G+_Dan K Posted March 7, 2016: On my IoT router: I heard Steve last week talk about blocking all ports but 80 and 443. Would I block both UDP and TCP, or should I block all UDP and only allow ports 80 and 443 on TCP?
G+_Fr. Robert Ballecer, SJ Posted March 7, 2016: My policy is to whitelist: block EVERYTHING and only whitelist ports as needed.
G+_Wolf 68k Posted March 7, 2016: Most routers have a NAT firewall, which means the ports are already closed until you open them automatically, and then they close automatically. I won't worry about those ports, or any others, unless you were running a server. I don't know exactly what Steve (Gibson on Security Now, I'm assuming) was talking about or why.
G+_Dan K Posted March 7, 2016 (Author): Fr. Robert Ballecer, SJ, thanks for the info. Doesn't DNS connect over UDP?
G+_Black Merc Posted March 7, 2016: Wolf 68k, Steve was describing a way of accessing the IoT subnet from the 'secure' private subnet in a controlled way, by port-forwarding through the primary (gateway) router's LAN.
G+_Akira Yamanita Posted March 7, 2016: Dan K, DNS can connect over either TCP or UDP. Most of the time, UDP is used.
G+_Dan K Posted March 8, 2016 (Author): How would I set that up?
G+_Ben Reese Posted March 8, 2016: Steve was talking about blocking all but those ports for outbound traffic on your IoT router. It could then be placed behind your everything-else router and hopefully not affect anything important. You'd probably also need to let DNS (port 53) through as well. I don't know how many dumb routers have firewalls for outbound traffic, though. I suppose you could do it if you had DD-WRT or Tomato available.
G+_Black Merc Posted March 8, 2016: Dumb routers do that by default. IoT devices, PCs, tablets, whatever is on your LAN, start any interaction through the router to the internet. If your side doesn't call for it, it won't come. (Here, Lassie!) However, that being said... if your device(s) have something already calling out (malware, virus, trojan, signal to the mother ship), THAT'S when s*** can hit the fan. It's like throwing up a flare, saying "Here I Am!" The three dumb routers idea is to place a simple maze to hinder attacks.
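The outbound whitelist that Ben Reese's and Black Merc's posts above describe (default-deny for everything the IoT segment initiates, with exceptions for DNS on both UDP and TCP and for 80/tcp and 443/tcp, and a log line for anything that tries to "call out" past that), as an added example that is not part of this thread: a POSIX shell script for a Linux-based router such as DD-WRT or Tomato. The interface names br0 (IoT LAN) and eth0 (WAN), and the subnet 192.168.20.0/24, are assumptions; change them to match your router. The script emits an iptables-restore ruleset rather than calling iptables directly so the rules can be read before they are applied.

```shell
#!/bin/sh
# Added example (not from the thread): outbound whitelist for an IoT segment
# on a Linux-based router (DD-WRT, Tomato or similar).
# Assumed names, adjust for your router:
IOT_IF="${IOT_IF:-br0}"                  # bridge/LAN interface the IoT devices sit on
IOT_NET="${IOT_NET:-192.168.20.0/24}"    # the IoT subnet
WAN_IF="${WAN_IF:-eth0}"                 # upstream interface toward the "everything else" router

# Print the ruleset in iptables-restore format.
# Policy: FORWARD defaults to DROP; only DNS (53 udp+tcp), HTTP (80/tcp) and
# HTTPS (443/tcp) may be opened from the IoT subnet, plus replies to those
# connections.  Everything else is logged (rate-limited) and dropped, so a
# device that phones home on some other port shows up in the kernel log.
iot_outbound_rules() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
:IOT_OUT - [0:0]
# Replies to connections the IoT side opened are allowed back in.
-A FORWARD -i $WAN_IF -o $IOT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# New traffic from the IoT subnet toward the WAN goes through the whitelist.
-A FORWARD -i $IOT_IF -o $WAN_IF -s $IOT_NET -j IOT_OUT
# DNS: normally UDP, but TCP is used when an answer does not fit in a UDP reply.
-A IOT_OUT -p udp --dport 53 -j ACCEPT
-A IOT_OUT -p tcp --dport 53 -j ACCEPT
# Web traffic.
-A IOT_OUT -p tcp --dport 80 -j ACCEPT
-A IOT_OUT -p tcp --dport 443 -j ACCEPT
# Anything else: log a sample of it, then drop.
-A IOT_OUT -m limit --limit 6/min -j LOG --log-prefix "IOT-DROP: "
-A IOT_OUT -j DROP
COMMIT
EOF
}

# "sh iot-whitelist.sh" prints the ruleset; "sh iot-whitelist.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then
    iot_outbound_rules | iptables-restore -n
else
    iot_outbound_rules
fi
```

The `-n` on `iptables-restore` leaves the router's existing rules (its NAT and input rules) in place and only adds these. It is meant to be loaded once, for example from the router's firewall startup script, since each run appends the two FORWARD jump rules again. It covers only traffic the router forwards for the IoT segment, not the router's own management traffic, and it assumes the IoT router forwards nothing but that segment; a device that needs NTP or some vendor port will show up as `IOT-DROP:` lines in `dmesg`, which is where you decide whether to add it to the list.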
G+_Dan K Posted March 8, 2016 (Author): Unfortunately, one of my 3 dumb routers has been doing something weird, as stated in my earlier post.