Hi. I have a ASUS router running Advanced Tomato. It's been fun to tinker with. I usually don't even enable WIFI, but I am enabling WIFI. I am wondering if I should enable WIFI on the Xfinity router, or the tomato router which is after the xfinity modem/router. I see a lot of annoying traffic from the Xfinity router in wireshark. Not sure which route would be more secure.
Are they chained? Asus plugged into Xfinity? If yes, then Asus should be blocking unsolicited inbound trash. I would enable wifi on Asus, the internal router. Just setup the keyphrase and good password. And MAC address filters if you so wish. But some of this depends on what else is hooked up. Xfinity might need to access your TV I suppose.
Yes Asus is plugged into xfinity. Thanks. As a total scattershot, noob approach, I put this iptables firewall 'script' into tomatos built in firewall location. I'm sure it may be horrendous and cancels out its own rules? # Base policy :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Don't attempt to firewall internal traffic on the loopback device. iptables -A INPUT -i lo -j ACCEPT # Continue connections that are already established or related to an established # connection. iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Drop non-conforming packets, such as malformed headers, etc. iptables -A INPUT -m conntrack --ctstate INVALID -j DROP # Block remote packets claiming to be from a loopback address. iptables -4 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP iptables -6 -A INPUT -s ::1/128 ! -i lo -j DROP # Drop all packets that are going to broadcast, multicast or anycast address. iptables -4 -A INPUT -m addrtype --dst-type BROADCAST -j DROP iptables -4 -A INPUT -m addrtype --dst-type MULTICAST -j DROP iptables -4 -A INPUT -m addrtype --dst-type ANYCAST -j DROP iptables -4 -A INPUT -d 224.0.0.0/4 -j DROP # Chain for preventing SSH brute-force attacks. # Permits 10 new connections within 5 minutes from a single host then drops # incomming connections from that host. Beyond a burst of 100 connections we # log at up 1 attempt per second to prevent filling of logs. iptables -N SSHBRUTE iptables -A SSHBRUTE -m recent --name SSH --set iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: " iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP iptables -A SSHBRUTE -j ACCEPT # Chain for preventing ping flooding - up to 6 pings per second from a single # source, again with log limiting. Also prevents us from ICMP REPLY flooding # some victim when replying to ICMP ECHO from a spoofed source. iptables -N ICMPFLOOD iptables -A ICMPFLOOD -m recent --set --name ICMP --rsource iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: " iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP iptables -A ICMPFLOOD -j ACCEPT iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp -s 192.168.1.22 -m tcp --dport 22 -j ACCEPT iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -P OUTPUT ACCEPT iptables -P INPUT DROP