XB6 Firewall Behaviour

Felgar
Grasshopper

So for years I've had a Hitron modem bridged to a 3rd party router, but on my 3-level house, the 3rd party router range was never great, particularly on the 5 Ghz channel.  So after learning about the extension pods I made the switch to the BlueCurve XB6 to be able to add an extension pod.  

But now after the initial XB6 setup, I'm trying to restore my old network functionality and have a number of questions that Shaw support can't (or won't) answer.  It's unbelievable to me that they won't support the network configuration on their own router, but hopefully you can all help fill in the gaps...  

The firewall seems to have only Low, Medium, or High settings.  Are the specific traffic rules stated in the configuration page the FULL extent of the open ports?  For instance on Medium, it shows:

Typical Security (Medium)
LAN-to-WAN : Allow all.

WAN-to-LAN : Block as per below and enable IDS.

IDENT (port 113)
ICMP request
Peer-to-peer apps:
kazaa - (TCP/UDP port 1214)
bittorrent - (TCP port 6881-6999)
gnutella - (TCP/UDP port 6346)
vuze - (TCP port 49152-65534)

So is every port besides those OPEN by default, on Medium?  Ideally I would opt for virtually no incoming ports to be open by default.  

Secondly, I assume that the only way to intentionally open an otherwise blocked port is to add it as a Port Forward entry???  So then even on High with all incoming traffic blocked, does it know to open the forwarded port?  And lastly, I don't see a way to forward a specified port to a different port on the destination PC.  For instance I've always used an obscure port # for Remote Desktop and then forwarded it to 3389 on my PC.  Is that possible?  Would the best workaround be to change the PC configuration to RDP on that obscure port?

Thanks for doing what should be Shaw's job everyone; really appreciate it. 🙂


mdk
Legendary Grand Master

@Felgar --  So is every port besides those OPEN by default, on Medium?  

I hope that the opposite is true, and that those entries are listed for "convenience", namely if you want to use BitTorrent, you would remove that entry, rather than having to do your own research on which ports that you needed to allow.  It's like those web-sites that show "click here to accept all cookies", versus "click here and then select which types of cookies to accept" -- just "one-click" convenience.

I assume that the only way to intentionally open an otherwise blocked port is to add it as a Port Forward entry???

That makes sense, but my cable-modem is the older Hitron. So, I do not know if there is an option on your BlueCurve to open a port for all computers within your home network, rather than just port-forwarding one specific port to just the destination PC.

does it know to open the forwarded port? 

Presumably, the existence of a forwarding "rule" implies that the port is to be open, instead of being blocked.


Felgar
Grasshopper

@mdk  -- I hope that the opposite is true, and that those entries are listed for "convenience", namely if you want to use BitTorrent, you would remove that entry, rather than having to do your own research on which ports that you needed to allow. 

Yeah I would hope for that too, but you can imagine the frustration when I specifically ask that and the Shaw tech says "sorry, we don't support 3rd-party hardware"...  That list is not something you can add/remove individual items from what I can see; the only info in the configuration page is that on "Medium" setting, it says exactly what I posted.

Hopefully someone else has done a proper investigation of what it's actually doing... I don't have any kind of port scanner running to check myself but maybe it's something that I'll have to get going...  mmgh


mdk
Legendary Grand Master

@Felgar -- since I have the Hitron cable-modem, not the BlueCurve, I cannot use the BlueCurve app on my smart-phone. It seems to be the only way to make configuration-changes on the BlueCurve.

In a way, you do have a port-scanner. Your computer will respond to 3389/TCP traffic, if traffic on that port goes "through" an open port on the BlueCurve.  So, from a computer NOT connected to Shaw Internet (or connected wirelessly via the ShawOpen access-point network), make an attempt to connect to that port on your computer. Success? Failure to connect?

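The thread leaves open whether the "Medium" list is the full extent of what is blocked or just a convenience list on top of a default-deny policy. This added example (my own code, not from the thread, Shaw, or the XB6) models the quoted WAN-to-LAN entries as rules and evaluates sample inbound connections under both readings, with Port Forward entries assumed to open their port in either case, as mdk suggests; the ICMP entry is omitted since it carries no port.

```python
import re

# Constructed from the "Typical Security (Medium)" WAN-to-LAN list quoted in the thread.
MEDIUM_WAN_TO_LAN = """
IDENT (port 113)
kazaa - (TCP/UDP port 1214)
bittorrent - (TCP port 6881-6999)
gnutella- (TCP/UDP port 6346)
vuze - (TCP port 49152-65534)
"""

RULE_RE = re.compile(
    r"^(?P<name>\w+)\s*-?\s*\((?:(?P<proto>TCP/UDP|TCP|UDP)\s+)?"
    r"port\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?\)$"
)

def parse_rules(text):
    """Turn each listed entry into (name, {protocols}, low_port, high_port).
    The IDENT line names no protocol, so it is treated as both (conservative)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule line: {line!r}")
        proto = m["proto"]
        protos = {"TCP", "UDP"} if proto in (None, "TCP/UDP") else {proto}
        lo = int(m["lo"])
        hi = int(m["hi"] or lo)
        rules.append((m["name"], protos, lo, hi))
    return rules

def listed_as_blocked(rules, proto, port):
    """True if (proto, port) falls inside any entry on the Medium list."""
    return any(proto in protos and lo <= port <= hi for _, protos, lo, hi in rules)

def inbound_reaches_lan(proto, port, forwards=frozenset(), rules=None):
    """Evaluate one unsolicited WAN-to-LAN connection under the two readings
    debated in the thread. 'forwards' holds (proto, port) pairs that have a
    Port Forward entry (assumption: no port translation, so the PC must listen
    on that same port, e.g. RDP moved to the obscure port)."""
    rules = parse_rules(MEDIUM_WAN_TO_LAN) if rules is None else rules
    forwarded = (proto, port) in forwards
    return {
        # Reading 1: the list is the full extent of what is blocked; all else passes.
        "blocklist": forwarded or not listed_as_blocked(rules, proto, port),
        # Reading 2 (what the OP hopes for): everything is blocked unless forwarded.
        "default_deny": forwarded,
    }
```

Under reading 1 an unforwarded TCP/3389 reaches the PC, which is exactly why the OP's "is everything else open?" question matters; under reading 2 it does not.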