It seems like a good idea, since we have now access (again) to the router, try to do our best to lock out the provider, and avoid further remote configurations / upgrades.
This is what I did, feel free to find other methods and add a comment to this post :)
- Activate the firewall, and block – with a specific rule – port 4567 (is used for remote control)
- Delete the firewall rule that allows access – via telnet – from a specific list of networks, but write down those networks (these are the networks from which the provider connects to do remote maintenance)
- Create a static route for every network noted in the previous step, redirecting to a non-existing gateway (ie. 0.0.0.0)
A note on the last point: when you restart the router, it will fail to connect to the ACS (remote configuration) server. This is a nice thing, but because of this the ‘Fastweb’ led will remain red, and the ‘Ethernet’ and ‘WiFi’ leds will remain off. This is just aesthetic: wireless and wired network works perfectly.
Usual disclaimer: these are not general purpose instructions – I cannot guarantee it will work for you. Use them at your own risk.
