Changes

Line 421: Line 421:  
         <td>Source port</td>
 
         <td>Source port</td>
 
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
 
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching. Port negation using is also available, for ex. <b>!1</b>.<td>
+
         <td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching. Port negation using is also available, for ex. <b>!1</b>.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
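Review bot: the `</td>` fix on the Source port description is correct, but the sentence on both sides, "Port negation using is also available, for ex. <b>!1</b>.", is still missing its object; suggest "Port negation using <b>!</b> is also available, e.g. <b>!1</b>." While here, "Leave empty to make the rule skip source port matching." reads more cleanly as "Leave empty to skip source port matching."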
Line 440: Line 440:  
     <tr>
 
     <tr>
 
     <td>Action</td>
 
     <td>Action</td>
         <td>Drop | Accept | Reject | Don't track | <span style="color:green">DSCP</span> | <span style="color:blue">Mark</span>; default: <b>Accept</b></td>
+
         <td>Drop | Accept | Reject | Don't track | <span style="color:green">DSCP</span> | <span style="color:blue">Mark</span> | <span style="color:red">Change TTL</span>; default: <b>Accept</b></td>
 
         <td>Action that is to be taken when a packet matches the conditions of the rule.
 
         <td>Action that is to be taken when a packet matches the conditions of the rule.
 
             <ul>
 
             <ul>
Line 448: Line 448:  
                 <li><b>Don't track</b> – packet is no longer tracked as it moves forward.</li>
 
                 <li><b>Don't track</b> – packet is no longer tracked as it moves forward.</li>
 
                 <li><b>DSCP</b> – packet is marked with specified DiffServ Code Point value.</li>
 
                 <li><b>DSCP</b> – packet is marked with specified DiffServ Code Point value.</li>
                 <li><b>Mark</b> – packet is marked with specified firewall mark..</li>
+
                 <li><b>Mark</b> – packet is marked with specified firewall mark.</li>
 +
                <li><b>Change TTL</b> – packet's TTL value is adjusted based on the selected action</li>
 
             </ul>
 
             </ul>
 
         </td>
 
         </td>
 
     </tr>
 
     </tr>
  </table>
+
    <tr>
 +
    <td><span style="color:red">TTL action</span></td>
 +
        <td>Set | Increment | Decrement; default: <b>Set</b></td>
 +
        <td>TTL action to apply to packets.</td>
 +
    </tr>
 +
    <tr>
 +
    <td><span style="color:red">TTL value</span></td>
 +
        <td>integer [1..255]; default: <b>none</b></td>
 +
        <td>TTL value to use for actions.</td>
 +
    </tr>
 +
</table>
    
====Advanced settings====
 
====Advanced settings====
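Review bot: the new list item "<b>Change TTL</b> – packet's TTL value is adjusted based on the selected action" lacks the trailing period the other items have, and the new "TTL value" row ("TTL value to use for actions.") does not say what the integer means for each action, presumably the value written into the header for Set and the step for Increment/Decrement; the description should state which. Note also that "TTL action" defaults to Set while "TTL value" defaults to none, so the table should say what happens when Change TTL is selected without a value (rejected on save, or the rule is ignored).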
Line 476: Line 487:  
     <td><span style="color:blue">Mark</span>: Set Target value</td>
 
     <td><span style="color:blue">Mark</span>: Set Target value</td>
 
         <td>hex; default: <b>none</b></td>
 
         <td>hex; default: <b>none</b></td>
         <td>If specified, target traffic against the given firewall mark, e.g. 0xFF to target mark 255 or 0x0/0x1 to target any even mark value.</td>
+
         <td>If specified, target traffic against the given firewall mark, e.g. FF or ff to target mark 255.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
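Review bot: "If specified, target traffic against the given firewall mark" on the Mark: Set Target value row reads like a match condition, but this is the value the Mark action writes; suggest "Sets the firewall mark of matched traffic to the given value, e.g. FF or ff for mark 255." The new example also drops the 0x prefix the old one used, so the Value column ("hex") should state whether the 0x prefix is still accepted.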
Line 491: Line 502:  
     <td><span style="color:blue">Mark</span>: Set Match value</td>
 
     <td><span style="color:blue">Mark</span>: Set Match value</td>
 
         <td>hex; default: <b>none</b></td>
 
         <td>hex; default: <b>none</b></td>
         <td>If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value.</td>
+
         <td>If specified, match traffic against the given firewall mark, e.g. FF or ff to match mark 255.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
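Review bot: removing "0x0/0x1 to match any even mark value" from the Mark: Set Match value row deletes the only place the page documented a value/mask match; if the field still accepts that form, keep a mask example, and either way say in the Value column whether the 0x prefix is accepted, since the old example used it and the new one ("FF or ff") does not.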
Line 537: Line 548:  
     <td>Time in UTC</td>
 
     <td>Time in UTC</td>
 
         <td>off | on; default: <b>no</b></td>
 
         <td>off | on; default: <b>no</b></td>
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td>
+
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td>
 
     </tr>
 
     </tr>
 
</table>
 
</table>
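Review bot: the link retarget to System → Administration → NTP is fine, but the Time in UTC row still lists the values "off | on" with "default: <b>no</b>"; make the default "off" (or the values "no | yes") so both cells use the same vocabulary.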
Line 614: Line 625:  
The Source NAT section displays currently existing SNAT rules.
 
The Source NAT section displays currently existing SNAT rules.
   −
[[File:Networking_rutos_manual_firewall_nat_rules_source_nat.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_nat_rules_source_nat_v2.png|border|class=tlt-border]]
    
===Add New Source NAT===
 
===Add New Source NAT===
Line 620: Line 631:  
The <b>Add New Source NAT</b> section is used to create new source NAT rules.
 
The <b>Add New Source NAT</b> section is used to create new source NAT rules.
   −
[[File:Networking_rutos_manual_firewall_nat_rules_add_new_source_nat.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_nat_rules_add_new_source_nat_v4.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
Line 639: Line 650:  
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
     <td>Destination Zone</td>
+
     <td>Rewrite IP</td>
        <td>firewall zone; default: <b>wan</b></td>
+
         <td>IP | do not rewrite; default: <b>none</b></td>
         <td>Matches traffic destined for the specified zone.</td>
  −
    </tr>
  −
    <tr>
  −
    <td>To source IP</td>
  −
        <td>ip | do not rewrite; default: <b>none</b></td>
   
         <td>Changes the source IP address in the packet header to the value specified in this field.</td>
 
         <td>Changes the source IP address in the packet header to the value specified in this field.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
     <td>To Source Port</td>
+
     <td>Rewrite Port</td>
 
         <td>integer [0..65335] | port inversion [!0..!65535] | do not rewrite; default: <b>none</b></td>
 
         <td>integer [0..65335] | port inversion [!0..!65535] | do not rewrite; default: <b>none</b></td>
 
         <td>Changes the source port in the packet header to the value specified in this field.</td>
 
         <td>Changes the source port in the packet header to the value specified in this field.</td>
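Review bot: the "Destination Zone" row is changed into "Rewrite IP", but the cell "<td>Matches traffic destined for the specified zone.</td>" is left in place, so as rendered the Rewrite IP row carries both that stale description and "Changes the source IP address in the packet header to the value specified in this field."; the stale cell should be removed with the rest of the old row. Also, the Rewrite Port value cell reads "integer [0..65335]" on both sides of the diff; that should be 65535, as in the Source port rows elsewhere on the page.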
Line 662: Line 668:  
===Source NAT Configuration===
 
===Source NAT Configuration===
 
----
 
----
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it:
+
In order to begin editing a traffic rule, click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to it:
   −
{{#ifeq: {{{series}}} | TRB1
+
[[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button_v3.png|border|class=tlt-border]]
| [[File:Networking_trb1_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]]
  −
| [[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]]
  −
}}
      
You will be redirected to that rule's configuration page:
 
You will be redirected to that rule's configuration page:
   −
[[File:Networking_rutos_manual_firewall_nat_rules_configuration_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]]
+
[[File:Networking rutos manual firewall nat rules configuration mobile general_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
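Review bot: the section is Source NAT Configuration, yet the sentence on both sides still says "In order to begin editing a traffic rule"; change to "a source NAT rule". Replacing the {{#ifeq: {{{series}}} | TRB1 ...}} switch and the {{{mobile}}}/{{{dualsim}}}/{{{wired}}}-parameterised screenshot with single images drops the per-series variants, so confirm the general_v2 screenshot is also correct for TRB1 devices.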
Line 688: Line 691:  
       <td>string; default <b>none</b></td>
 
       <td>string; default <b>none</b></td>
 
       <td>Name of the rule. This is used for easier management purposes.</td>
 
       <td>Name of the rule. This is used for easier management purposes.</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Target</td>
 +
      <td>SNAT | MASQUERADE | ACCEPT; default <b>SNAT</b></td>
 +
      <td>NAT target to use when generating the rule.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
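Review bot: the new Target row ("SNAT | MASQUERADE | ACCEPT") is described only as "NAT target to use when generating the rule.", which does not tell the reader how the three targets differ or which of them use the rewrite fields further down the table; add a sentence per target. "default <b>SNAT</b>" is also missing the colon ("default: <b>") used by most other rows.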
Line 707: Line 715:  
         <td>Source port</td>
 
         <td>Source port</td>
 
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
 
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Mathes traffic originated from specified port number.<td>
+
         <td>Mathes traffic originated from specified port number.</td>
    </tr>
+
     </tr>  
    <tr>
  −
    <td>Destination zone</td>
  −
        <td>firewall zone; default: <b>wan</b></td>
  −
        <td>Matches traffic destined for the specified zone.</td>
  −
     </tr>
   
     <tr>
 
     <tr>
 
     <td>Destination IP address</td>
 
     <td>Destination IP address</td>
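Review bot: the Source port description fix only closes the cell; "Mathes traffic originated from specified port number." still misspells Matches and should read "Matches traffic originating from the specified port number." The new "</tr>  " line also carries trailing spaces.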
Line 725: Line 728:  
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
        <td>SNAT address</td>
+
    <td>Rewrite port</td>
         <td>ip; default: <b>none</b></td>
+
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>No rewrite</b></td>
         <td>Changes matched traffic packet source IP address to the value specified in this field.</td>
+
         <td>Rewrite matched traffic to the given source port.</td>
 
     </tr>
 
     </tr>
 +
    </table>
 +
   
 +
    [[File:Networking rutos manual firewall nat rules configuration mobile advanced.png|border|class=tlt-border]]
 +
   
 +
    <table class="nd-mantable">
 
     <tr>
 
     <tr>
         <td>SNAT port</td>
+
         <th>Field</th>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
+
      <th>Value</th>
        <td>Changes matched traffic packet source port number to the value specified in this field.</td>
+
      <th>Description</th>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
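Review bot: replacing the "SNAT address" row with "Rewrite port" removes the only row in the configuration table that documented rewriting the source IP, while the Add New Source NAT table above documents "Rewrite IP"; confirm the configuration page really has no IP-rewrite field, or add its row. "default: <b>No rewrite</b>" also differs from "do not rewrite" used for the same option in the Add New table, and "Rewrite matched traffic to the given source port." would be clearer as "Changes the source port of matched traffic to the value specified in this field.", matching the earlier wording.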
Line 738: Line 746:  
         <td>string; default: <b>none</b></td>
 
         <td>string; default: <b>none</b></td>
 
         <td>Adds extra .iptables options to the rule.</td>
 
         <td>Adds extra .iptables options to the rule.</td>
 +
    </tr>
 +
    </table>
 +
   
 +
    [[File:Networking rutos manual firewall nat rules configuration mobile time restriction.png|border|class=tlt-border]]
 +
   
 +
    <table class="nd-mantable">
 +
    <tr>
 +
        <th>Field</th>
 +
      <th>Value</th>
 +
      <th>Description</th>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
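Review bot: the Extra options row kept on both sides says "Adds extra .iptables options to the rule."; the stray period before iptables should go, and the sentence should say where the options are appended (the generated iptables rule) so the reader knows the syntax expected.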
Line 772: Line 790:  
     <td>Time in UTC</td>
 
     <td>Time in UTC</td>
 
         <td>off | on; default: <b>no</b></td>
 
         <td>off | on; default: <b>no</b></td>
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td>
+
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td>
 
     </tr>
 
     </tr>
 
</table>
 
</table>
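Review bot: as on the traffic-rule Time in UTC row, the values are "off | on" but the default is "<b>no</b>"; align the two cells.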
Line 784: Line 802:  
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
 
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
   −
[[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
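Review bot: the SYN flood paragraph on both sides says the attack consumes "resources on the targeted server" and then that it causes "network over-saturation"; the first is what the handshake-based attack does, the second describes a bandwidth effect the paragraph does not otherwise support, so drop or reword the last clause. "DDOS" should be "DDoS".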
Line 800: Line 818:  
       <td>SYN flood rate</td>
 
       <td>SYN flood rate</td>
 
       <td>integer; default: <b>5</b></td>
 
       <td>integer; default: <b>5</b></td>
       <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered floodedb</td>
+
       <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>SYN flood burst</td>
 
     <td>SYN flood burst</td>
 
         <td>integer; default: <b>10</b></td>
 
         <td>integer; default: <b>10</b></td>
         <td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed ratbe</td>
+
         <td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>TCP SYN cookies</td>
 
     <td>TCP SYN cookies</td>
         <td>off | on; default: <b>off<b></b></td>
+
         <td>off | on; default: <b>on</b></td>
         <td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)b</td>
+
         <td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>
 
     </tr>
 
     </tr>
 
</table>
 
</table>
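Review bot: the typo fixes are fine, but the TCP SYN cookies default flips from off to on in the same edit without an edit summary; confirm this tracks a firmware default change rather than a documentation guess. The "SYN flood rate" and "SYN flood burst" descriptions still end without a period, and "Set rate limit" should be "Sets the rate limit" to match "Sets burst limit".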
Line 818: Line 836:  
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.  
 
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.  
   −
[[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
Line 857: Line 875:  
This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.
 
This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.
   −
[[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
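Review bot: "This protection prevent <b>SSH attacks</b> by limiting connections in a defined period." on both sides needs "prevents", and "SSH attacks" is vague for a connection-rate limit; say what is limited, e.g. "limits the rate of new SSH connections over a defined period, which blunts brute-force login attempts".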
Line 877: Line 895:  
     <tr>
 
     <tr>
 
     <td>Limit</td>
 
     <td>Limit</td>
         <td>integer; default: <b>5</b></td>
+
         <td>integer [1..10000]; default: <b>none</b></td>
 
         <td>Maximum SSH connections during the set period</td>
 
         <td>Maximum SSH connections during the set period</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Limit burst</td>
 
     <td>Limit burst</td>
         <td>integer; default: <b>10</b></td>
+
         <td>integer [1..10000]; default: <b>none</b></td>
 
         <td>Indicates the maximum burst before the above limit kicks in.</td>
 
         <td>Indicates the maximum burst before the above limit kicks in.</td>
 
     </tr>
 
     </tr>
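Review bot: Limit and Limit burst move from defaults 5 and 10 to "integer [1..10000]; default: <b>none</b>"; with no default, the table should say whether the fields are required once the protection is enabled and what happens if they are left empty. "Maximum SSH connections during the set period" also lacks the period used by the Limit burst row.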
Line 891: Line 909:  
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
 
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
   −
[[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
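Review bot: the intro on both sides describes a slow-body attack (complete headers, then the body at 1 byte/100 seconds), but the settings in the table that follows ("Maximum HTTP connections during the set period" and a burst limit) are a new-connection rate limit, which does not by itself address a handful of slow connections; either describe the protection as a connection-rate limit or explain how the limit relates to the slow-body case. Also "(e.g. 1 byte/100 seconds.)" puts the period inside the parenthesis.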
Line 911: Line 929:  
     <tr>
 
     <tr>
 
     <td>Limit</td>
 
     <td>Limit</td>
         <td>integer; default: <b>5</b></td>
+
         <td>integer [1..10000]; default: <b>none</b></td>
         <td>Maximum HTTP connections during the set period<./td>
+
         <td>Maximum HTTP connections during the set period.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Limit burst</td>
 
     <td>Limit burst</td>
         <td>integer; default: <b>10</b></td>
+
         <td>integer [1..10000]; default: <b>none</b></td>
 
         <td>Indicates the maximum burst before the above limit kicks in.</td>
 
         <td>Indicates the maximum burst before the above limit kicks in.</td>
 
     </tr>
 
     </tr>
Line 927: Line 945:  
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
 
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
   −
[[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
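Review bot: the HTTPS attack prevention intro on both sides is a textbook definition of a man-in-the-middle attack, but the settings documented below are "Maximum HTTPS connections during the set period" and a burst limit, which rate-limit connections and do not detect or prevent MITM; replace the paragraph with a description of what the limit actually does, as the SSH section does, so readers do not expect MITM protection from it.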
Line 947: Line 965:  
     <tr>
 
     <tr>
 
     <td>Limit</td>
 
     <td>Limit</td>
         <td>integer; default: <b>5</b></td>
+
         <td>integer [1..10000]; default: <b>none</b></td>
 
         <td>Maximum HTTPS connections during the set period.</td>
 
         <td>Maximum HTTPS connections during the set period.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Limit burst</td>
 
     <td>Limit burst</td>
         <td>integer; default: <b>10</b></td>
+
         <td>integer [1..10000]; default: <b>none</b></td>
 
         <td>Indicates the maximum burst number before the above limit kicks in.</td>
 
         <td>Indicates the maximum burst number before the above limit kicks in.</td>
 
     </tr>
 
     </tr>
Line 962: Line 980:  
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.
 
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.
   −
[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
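Review bot: the listed "Defending Type" options (SYN-FIN, SYN-RST, X-Mas, FIN scan, NULLflags) are TCP flag-combination scan techniques rather than "online attacks"; call them scan types and write "NULL flags" with a space, matching "FIN scan". "The Port Scan section provides you with the possibility to enable protection against port scanning software" can be "The Port Scan section enables protection against port scanning."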
Line 977: Line 995:  
     <tr>
 
     <tr>
 
     <td>Scan count</td>
 
     <td>Scan count</td>
         <td>integer [5..65534]; default: <b>5</b></td>
+
         <td>integer [5..10000]; default: <b>none</b></td>
 
         <td>How many port scans before blocked.</td>
 
         <td>How many port scans before blocked.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Interval</td>
 
       <td>Interval</td>
       <td>integer [10..60]; default: <b>10</b></td>
+
       <td>integer [10..4096]; default: <b>none</b></td>
 
       <td>Time interval in seconds in which port scans are counted.</td>
 
       <td>Time interval in seconds in which port scans are counted.</td>
 
     </tr>
 
     </tr>
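Review bot: "Scan count" and "Interval" lose their defaults (5 and 10) and gain "default: <b>none</b>" while the lower bounds stay at 5 and 10; say whether a value is required when the protection is enabled. "How many port scans before blocked." should read "Number of port scans within the interval before blocking."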
Line 1,032: Line 1,050:  
The <b>DMZ</b> is a security concept. It comprises the separation of the LAN-side network into at least two networks: the user LAN and the DMZ. Generally the DMZ is imprisoned: only access to certain ports from the Internet are allowed into the DMZ, while the DMZ is not allowed to establish new connections to the WAN-side or LAN-side networks. That way, if a server inside of the DMZ is hacked the potential damage that can be done remains restricted! The whole point of the DMZ is to cleanly create a unique firewall rule set that dramatically restricts access in to, and out of the, DMZ.
 
The <b>DMZ</b> is a security concept. It comprises the separation of the LAN-side network into at least two networks: the user LAN and the DMZ. Generally the DMZ is imprisoned: only access to certain ports from the Internet are allowed into the DMZ, while the DMZ is not allowed to establish new connections to the WAN-side or LAN-side networks. That way, if a server inside of the DMZ is hacked the potential damage that can be done remains restricted! The whole point of the DMZ is to cleanly create a unique firewall rule set that dramatically restricts access in to, and out of the, DMZ.
   −
[[File:Networking rutos manual network firewall dmz.png|border|class=tlt-border]]
+
[[File:Networking rutos manual network firewall dmz_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
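Review bot: the DMZ paragraph on both sides needs wording and punctuation fixes: "Generally the DMZ is imprisoned" should be "isolated" or "restricted", "only access to certain ports from the Internet are allowed" needs "is allowed", "if a server inside of the DMZ is hacked" has a stray "of", and "access in to, and out of the, DMZ" should be "access into and out of the DMZ". The exclamation mark is out of register for a manual.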