I am not responsible if your devices send you back in time, explode, implode, brick or fly into space from the use of any software I put up.


Tuesday, June 10, 2014

OpenWRT on GRC ShieldsUP

This post describes how to configure your OpenWrt router to pass the GRC ShieldsUP test.

By default OpenWrt is already safe, but GRC has certain assumptions about what it means to be secure.

Their test requires the router to behave as follows:
  1. Drop all unsolicited packets silently
  2. Do not respond to pings
So we need to make the following adjustments.

Make the default policy 'drop'.
We also need to set the policy of the internet-facing zone to drop.
However, if you have a separate guest network, it is OK to set that one to reject because it is not internet facing.

We also need to set our router to ignore WAN pings.
However, we still want to be able to ping internet hosts like Google so that we can still test our connectivity.
Instead of deleting the rule, we change it to accept only echo-reply.
When we ping internet routers and servers, we send echo-request ICMP packets to them and they reply with echo-reply ICMP packets.
With this change, if any internet system tries to ping the router by sending echo-request packets, they are dropped silently, but when we send echo-request packets and receive replies, the replies are accepted.
However, this assumes that internet systems will not spoof an echo-reply packet to our router, which may not be true.
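The three changes above end up in the router's `/etc/config/firewall`. The script below is an added example, not part of the original post: it reads a UCI firewall config on stdin and reports which of those settings are still missing. It assumes the internet-facing zone is named `wan`; the function names and the sample config are constructed for illustration.

```shell
# Added example: audit a UCI firewall config (stdin) for the three settings above.
# Assumes the internet-facing zone is named "wan". Prints one line per finding.
audit_fw() {
  awk -v q="'" '
    function val(   v) {            # option value: rest of line, quotes stripped
      v = $0; sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", v)
      gsub("[" q "\"]", "", v); sub(/[ \t]+$/, "", v); return v
    }
    function flush(   pol) {        # evaluate the section that just ended
      pol = toupper(o["input"]); if (pol == "") pol = "unset"
      if (type == "defaults" && pol != "DROP")
        print "defaults: input=" pol ", want DROP"
      if (type == "zone" && o["name"] == "wan" && pol != "DROP")
        print "zone wan: input=" pol ", want DROP"
      # src wan without dest means traffic to the router itself;
      # a missing icmp_type matches every ICMP type, echo-request included.
      if (type == "rule" && o["src"] == "wan" && o["dest"] == "" &&
          o["proto"] == "icmp" && toupper(o["target"]) == "ACCEPT" &&
          (o["icmp_type"] == "" || index(" " o["icmp_type"] " ", " echo-request ")))
        print "rule " o["name"] ": accepts echo-request from wan"
      split("", o)                  # clear options for the next section
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" || $1 == "list" { o[$2] = (o[$2] == "" ? "" : o[$2] " ") val() }
    END { flush() }
  '
}

# Constructed sample (not taken from the post): config before the changes.
sample_before() { cat <<'EOF'
config defaults
  option input 'ACCEPT'
config zone
  option name 'wan'
  option input 'REJECT'
config rule
  option name 'Allow-Ping'
  option src 'wan'
  option proto 'icmp'
  option icmp_type 'echo-request'
  option target 'ACCEPT'
EOF
}

# Same sample with the post's changes applied: input DROP, echo-reply only.
sample_after() {
  sample_before | sed -e "s/option input '[A-Z]*'/option input 'DROP'/" \
                      -e "s/echo-request/echo-reply/"
}
```

On the router itself, `audit_fw < /etc/config/firewall` prints nothing once all three settings are in place.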

