How to stealth the router

This is how I stealthed all ports on my router, according to the Probe My Ports/Shields Up test on www.grc.com

When you are logged in to the router go to the IP Filter screen, under the Services tab. You need to make sure that the Private and Public Default Actions are as shown in the picture below. Make sure that Private Default Action is set to Accept. This is quite important, as if set to deny you will lock yourself out from being able to access the router.

Public and Private Default Actions

Then click the Add button at the bottom of the screen. You will then get the window pictured below. This is the IP Filter screen filled in to stealth all ports on the router. Below the picture is a more detailed description of everything.

Adding an IP Filter screen

1 - Rule ID can be set to any number. If there is more than one rule, they are processed in the order of their Rule ID, from lowest to highest. For this reason it is best to increment the rule ID's by 5, or 10 so there is room to add more rules between existing ones in the future. In the example I have set the Rule ID to 10, as it is the first rule I have entered.

2 - Action should be set to do whatever you want to happen to any packet meeting the critera of the rule. In this case we want to accept packets that meet the criteria.

3 - Direction. Set this to Outgoing, so that all traffic originating from your LAN is allowed out.

4&5 - Interface. You can make a rule only apply to traffic that is of a certain protocol. We want this rule to apply to everything, so set both of these to All.

6 - Log Option. You can decide if you want the log to keep a record of each time the rule is used. For this rule it is probably best set to Disable, as otherwise your Log will be huge!

7 - Security Level. Choose which security levels you wish this rule to be active at. This entirely depends on if you use the security level feature or not. I don't. I always have it set on low, and so only need this rule to be active on low. If however you do use the Security Levels, then tick all the boxes.

8 - Blacklist Status. Set this to disables, as you don't need it.

9 - Log Tag. This is so you get a little description in the log telling you about the rule, rather than just getting the rule number. No point putting anything here, as we have disabled logging for this rule.

10 - Start and End Time. This is so you can set rules to be active only at certain times. This rule needs to be running all the time, so leave the settings as they are.

11 - Source and Destination IP Addresses. This is so that the rule can be set to be used only when packets come from certain IP addresses. We want this to apply to all traffic, so leave them set to any.

12 - Protocol. The rule can be limited to certain protocols. Again, leave this set to any so that all traffic uses this rule.

13 - Apply Stateful Inspection. This is the important option. You MUST tick it. With this rule, and the other settings mentioned later, we are allowing outgoing traffic, but blocking all incoming traffic. However, we need some things to get back, otherwise you wouldn't be able to access anything on the internet!. What this does is look at all incoming packets. It compares them to what has gone out from the router. If an incoming packet relates to a packet that went out from the router, then it is allowed in. If however it encounters a packet that is not related to an outgoing packet then it ignores it, and does not even reply with a port closed message. This is how the ports are stealthed.
In version 1.37 of the firmware, this option is called Store State. It does EXACTLY the same thing.

14 - Source/Desp Ports & TCP Flag. These are more options to narrow down specific traffic to be affected by the rule. These cannot be changed, as we have set Protocol (12) to any.

15 - ICMP. Again, these options let you narrow down specific traffic. Leave them set as they are.

16 - The Packet Size option lets you limit the rule to packets of a certain size. Just leave this and the other settings as they are.

17 - TOD Rule Status. Set this to enabled so that the rule is active.

Now click submit, and the rule will be added. We then need to change a few things on the main IP Filter screen, as shown below.

Screen showing a list of IP Filters

Security Level - This is how the online help describes this setting. "This setting determines which IP Filter rules take effect, based on the security level specified in each rule. For example, when High is selected, only those rules that are assigned a security value of High will be in effect. The same is true for the Medium and Low settings. When None is selected, IP Filtering is disabled."

Public Default Action - This refers to the WAN, or Internet side of the router. Set it to deny, so that nothing is allowed in from the internet, unless a certain rule lets it in, for example the rule above.

Private Default Action - This refers to the LAN side of the router. This MUST be set to Accept. If you don't make sure of this, you may end up blocking LAN access to the router config pages..

DMZ Default Action - Leave this set as it is..

Once you are sure it is working, remember to Commit the changes to the memory, on the Admin tab.

One thing to remember is that when you now create NAT rules to forward ports you will need corresponding IP Filter rules to 'open' up the ports so that the NAT rules will work.