Technicolor TG582n – setting up the firewall

The Technicolor TG582n is a relatively inexpensive router designed for ADSL service. It can also be configured for PPP over Ethernet, which makes it usable with VDSL as well, and it can handle IPv6.

Many routers include a firewall, and sometimes you can set it up from the web interface. For IPv4 at least, this is meant to be possible with the TG582n, but it never worked well for me, always hanging when I tried to add a rule.

The instructions available from Technicolor, and also from Andrews & Arnold who supplied my router, were quite difficult to work with. Some of the options mentioned are only appropriate with NAT, which is not enabled on mine, and these examples assume it will not be.

To design any firewall configuration to do what you want, you first need to be sure what that is. Then it makes sense to code it from the ground up, rather than trying to reuse any of the defaults. This, in the end, is how I did it, and it is what has led to me making these recommendations on how to proceed:

Decide on the services you intend to be able to control. If you start from “closed”, these will be the ones you want to be open. Telnet to the router, log in as you would from the web interface, then type:

:expr list

This will list the known expressions, some of which may match the services you wish to run. An example from mine is that http was there to start with – proto=6 (which means tcp) and dst-prt=80.

If you've got any services you want to control for which no expression exists, you will need to add them. You can have multiple expressions under the same name, if that is helpful. For example, if you run an XMPP server that uses the following TCP ports: 5222, 5223, 5229, 5269, 7070, 7443 and 7777, you could enter the following:

:expr add name=xmpp type=serv proto=tcp dstport=5222 dstportend=5223
:expr add name=xmpp type=serv proto=tcp dstport=5229
:expr add name=xmpp type=serv proto=tcp dstport=5269
:expr add name=xmpp type=serv proto=tcp dstport=7070
:expr add name=xmpp type=serv proto=tcp dstport=7443
:expr add name=xmpp type=serv proto=tcp dstport=7777

Find the IP addresses (v4 and v6, if appropriate) of all the systems you want to be destinations for outside traffic, other than for any services which you want to go to all of them. Add expressions for these. The examples below assume your server is best known to you as “server1”:

:expr add name=server1 type=ip addr=192.168.4.17
:expr add name=server1 type=ip addr=2001:db8::c0a8:411

Create a new firewall level – call it what you like and describe it how you like, thus:

:firewall level add name=Normal text="How I like the firewall set normally" policy=drop

This will create a chain named after the level, in this case “forward_level_Normal”. It is in this chain that you will add your rules.

This ruleset assumes that you will allow any traffic from your LAN out, and any xmpp traffic from the WAN to server1 in, but deny all other traffic from the WAN:

:firewall rule add chain=forward_level_Normal srcintf=lan action=accept
:firewall rule add chain=forward_level_Normal srcintf=wan serv=xmpp dstip=server1 action=accept
:firewall rule add chain=forward_level_Normal srcintf=wan action=deny

Each of these rules will be assigned an index number. If later you want to insert a rule before an existing rule, include “index=2”, for example, to insert the new rule before the existing rule 2.

In order to enable the firewall level you have created, it is probably easiest to go to the homepage of your router, then click “Firewall”, “Configure”, choose the level there and click “Apply”.

When you need to drop traffic from an abusing network, first create an expression to match it, like this:

:expr add name=abusers type=ip addr=10.1.0.0/16

then add a rule to block it:

:firewall rule add chain=forward_level_Normal index=2 srcintf=wan srcip=abusers action=drop

If you need to drop more, just add an expression for the IP range with the name “abusers”.
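Why the blocking rule is inserted with index=2 rather than simply added at the end can be checked offline with a small model of the chain. This is an added example, not code from the original post or from Technicolor; it assumes the router evaluates a chain from the top and stops at the first matching rule, and the function names and sample packets are constructed for illustration.

```python
import ipaddress

# Expressions from the page; one name may hold several entries.
SERV = {"xmpp": [(5222, 5223), (5229, 5229), (5269, 5269),
                 (7070, 7070), (7443, 7443), (7777, 7777)]}
IP = {"server1": ["192.168.4.17", "2001:db8::c0a8:411"],
      "abusers": ["10.1.0.0/16"]}

# The three rules of forward_level_Normal, in the order they were added.
BASE = [
    {"srcintf": "lan", "action": "accept"},
    {"srcintf": "wan", "serv": "xmpp", "dstip": "server1", "action": "accept"},
    {"srcintf": "wan", "action": "deny"},
]
BLOCK = {"srcintf": "wan", "srcip": "abusers", "action": "drop"}

def ip_match(name, addr):
    a = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(n) for n in IP[name])
    return any(a.version == n.version and a in n for n in nets)

def insert_rule(chain, rule, index=None):
    """index=N puts the rule before existing rule N (1-based); None appends."""
    pos = len(chain) if index is None else index - 1
    return chain[:pos] + [rule] + chain[pos:]

def evaluate(chain, pkt, policy="drop"):
    """Assumption: first matching rule decides; the level policy is the fallback."""
    for rule in chain:
        if rule["srcintf"] != pkt["srcintf"]:
            continue
        if "srcip" in rule and not ip_match(rule["srcip"], pkt["src"]):
            continue
        if "dstip" in rule and not ip_match(rule["dstip"], pkt["dst"]):
            continue
        if "serv" in rule and not (pkt["proto"] == "tcp" and any(
                lo <= pkt["dport"] <= hi for lo, hi in SERV[rule["serv"]])):
            continue
        return rule["action"]
    return policy

def pkt(srcintf, src, dst, dport, proto="tcp"):
    return dict(srcintf=srcintf, src=src, dst=dst, dport=dport, proto=proto)

if __name__ == "__main__":
    abuser = pkt("wan", "10.1.9.9", "192.168.4.17", 5222)  # constructed sample
    for label, idx in (("index=2", 2), ("appended", None)):
        print(label, "->", evaluate(insert_rule(BASE, BLOCK, idx), abuser))
```

Under that assumption, an appended block rule is never reached: the abusing network's XMPP traffic to server1 is accepted by rule 2 and everything else from it stops at the deny rule.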

Once you have set your firewall up, check from time to time that none of the rules have been deleted, especially if your router has restarted – I lost one rule and an expression associated with it two days running. It did stick eventually.

Please remember that these are just examples. I am sure you can come up with far more than I have gone into here, but this is how you get started.

The IP addresses above are only examples: the IPv4 ones are both private address space and therefore won't be out on the Internet generally, and 2001:db8::/32 is specifically reserved for use in documentation.