Ubiquiti Edgerouter Leaves Open Ports
- 
 I originally posted over here: http://community.spiceworks.com/topic/518864-ubiquiti-edgerouter-external-management however it's been nothing but crickets. Pasted: Due to its low cost and glowing praises in the community, I put in a Ubiquiti Edgerouter at a small client site. It seems that the management interface (web and SSH) were available externally. The only external inbound rules are to allow stateful and drop all. While I was able to force the management interface to listen on the internal interface only via the "set service gui listen address" command, a port scan reveals that the ports are still open. How do I close all external ports?
 Update: Rebooting the device after the config closed up some of the ports. Remaining open on the external interface are: 21, 554, 22, 7070, 843. How do I get these ports closed?
- 
 Do you have a firewall rule for the WAN_IN and WAN_LOCAL? Post on the Ubiquiti forums. There will be the best responses. http://community.ubnt.com Also, how are you doing your security test, by the way?
- 
 @JaredBusch said: Do you have a firewall rule for the WAN_IN and WAN_LOCAL? Post on the Ubiquiti forums. There will be the best responses. http://community.ubnt.com Also, how are you doing your security test, by the way?
 In this device's case, it's Internet_In:
 name Internet_In {
     default-action drop
     description "Inbound traffic to firewall from outside"
     enable-default-log
     rule 1 {
         action accept
         description "Stateful traffic"
         log disable
         protocol all
         state {
             established enable
             invalid disable
             new disable
             related enable
         }
     }
     rule 2 {
         action drop
         log disable
         protocol all
         state {
             established disable
             invalid enable
             new disable
             related disable
         }
     }
 }
 I don't see anything local. A third-party PCI assessment picked it up first, and I'm not privy to their methods. I'm using Nmap.
- 
 @alexntg 
 The WAN_LOCAL handles traffic from the internet to the router itself.
 name WAN_LOCAL {
     default-action drop
     description "WAN to Router"
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
     rule 5 {
         action accept
         description "ICMP 50/m"
         limit {
             burst 1
             rate 50/minute
         }
         log enable
         protocol icmp
     }
     rule 6 {
         action accept
         description "Accept VPN"
         ipsec {
             match-ipsec
         }
         log disable
         protocol all
         source {
             address 10.202.253.0/24
         }
         state {
             established enable
             invalid disable
             new enable
             related enable
         }
     }
     rule 7 {
         action accept
         description "Allow OpenVPN"
         destination {
             address 12.XXX.239.42/32
             port 1193-1194
         }
         log disable
         protocol udp
         state {
             established enable
             invalid disable
             new enable
             related enable
         }
     }
 }
- 
 @alexntg 
 And it is applied on the interface like so:
 ethernet eth2 {
     address 12.XXX.239.42/29
     address 12.XXX.239.43/29
     address 12.XXX.239.44/29
     description WAN
     duplex auto
     firewall {
         in {
             name WAN_IN
         }
         local {
             name WAN_LOCAL
         }
     }
     speed auto
     traffic-policy {
         out VoIP
     }
 }
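 The difference between the original poster's config (an "in" ruleset only) and the config in the two posts above (a WAN_LOCAL ruleset attached under "local") is the whole fix: "in" filters traffic forwarded through the router, "local" filters traffic addressed to the router itself, which is where SSH and the GUI listen. The following is an added example, not code from this thread or from Ubiquiti. It parses an EdgeOS-style brace config dump into nested dictionaries and then checks that each named WAN interface has a "local" ruleset attached whose default-action is explicitly drop. The two config snippets are constructed from the posts in this thread, trimmed to the rules that matter, with documentation-range addresses in place of the poster's masked ones; the interface name eth2 and the function names are this example's own.

```python
# Added example: audit an EdgeOS (Vyatta-style) config dump for WAN interfaces
# with no 'local' firewall ruleset. Not code from the thread or from Ubiquiti.

# Constructed from the original poster's config: 'in' ruleset only, no 'local'.
BEFORE = """\
firewall {
    name Internet_In {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth2 {
        address 192.0.2.42/29
        description WAN
        firewall {
            in {
                name Internet_In
            }
        }
    }
}
"""

# Constructed from the corrected config posted above: WAN_IN on 'in' plus a
# WAN_LOCAL ruleset on 'local'. Built from BEFORE so the two differ only there.
WAN_LOCAL_RULESET = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
}
"""
AFTER = BEFORE.replace("Internet_In", "WAN_IN").replace(
    "firewall {\n            in {",
    "firewall {\n            local {\n                name WAN_LOCAL\n            }\n            in {",
) + WAN_LOCAL_RULESET


def parse_config(text):
    """Parse brace-style config text into nested dicts.

    'key value' lines become {"key": "value"} (quotes stripped, bare flags such
    as enable-default-log become True, repeated keys become lists);
    'a b {' opens a block reachable as node["a"]["b"]; '}' closes it.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        node = stack[-1]
        if line.endswith("{"):
            for key in line[:-1].split():   # e.g. "ethernet eth2" -> two levels
                node = node.setdefault(key, {})
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        value = value.strip().strip('"') if value else True
        if key in node:                     # repeated leaf (e.g. several address lines)
            prev = node[key] if isinstance(node[key], list) else [node[key]]
            node[key] = prev + [value]
        else:
            node[key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def audit_wan_local(config, wan_interfaces=("eth2",)):
    """Return a list of findings; empty means every WAN interface has a 'local'
    ruleset attached whose default-action is explicitly drop."""
    findings = []
    rulesets = config.get("firewall", {}).get("name", {})
    ethernet = config.get("interfaces", {}).get("ethernet", {})
    for ifname in wan_interfaces:
        iface = ethernet.get(ifname)
        if iface is None:
            findings.append(f"{ifname}: interface not present in config")
            continue
        local = iface.get("firewall", {}).get("local", {}).get("name")
        if not local:
            findings.append(f"{ifname}: no 'local' firewall ruleset, so router services "
                            "(SSH, GUI) are filtered only by their listen address")
            continue
        ruleset = rulesets.get(local)
        if ruleset is None:
            findings.append(f"{ifname}: local ruleset {local!r} referenced but not defined")
        elif ruleset.get("default-action") != "drop":
            findings.append(f"{ifname}: ruleset {local!r} default-action is not explicitly drop")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        findings = audit_wan_local(parse_config(text))
        print(f"{label}: {'OK' if not findings else findings}")
```

 Run against a real dump (the output of `show configuration` on the router, saved to a file), the "before" case reports eth2 as missing a local ruleset and the "after" case reports nothing. The check is deliberately narrow: it confirms the ruleset is attached and defaults to drop, which is what moves the router's own listeners out of reach from the WAN; it does not reason about individual accept rules, so a permissive rule 1 still needs a human eye.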
- 
 I'll give it a go this weekend when I have hands-on with the device, just in case something should go wrong. 
- 
 Definitely looking to see a follow up on this one. 
- 
 @alexntg said: @StrongBad said: Definitely looking to see a follow up on this one. It's not the weekend yet. Did you ever apply the correct firewall rules to the unit? 
- 
 It got backburnered, but I just worked on it this morning. It worked like a charm! 
- 
 @alexntg said: It got backburnered, but I just worked on it this morning. It worked like a charm! Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion. 
- 
 We are about to put one in at home. 
- 
 For home use, check out the Sophos UTM Home Edition. It's a full-featured UTM for home.
- 
 @JaredBusch said: @alexntg said: It got backburnered, but I just worked on it this morning. It worked like a charm! Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion. I picked it up for a small 15-person company that has minimal requirements other than PCI (they process card payments online). While they're tiny, there was a gap between the home-edition devices and business-class devices in regard to filtering outbound traffic. Ubiquiti seems to fill that niche. 
- 
 @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti. 
- 
 @scottalanmiller said: @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti. The pricing for the home edition is publicly posted: 
 http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
 As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.
- 
 @scottalanmiller said: @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti. There's no comparison in feature set. Aside for niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features. 
- 
 @alexntg said: There's no comparison in feature set. Aside for niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features. The EdgeMax Router line is not a Network Security Appliance. It is a router. Do not mix up the device's purpose. 
- 
 @alexntg said: @scottalanmiller said: @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti. The pricing for the home edition is publicly posted: 
 http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
 As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.
 It's free for software, but not the appliance. VyOS is free too.