DComTalk.com

Okay, I had a $50-off "Reward" card and an additional 15%-off coupon from
Office Depot and I didn't really need anything. So... I bought a Linksys
BEFSX41 Router/Firewall to play with on my 8 machine network at home (4 2003
servers, 4 XP workstations). I already have a "real" network firewall but I
wanted to take a look a this Linksys for possible recommendation to home
users with minimum needs.

Looking for some hints on config of this thing. From what I see, it is easy
enough to block specific protocols and IPs, but how can I block "everything"
(all TCP/UDP ports) and then specify only what I want to allow? Is there a
way to do that on this Linksys?

Thanks,

-Frank

In article <K6OdnepHTI2XcAfenZ2dnUVZ_tWdnZ2d@giganews.com>,
Frank@SPAM2TRASH.com says...

Okay, I had a $50-off "Reward" card and an additional 15%-off coupon from
Office Depot and I didn't really need anything. So... I bought a Linksys
BEFSX41 Router/Firewall to play with on my 8 machine network at home (4 2003
servers, 4 XP workstations). I already have a "real" network firewall but I
wanted to take a look a this Linksys for possible recommendation to home
users with minimum needs.

Looking for some hints on config of this thing. From what I see, it is easy
enough to block specific protocols and IPs, but how can I block "everything"
(all TCP/UDP ports) and then specify only what I want to allow? Is there a
way to do that on this Linksys?

You can, not sure about the SX, enter IP's to be considered Private IP,
these won't be permitted outbound access. Same with Private Ports, ports
that don't get outbound access.

The main reason to purchase this units is the dedicated IPSec tunnel
ability for site to site VPN.

--

spam999free@rrohio.com
remove 999 in order to email me

"Leythos" <void@nowhere.lan> wrote in message
news:ZnDmf.185300$tD4.18960@tornado.ohiordc.rr.com...

In article <K6OdnepHTI2XcAfenZ2dnUVZ_tWdnZ2d@giganews.com>,
Frank@SPAM2TRASH.com says...
Okay, I had a $50-off "Reward" card and an additional 15%-off coupon from
Office Depot and I didn't really need anything. So... I bought a Linksys
BEFSX41 Router/Firewall to play with on my 8 machine network at home (4
2003
servers, 4 XP workstations). I already have a "real" network firewall but
I
wanted to take a look a this Linksys for possible recommendation to home
users with minimum needs.

Looking for some hints on config of this thing. From what I see, it is
easy
enough to block specific protocols and IPs, but how can I block
"everything"
(all TCP/UDP ports) and then specify only what I want to allow? Is there
a
way to do that on this Linksys?

You can, not sure about the SX, enter IP's to be considered Private IP,
these won't be permitted outbound access. Same with Private Ports, ports
that don't get outbound access.

I think the SX may be different. This is the one advertised as a "Broadband
Firewall Router". Near as I can tell, the "SX" is the disignation showing
the Firewall aspect. I can not find the "Private" word anywhere in the
config.

The main reason to purchase this units is the dedicated IPSec tunnel
ability for site to site VPN.

Yes, that is pretty cool. Two VPNs nonetheless.

I got a great deal, since the thing only cost me about $15 LOL.... Figured
I'd learn something about low cost consumer "network firewalls". Hehe...

I am really talking about blocking inbound traffic. It does allow blocking
ranges of ports. So... I would like to block TCP/UDP 1-65536, and then
allow specific ports as an exception. Unfortunately, I cannot find any way
to except ports. Or to make specific pass-through ports. That leaves me
with having to block ranges, for instance, like: 1-19 (allow 20, 21,23 for
ftp), then 24-24 (allow 25 for SMTP), then 26-52 (allow 53 for DNS), etc.
The problem is, the unit does not allow enough fields to get all the way up
to 65536 doing it this way.

Granted, maybe this unit is not designed to provide the capability to run a
server behind it, but really, since it is advertised as a Firewall (yeah, I
know, not certified) it would allow to close all inbound and allow
exceptions. Maybe it does, but I can't figure out how to do it.
Hence, my post :-)

After re-rereading my post, maybe what I could do is just block 1-65536 and
then "forward" the desired ports, even if they are forwarded to the same
port. Would that be the same as "allowing"?

I'm used to "rule based" firewalls.

-Frank

In article <hN6dnVdFm5vwlgbeRVn-gQ@giganews.com>, Frank@SPAM2TRASH.com
says...

"Leythos" <void@nowhere.lan> wrote in message
news:ZnDmf.185300$tD4.18960@tornado.ohiordc.rr.com...
In article <K6OdnepHTI2XcAfenZ2dnUVZ_tWdnZ2d@giganews.com>,
Frank@SPAM2TRASH.com says...
Okay, I had a $50-off "Reward" card and an additional 15%-off coupon from
Office Depot and I didn't really need anything. So... I bought a Linksys
BEFSX41 Router/Firewall to play with on my 8 machine network at home (4
2003
servers, 4 XP workstations). I already have a "real" network firewall but
I
wanted to take a look a this Linksys for possible recommendation to home
users with minimum needs.

Looking for some hints on config of this thing. From what I see, it is
easy
enough to block specific protocols and IPs, but how can I block
"everything"
(all TCP/UDP ports) and then specify only what I want to allow? Is there
a
way to do that on this Linksys?

You can, not sure about the SX, enter IP's to be considered Private IP,
these won't be permitted outbound access. Same with Private Ports, ports
that don't get outbound access.

I think the SX may be different. This is the one advertised as a "Broadband
Firewall Router". Near as I can tell, the "SX" is the disignation showing
the Firewall aspect. I can not find the "Private" word anywhere in the
config.

First things to understand, none of the NAT devices in that category are
"Firewalls" they are simple NAT devices and use NAT as a means to filter
INBOUND and OUTBOUND traffic. Some have a few nice features, but they
are just routers.

The main reason to purchase this units is the dedicated IPSec tunnel
ability for site to site VPN.

Yes, that is pretty cool. Two VPNs nonetheless.

I got a great deal, since the thing only cost me about $15 LOL.... Figured
I'd learn something about low cost consumer "network firewalls". Hehe...

I am really talking about blocking inbound traffic. It does allow blocking
ranges of ports. So... I would like to block TCP/UDP 1-65536, and then
allow specific ports as an exception. Unfortunately, I cannot find any way
to except ports. Or to make specific pass-through ports. That leaves me
with having to block ranges, for instance, like: 1-19 (allow 20, 21,23 for
ftp), then 24-24 (allow 25 for SMTP), then 26-52 (allow 53 for DNS), etc.
The problem is, the unit does not allow enough fields to get all the way up
to 65536 doing it this way.

You misunderstand NAT, all inbound is BLOCKED by default when it's not
solicited. This means that nothing outside that was not first contacted
by an internal node can reach the inside (in the way these devices
implement NAT). So, it's already blocking all 65536 ports inbound.

So, you only need to port map the ports you want to allow inbound.

Granted, maybe this unit is not designed to provide the capability to run a
server behind it, but really, since it is advertised as a Firewall (yeah, I
know, not certified) it would allow to close all inbound and allow
exceptions. Maybe it does, but I can't figure out how to do it.
Hence, my post :-)

Again, NAT Routers, like the simple one you've purchase, only allows
inbound in response to a request from an internal node, or when
explicitly port-forwarded by your own doing in the tables.

After re-rereading my post, maybe what I could do is just block 1-65536 and
then "forward" the desired ports, even if they are forwarded to the same
port. Would that be the same as "allowing"?

Again, you don't have to block anything inbound, it's already part of
how NAT works in these devices. You only have to block OUTBOUND. If you
"WANT" to allow inbound, then you port map from the single PUBLIC IP to
a single internal IP.

I'm used to "rule based" firewalls.

And these devices are not firewalls, they are routers that implement
NAT.


--

spam999free@rrohio.com
remove 999 in order to email me

First things to understand, none of the NAT devices in that category are
"Firewalls" they are simple NAT devices and use NAT as a means to filter
INBOUND and OUTBOUND traffic. Some have a few nice features, but they
are just routers.

Well, I know. I don't want to get into the "what's a real firewall" crap.
This one does have some firewall features though... other than NAT.

I am really talking about blocking inbound traffic.

You misunderstand NAT, all inbound is BLOCKED by default...
...So, it's already blocking all 65536 ports inbound.

Ah... okay. That works for me.

So, you only need to port map the ports you want to allow inbound.

Gotcha.

Again, you don't have to block anything inbound, it's already part of
how NAT works in these devices. You only have to block OUTBOUND.

Okay, that explains the "Blocked Services" fields. I am asked to identify
which services/protocols I want to block (i.e. HTTP, HTTPS, SMTP, FTP, DNS,
IMAP, SNMP, etc. - there are 12 of them). I guess that selection is to block
outbound, although it didn't say inbound or oubound.

If you "WANT" to allow inbound, then you port map from the single
PUBLIC IP to a single internal IP.

Gotcha. Although, in my case, it's from private to private (internal
network). This unit works fine with the outside/inside interafaces both
being private IPs... if you choose.

I'm used to "rule based" firewalls.

And these devices are not firewalls, they are routers that implement
NAT.

Again, no argument there. But I do believe this unit provides adequate
protection for many home users. Better than the typical NAT device since it
has stateful inspection. Just depends on the rest of the security picture
(i.e. risk, cost, value of data, etc.)

-Frank

"Frankster" <Frank@SPAM2TRASH.com> wrote in message
news:K6OdnepHTI2XcAfenZ2dnUVZ_tWdnZ2d@giganews.com...

Okay, I had a $50-off "Reward" card and an additional 15%-off coupon from
Office Depot and I didn't really need anything. So... I bought a Linksys
BEFSX41 Router/Firewall to play with on my 8 machine network at home (4
2003 servers, 4 XP workstations). I already have a "real" network firewall
but I wanted to take a look a this Linksys for possible recommendation to
home users with minimum needs.

Looking for some hints on config of this thing. From what I see, it is
easy enough to block specific protocols and IPs, but how can I block
"everything" (all TCP/UDP ports) and then specify only what I want to
allow? Is there a way to do that on this Linksys?

Thanks,

-Frank

I used to use one of these. I've got to say though that this router, while
a great piece of work, suffers terribly from crappy firmware releases. Ever
since Linksys was purchased by Cisco their firmware releases have just went
to crap. Since you recently purchased it I'll be it came with the 1.50.18
firmware. That firmware is known to have issues. If that is indeed the
firmware you have loaded try running a tracert and see if the router
reboots? Also if you try so set many of the special features you'll find
the router will reboot or crap out as well. Most advanced SX41 users have
determined the most favorable firmwares are either the 1.45.7 or 1.51.00 of
which neither is available from Linksys as they are/were Beta releases.
They, Linksys, are up to like 1.52.06 on the Beta releases now and still are
having issues.

You can try this thread on DSLReports.com and read for yourself:
http://www.dslreports.com/forum/remark, ... ~days=9999

This is just one long thread as there are many others. This thread will at
least point you to where to get a more stable firmware for this router.
From my experience for light home users with little needs it is great. It
simply blocks everything. The one thing I do not like is that it's gets
bogged down with too much P2P traffic but just about any SOHO router will be
affected by this as well.

Again this is a great router. Some users have very little issues as I did
however I didn't use many special settings. Also you might try asking this
question in the Linksys forum at that link.

You can try this thread on DSLReports.com and read for yourself:
http://www.dslreports.com/forum/remark, ... ~days=9999

Yep, I have the firmware version you mentioned (April of '04 - the age
surprised me). Thanks for all the hints. I'll look into it!

-Frank

In article <Fc2dnaClYc0miAbeRVn-ow@giganews.com>, Frank@SPAM2TRASH.com
says...

Again, no argument there. But I do believe this unit provides adequate
protection for many home users. Better than the typical NAT device since it
has stateful inspection. Just depends on the rest of the security picture
(i.e. risk, cost, value of data, etc.)

I always recommend a NAT solution for home users, but not for
businesses. So, we're on the same page.

--

spam999free@rrohio.com
remove 999 in order to email me

On Sat, 10 Dec 2005 12:36:10 -0600, "Jbob" <nobody@SpamCox.net> wrote:

I used to use one of these. I've got to say though that this router, while
a great piece of work, suffers terribly from crappy firmware releases. Ever
since Linksys was purchased by Cisco their firmware releases have just went
to crap. Since you recently purchased it I'll be it came with the 1.50.18

I beg to differ on this point. I bought a BEFSX41 early in the
production cycle & the firmware was crap long before Cisco made an
offer to buy Linksys.

This was a router that could have set the home networking market on
fire. The hardware capabilities are/were phenomenal for the time it
was released. However, crummy firmware held it down and relegated the
SX41 to a footnote in Linksys product history.

I think I still have mine laying around in a box somewhere....

Frankster wrote:

Looking for some hints on config of this thing. From what I see, it is easy
enough to block specific protocols and IPs, but how can I block "everything"
(all TCP/UDP ports) and then specify only what I want to allow? Is there a
way to do that on this Linksys?
-Frank

Have not seen the conf panel myself, but all firewalls operate on
Rules executed in a specific order. When one of them takes 'effect',
the processing is 'executed'.

the LAST rule is usually something like;
deny all to all both in/outbound
the permit rule are place ABOVE this and everything is fine.

example, windows uses a lot of ports on 127.0.0.1 for inter-process
communications, so make it the first rule
allow from/to 127.0.0.1 all ports tcp+udp
similarly, your Private Lan should be safe so
allow from/to 192.168.0.x all ports tcp+udp

now these three get you off to a 'safe start'

--
---
Jeff B (remove the No-Spam to reply)

In article <RrWdnbPZbM1pdADenZ2dnUVZ_tidnZ2d@adelphia.com>, jbeardNo-
Spam1185@adelphia.net says...

Frankster wrote:

Looking for some hints on config of this thing. From what I see, it is easy
enough to block specific protocols and IPs, but how can I block "everything"
(all TCP/UDP ports) and then specify only what I want to allow? Is there a
way to do that on this Linksys?
-Frank


Have not seen the conf panel myself, but all firewalls operate on
Rules executed in a specific order. When one of them takes 'effect',
the processing is 'executed'.

That would be true, but the home user units are not firewalls, they are
NAT devices.

Many firewalls are not using flow-past/through rules, as an example,
some of them allow you to have 10 HTTP rules, and the order doesn't
matter, only the traffic and if the specific details apply.

In the case of the Linksys units, as well as most of the others, you can
only block outbound to "destination" ports in some of them, and it's an
all or nothing type setup.

--

spam999free@rrohio.com
remove 999 in order to email me

Frankster wrote:

Okay, I had a $50-off "Reward" card and an additional 15%-off coupon from
Office Depot and I didn't really need anything. So... I bought a Linksys
BEFSX41 Router/Firewall to play with on my 8 machine network at home (4 2003
servers, 4 XP workstations). I already have a "real" network firewall but I
wanted to take a look a this Linksys for possible recommendation to home
users with minimum needs.

Looking for some hints on config of this thing. From what I see, it is easy
enough to block specific protocols and IPs, but how can I block "everything"
(all TCP/UDP ports) and then specify only what I want to allow? Is there a
way to do that on this Linksys?

Thanks,

-Frank

I had a BFRS linksys something and a linksys WAG something. One had
port forwarding issues, the other needed resetting often and I think
had port forwarding issues. Both were new. Emailed a friend asking
what makes he find ok, mentioned the linksys port forwarding isues to
him, he said he has had the same prob with linksys routers.

I am considering going back to getting a DLink, though most people say
they are rubbish, my experience hasn't been too terrible.


At least linksys will take back the broken router. I spent ages on tech
support before they concluded that it was buggered. My friend
experienced the same thing, with the same make(diff model obviously).
Linksys is now on my shit list, even if it's on nobody elses!