Re: ZyXEL Prestige 642R: Exposed Admin Services on WAN with Default Password

From: Daniel Roethlisberger (danielat_private)
Date: Fri Aug 10 2001 - 12:48:56 PDT


    It seems that some of the statements made in my original posting
    were not fully accurate.
    
    First off, I've been told that P642R's used over PPPoE -are-
    vulnerable, unless SUA is disabled too. I have no means to verify
    this, so I am unsure whether this is the end of the story.
    
    Second, I stated that setting up SUA Server rules does not work.
    This is plain wrong, it -does-, yet for some reason my initial
    attempt to do so failed. It seems that SUA Server rules take
    precedence over the local admin services after all. One possible
    workaround for the exposed ports is in fact to set up SUA Server
    rules for ports 21 and 23 which point to a nonexistent IP
    address. This is in fact an easier solution than correcting and
    applying the filter rules (see below), if not the most clean.
    
    Thanks to all those who pointed these details out to me.
    
    
    Peter Gutmann <pgut001at_private> wrote:
    > It works, but portions of the filter setup process are severely
    > underdocumented. You need to be very careful about chaining
    > rules together, so that the filter sets have to end with a
    > "Check next rule" action for everything but the last filter set.
    > If you end with a Drop/Forward action, the filter does exactly
    > that without checking further rules.
    
    You are indeed right. The preconfigured rules TELNET_WAN and
    FTP_WAN both have match action Drop and non-match action Forward
    in factory defaults. Which means chaining them together within a
    filter list will fail. Which in turn means that ZyXEL did not only
    choose to not apply the filters, but also set them up in such a
    way that they need to be modified in order to apply them both
    successfully. Thanks for pointing this out.
    
    Cheers,
    Dan
    
    
    -- 
       Daniel Roethlisberger <danielat_private>
       PGP Key ID 0x8DE543ED with fingerprint
       6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED
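
Added example, not part of the original post or of ZyXEL's firmware: a simplified model of the filter chaining discussed above, showing why the factory-default TELNET_WAN and FTP_WAN rules (match Drop, non-match Forward) cannot both take effect when chained, and how "Check next rule" corrects it. The evaluation semantics, the fall-through default, and the names `Rule`, `evaluate`, `audit` and `unreachable_rules` are assumptions made for illustration.

```python
# Added illustration: simplified model of the filter chaining described in the
# thread. The evaluation semantics are an assumption based on that description.
from dataclasses import dataclass

DROP, FORWARD, NEXT = "Drop", "Forward", "Check next rule"


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: int      # destination TCP port the rule matches on
    on_match: str      # action when the packet matches
    on_no_match: str   # action when it does not


def evaluate(rules, dst_port, default=FORWARD):
    """Return (verdict, names of rules consulted) for a packet to dst_port."""
    consulted = []
    for rule in rules:
        consulted.append(rule.name)
        action = rule.on_match if dst_port == rule.dst_port else rule.on_no_match
        if action != NEXT:          # Drop/Forward end evaluation immediately
            return action, consulted
    return default, consulted       # assumed behaviour when the chain runs out


def audit(rules, ports_to_block):
    """Ports from ports_to_block that the chain still lets through."""
    return [p for p in ports_to_block if evaluate(rules, p)[0] != DROP]


def unreachable_rules(rules):
    """Rules never consulted because an earlier rule ends on both branches."""
    dead, terminated = [], False
    for rule in rules:
        if terminated:
            dead.append(rule.name)
        if NEXT not in (rule.on_match, rule.on_no_match):
            terminated = True
    return dead


# Factory defaults as described in the post: match Drop, non-match Forward.
FACTORY = [Rule("TELNET_WAN", 23, DROP, FORWARD), Rule("FTP_WAN", 21, DROP, FORWARD)]
# Corrected chain: every rule but the last uses "Check next rule" on non-match.
CORRECTED = [Rule("TELNET_WAN", 23, DROP, NEXT), Rule("FTP_WAN", 21, DROP, FORWARD)]

if __name__ == "__main__":
    for label, chain in (("factory", FACTORY), ("corrected", CORRECTED)):
        print(label, "still open:", audit(chain, [21, 23]),
              "never consulted:", unreachable_rules(chain))
```

Under this model the factory chain leaves port 21 open because FTP_WAN is never consulted; the corrected chain drops both ports and still forwards other traffic.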
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:20:47 PDT