/FSRPAUEW [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on msk0 proto tcp all flags /FSRPAUEW [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on msk0 proto tcp all flags SR/SR [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on msk0 proto tcp all flags FS/FS [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
```

And the only downside I've seen to using them is they block some portions of my own nmap scans.


----------



## gkontos (Jul 5, 2012)

@Trihexagonal,

My apologies if my comments offended you. 

I didn't mean to offend you. I have worked my way up from layer 1 to 7 during the past few years and during that time I have seen a lot of issues regarding firewalls. I have worked with CISCO firewalls that where loaded with 50000 ACEs and I have come to one conclusion.

When you build a network firewall you start by processing your most used rules first. 

You exercise some sort of anti spoofing, you take advantage of some special characteristics of the fw engine, a good example of PF is synproxy state. You log all traffic except junk and you try to keep your rules simple and easy to maintain.

You don't rely on a network firewall for port scans. That is a job for a network IDS. 

And of course, the most important is that the danger always comes from the services that you expose.

Best Regards,

George


----------



## Deleted member 30996 (Jul 5, 2012)

No problem.  I'm behind a router and pfSense firewall so my FreeBSD box logs are pretty boring anyway, though some stuff does make it past my router. 

I developed a love for firewalls running ConSeal PC Firewall on my Win98 box and like having the pf firewall going.


----------

