How to enable firewall in AEBS (or Time Capsule) to silently ignore unauthorized port access?

I have to use my Time Capsule as my internet gateway for NAT and DHCP. (I used to use the Cable Modem, but Time Warner wants to nickel-and-dime me for basic features like port forwarding.)


Anyhow, I'm noticing something peculiar about the built-in firewall. Normally, with a firewall disabled, if someone tries to connect to a port with no listener, they'll get connection refused. If the firewall is enabled, then the device with the firewall simply doesn't even respond, and the connection attempt eventually times out. The reason for this is that by dropping unauthorized connection attempts silently, it makes it harder to do port scanning. If you try to connect, and there's no response, you don't know that the device is there; if it refuses the connection, then you can start wardialing to see what ports are open.


I tested this with my Time Capsule. With forwarding set up, if I make an external connection to a forwarded port, it works correctly. If I make an external connection to a port not being forwarded, there is an explicit refusal ("No route to host", it says). This makes me really nervous.


Is there a way to set up the TC so that its firewall silently ignores anything unauthorized, like a normal firewall does?


Thanks.

Posted on Sep 10, 2013 9:38 AM
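The three behaviours the question contrasts (explicit refusal, "No route to host", and a silent drop that only times out) are distinguishable from the connecting side by how connect() fails. The following Python script is an added example, not part of this thread or of any Apple tool, for checking which of those your own gateway exhibits: run it from outside your network against your own public address, once on a forwarded port and once on a port that is not forwarded, and compare the results with what theosib reports. The names `probe`, `classify_errno` and the local helper functions are my own; the loopback helpers exist only so the "open" and "refused" cases can be demonstrated offline.

```python
import errno
import socket
from contextlib import contextmanager

# Outcome of a single TCP connect() attempt, as seen by the connecting side.
OPEN = "open"                # handshake completed: a listener or a forwarding rule answered
REFUSED = "refused"          # TCP RST came back: the device is there and actively declines
UNREACHABLE = "unreachable"  # ICMP unreachable came back ("No route to host" in the post)
FILTERED = "filtered"        # nothing came back before the timeout: silently dropped


def classify_errno(code):
    """Map the errno of a failed connect() (int or errno name) to one of the outcomes above."""
    if isinstance(code, str):
        code = getattr(errno, code)
    if code == errno.ECONNREFUSED:
        return REFUSED
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    if code == errno.ETIMEDOUT:
        return FILTERED
    return "error:%s" % errno.errorcode.get(code, code)


def probe(host, port, timeout=3.0):
    """Make one TCP connection attempt and report how the remote end answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:          # no SYN-ACK and no RST within the timeout
        return FILTERED
    except OSError as e:            # kernel reported a definite failure
        return classify_errno(e.errno)
    finally:
        s.close()


@contextmanager
def local_listener():
    """Throwaway listener on 127.0.0.1 (constructed fixture) so the 'open' case runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)                   # the kernel completes the handshake from the backlog
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def free_closed_port():
    """Pick a loopback port with no listener (bind an ephemeral port, then release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo_open_locally():
    """Expected: 'open' (a loopback listener accepts the handshake)."""
    with local_listener() as port:
        return probe("127.0.0.1", port, timeout=1.0)


def demo_closed_locally():
    """Expected: 'refused' (loopback has no firewall, so a closed port answers with RST)."""
    return probe("127.0.0.1", free_closed_port(), timeout=1.0)


if __name__ == "__main__":
    print("loopback listener :", demo_open_locally())
    print("loopback closed   :", demo_closed_locally())
    # Against your own gateway from outside (placeholder address and ports):
    # print(probe("YOUR.PUBLIC.IP", 22))     # forwarded port    -> expect 'open'
    # print(probe("YOUR.PUBLIC.IP", 12345))  # not forwarded     -> 'unreachable' on the
    #                                        #   Time Capsule, 'filtered' on a silent-drop router
```

A gateway that silently drops yields `filtered` and nothing else, which is the behaviour the question asks for; `refused` or `unreachable` means the device answered and therefore confirmed it is there.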

Question marked as Best reply

Posted on Sep 10, 2013 9:47 AM

Is there a way to set up the TC so that its firewall silently ignores anything unauthorized, like a normal firewall does?

Sorry, but no. This is not a feature of the Apple routers. If this is important to you, I would recommend that you use a router that offers this feature, like those provided by Cisco.


Interestingly, Apple provides this feature on their Macs, but not their routers.

4 replies
Sep 10, 2013 9:49 AM in response to theosib

I found a temporary work-around. Under "Network > Network Options", there is an option to "Enable default host at:". I'm guessing that this would be the DMZ host. If I enable that and provide an internal IP address outside of the DHCP range, then unauthorized accesses are routed to this nonexistent machine.


My worry there is that now, all unauthorized accesses will turn into extra traffic on my internal network, broadcasting on my wireless, etc. (because the switches don't know the route to the host, they have no choice but to send out on every leg of the network).


So I'm hoping we can find a proper solution to this.


Thanks.