Template:Networking rutos manual firewall: Difference between revisions
Revision as of 10:51, 19 May 2022
Gytispieze: no edit summary
(43 intermediate revisions by 4 users not shown)
Line 1: | Line 1: | ||
{{Template:Networking_rutos_manual_fw_disclosure | {{Template: Networking_rutos_manual_fw_disclosure | ||
| fw_version = {{{series}}} | | fw_version ={{Template: Networking_rutos_manual_latest_fw | ||
| | | series = {{{series}}} | ||
| name = {{{name}}} | |||
}} | |||
}} | }} | ||
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}} | |||
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}} | |||
==Summary== | |||
{{{name}}} devices use a standard Linux iptables package as its <b>firewall</b>, which uses routing chains and policies to facilitate control over inbound and outbound traffic. | |||
This chapter of the user manual provides an overview of the Firewall page for {{{name}}} devices. | |||
{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer | {{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer | ||
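Review bot: in the new Summary paragraph, `{{{name}}} devices use a standard Linux iptables package as its <b>firewall</b>` pairs a plural subject with a singular pronoun; suggest `as their <b>firewall</b>`. The nested call `{{Template: Networking_rutos_manual_latest_fw | series = {{{series}}}` writes a space after `Template:` while the `{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer` call on the same page does not; one spelling would make the template calls easier to search for.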
Line 12: | Line 17: | ||
}} | }} | ||
==General | ==General Settings== | ||
The <b>General Settings</b> section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section: | The <b>General Settings</b> section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section: | ||
Line 25: | Line 30: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Drop invalid packets</td> | ||
<td>off | on; | <td>off | on; default: <b>off</b></td> | ||
<td> | <td>If enabled, a "Drop" action will be performed on packets that are determined to be invalid.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Automatic helper assignment</td> | ||
<td>off | on; | <td>off | on; default: <b>on</b></td> | ||
<td>If | <td>Automatically assigns conntrack helpers based on traffic protocol and port. If turned off, conntrack helpers can be selected for each zone.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Input</td> | <td>Input</td> | ||
<td>Reject | Drop | Accept; | <td>Reject | Drop | Accept; default: <b>Reject</b></td> | ||
<td>Default action<span class="asterisk">*</span> of the INPUT chain if a packet does not match any existing rule on that chain.</td> | <td>Default action<span class="asterisk">*</span> of the INPUT chain if a packet does not match any existing rule on that chain.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Output</td> | <td>Output</td> | ||
<td>Reject | Drop | Accept; | <td>Reject | Drop | Accept; default: <b>Accept</b></td> | ||
<td>Default action<span class="asterisk">*</span> of the OUTPUT chain if a packet does not match any existing rule on that chain.</td> | <td>Default action<span class="asterisk">*</span> of the OUTPUT chain if a packet does not match any existing rule on that chain.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Forward</td> | <td>Forward</td> | ||
<td>Reject | Drop | Accept; | <td>Reject | Drop | Accept; default: <b>Reject</b></td> | ||
<td>Default action<span class="asterisk">*</span> of the FORWARD chain if a packet does not match any existing rule on that chain.</td> | <td>Default action<span class="asterisk">*</span> of the FORWARD chain if a packet does not match any existing rule on that chain.</td> | ||
</tr> | </tr> | ||
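Review bot: the new `Drop invalid packets` row says packets `determined to be invalid` are dropped without saying what the firewall counts as invalid; since the default is off, a reader deciding whether to enable it needs one clause on the criterion (for example, that the packet cannot be associated with any tracked connection). The new `Automatic helper assignment` row reads well, but its last sentence (`If turned off, conntrack helpers can be selected for each zone.`) would be more useful with a pointer to the zone Advanced Settings table where that selector lives.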
Line 57: | Line 62: | ||
<li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, a message of rejection is sent to the source from which the packet came.</li> | <li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, a message of rejection is sent to the source from which the packet came.</li> | ||
</ul> | </ul> | ||
===Routing/NAT Offloading=== | |||
---- | |||
The <b>Routing/NAT Offloading</b> is used to turns software flow offloading on or off. | |||
The device checks whether the flow (sequence of related packets) is of a received a packed is known. Packets of unknown flow are forwarded to the networking stack. Meanwhile, if the flow is known, NAT is applied (if matched) and the packet is forwarded to the correct destination port. This process is called <b>software flow offloading</b>. | |||
[[File:Networking_rutos_manual_firewall_general_settings_routing_nat_offloading.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Software flow offloading</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | |||
<td>Turns software flow offloading on or off.</td> | |||
</tr> | |||
</table> | |||
===Zones=== | ===Zones=== | ||
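Review bot: the new Routing/NAT Offloading paragraph has two grammar defects: `is used to turns software flow offloading on or off` should read `is used to turn`, and `checks whether the flow (sequence of related packets) is of a received a packed is known` is garbled; suggest `checks whether the flow (sequence of related packets) that a received packet belongs to is known`. In the new table, `<td>off {{!}} on; default: <b>off</b></td>` uses `{{!}}` as the separator while every other value cell on the page writes a bare `|`; mixing the two forms makes the tables harder to maintain.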
Line 68: | Line 94: | ||
[[File:Networking_rutos_manual_firewall_general_settings_zones_edit_button.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_general_settings_zones_edit_button.png|border|class=tlt-border]] | ||
====Zones: | ====Zones: General Settings==== | ||
---- | ---- | ||
[[File:Networking_rutos_manual_firewall_general_settings_zones_general_settings.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_general_settings_zones_general_settings.png|border|class=tlt-border]] | ||
Line 85: | Line 111: | ||
<tr> | <tr> | ||
<td>Input</td> | <td>Input</td> | ||
<td>Reject | Drop | Accept; | <td>Reject | Drop | Accept; default: <b>Accept</b></td> | ||
<td>Default policy for traffic entering the zone.</td> | <td>Default policy for traffic entering the zone.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Output</td> | <td>Output</td> | ||
<td>Reject | Drop | Accept; | <td>Reject | Drop | Accept; default: <b>Accept</b></td> | ||
<td>Default policy for traffic originating from and leaving the zone.</td> | <td>Default policy for traffic originating from and leaving the zone.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Forward</td> | <td>Forward</td> | ||
<td>Reject | Drop | Accept; | <td>Reject | Drop | Accept; default: <b>Reject</b></td> | ||
<td>Default policy for traffic forwarded between the networks belonging to the zone.</td> | <td>Default policy for traffic forwarded between the networks belonging to the zone.</td> | ||
</tr> | </tr> | ||
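Review bot: the zone `Input`/`Output`/`Forward` rows give defaults of Accept/Accept/Reject while the General Settings rows for the same chains give Reject/Accept/Reject, and neither table says how a zone policy and the general default relate; one sentence stating that the general default applies only to packets matching no rule on the chain (as the General Settings description already says) and that the zone policy covers traffic entering, leaving or forwarded within that zone would stop readers from assuming the global Reject also applies to zone traffic.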
Line 115: | Line 141: | ||
</table> | </table> | ||
====Zones: | ====Zones: Advanced Settings==== | ||
---- | ---- | ||
[[File: | [[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 147: | Line 173: | ||
<tr> | <tr> | ||
<td>Enable logging on this zone</td> | <td>Enable logging on this zone</td> | ||
<td>off | <span style="color: | <td>off | <span style="color: #1550bf; font-weight: bold;">on</span>; default: <b>off</b></td> | ||
<td>Logs packets that hit this rule.</td> | <td>Logs packets that hit this rule.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: | <td><span style="color: #1550bf;">Limit log messages</span></td> | ||
<td>integer/minute; default: <b>none</b></td> | <td>integer/minute; default: <b>none</b></td> | ||
<td>Limit how many messages can be logged in the span of 1 minute. For example, to log 50 packets per minute use: <i>50/minute</i>.</td> | <td>Limit how many messages can be logged in the span of 1 minute. For example, to log 50 packets per minute use: <i>50/minute</i>.</td> | ||
</tr> | |||
<tr> | |||
<td>Conntrack helpers</td> | |||
<td> Amanda backup and archiving proto (AMANDA) | FTP passive connection tracking (FTP) | RAS proto tracking (RAS) | Q.931 proto tracking (Q.931) | IRC DCC connection tracking (IRC) | NetBIOS name service broadcast tracking (NETBIOS-NS) | PPTP VPN connection tracking (PPTP) | SIP VoIP connection tracking (SIP) | SNMP monitoring connection tracking (SNMP) | TFTP connection tracking (TFTP); default: <b>none</b></td> | |||
<td><b>This option appears only when automatic helper assignment option in the firewall's general settings is disabled. </b>Explicitly choses allowed connection tracking helpers for zone traffic.</td> | |||
</tr> | </tr> | ||
</table> | </table> | ||
====Zones: | ====Zones: Inter-zone Forwarding==== | ||
---- | ---- | ||
The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones. | The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones. | ||
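Review bot: in the `Enable logging on this zone` row, `Logs packets that hit this rule.` refers to a rule although the setting belongs to a zone; suggest `Logs packets matched by this zone's policies.` In the new `Conntrack helpers` row, `Explicitly choses` should be `Explicitly chooses`, and the bold lead sentence could name the setting it depends on exactly as it appears in the General Settings table (`Automatic helper assignment`) so readers can find it.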
Line 181: | Line 212: | ||
</table> | </table> | ||
==Port | ==Port Forwards== | ||
<b>Port forwarding</b> is a way of redirecting an incoming connection to another IP address, port or the combination of both: | <b>Port forwarding</b> is a way of redirecting an incoming connection to another IP address, port or the combination of both: | ||
Line 189: | Line 220: | ||
The Port forwards table displays configured port forwarding rules currently configured on the device. | The Port forwards table displays configured port forwarding rules currently configured on the device. | ||
[[File:Networking_rutos_manual_firewall_port_forwards_port_forwards.png]] | [[File:Networking_rutos_manual_firewall_port_forwards_port_forwards.png|border|class=tlt-border]] | ||
===New | ===Add New Port Forward=== | ||
---- | ---- | ||
The <b>New | The <b>Add New Port Forward</b> section is used to quickly add additional port forwarding rules. The figure below is an example of the Add New Port Forward section and the table below provides information on the fields contained in that section: | ||
[[File:Networking_rutos_manual_firewall_port_forwards_add_new_port_forward.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_port_forwards_add_new_port_forward.png|border|class=tlt-border]] | ||
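Review bot: `The Port forwards table displays configured port forwarding rules currently configured on the device.` repeats `configured`; suggest `displays the port forwarding rules currently configured on the device.`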
Line 207: | Line 238: | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td>Name of the rule. This is used for easier management purposes.</td> | <td>Name of the rule. This is used for easier management purposes.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 222: | Line 243: | ||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | ||
<td>The port number to which hosts will be connecting.<td> | <td>The port number to which hosts will be connecting.<td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
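Review bot: the context line `<td>The port number to which hosts will be connecting.<td>` closes the cell with `<td>` instead of `</td>` on both sides of the diff; it predates this revision but is worth fixing while the table is being touched, since the unclosed cell can swallow the following `</tr>`.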
Line 240: | Line 256: | ||
</table> | </table> | ||
===Port | ===Port Forwards Configuration=== | ||
---- | ---- | ||
While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | ||
[[File: | [[File:Networking_rutos_manual_firewall_port_forwards_edit_button.png|border|class=tlt-border]] | ||
You will be redirected to that rule's configuration page: | You will be redirected to that rule's configuration page: | ||
[[File: | [[File:Networking_rutos_manual_firewall_port_forwards_configuration.png|border|class=tlt-border]] | ||
| | |||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
<tr> | <tr> | ||
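Review bot: the paragraph still says `the New port forward section` twice, although this revision renames that heading to `Add New Port Forward`; update both mentions so the cross-reference matches the heading.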
Line 275: | Line 289: | ||
<tr> | <tr> | ||
<td>Source zone</td> | <td>Source zone</td> | ||
<td>firewall zone name; default: | <td>firewall zone name; default: <b>wan</b></td> | ||
<td>The zone to which the third party will be connecting. (Same thing as "External zone" in the New port forward section.)</td> | <td>The zone to which the third party will be connecting. (Same thing as "External zone" in the New port forward section.)</td> | ||
</tr> | </tr> | ||
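Review bot: `(Same thing as "External zone" in the New port forward section.)` refers to the section by its old name after this revision renames the heading to `Add New Port Forward`; update the reference.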
Line 281: | Line 295: | ||
<td>Source MAC address</td> | <td>Source MAC address</td> | ||
<td>mac; default: <b>none</b></td> | <td>mac; default: <b>none</b></td> | ||
<td>MAC address | <td>MAC address of connecting hosts.<br>The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 305: | Line 319: | ||
<tr> | <tr> | ||
<td>Internal zone</td> | <td>Internal zone</td> | ||
<td>firewall zone name; default: | <td>firewall zone name; default: <b>lan</b></td> | ||
<td>The zone to which the incoming connection will be redirected.</td> | <td>The zone to which the incoming connection will be redirected.</td> | ||
</tr> | </tr> | ||
Line 330: | Line 344: | ||
</table> | </table> | ||
==Traffic | ==Traffic Rules== | ||
The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table: | The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table: | ||
[[File: | [[File:Networking_rutos_manual_firewall_traffic_rules.png|border|class=tlt-border]] | ||
===Traffic | ===Traffic Rule Configuration=== | ||
---- | ---- | ||
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | ||
[[File: | [[File:Networking_rutos_manual_firewall_traffic_rules_edit_button.png|border|class=tlt-border]] | ||
You will be redirected to that rule's configuration page: | You will be redirected to that rule's configuration page: | ||
[[File: | [[File:Networking_rutos_manual_firewall_traffic_rules_configuration_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 354: | Line 368: | ||
<tr> | <tr> | ||
<td>Enable</td> | <td>Enable</td> | ||
<td>off | on; | <td>off | on; default <b>on</b></td> | ||
<td>Turns the rule on or off.</td> | <td>Turns the rule on or off.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Name</td> | <td>Name</td> | ||
<td>string; | <td>string; default <b>none</b></td> | ||
<td>Name of the rule. This is used for easier management purposes.</td> | <td>Name of the rule. This is used for easier management purposes.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Restrict to address family</td> | <td>Restrict to address family</td> | ||
<td>IPv4 and IPv6 | IPv4 only | IPv6 only; | <td>IPv4 and IPv6 | IPv4 only | IPv6 only; default: <b>IPv4 and IPv6</b></td> | ||
<td>IP address family to which the rule will apply to.</td> | <td>IP address family to which the rule will apply to.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Protocol</td> | <td>Protocol</td> | ||
<td>TCP+UDP | TCP | UDP | ICMP | -- custom --; | <td>TCP+UDP | TCP | UDP | <span style="color:red">ICMP</span> | -- custom --; default: <b>TCP+UDP</b></td> | ||
<td>Specifies to which protocols the rule should apply.</td> | <td>Specifies to which protocols the rule should apply.</td> | ||
</tr> | |||
<tr> | |||
<td><span style="color:red"> Match ICMP type</span></td> | |||
<td>-- Custom -- | Any | ICMP-type; default: '''none'''</td> | |||
<td>Allows matching specific ICMP types.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
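Review bot: the new `Match ICMP type` row writes its default as `'''none'''` while every other row on the page uses `<b>none</b>`, and spells the custom option `-- Custom --` where the Protocol row above it spells `-- custom --`; align both. The `<span style="color:red">` around `ICMP` and `Match ICMP type` reads like a change marker left in the document rather than the dependency colour (`#1550bf`) used in the zone tables; if it is meant to flag a dependent field, use the same colour convention. Also, `IP address family to which the rule will apply to.` has a doubled `to`.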
Line 394: | Line 413: | ||
<tr> | <tr> | ||
<td>Destination zone</td> | <td>Destination zone</td> | ||
<td>firewall zone; | <td>firewall zone; default: <b>Device (input)</b></td> | ||
<td>Target zone of the incoming connection.</td> | <td>Target zone of the incoming connection.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Destination address</td> | <td>Destination address</td> | ||
<td>ip | ip/netmask; | <td>ip | ip/netmask; default: <b>any</b></td> | ||
<td>Tagert IP address or network segment of the incoming connection.</td> | <td>Tagert IP address or network segment of the incoming connection.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Destination port</td> | <td>Destination port</td> | ||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; | <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | ||
<td>Tagert port or range of ports of the incoming connection.</td> | <td>Tagert port or range of ports of the incoming connection.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Action</td> | <td>Action</td> | ||
<td> | <td>Drop | Accept | Reject | Don't track; default: <b>Accept</b></td> | ||
<td>Action that is to be taken when a packet | <td>Action that is to be taken when a packet matches the conditions of the rule. | ||
<ul> | <ul> | ||
<li><b> | <li><b>Drop</b> – packet is stopped and deleted.</li> | ||
<li><b> | <li><b>Accept</b> – packet gets to continue to the next chain.</li> | ||
<li><b> | <li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.</li> | ||
<li><b>Don't track</b> – packet is no longer tracked as it moves forward.</li> | |||
</ul> | </ul> | ||
</td> | </td> | ||
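Review bot: the context lines `Tagert IP address or network segment` and `Tagert port or range of ports` misspell `Target`; they are unchanged here but sit next to the edited `Action` row, so fix them in the same pass. In that row, `Accept – packet gets to continue to the next chain` is the only action described in terms of chains; `packet is allowed through and continues to the next chain` reads more consistently beside Drop and Reject.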
Line 420: | Line 440: | ||
<tr> | <tr> | ||
<td>Extra arguments</td> | <td>Extra arguments</td> | ||
<td>string; | <td>string; default: <b>none</b></td> | ||
<td>Adds extra .iptables options to the rule.</td> | <td>Adds extra .iptables options to the rule.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Week days</td> | <td>Week days</td> | ||
<td>days of the week [Sunday..Saturday]; | <td>days of the week [Sunday..Saturday]; default: <b>none</b></td> | ||
<td>Specifies on which days of the week the rule is valid.</td> | <td>Specifies on which days of the week the rule is valid.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Month days</td> | <td>Month days</td> | ||
<td>days of the month [1..31]; | <td>days of the month [1..31]; default: <b>none</b></td> | ||
<td>Specifies on which days of the month the rule is valid.</td> | <td>Specifies on which days of the month the rule is valid.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Start Time (hh:mm:ss)</td> | <td>Start Time (hh:mm:ss)</td> | ||
<td>time [0..23:0..59:0..59]; | <td>time [0..23:0..59:0..59]; default: <b>none</b></td> | ||
<td>Indicates the beginning of the time period during which the rule is valid.</td> | <td>Indicates the beginning of the time period during which the rule is valid.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Stop Time (hh:mm:ss)</td> | <td>Stop Time (hh:mm:ss)</td> | ||
<td>time [0..23:0..59:0..59]; | <td>time [0..23:0..59:0..59]; default: <b>none</b></td> | ||
<td>Indicates the end of the time period during which the rule is valid.</td> | <td>Indicates the end of the time period during which the rule is valid.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Start Date (yyyy-mm-dd)</td> | <td>Start Date (yyyy-mm-dd)</td> | ||
<td>date [0000..9999:1..12:1..31]; | <td>date [0000..9999:1..12:1..31]; default: <b>none</b></td> | ||
<td>Indicates the first day of the date of the period during which the rule is valid.</td> | <td>Indicates the first day of the date of the period during which the rule is valid.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Stop Date (yyyy-mm-dd)</td> | <td>Stop Date (yyyy-mm-dd)</td> | ||
<td>date [0000..9999:1..12:1..31]; | <td>date [0000..9999:1..12:1..31]; default: <b>none</b></td> | ||
<td>Indicates the last day of the date of the period during which the rule is valid.</td> | <td>Indicates the last day of the date of the period during which the rule is valid.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Time in UTC</td> | <td>Time in UTC</td> | ||
<td> | <td>off | on; default: <b>no</b></td> | ||
<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the | <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
===Open Ports on Router=== | |||
===Open | |||
---- | ---- | ||
In the <b>Add new instance</b> section, select <b>Open ports on router</b>. This provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section: | |||
[[File: | [[File:Networking_rutos_manual_firewall_traffic_rules_open_ports_on_router.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
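Review bot: the `Time in UTC` row lists the values `off | on` but the default `<b>no</b>`, which is not one of them; make it `<b>off</b>`. Two smaller points in the same hunk: `Adds extra .iptables options to the rule.` has a stray period before `iptables`, and the new Open Ports paragraph calls the section `Open ports on router` in the first sentence and `Open ports on device` in the second; pick one name and match the heading.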
Line 475: | Line 494: | ||
<tr> | <tr> | ||
<td>Name</td> | <td>Name</td> | ||
<td>string; | <td>string; default: <b>none</b></td> | ||
<td>The name of the rule. This is used for easier management purposes.<br>The name field is filled automatically when port numbers are specified, unless the name was specified beforehand by the user.</td> | <td>The name of the rule. This is used for easier management purposes.<br>The name field is filled automatically when port numbers are specified, unless the name was specified beforehand by the user.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Protocol</td> | <td>Protocol</td> | ||
<td>TCP+UDP | TCP | UDP | Other; | <td>TCP+UDP | TCP | UDP | Other; default: <b>TCP+UDP</b></td> | ||
<td>Specifies to which protocols the rule should apply.</td> | <td>Specifies to which protocols the rule should apply.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>External port</td> | <td>External port</td> | ||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; | <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | ||
<td>Specifies which port(s) should be opened.</td> | <td>Specifies which port(s) should be opened.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
===New | ===Add New Forward Rule=== | ||
---- | ---- | ||
In the <b>Add new instance</b> section, select <b>Add new forward rule</b>. This is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the Add New Forward Rule section and the table below provides information on the fields contained in that section: | |||
[[File: | [[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 504: | Line 523: | ||
<tr> | <tr> | ||
<td>Name</td> | <td>Name</td> | ||
<td>string; | <td>string; default: <b>none</b></td> | ||
<td>The name of the rule. This is used for easier management purposes.</td> | <td>The name of the rule. This is used for easier management purposes.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Source zone</td> | <td>Source zone</td> | ||
<td>firewall zone; | <td>firewall zone; default: <b>wan</b></td> | ||
<td>The zone from which traffic has originated.</td> | <td>The zone from which traffic has originated.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Destination zone</td> | <td>Destination zone</td> | ||
<td>firewall zone; | <td>firewall zone; default: <b>lan</b></td> | ||
<td>The zone to which traffic will be forwarded to.</td> | <td>The zone to which traffic will be forwarded to.</td> | ||
</tr> | </tr> | ||
Line 523: | Line 542: | ||
</tr> | </tr> | ||
</table> | </table> | ||
==NAT Rules== | |||
<b>Network address translation</b> (<b>NAT</b>) is method of modifying the source/destination address and/or port information in a packet's IP header. | |||
===Source NAT=== | ===Source NAT=== | ||
---- | ---- | ||
<b>Source NAT</b> is a | <b>Source NAT</b> (<b>SNAT</b>) is a form of masquerading used to change a packet's source address and/or port number to a static, user-defined value. SNAT is performed in the POSTROUTING chain, just before a packet leaves the device. | ||
The Source NAT section displays currently existing SNAT rules. | |||
[[File:Networking_rutos_manual_firewall_nat_rules_source_nat.png|border|class=tlt-border]] | |||
=== | ===Add New Source NAT=== | ||
---- | ---- | ||
The <b>New Source NAT</b> section is used to | The <b>Add New Source NAT</b> section is used to create new source NAT rules. | ||
[[File: | [[File:Networking_rutos_manual_firewall_nat_rules_add_new_source_nat.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
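Review bot: the new NAT Rules intro reads `(<b>NAT</b>) is method of modifying`, missing the article (`is a method`); and in the `Destination zone` row, `The zone to which traffic will be forwarded to.` has a doubled `to`.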
Line 542: | Line 569: | ||
<tr> | <tr> | ||
<td>Name</td> | <td>Name</td> | ||
<td>string; | <td>string; default: <b>none</b></td> | ||
<td>The name of the rule. | <td>The name of the rule. Used only for easier management purposes.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Source zone</td> | <td>Source zone</td> | ||
<td>firewall zone; | <td>firewall zone; default: <b>lan</b></td> | ||
<td> | <td>Matches traffic originated from the specified zone.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Destination | <td>Destination Zone</td> | ||
<td>firewall zone; | <td>firewall zone; default: <b>wan</b></td> | ||
<td> | <td>Matches traffic destined for the specified zone.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>To source IP</td> | <td>To source IP</td> | ||
<td>ip | do not rewrite; | <td>ip | do not rewrite; default: <b>none</b></td> | ||
<td>Changes the source IP in the packet header to the value specified in this field.</td> | <td>Changes the source IP address in the packet header to the value specified in this field.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>To | <td>To Source Port</td> | ||
<td>integer [0..65335] | do not rewrite; | <td>integer [0..65335] | do not rewrite; default: <b>none</b></td> | ||
<td>Changes the source port in the packet header to the value specified in this field.</td> | <td>Changes the source port in the packet header to the value specified in this field.</td> | ||
</tr> | </tr> | ||
Line 568: | Line 595: | ||
<td>Add</td> | <td>Add</td> | ||
<td>- (interactive button)</td> | <td>- (interactive button)</td> | ||
<td>Creates the rule and redirects you to the rule's configuration page.</td> | <td>Creates the rule in accordance with the given parameter and redirects you to the rule's configuration page.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
== | ===Source NAT Configuration=== | ||
---- | |||
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | |||
{{#ifeq: {{{series}}} | TRB1 | |||
| [[File:Networking_trb1_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]] | |||
| [[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]] | |||
}} | |||
You will be redirected to that rule's configuration page: | |||
[[File:Networking_rutos_manual_firewall_nat_rules_configuration_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]] | |||
[[File: | |||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
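Review bot: the `To Source Port` row gives the range as `integer [0..65335]` while every other port field on the page uses `[0..65535]`; this looks like a transposition. The Source NAT Configuration paragraph copies `In order to begin editing a traffic rule` from the Traffic Rules section; it should say `a source NAT rule`. And `Creates the rule in accordance with the given parameter` should be plural, `parameters`.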
Line 603: | Line 619: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Enable</td> | ||
<td>off < | <td>off | on; default <b>on</b></td> | ||
<td>Turns the rule on or off.</td> | |||
</tr> | |||
<tr> | |||
<td>Name</td> | |||
<td>string; default <b>none</b></td> | |||
<td>Name of the rule. This is used for easier management purposes.</td> | |||
</tr> | |||
<tr> | |||
<td>Protocol</td> | |||
<td>All protocols | TCP+UDP | TCP | UDP | ICMP | -- custom --; default: <b>All protocols</b></td> | |||
<td>Specifies to which protocols the rule should apply.</td> | |||
</tr> | |||
<tr> | |||
<td>Source zone</td> | |||
<td>firewall zone; default: <b>lan</b></td> | |||
<td>Matches traffic originated from the specified zone.</td> | |||
</tr> | |||
<tr> | |||
<td>Source IP address</td> | |||
<td>ip | ip/netmask; default: <b>Any</b></td> | |||
<td>Mathes traffic originated from specified IP address or network segment.</td> | |||
</tr> | |||
<tr> | |||
<td>Source port</td> | |||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | |||
<td>Mathes traffic originated from specified port number.<td> | |||
</tr> | |||
<tr> | |||
<td>Destination zone</td> | |||
<td>firewall zone; default: <b>wan</b></td> | |||
<td>Matches traffic destined for the specified zone.</td> | |||
</tr> | |||
<tr> | |||
<td>Destination IP address</td> | |||
<td>ip | ip/netmask; default: <b>any</b></td> | |||
<td>Matches traffic destined for the specified IP address or network segment.</td> | |||
</tr> | |||
<tr> | |||
<td>Destination port</td> | |||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | |||
<td>Matches traffic destined for the specified port number.</td> | |||
</tr> | |||
<tr> | |||
<td>SNAT address</td> | |||
<td>ip; default: <b>none</b></td> | |||
<td>Changes matched traffic packet source IP address to the value specified in this field.</td> | |||
</tr> | |||
<tr> | |||
<td>SNAT port</td> | |||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | |||
<td>Changes matched traffic packet source port number to the value specified in this field.</td> | |||
</tr> | |||
<tr> | |||
<td>Extra arguments</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Adds extra .iptables options to the rule.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Week days</td> | |||
<td>days of the week [Sunday..Saturday]; default: <b>none</b></td> | |||
<td>Specifies on which days of the week the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Month days</td> | |||
<td>days of the month [1..31]; default: <b>none</b></td> | |||
<td>Specifies on which days of the month the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Start Time (hh:mm:ss)</td> | |||
<td>time [0..23:0..59:0..59]; default: <b>none</b></td> | |||
<td>Indicates the beginning of the time period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Stop Time (hh:mm:ss)</td> | |||
<td>time [0..23:0..59:0..59]; default: <b>none</b></td> | |||
<td>Indicates the end of the time period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Start Date (yyyy-mm-dd)</td> | |||
<td>date [0000..9999:1..12:1..31]; default: <b>none</b></td> | |||
<td>Indicates the first day of the date of the period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Stop Date (yyyy-mm-dd)</td> | |||
<td>date [0000..9999:1..12:1..31]; default: <b>none</b></td> | |||
<td>Indicates the last day of the date of the period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Time in UTC</td> | |||
<td>off | on; default: <b>no</b></td> | |||
<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td> | |||
</tr>
</table>
==Attack Prevention==
The <b>Attack Prevention</b> menu tab provides the possibility to configure protections against certain types of online attacks. | |||
===SYN Flood Protection===
----
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, in a SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
[[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable SYN flood protection</td>
<td>off | on; default: <b>on</b></td>
<td>Turns the rule on or off.</td>
</tr>
<tr>
<td>SYN flood rate</td>
<td>integer; default: <b>5</b></td>
<td>Sets the rate limit (packets per second) for SYN packets above which the traffic is considered flooded.</td>
</tr>
<tr>
<td>SYN flood burst</td>
<td>integer; default: <b>10</b></td>
<td>Sets the burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate.</td>
</tr>
<tr>
<td>TCP SYN cookies</td>
<td>off | on; default: <b>off</b></td>
<td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers).</td>
</tr>
</table>
===Remote ICMP Requests===
----
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.
[[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable ICMP requests</td>
<td>off | on; default: <b>on</b></td>
<td>Turns the rule on or off.</td>
</tr>
<tr>
<td>Enable ICMP limit</td>
<td>off | <span style="color: #1550bf;">on</span>; default: <b>off</b></td>
<td>Turns the ICMP echo-request limit for the selected period on or off.</td>
</tr>
<tr>
<td><span style="color: #1550bf;">Limit period</span></td>
<td>Second | Minute | Hour | Day; default: <b>Second</b></td>
<td>Period length for matching the conditions of the rule.</td>
</tr>
<tr>
<td><span style="color: #1550bf;">Limit</span></td>
<td>integer; default: <b>5</b></td>
<td>Maximum ICMP echo-request number during the period.</td>
</tr>
<tr>
<td><span style="color: #1550bf;">Limit burst</span></td>
<td>integer; default: <b>10</b></td>
<td>Indicates the maximum burst before the above limit kicks in.</td>
</tr>
</table>
===SSH Attack Prevention===
----
This protection prevents <b>SSH attacks</b> by limiting connections in a defined period.
[[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable SSH limit</td>
<td>off | on; default: <b>off</b></td>
<td>Turns the rule on or off.</td>
</tr>
<tr>
<td>Limit period</td>
<td>Second | Minute | Hour | Day; default: <b>Second</b></td>
<td>Period length for matching the conditions of the rule.</td>
</tr>
<tr>
<td>Limit</td>
<td>integer; default: <b>5</b></td>
<td>Maximum SSH connections during the set period.</td>
</tr>
<tr>
<td>Limit burst</td>
<td>integer; default: <b>10</b></td>
<td>Indicates the maximum burst before the above limit kicks in.</td>
</tr>
</table>
===HTTP Attack Prevention===
----
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte per 100 seconds). Because the header is correct and complete, the target server will attempt to obey the 'Content-Length' field and wait for the entire body of the message to be transmitted, which ties up its resources and slows it down.
[[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable HTTP limit</td>
<td>off | on; default: <b>off</b></td>
<td>Turns the rule on or off.</td>
</tr>
<tr>
<td>Limit period</td>
<td>Second | Minute | Hour | Day; default: <b>Second</b></td>
<td>Period length for matching the conditions of the rule.</td>
</tr>
<tr>
<td>Limit</td>
<td>integer; default: <b>5</b></td>
<td>Maximum HTTP connections during the set period.</td>
</tr>
<tr>
<td>Limit burst</td>
<td>integer; default: <b>10</b></td>
<td>Indicates the maximum burst before the above limit kicks in.</td>
</tr>
</table>
===HTTPS Attack Prevention===
----
This section allows you to enable protection against <b>HTTPS attacks</b>, also known as "man-in-the-middle" attacks (MITM).
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of a man-in-the-middle attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
[[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable HTTPS limit</td>
<td>off | on; default: <b>off</b></td>
<td>Turns the rule on or off.</td>
</tr>
<tr>
<td>Limit period</td>
<td>Second | Minute | Hour | Day; default: <b>Second</b></td>
<td>Period length for matching the conditions of the rule.</td>
</tr>
<tr>
<td>Limit</td>
<td>integer; default: <b>5</b></td>
<td>Maximum HTTPS connections during the set period.</td>
</tr>
<tr>
<td>Limit burst</td>
<td>integer; default: <b>10</b></td>
<td>Indicates the maximum burst number before the above limit kicks in.</td>
</tr>
</table>
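The SYN flood, ICMP, SSH, HTTP and HTTPS sections above all describe the same three knobs: a limit, a period and a burst. The simulation below is an added example, not Teltonika code; it assumes the device builds these limits from the iptables <code>limit</code> match, which behaves as a token bucket holding <code>burst</code> tokens and refilling at <code>limit</code> tokens per period. The arrival timelines are constructed, not captured traffic.

```python
from dataclasses import dataclass

# Seconds in each "Limit period" choice offered by the WebUI.
PERIOD_SECONDS = {"Second": 1, "Minute": 60, "Hour": 3600, "Day": 86400}


@dataclass
class LimitMatch:
    """Token bucket modelling the iptables 'limit' match (assumption: the
    device builds its rate limits from it). The bucket starts full with
    `burst` tokens and refills at `limit` tokens per `period`."""
    limit: int    # "Limit" / "SYN flood rate": accepted packets per period
    period: str   # "Limit period": Second | Minute | Hour | Day
    burst: int    # "Limit burst" / "SYN flood burst": bucket capacity

    def __post_init__(self):
        self.refill_per_sec = self.limit / PERIOD_SECONDS[self.period]
        self.tokens = float(self.burst)  # bucket starts full
        self.last = 0.0                  # time of the previous packet

    def allow(self, t):
        """Return True if a packet arriving at time t (seconds) is accepted."""
        refill = (t - self.last) * self.refill_per_sec
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, limit, period, burst):
    """Replay non-decreasing arrival times (seconds) through one limit match
    and return (accepted, dropped) packet counts."""
    match = LimitMatch(limit, period, burst)
    accepted = dropped = 0
    for t in arrivals:
        if match.allow(t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


# Constructed arrival timelines (not captured traffic):
# 30 SYNs at once, then 10 more one second later (SYN flood defaults: 5/s, burst 10).
SYN_BURST = [0.0] * 30 + [1.0] * 10
# One SSH connection per second for 12 seconds (SSH limit 5 per Minute, burst 10).
SSH_STEADY = [float(s) for s in range(12)]
```

With the SYN flood defaults the first 10 SYNs of the burst pass on stored tokens and only 5 more are admitted after one second of refill; with 5 per Minute the SSH timeline is cut off after the burst of 10 is spent, which is what "maximum burst before the above limit kicks in" means.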
===Port Scan===
----
<b>Port Scan</b> attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.
[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable</td>
<td>off | on; default: <b>off</b></td>
<td>Turns the function on or off.</td>
</tr>
<tr>
<td>Scan count</td>
<td>integer [5..65534]; default: <b>5</b></td>
<td>How many port scans are counted before blocking.</td>
</tr>
<tr>
<td>Interval</td>
<td>integer [10..60]; default: <b>10</b></td>
<td>Time interval in seconds in which port scans are counted.</td>
</tr>
<tr>
<td>SYN-FIN attack</td>
<td>off | on; default: <b>off</b></td>
<td>Turns protection from SYN-FIN attacks on or off.</td>
</tr>
<tr>
<td>SYN-RST attack</td>
<td>off | on; default: <b>off</b></td>
<td>Turns protection from SYN-RST attacks on or off.</td>
</tr>
<tr>
<td>X-Mas attack</td>
<td>off | on; default: <b>off</b></td>
<td>Turns protection from X-Mas attacks on or off.</td>
</tr>
<tr>
<td>FIN scan</td>
<td>off | on; default: <b>off</b></td>
<td>Turns protection from FIN scan attacks on or off.</td>
</tr>
<tr>
<td>NULLflags attack</td>
<td>off | on; default: <b>off</b></td>
<td>Turns protection from NULLflags attacks on or off.</td>
</tr>
</table>
==Custom Rules== | |||
The <b>Custom rules</b> tab provides you with the possibility to execute <b>iptables</b> commands which are not otherwise covered by the device's firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded. | |||
<b>Note: </b> Using <i>hostnames</i> in custom rules is not recommended. Such rules will not remain active after a reboot, for security reasons.
The figure below is an example of the Custom rules tab: | |||
[[File:Networking_rutos_manual_firewall_custom_rules.png|border|class=tlt-border]] | |||
The rules added here are saved in the <b>/etc/firewall.user</b> file. Feel free to edit that file instead for the same effect in case you don't have access to the device's WebUI. | |||
The <b>Save</b> button restarts the firewall service, which adds the custom rules specified in this section to the device's list of firewall rules.
The <b>Reset</b> button resets the custom rules field to its default state. | |||
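Since a rule that names a host instead of an address silently stops applying after a reboot, it is worth checking the contents of /etc/firewall.user before saving. The checker below is an added example, not part of this manual or of the device firmware: it scans each iptables line for -s/-d arguments that are not IP literals or CIDR prefixes. The option set, the example.net hostnames and the sample rules are constructed.

```python
import ipaddress
import shlex

# iptables options whose argument is an address; "!" before the value negates it.
ADDRESS_OPTIONS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

def is_ip_or_cidr(value):
    """True for an IPv4/IPv6 literal or CIDR prefix, False for anything else."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def hostname_args(line):
    """Return the address arguments of one iptables line that are not IP literals."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:          # unbalanced quotes: nothing we can inspect
        return []
    found, i = [], 0
    while i < len(tokens):
        if tokens[i] in ADDRESS_OPTIONS and i + 1 < len(tokens):
            i += 1
            if tokens[i] == "!" and i + 1 < len(tokens):   # "-s ! addr" form
                i += 1
            for part in tokens[i].split(","):             # "-s a,b" address lists
                if not is_ip_or_cidr(part):
                    found.append(part)
        i += 1
    return found

def lint_firewall_user(text):
    """Return (line_number, line, hostnames) for each rule that uses a hostname."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        bad = hostname_args(line)
        if bad:
            problems.append((number, line.strip(), bad))
    return problems

# Constructed /etc/firewall.user contents for the check (not from a real device).
SAMPLE_RULES = """\
iptables -I INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -d updates.example.net -p tcp --dport 443 -j ACCEPT
iptables -I INPUT ! -s 192.0.2.10 -p udp --dport 161 -j DROP
iptables -A OUTPUT -d 198.51.100.7,mail.example.net -j ACCEPT
"""
```

Running lint_firewall_user(SAMPLE_RULES) flags lines 2 and 4; the negated and comma-separated address forms on lines 3 and 4 are handled so that only the hostname parts are reported.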
[[Category:{{{name}}} Network section]]