GL-AR750 firewall is visible on Internet

tl;dr: the GL-AR750 “Creta” firewall is visible on the Internet. Unsolicited packets from the Internet to the WAN should be DROPped instead of REJECTed.

My GL-AR750 is being used as an Internet gateway (Network Mode Router).
Using GRC ShieldsUp! (Internet Vulnerability Profiling), I can test whether my device is visible on the Internet. Among the first 1024 ports (option All Service Ports), nearly all ports are CLOSED (they should all be STEALTH), and the device responds to pings. This means my device is replying to anonymous devices on the Internet. This invites many problems.

In the underlying firewall rules, unsolicited packets from the WAN should by default go to target DROP. Currently, they are going to target REJECT. ICMP pings should be DROPped.

Using firmware OpenWrt 19.07.8 r11364-ef56c85848 / LuCI openwrt-19.07 branch git-21.18e9.23240-7b931da

Why do you think stealth/drop is better than closed/reject?

There are people who want to know whether the device or a specific port is available.
In the case of monitoring, a device that is closed is a different situation from one that is unavailable.

I was able to change general policies from REJECT to DROP.

Using the Advanced interface (the LuCI package, a special install),
navigate to Network > General Settings > Firewall - Zone Settings > Zones.
Zone wan has Input = drop, Output = accept, Forward = drop, Masquerading checked.

This now passes the Shields Up! test.

https://192.168.1.1/cgi-bin/luci/admin/network/firewall

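Added example, not code from the thread or from GL.iNet: a small POSIX sh/awk audit of an OpenWrt `/etc/config/firewall` that flags the two behaviours discussed above (the wan zone's input/forward policy being REJECT rather than DROP, and echo-request being accepted from wan) and shows the hardened form. The sample config is constructed to mirror the OpenWrt 19.07 stock wan zone; `Allow-Ping` is the stock OpenWrt rule name, and the `harden` function is this example's own helper.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt /etc/config/firewall
# for the two behaviours discussed above (wan zone policy REJECT instead of
# DROP, and ICMP echo-request accepted from wan). POSIX sh + awk/sed only.
# Constructed sample: OpenWrt 19.07 stock wan zone and stock Allow-Ping rule.
SAMPLE_FIREWALL='
config zone
	option name "wan"
	option input "REJECT"
	option output "ACCEPT"
	option forward "REJECT"
	option masq "1"

config rule
	option name "Allow-Ping"
	option src "wan"
	option proto "icmp"
	option icmp_type "echo-request"
	option family "ipv4"
	option target "ACCEPT"
'

# audit_firewall CONFIG_TEXT: print one line per finding; exit status = count.
audit_firewall() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (type == "zone" && o["name"] == "wan") {
        if (o["input"] != "DROP") { printf "zone wan: input=%s (want DROP)\n", o["input"]; n++ }
        if (o["forward"] != "DROP") { printf "zone wan: forward=%s (want DROP)\n", o["forward"]; n++ }
      }
      if (type == "rule" && o["src"] == "wan" && o["proto"] == "icmp" &&
          o["icmp_type"] == "echo-request" && o["target"] == "ACCEPT") {
        printf "rule %s: replies to ICMP echo-request from wan\n", o["name"]; n++ }
      for (k in o) delete o[k]; type = ""
    }
    $1 == "config" { flush(); type = $2 }        # section header: flush previous
    $1 == "option" { v = $3; gsub(/["\047]/, "", v); o[$2] = v }   # strip quotes
    END { flush(); exit n }
  '
}

# harden CONFIG_TEXT: the fix from the thread (wan policies -> DROP) plus the
# ping rule switched to DROP so echo-requests from wan are silently dropped.
harden() {
  printf '%s\n' "$1" | sed -e 's/"REJECT"/"DROP"/' \
    -e '/"Allow-Ping"/,/option target/s/"ACCEPT"/"DROP"/'
}

audit_firewall "$SAMPLE_FIREWALL" || echo "findings: $?"
audit_firewall "$(harden "$SAMPLE_FIREWALL")" && echo "hardened config: no findings"
```

On a live router the same audit can be run against `/etc/config/firewall` by passing `"$(cat /etc/config/firewall)"` as the argument.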