RV016 firewall policies via telnet (rules, chains, etc.)

lsilva · ‎11-04-2011

Hello,

I am having some troubles finding information about how to configure firewall policies (rules, chains, etc.) via telnet on a RV016.

The reason for that is that i keep getting some log entries "connection refused - policy violation" and "blocked" even with my firewall wide open (only allow rules on all interfaces, SPI and block wan request disabled, multicast and https enabled, etc.... ). Also, with these exact same rules, i can only connect via PPTP with the firewall disabled. The minute i tick the enable option the tunnel never gets to authentication phase.

I then started reading OpenRG manual and many things are quite similar, but some other entries are missing from that manual (maybe some changes made by cisco???).

I am trying to figure out some service ids, chains (e.g. the rv016 has some rules redirecting to chains 10, 100, 200 but i can not find them anywhere), and so on. I have only one rv016 and about 60 connections to it so i can not experiment that much without having the whole company on my neck with internet problems.

Is there any manual that can be sent to me, publicly or privately (lsilva@auditmark.com), or config file via busybox shell that i can access to understand this better?

Thanks in advance and hope some one from cisco can give me a hand on this.

Luís Silva

germaurice · ‎11-29-2011

Hi Luis, as you I have "connection refused - policy violation" logs even firewall rules are allowing them.

I have SPI enabled, because it insures you that outcoming connections can go back through the firewall to your host.

I have all security features and multicast passthrough deactivated.

I'm interested if anyone can explain why we have this kind of behavior even if rules are allowing them.

The firmware i'm using is v4.0.4.02-tm

Thanks in advance.

lsilva · ‎12-02-2011

Hi,

I gave up trying to configure a secure firewall with this router. The Web Interface is no good and the telnet options are not documented anywhere (as we are not supposed to tamper with it).

As I have everyone connected via that router I can not afford but a few hours to experiment with it so I found the answers to my problems and stopped there, and am now using other firewall.

First, forget about the firewall rules in the web interface. Activate telnet access according to http://www.linksysinfo.org/index.php?threads/enabling-telnetd-on-the-rv042-rv082-and-rv016.16069/

and access the router via telnet. I recommend you to read the firewall settings of this manual (http://wildcat.espix.org/doc/bbox2/various/openrg_configuration_guide.pdf) which is the OS cisco uses in this router (with some features left out).

You will find two firewall settings areas via telnet: /nk/fw and /fw.

I set the /fw/enabled option to 0 (disabled).

I left the /nk/fw section activated but removed the default firewall rules (the ones which are greyed out in the webinterface; use the command rg_conf_del nk/fw/rule/[0,1,2,3,....] for the respective rule)

This way the firewall is wide open and I barely get connection refused, the internet speed is equal to other routers, vpn connections can get in. You can still use the web interface to configure website blocking (via url or keyword), but firewall rules themselves don't seem to work.

The disabled section (/fw) has several policies for access,deny and jumps. I suspect that if you study it and experiment with it you will be able to understand what does what and configure the firewall correctly. I managed to lock the router by removing a rule and had to do a hard reset to get access to it again.

If you find any new info, please post it here too, so we can do what cisco doesn't seem to care.