
    Welcome to Sky User - The Unofficial Support Forum for everything Sky! - Proudly helping over 63k members.



    Handy Firewall Rules

    This is a discussion on Handy Firewall Rules within the Sky Router forums, part of the Sky Broadband help category.

    1. #1
      h8ball, Sky User Member
      Exchange: Wallsend
      Broadband ISP: Max
      Join Date: Feb 2007


      As a PC Engineer, I'm familiar with setting up Firewalls. As such, I'm starting this thread so that I can share some handy Firewall rules you can use with your Sky Router.

      Advanced users, please feel free to contribute any rules you've created if you think others will find them useful in better securing their systems.

      The first two rules I'll share with you are what I term GLOBAL LOCKOUT rules, which should go at the TOP of your rule lists, i.e. ABOVE any other rules:-

      Outgoing LOCKOUT
      Position in List: 1
      Enabled: No
      Service Name: Any(All)
      Action: Block Always
      LAN Users: Any
      WAN Servers: Any
      Log: Always

      Incoming LOCKOUT
      Position in List: 1
      Enabled: No
      Service Name: Any(All)
      Action: BLOCK always
      LAN Server IP Address: Any
      WAN Users: Any
      Log: Never

      These rules are normally Disabled to allow any rules AFTER them to be processed as normal. If Enabled, though, they force the Sky Router to behave in exactly the same way a Software Firewall does when you activate its "STOP all traffic" option. They're then ALWAYS matched FIRST, overriding ALL other rules, and will block ALL Internet access in one fell swoop!

      This is a VERY useful feature to have when you detect a malware infection (virus, trojan or spyware) INSIDE your network and suspect that it MAY be sending confidential details OUT to a remote server (i.e. Identity Theft). Enabling these two rules will STOP any and ALL remote network traffic entering OR leaving your local network, effectively LOCKING OUT Internet access in BOTH directions while you find and destroy the malware infection!

      Note that the Outgoing LOCKOUT rule is Always logged, so you can monitor the Router's log to find out WHAT target "home sites" the malware is trying to contact. This allows you to make a note of the target IP addresses in the log and add them to the Router's Block Sites keyword list. That way, if you're ever re-infected by the same malware again, the Router will automatically BLOCK it from contacting the same "home sites" it tried last time!

      I know it's a simple matter to STOP all Internet access by either powering the Router OFF or disconnecting its Modem line. However, this will "drop" your always-on connection to Sky's ISP network, and you MAY experience problems with the Router subsequently "failing to authenticate" with your local Sky ISP Server once it's back on-line! The advantage of using GLOBAL LOCKOUT rules is that you DON'T need to power OFF or disconnect anything.


      For anyone having difficulty figuring out HOW the Sky Router Firewall rules actually work, here's a quick run-down:-

      1. Incoming traffic triggers Incoming rule processing, and Outgoing traffic triggers Outgoing rule processing.

      2. Rules in the list are ALWAYS processed one at a time, from top to bottom.

      3. The FIRST rule "match" causes THAT rule's Action to be taken, after which rule processing STOPS!

      4. If there's NO match with any added rule, the default rule will ALWAYS match (it's designed to catch ALL traffic).

      5. The default Incoming rule is BLOCK ALL, which prevents ANY unsolicited traffic from getting IN. Any rules you add to this list will normally be ALLOW rules which override the default rule.

      6. The default Outgoing rule does the opposite, ALLOW ALL, which allows ALL traffic on your network OUT onto the Internet. Any rules you add to this list will normally be BLOCK rules, again to override the default rule.

      Note: If you're wondering HOW traffic gets IN when the default INcoming rule is BLOCK ALL, it's because the incoming side of ANY Firewall ALWAYS allows SOLICITED traffic ONLY. When local Device A (on your network) sends a request to remote Device B (on the Internet), the request packet's header contains Source=A, Target=B, i.e. A is requesting (or SOLICITING) replies from B. The Firewall then KNOWS that reply packets are EXPECTED from B back to A and will ONLY allow them IN if their headers contain Source=B, Target=A!

      Hope this helps.
      Last edited by h8ball; 08-02-07 at 10:30 PM.
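
The rule processing described in the post above, as an added example that is not part of the original post and is not Sky router firmware: a small Python model of first-match evaluation, the default rules, solicited replies and the two LOCKOUT rules. The class and function names and the sample addresses are assumptions made for illustration, as is the order in which enabled rules and solicited replies are checked.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str            # "BLOCK" or "ALLOW"
    enabled: bool = True
    service: str = "Any"   # "Any" matches every service
    log: bool = False

class Router:
    """Toy model of the rule processing described in the post (not Sky firmware)."""
    def __init__(self, outgoing, incoming):
        self.outgoing, self.incoming = outgoing, incoming
        self.expected = set()  # (remote, local) pairs a LAN device has solicited
        self.log = []

    def _first_match(self, rules, service, src, dst):
        for rule in rules:  # top to bottom; disabled rules are skipped
            if rule.enabled and rule.service in ("Any", service):
                if rule.log:
                    self.log.append((rule.name, src, dst))
                return rule.action  # first match wins, processing stops
        return None  # nothing matched: caller applies the default rule

    def send(self, local, remote, service):
        # Default Outgoing rule is ALLOW ALL.
        action = self._first_match(self.outgoing, service, local, remote) or "ALLOW"
        if action == "ALLOW":
            self.expected.add((remote, local))  # replies from remote now expected
        return action

    def receive(self, remote, local, service):
        # Assumption: enabled rules are checked before the solicited-reply table,
        # so an enabled Incoming LOCKOUT stops replies as well.
        action = self._first_match(self.incoming, service, remote, local)
        if action is None:  # default Incoming rule: BLOCK ALL unless solicited
            action = "ALLOW" if (remote, local) in self.expected else "BLOCK"
        return action

def demo(lockout_enabled):
    out_lock = Rule("Outgoing LOCKOUT", "BLOCK", enabled=lockout_enabled, log=True)
    in_lock = Rule("Incoming LOCKOUT", "BLOCK", enabled=lockout_enabled, log=False)
    router = Router([out_lock], [in_lock])
    pc, site, stranger = "192.168.0.2", "203.0.113.10", "198.51.100.7"  # constructed
    results = (router.send(pc, site, "HTTP"),         # LAN request going out
               router.receive(site, pc, "HTTP"),      # reply to that request
               router.receive(stranger, pc, "HTTP"))  # unsolicited inbound
    return results, router.log
```

Calling `demo(False)` shows normal operation with both LOCKOUT rules disabled; `demo(True)` shows every packet blocked and the outgoing attempt recorded in the log with its destination address.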
