How the Linksys Router/Firewall Works
Most Linksys routers/firewalls rely on simple NAT routing and basic port filtering to control the flow of traffic through the router. Depending on the direction of the traffic flow, a different filtering methodology is applied.
Filtering Traffic from External Sources
Linksys adheres to the minimalist approach to filtering when it comes to filtering traffic from external sources. By default, all traffic that originates from an external host is blocked by the router/firewall unless it is specifically permitted. This policy ensures that only the traffic you explicitly permit is allowed to access protected resources. Linksys provides three methods of explicitly permitting traffic:
- Port-range forwarding
- Port triggering
- DMZ forwarding
Port-range forwarding is the classic port-forwarding configuration that most firewalls and routers implement. With port-range forwarding, you enter the starting and ending port that should be permitted, select the appropriate transport protocol (TCP, UDP, or both), and specify the IP address of the internal host that is providing the specified service. Doing so causes the router to take all traffic received on the external interface that is destined to the specified ports and forward the traffic to the internal host. Unfortunately, there is no way to specify which external hosts should be allowed to access the internal resources, so you are forced to allow all external resources access, or allow none at all. In many cases (for example, a Simple Message Transfer Protocol [SMTP] server), you want all external hosts to be able to access the server, so this is not a problem. If you have an FTP server that you only want certain external hosts to access, however, you really need to implement a firewall other than the Linksys router. Figure 5-2 illustrates how port-range forwarding works with an internal host running a web server.
Figure 5-2 Port-Range Forwarding
In Figure 5-2, the router is configured to allow port forwarding for TCP port 80 to the internal web server (HostA) located at IP address 10.1.1.100. The process works like this:
- The router receives a packet destined to its external IP address using TCP port 80.
- The router forwards the response to the internal web server (HostA), keeping the source IP address of the original external host (HostB) unchanged.
- This allows the web server (HostA) to know that it needs to respond to the external host (HostB), the reply to which the router will then translate using NAT, causing the external host (HostB) to think it has been communicating with the router the whole time.
Port triggering forwards traffic to internal hosts in a similar manner to how port-range forwarding works, with one important difference. Port triggering does not forward any traffic to an internal host until that internal host has initiated some form of traffic for an external destination. When that occurs, the port triggering mechanism automatically allows traffic to be forwarded to the host that initiated the trigger condition.
Port triggering is used primarily to support applications that attempt to communicate with hosts using different ports than what they were contacted on. A common example of this is many gaming applications. For example, Unreal Tournament uses UDP ports 7777 through 7779 to communicate between hosts, but uses port 27900 to communicate with the central game server. Using port forwarding, you would need to potentially permit all of those ports, all the time, to allow a host to run the application. With port triggering, you can configure the router to open ports 7777 through 7779 only after an internal host has attempted to connect to something on the external network using port 27900.
DMZ forwarding is the most insecure of all filtering methods from external sources because it applies absolutely no filtering. The host still resides behind NAT, but the router will allow all traffic from external sources to access the host in a completely unfiltered and unrestricted manner. For all intents and purposes, you might as well not even have a firewall.
Filtering Traffic from Internal Sources
Filtering of traffic from internal sources breaks with the minimalist approach and applies a terribly flawed filtering philosophy to the router. The router allows all traffic from internal sources, blocking only the traffic that is explicitly defined. The reason for this "backward" implementation speaks to the heart of the debate over security and functionality.
The vast majority of home users do not know what a port is, much less what they should or should not be filtering. By allowing all traffic by default, Linksys ensures that the router/firewall is easy to set up, with little to no configuration required to allow access to external resources. This easy setup dramatically saves technical support costs. Unfortunately, this insecure method of implementation allows all traffic to exit the network (for example, allowing a back door that has been installed on the user's computer to send sensitive information to a host on the Internet or allowing a virus/worm to propagate to external hosts). Because it is so easy to implement, however, ease has won out over security.
Linksys generally supports three levels of filtering of traffic from internal sources:
- By IP address
- By port range
- By MAC address
In all instances, any IP addresses, destination port numbers, or MAC addresses specified will not be allowed to access external hosts.