As mentioned in the other article (Linux: Ready for prime time?), I recently changed ISPs which meant that I had to change my routers as well (previous one was provisioned by my previous ISP). So I got hold of a Netgear RT314 router / gateway. RT314 BTW is an old and EOL product. Still its reviews are very good and it is said to be blazing fast. I need to check on that claim over a period of time, but still it should be good for me.

I tried configuring the router and the first thing that struck me as a con was that it was projecting the ports on the router as CLOSED instead of STEALTH (check http://www.grc.com for definitions) on a port scan. Which meant that theoretically, any person would be able to verify that there was a computer at my IP address and it was responding and launch attack against it, take over and do nasty things. Not good for me.

I checked the internet on how to block all the ports but could not come close to an authoritative answer. The router also has firewall technology built in so it should be blocking all those ports by default (default-deny) unless I asked it to pass traffic. Here it was doing exactly the opposite. Passing traffic by default (default-allow) unless I told it to block. The closest I got to an answer on how to do it was to forward all the ports to an non-existing IP address on my internal LAN (http://www.scotsnewsletter.com/04.htm#review1). That would be a very limiting and asking task. But as I noticed that this was for model FR314 and not RT314. In fact netgear claimed that they had taken care of the stealth issue in RT314. So I got thinking. Maybe this was something I could fix. I noticed that the firmware version on my router was v3.22 and netgear has released some more. The latest (and I suspect the last) was v3.25. So I went ahead and got it (http://kbserver.netgear.com/release_notes/d100167.asp). However, on that page they mention that this is not a critical update and should not be done if router is working properly. However in my opinion this is a critical update as it directly impacts the security of your network by exposing it to outside world.

Anyway, I got hold of the file and the next question was how do I update it. I don't have a serial cable and neither does my laptop has a serial port. After a brief search on the netgear knowledge base, I found the solution (http://kbserver.netgear.com/kb_web_files/n100447.asp). One of the biggest upgrade is improved web management interface and ability to specify port ranges for port forwarding. I completed the upgrade and did a port scan again before doing the port forwarding. And indeed all the ports were shown as stealth. I also did a port scan using nmap / Advanced port scanner remotely and it also showed all ports as blocked. So now I could open ports as necessary instead of blocking ports. This is much more secure and a best practice.