How to lock down external access to our network

[Smokeshow]

So we have implemented a Zeroshell router here at the office using the latest beta version (11). We just discovered a pretty major issue: Anybody is able to access our entire network if they are using the same ISP as us. All they would have to do is change their default gateway to be our routers WAN address, and then they would be able to access any of our computers as if they were on the local network.

Here is how I have the box setup:

ETH00 (WAN):

IP: 12.34.56.78
Subnet Mask: 255.255.255.0

ETH01 (LAN):

IP: 192.168.0.2
Subnet Mask: 255.255.255.0

I have NAT enabled on ETH00. The Default gateway is set as 12.34.56.1. RIP is disabled, and everything in my Routing Table is there automatically (except the default gateway which comes up as static).

Does anyone have any suggestions on how to close this gaping hole?

Thanks in advance 🙂

[bbozo]

In Firewall (left menu)

In INPUT, and FORWARD chains you need to add rules

INPUT
input interface:ETH00
Connection State NEW (chech it)
Action DROP

FORWARD
input interface:ETH00
output int.: ETH01
Connection State NEW (chech it)
Action DROP

be carefull when you are working with firewall you could lock yourself out.
also very important is the sequence where this rules will be……

[Smokeshow]

Okay, that definitely works. However, now it looks like I will probably have to create a firewall rule for each and every one of my port forwards. Is there any way around that?

Also, I’m kinda new to administering a firewall & router of this type. Are there any good websites out there that I could read up on this stuff and get a little better acquainted with it?

[zevlag]

Smokeshow, did you find some good references?

[Author]

Posts