RUT850 Firewall: Difference between revisions

From Teltonika Networks Wiki
No edit summary
 
(14 intermediate revisions by 2 users not shown)
Line 19: Line 19:
     <tr>
     <tr>
       <td>Drop invalid packets</td>
       <td>Drop invalid packets</td>
       <td>yes {{!}} no; Default: '''no'''</td>
       <td>yes | no; Default: '''no'''</td>
       <td>A “Drop” action is performed on a packet that is determined to be invalid</td>
       <td>A “Drop” action is performed on a packet that is determined to be invalid</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Input</td>
       <td>Input</td>
       <td>Reject {{!}} Drop {{!}} Accept; Default: '''Accept'''</td>
       <td>Reject | Drop | Accept; Default: '''Accept'''</td>
       <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Input chain</td>
       <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Input chain</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Output</td>
     <td>Output</td>
         <td>Reject {{!}} Drop {{!}} Accept; Default: '''Accept'''</td>
         <td>Reject | Drop | Accept; Default: '''Accept'''</td>
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Output chain</td>
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Output chain</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Forward</td>
     <td>Forward</td>
         <td>Reject {{!}} Drop {{!}} Accept; Default: '''Reject'''</td>
         <td>Reject | Drop | Accept; Default: '''Reject'''</td>
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Forward chain</td>
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Forward chain</td>
     </tr>
     </tr>
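Review bot: replacing {{!}} with a bare | inside these <td> cells is only safe if the table is not transcluded through a template or parser function; where it is, the pipe is read as a parameter separator and the cell is cut off after "yes ". Please confirm the rendered page still shows the full "yes | no; Default: '''no'''" and "Reject | Drop | Accept" lists before merging. Separately, the "Drop invalid packets" description still does not say which packets the firewall treats as invalid, which a reader needs in order to decide whether to change the '''no''' default.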
Line 62: Line 62:
     <tr>
     <tr>
       <td>Source zone</td>
       <td>Source zone</td>
       <td>yes {{!}} no; Default: '''no'''</td>
       <td>yes | no; Default: '''no'''</td>
       <td>Toggles DMZ On or Off</td>
       <td>Toggles DMZ On or Off</td>
     </tr>
     </tr>
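Review bot: the row label "Source zone" does not match its value and description ("yes | no; Default: '''no'''", "Toggles DMZ On or Off"); this row is the DMZ on/off switch and should be labelled "Enable", as the equivalent rows elsewhere on this page are. The hunk only changes the separator and carries the wrong label across unchanged.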
Line 88: Line 88:
     <tr>
     <tr>
       <td>Source zone</td>
       <td>Source zone</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span></td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span></td>
       <td>The source zone from which data packets will redirected from</td>
       <td>The source zone from which data packets will redirected from</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Destination zones</td>
       <td>Destination zones</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span></td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span></td>
       <td>The destination zone to which data packets will be redirected to</td>
       <td>The destination zone to which data packets will be redirected to</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Default forwarding action</td>
     <td>Default forwarding action</td>
         <td>Reject {{!}} Drop {{!}} Accept</td>
         <td>Reject | Drop | Accept</td>
         <td>Action to be performed with the redirected packets</td>
         <td>Action to be performed with the redirected packets</td>
     </tr>
     </tr>
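Review bot: the "hotspot: " entry has nothing after the colon in both versions of the Source zone and Destination zones cells, while every other zone lists its interface ("gre: gre tunnel", "l2tp: l2tp"); either the interface name was lost or it should read "hotspot: hotspot" like the rest. The description "The source zone from which data packets will redirected from" is also missing "be" and doubles "from"; "The source zone from which data packets will be redirected" reads correctly, and "The destination zone to which data packets will be redirected" likewise for the destination row.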
Line 129: Line 129:
     <tr>
     <tr>
       <td>Protocol</td>
       <td>Protocol</td>
       <td>TCP+UDP {{!}} TCP {{!}} UDP {{!}} ICMP {{!}} -- custom --; Default: '''TCP+UDP'''</td>
       <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
       <td>Type of protocol of incoming packet</td>
       <td>Type of protocol of incoming packet</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>External port</td>
     <td>External port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>Traffic will be forwarded from this port on the WAN network</td>
         <td>Traffic will be forwarded from this port on the WAN network</td>
     </tr>
     </tr>
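Review bot: "Default: " "" shows a quoted space where the field is simply empty by default; "Default: empty" or omitting the default would be clearer, and the same notation recurs in every port and string field on this page. The External port description "Traffic will be forwarded from this port on the WAN network" would also benefit from stating that this is the port the router listens on, which is what distinguishes it from a source port.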
Line 144: Line 144:
     <tr>
     <tr>
     <td>Internal port</td>
     <td>Internal port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>The rule will redirect the traffic to this port on the internal machine</td>
         <td>The rule will redirect the traffic to this port on the internal machine</td>
     </tr>
     </tr>
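Review bot: the Internal port description does not say how a range given in External port maps when Internal port is a single value or a range of a different size; since the same "[0..65534] - [1..65535]" notation is offered for both fields, the text should state whether the two ranges must match in length and what happens when they do not.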
Line 167: Line 167:
     <tr>
     <tr>
       <td>Enable</td>
       <td>Enable</td>
       <td>yes {{!}} no; Default: '''no'''</td>
       <td>yes | no; Default: '''no'''</td>
       <td>Toggles a rule ON or OFF</td>
       <td>Toggles a rule ON or OFF</td>
     </tr>
     </tr>
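Review bot: "Toggles a rule ON or OFF" is shorter than the wording used for the same field in the rules overview table further down ("If unchecked, the rule will not be deleted, but it also will not be loaded into the firewall"); reusing that fuller sentence here would tell the reader that a disabled forward stays in the configuration and can be re-enabled later.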
Line 177: Line 177:
     <tr>
     <tr>
     <td>Protocol</td>
     <td>Protocol</td>
         <td>TCP+UDP {{!}} TCP {{!}} UDP {{!}} ICMP {{!}} -- custom --; Default: '''TCP+UDP'''</td>
         <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
         <td>Specifies to which protocols the rule should apply</td>
         <td>Specifies to which protocols the rule should apply</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Source zone</td>
     <td>Source zone</td>
         <td> <span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
         <td> <span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
         <td>The source zone from which data packets will redirected from</td>
         <td>The source zone from which data packets will redirected from</td>
     </tr>
     </tr>
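Review bot: the Default for Source zone is "wan: ppp" but it is wrapped in the grey #DDDDDD background that the same cell uses for "lan: lan", not the #D0E1EF used for wan earlier in the cell; the colour coding is the only visual cue for zone identity, so the default should carry the wan colour. The description "The source zone from which data packets will redirected from" is missing "be" and doubles "from"; it should read "The source zone from which data packets will be redirected".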
Line 197: Line 197:
     <tr>
     <tr>
     <td>Source port</td>
     <td>Source port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>Matches incoming traffic originating from the given source port or port range on the client host only</td>
         <td>Matches incoming traffic originating from the given source port or port range on the client host only</td>
     </tr>
     </tr>
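Review bot: the Source port description is accurate but should add that the source port is chosen by the remote client and is normally ephemeral, so a forward that matches on source port alone will rarely match as intended; the text should advise combining it with Source zone or a source address rather than relying on it as the only criterion.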
Line 207: Line 207:
     <tr>
     <tr>
       <td>External port</td>
       <td>External port</td>
       <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
       <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
       <td>Specifies the external port, i.e., the port from which the third party is connecting </td>
       <td>Specifies the external port, i.e., the port from which the third party is connecting </td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Internal zone</td>
       <td>Internal zone</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
       <td>Specifies the internal zone, i.e., the zone where the incoming connection will be redirected to</td>
       <td>Specifies the internal zone, i.e., the zone where the incoming connection will be redirected to</td>
     </tr>
     </tr>
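Review bot: the External port description "the port from which the third party is connecting" conflicts with the Source port row above it, which already covers the port the client originates from; in a port forward the external port is the port on the router's WAN address that the third party connects to, so this should read "the port on the router to which the third party connects". The Internal zone row is consistent, with "lan: lan" as the default in the matching colour.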
Line 222: Line 222:
     <tr>
     <tr>
     <td>Internal port</td>
     <td>Internal port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
         <td>Specifies the internal port, i.e., the port to which the incoming connection will be redirected to</td>
         <td>Specifies the internal port, i.e., the port to which the incoming connection will be redirected to</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Enable NAT loopback</td>
       <td>Enable NAT loopback</td>
       <td>yes {{!}} no; Default: '''no'''</td>
       <td>yes | no; Default: '''no'''</td>
       <td>NAT loopback enables your local network (i.e., behind your router/modem) to connect to a forward-facing IP address (such as 208.112.93.73) of a machine that it also on your local network</td>
       <td>NAT loopback enables your local network (i.e., behind your router/modem) to connect to a forward-facing IP address (such as 208.112.93.73) of a machine that it also on your local network</td>
     </tr>
     </tr>
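Review bot: "of a machine that it also on your local network" should read "that is also on your local network". The example address 208.112.93.73 is a routable public IP; documentation examples should use an address from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24) so that readers do not copy a real third party's address into a rule.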
Line 245: Line 245:




{| class="wikitable"
<table class="nd-othertables">
|+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
        <th style="width: 250px">FIELD NAME</th>
! style="width: 1450px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
      <th style="width: 1450px">DESCRIPTION</th>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Name
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Name of the rule, used purely for easier management purposes
      <td>Name</td>
|-
      <td>Name of the rule, used purely for easier management purposes</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Protocol
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Type of protocol of incoming packet
    <tr>
|-
      <td>Protocol</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Source
      <td>Type of protocol of incoming packet</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | The source zone from which data packets will redirected from
    </tr>
|-
    <tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Destination
    <td>Source</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Redirect matched traffic to the given IP address and destination port
        <td>The source zone from which data packets will redirected from</td>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Action
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Action to be performed with the packet if it matches the rule
    <td>Destination</td>
|-
        <td>Redirect matched traffic to the given IP address and destination port</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Enable
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles the rule ON or OFF. If unchecked, the rule will not be deleted, but it also will not be loaded into the firewall
    <tr>
|-
      <td>Action</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Sort
      <td>Action to be performed with the packet if it matches the rule</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | When a packet arrives, it gets checked for a matching rule. If there are several matching rules, only the first one is applied, i.e., the order of the rule list impacts how your firewall operates, therefore you are given the ability to sort your list however you deem fit
    </tr>
|-
    <tr>
|}
    <td>Enable</td>
        <td>Toggles the rule ON or OFF. If unchecked, the rule will not be deleted, but it also will not be loaded into the firewall</td>
    </tr>
    <tr>
    <td>Sort</td>
        <td>When a packet arrives, it gets checked for a matching rule. If there are several matching rules, only the first one is applied, i.e., the order of the rule list impacts how your firewall operates, therefore you are given the ability to sort your list however you deem fit</td>
    </tr>
</table>


===Traffic Rule Configuration===
===Traffic Rule Configuration===
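Review bot: the conversion of this overview table from wikitable markup to <table class="nd-othertables"> keeps the content intact, including the Sort row, which carries the important point that only the first matching rule is applied, so list order decides what the firewall does. Two wording issues survive the rewrite: the Source description "The source zone from which data packets will redirected from" is missing "be" and doubles "from", and the header cells keep "FIELD NAME"/"DESCRIPTION" in uppercase while the later tables in this change use lowercase "field name"/"value"/"description"; pick one convention.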
Line 281: Line 288:




{| class="wikitable"
<table class="nd-mantable">
|+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
      <th>value</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
      <th>description</th>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Enable
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
      <td>Enable</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Turns the rule ON or OFF
      <td>yes | no; Default: '''no'''</td>
|-
      <td>Turns the rule ON or OFF</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Name
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | string; Default: " "
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | The name of the rule. This is used for easier management purposes
      <td>Name</td>
|-
      <td>string; Default: " "</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Restrict to address family
      <td>The name of the rule. This is used for easier management purposes</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | IPv4 and IPv6 {{!}} IPv4 only {{!}} IPv6 only; Default: '''IPv4 and IPv6'''
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Name of the rule, used purely for easier management purposes
    <tr>
|-
    <td>Restrict to address family</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Protocol
        <td>IPv4 and IPv6 | IPv4 only | IPv6 only; Default: '''IPv4 and IPv6'''</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | TCP+UDP {{!}} TCP {{!}} UDP {{!}} ICMP {{!}} -- custom --; Default: '''TCP+UDP'''
        <td>Name of the rule, used purely for easier management purposes</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies to which protocols the rule should apply
    </tr>
|-
    <tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Source zone
    <td>Protocol</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | <span style="background:#9DB6BA"> gre: gre tunnel </span> <span style="background:#FD9589"> hotspot: </span> {{!}}  <span style="background:#CEF58F"> l2tp: l2tp </span> {{!}}  <span style="background:#9BEAC3"> pptp: pptp </span> {{!}}  <span style="background:#96EBE8"> vpn: openvpn </span> {{!}}  <span style="background:#D0E1EF"> wan: ppp </span>  {{!}}  <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''
        <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies the external zone, i.e., the zone from which the third party connection will come
        <td>Specifies to which protocols the rule should apply</td>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Source MAC address
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | mac; Default: " "
      <td>Source zone</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies the mac address of the external host, i.e., the rule will apply only to hosts that have the MAC addresses specified in this field <br>  
      <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  | <span style="background:#FD9589"> hotspot: </span>  |  <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  |  <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
|-
      <td>Specifies the external zone, i.e., the zone from which the third party connection will come</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Source IP address
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | ip; Default: " "
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies the IP address or range of IPs of the external host, i.e., the rule will apply only to hosts that have the IP addresses specified in this field
      <td>Source MAC address</td>
|-
      <td>mac; Default: " "</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Source port
      <td>Specifies the mac address of the external host, i.e., the rule will apply only to hosts that have the MAC addresses specified in this field <br> </td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies the port or range of ports that the external host host will using as their source, i.e., the rule will apply only to hosts that use source ports specified in this field
    <tr>
|-
    <td>Source IP address</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | External IP address
        <td>ip; Default: " "</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | ip {{!}} ip/netmask {{!}} ANY; Default: '''ANY'''
        <td>Specifies the IP address or range of IPs of the external host, i.e., the rule will apply only to hosts that have the IP addresses specified in this field</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies the external IP address or range of external IPs of the local host, i.e., the rule will apply only to the external IP addresses specified in this field
    </tr>
|-
    <tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | External port
    <td>Source port</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies the external port, i.e., the port from which the third party is connecting
        <td>Specifies the port or range of ports that the external host host will using as their source, i.e., the rule will apply only to hosts that use source ports specified in this field</td>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Destination zone
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | <span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}}  <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}}  <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}}  <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}}  <span style="background:#D0E1EF"> wan: ppp </span>  {{!}}  <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''
      <td>External IP address</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Match forwarded traffic to the given destination zone only
      <td>ip | ip/netmask | ANY; Default: '''ANY'''</td>
|-
      <td>Specifies the external IP address or range of external IPs of the local host, i.e., the rule will apply only to the external IP addresses specified in this field</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Destination address
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | ip; Default: " "
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" |  Match forwarded traffic to the given destination IP address or IP range only
      <td>External port</td>
|-
      <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Destination port
      <td>Specifies the external port, i.e., the port from which the third party is connecting</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Match forwarded traffic to the given destination port or port range only
    <tr>
|-
    <td>Destination zone</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Action
        <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  | <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  |  <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Drop {{!}} Accept {{!}} Reject {{!}} Don't track; Default: '''no'''
        <td>Match forwarded traffic to the given destination zone only</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Action to be taken on the packet if it matches the rule. You can also define additional options like limiting packet volume, and defining to which chain the rule belongs.
    </tr>
    <tr>
    <td>Destination address</td>
        <td>ip; Default: " "</td>
        <td>Match forwarded traffic to the given destination IP address or IP range only</td>
    </tr>
    <tr>
    <td>Destination port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
        <td>Match forwarded traffic to the given destination port or port range only</td>
    </tr>
    <tr>
      <td>Action</td>
      <td>Drop | Accept | Reject | Don't track; Default: '''no'''</td>
      <td>Action to be taken on the packet if it matches the rule. You can also define additional options like limiting packet volume, and defining to which chain the rule belongs.


'''Don't track''' - connections with the specified parameters will not be monitored by the Firewall, i.e., no other Firewall rules will be applied to the specified configuration  
'''Don't track''' - connections with the specified parameters will not be monitored by the Firewall, i.e., no other Firewall rules will be applied to the specified configuration </td>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Extra arguments
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | string; Default: " "
    <td>Extra arguments</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Adds extra options (specified in this field) to the rule
        <td>string; Default: " "</td>
|-
        <td>Adds extra options (specified in this field) to the rule</td>
|}
    </tr>
</table>


===Open Ports On Router===
===Open Ports On Router===
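Review bot: the "Restrict to address family" row reuses the Name row's description ("Name of the rule, used purely for easier management purposes"), a copy-paste error present in both versions; it should describe the "IPv4 and IPv6 | IPv4 only | IPv6 only" choice. The Action row lists "Drop | Accept | Reject | Don't track" but gives "Default: '''no'''", which is not one of those values; the actual default should be stated. Also "the external host host will using" should read "the external host will be using", and the External port description "the port from which the third party is connecting" duplicates what the Source port row already covers, where the external port is the port on the router being connected to. The Don't track explanation is worth keeping as it is, since it tells the reader that such connections bypass the remaining rules.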
Line 359: Line 381:




{| class="wikitable"
<table class="nd-mantable">
|+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
      <th>value</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
      <th>description</th>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | NAME
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | string; Default: " "
      <td>NAME</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | The name of the rule. This is used for easier management purposes. The NAME field auto-filled when port numbers are specified, unless the NAME was specified beforehand by the user
      <td>string; Default: " "</td>
|-
      <td>The name of the rule. This is used for easier management purposes. The NAME field auto-filled when port numbers are specified, unless the NAME was specified beforehand by the user</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | PROTOCOL
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | TCP+UDP {{!}} TCP {{!}} UDP {{!}} Other; Default: '''TCP+UDP'''
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies to which protocols the rule should apply  
      <td>PROTOCOL</td>
|-
      <td>TCP+UDP | TCP | UDP | Other; Default: '''TCP+UDP'''</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | EXTERNAL PORT
      <td>Specifies to which protocols the rule should apply </td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "  
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Specifies which port should be opened
    <tr>
|-
    <td>EXTERNAL PORT</td>
|}
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " " </td>
        <td>Specifies which port should be opened</td>
    </tr>
</table>


===New Forward Rule===

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Name</td>
        <td>string; Default: " "</td>
        <td>Name of the rule, used purely for easier management purposes</td>
    </tr>
    <tr>
        <td>Source</td>
        <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
        <td>Match incoming traffic from the selected address family only</td>
    </tr>
    <tr>
        <td>Destination</td>
        <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''WAN'''</td>
        <td>Forward incoming traffic to the selected address family only</td>
    </tr>
</table>


===Source NAT===

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Name</td>
        <td>string; Default: " "</td>
        <td>Name of the rule, used purely for easier management purposes</td>
    </tr>
    <tr>
        <td>Protocol</td>
        <td>TCP+UDP | TCP | UDP | Other...; Default: '''TCP+UDP'''</td>
        <td>Protocol of the packet that is being matched against traffic rules</td>
    </tr>
    <tr>
        <td>Source</td>
        <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
        <td>Match incoming traffic from the selected address family only</td>
    </tr>
    <tr>
        <td>Destination</td>
        <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
        <td>Forward incoming traffic to the selected address family only</td>
    </tr>
    <tr>
        <td>SNAT</td>
        <td>ip and port [0..65535]; Default: " "</td>
        <td>SNAT (Source Network Address Translation) rewrites the packet's source IP address and port</td>
    </tr>
    <tr>
        <td>Enable</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Toggles the rule ON or OFF</td>
    </tr>
</table>


==Custom Rules==

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Enable SYN flood protection</td>
        <td>yes | no; Default: '''yes'''</td>
        <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
        <td>SYN flood rate</td>
        <td>integer; Default: '''25'''</td>
        <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded</td>
    </tr>
    <tr>
        <td>SYN flood burst</td>
        <td>integer; Default: '''50'''</td>
        <td>Set burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate</td>
    </tr>
    <tr>
        <td>TCP SYN cookies</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Enable the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>
    </tr>
</table>


===Remote ICMP Requests===

[[Image:Network firewall ddos icmp.PNG]]

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Enable ICMP requests</td>
        <td>yes | no; Default: '''yes'''</td>
        <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
        <td>Enable ICMP limit</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Toggles the ICMP echo-request limit in the selected period ON or OFF</td>
    </tr>
    <tr>
        <td>Limit period</td>
        <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
        <td>Select the ICMP echo-request limit period</td>
    </tr>
    <tr>
        <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum number of ICMP echo-requests during the period</td>
    </tr>
    <tr>
        <td>Limit burst</td>
        <td>integer; Default: '''5'''</td>
        <td>Indicates the maximum burst before the above limit kicks in</td>
    </tr>
</table>


===SSH Attack Prevention===

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Enable SSH limit</td>
        <td>yes | no; Default: '''yes'''</td>
        <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
        <td>Limit period</td>
        <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
        <td>The period in which SSH connections are to be limited</td>
    </tr>
    <tr>
        <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum SSH connections during the set period</td>
    </tr>
    <tr>
        <td>Limit burst</td>
        <td>integer; Default: '''5'''</td>
        <td>Indicates the maximum burst before the above limit kicks in</td>
    </tr>
</table>


===HTTP Attack Prevention===

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Enable HTTP limit</td>
        <td>yes | no; Default: '''yes'''</td>
        <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
        <td>Limit period</td>
        <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
        <td>The period in which HTTP connections are to be limited</td>
    </tr>
    <tr>
        <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum HTTP connections during the set period</td>
    </tr>
    <tr>
        <td>Limit burst</td>
        <td>integer; Default: '''10'''</td>
        <td>Indicates the maximum burst before the above limit kicks in</td>
    </tr>
</table>


===HTTPS Attack Prevention===

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Enable HTTPS limit</td>
        <td>yes | no; Default: '''yes'''</td>
        <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
        <td>Limit period</td>
        <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
        <td>The period in which HTTPS connections are to be limited</td>
    </tr>
    <tr>
        <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum HTTPS connections during the set period</td>
    </tr>
    <tr>
        <td>Limit burst</td>
        <td>integer; Default: '''10'''</td>
        <td>Indicates the maximum burst before the above limit kicks in</td>
    </tr>
</table>
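The SYN flood rate/burst fields and the Limit period, Limit and Limit burst fields of the ICMP, SSH, HTTP and HTTPS tables above all describe the same kind of control: a rate with a burst allowance. The following added example (not code from the wiki or from RutOS) models that control as a token bucket, which is how the classic netfilter `limit` match behaves; that the router implements the fields this way is an assumption, and the packet traces are constructed.

```python
"""Token-bucket model of the 'Limit' / 'Limit burst' fields.

Added example, not from the Teltonika wiki or RutOS. Assumption: 'Limit period',
'Limit' and 'Limit burst' (and 'SYN flood rate' / 'SYN flood burst') behave like
the netfilter `limit` match: a bucket holding at most `burst` tokens, refilled at
`limit` tokens per period; a packet passes only if a token is available.
"""

PERIOD_SECONDS = {"Second": 1.0, "Minute": 60.0, "Hour": 3600.0, "Day": 86400.0}


class RateLimiter:
    """One bucket; 'now' is a monotonically increasing timestamp in seconds."""

    def __init__(self, limit, period="Second", burst=5):
        self.rate = limit / PERIOD_SECONDS[period]  # tokens added per second
        self.burst = float(burst)                   # bucket capacity
        self.tokens = float(burst)                  # bucket starts full
        self.last = None

    def allow(self, now):
        if self.last is not None:
            # refill in proportion to elapsed time, never above capacity
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # no token left: the limit rule drops this packet


def simulate(trace, limit, period="Second", burst=5):
    """Return one accept (True) / drop (False) decision per timestamp in trace."""
    rl = RateLimiter(limit, period, burst)
    return [rl.allow(t) for t in trace]


def icmp_burst_trace():
    # Constructed: 8 echo requests 1 ms apart, then one more a second later.
    # With the page defaults (Limit 10 per Second, burst 5) only the first 5
    # pass; after a second the bucket is full again and the late one passes.
    return [i / 1000.0 for i in range(8)] + [1.0]


def ssh_traces():
    # Constructed: 20 SSH attempts within one second ("hammer") versus one
    # attempt every 10 s for five minutes ("steady"), both judged against
    # Limit 10 per Minute with burst 5.
    hammer = [i * 0.05 for i in range(20)]
    steady = [i * 10.0 for i in range(30)]
    return hammer, steady


def syn_flood_trace():
    # Constructed: 100 SYNs arriving in the same instant, then one 4 s later,
    # judged against the page defaults SYN flood rate 25 / burst 50.
    return [0.0] * 100 + [4.0]


if __name__ == "__main__":
    print(simulate(icmp_burst_trace(), 10, "Second", 5))
    hammer, steady = ssh_traces()
    print(sum(simulate(hammer, 10, "Minute", 5)), "of 20 hammered SSH attempts pass")
    print(sum(simulate(steady, 10, "Minute", 5)), "of 30 steady SSH attempts pass")
    print(sum(simulate(syn_flood_trace(), 25, "Second", 50)), "of 101 SYNs pass")
```

The steady trace shows why a small burst value is safe for ordinary use: a client that stays under the rate never exhausts the bucket, while the hammer trace is cut off after exactly the burst allowance.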


==Port Scan Prevention==

<table class="nd-mantable">
    <tr>
        <th>field name</th>
        <th>value</th>
        <th>description</th>
    </tr>
    <tr>
        <td>Enable</td>
        <td>yes | no; Default: '''yes'''</td>
        <td>Toggles the function ON or OFF</td>
    </tr>
    <tr>
        <td>Interval</td>
        <td>integer [10..60]; Default: '''30'''</td>
        <td>Time interval in seconds in which port scans are counted</td>
    </tr>
    <tr>
        <td>Scan count</td>
        <td>integer [5..65534]; Default: '''10'''</td>
        <td>How many port scans are counted before the source is blocked</td>
    </tr>
</table>


===Defending Type===
===Defending Type===
Line 664: Line 719:




{| class="wikitable"
<table class="nd-mantable">
|+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
      <th>value</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
      <th>description</th>
|-
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | SYN-FIN attack
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
      <td>SYN-FIN attack</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles protection from SYN-FIN attacks ON or OFF
      <td>yes | no; Default: '''no'''</td>
|-
      <td>Toggles protection from SYN-FIN attacks ON or OFF</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | SYN-RST attack
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles protection from SYN-RST attacks ON or OFF
      <td>SYN-RST attack</td>
|-
      <td>yes | no; Default: '''no'''</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | X-Mas attack
      <td>Toggles protection from SYN-RST attacks ON or OFF</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
    </tr>
|}
</table>


Latest revision as of 10:46, 7 May 2020

Summary

RutOS uses the standard Linux iptables package as its firewall. iptables organises rules into chains (Input, Output, Forward), each with a default policy, and this is what gives control over inbound, outbound and forwarded traffic. This chapter is an overview of the Firewall section.

General Settings

The General Settings tab is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Drop invalid packets</td><td>yes | no; Default: '''no'''</td><td>A "Drop" action is performed on packets that connection tracking classifies as invalid, i.e., packets that belong to no known connection or do not fit the state of the connection they claim to belong to</td></tr>
<tr><td>Input</td><td>Reject | Drop | Accept; Default: '''Accept'''</td><td>Action* applied to packets that reach the end of the Input chain (traffic addressed to the router itself) without matching any rule</td></tr>
<tr><td>Output</td><td>Reject | Drop | Accept; Default: '''Accept'''</td><td>Action* applied to packets that reach the end of the Output chain (traffic originated by the router itself) without matching any rule</td></tr>
<tr><td>Forward</td><td>Reject | Drop | Accept; Default: '''Reject'''</td><td>Action* applied to packets that reach the end of the Forward chain (traffic routed between zones, e.g., LAN to WAN) without matching any rule</td></tr>
</table>

*When a packet goes through a firewall chain it is matched against the rules of that chain in order. If no rule matches the packet, the chain's default action (Drop, Reject or Accept) is applied.

Accept – the packet is allowed through and continues to the next stage of processing

Drop – the packet is discarded silently; the sender receives no notification and will usually wait for a timeout

Reject – the packet is discarded and, differently from Drop, an error is sent back to the source (an ICMP destination-unreachable message, or a TCP RST for TCP connections). Reject makes failures visible to legitimate clients immediately, but it also confirms to a scanner that a live, filtering host is present, which is why Drop is the usual choice for the WAN side

DMZ


By enabling DMZ for a specific internal host (e.g., your computer), you expose that host and its services to the router's WAN network (i.e., the Internet): unsolicited incoming WAN traffic that no more specific port forwarding rule claims is forwarded to that host. Use it only for a host that is hardened and monitored, and prefer individual port forwards where they are sufficient.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable</td><td>yes | no; Default: '''no'''</td><td>Toggles DMZ On or Off</td></tr>
<tr><td>DMZ host IP address</td><td>ip; Default: " "</td><td>Internal host to which the DMZ rule will be applied</td></tr>
</table>

Zone Forwarding


A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects. The Zone Forwarding section allows you to configure these forwardings.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Source zone</td><td>gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan</td><td>The source zone from which data packets will be forwarded</td></tr>
<tr><td>Destination zones</td><td>gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan</td><td>The destination zone(s) to which data packets will be forwarded</td></tr>
<tr><td>Default forwarding action</td><td>Reject | Drop | Accept</td><td>Action applied to packets forwarded between these zones when no traffic rule matches them</td></tr>
</table>

Port Forwarding

The Port Forwarding window is used to set up servers and services on local LAN machines. Below is an overview of Port Forwarding default rules.


New Port Forward Rule


If none of the default rules suit your purposes, you can create custom rules using the New Port Forward Rule tab.

<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Name</td><td>string; Default: " "</td><td>Name of the rule, used purely for easier management purposes</td></tr>
<tr><td>Protocol</td><td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td><td>Type of protocol of the incoming packet</td></tr>
<tr><td>External port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Traffic will be forwarded from this port on the WAN network</td></tr>
<tr><td>Internal IP address</td><td>ip; Default: " "</td><td>The IP address of the internal machine that hosts the service you want to access from the outside</td></tr>
<tr><td>Internal port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>The rule will redirect the traffic to this port on the internal machine</td></tr>
</table>

Once you have submitted the required information, click the Add button located in the New Port Forward Rule tab.

Port Forward Rule Configuration


To configure a Port Forward rule, click the Edit button located next to it. Below is a continuation of the previous New Port Forward Rule example, where we look at the configuration of the newly created rule.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable</td><td>yes | no; Default: '''no'''</td><td>Toggles the rule ON or OFF</td></tr>
<tr><td>Name</td><td>string; Default: " "</td><td>The name of the rule, used for easier management purposes</td></tr>
<tr><td>Protocol</td><td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td><td>Specifies to which protocols the rule should apply</td></tr>
<tr><td>Source zone</td><td>gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: '''wan: ppp'''</td><td>The source zone from which data packets will be forwarded</td></tr>
<tr><td>Source MAC address</td><td>mac; Default: " "</td><td>Matches incoming traffic from these MACs only</td></tr>
<tr><td>Source IP address</td><td>ip; Default: " "</td><td>Matches incoming traffic from this IP or range of IPs only</td></tr>
<tr><td>Source port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Matches incoming traffic originating from the given source port or port range on the client host only</td></tr>
<tr><td>External IP address</td><td>ip; Default: " "</td><td>Matches incoming traffic directed at the given IP address only</td></tr>
<tr><td>External port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Specifies the external port, i.e., the port on the router's WAN side that the third party connects to</td></tr>
<tr><td>Internal zone</td><td>gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: '''lan: lan'''</td><td>Specifies the internal zone, i.e., the zone to which the incoming connection will be redirected</td></tr>
<tr><td>Internal IP address</td><td>ip; Default: " "</td><td>Specifies the internal IP address to which the incoming connection will be redirected</td></tr>
<tr><td>Internal port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Specifies the internal port to which the incoming connection will be redirected</td></tr>
<tr><td>Enable NAT loopback</td><td>yes | no; Default: '''no'''</td><td>NAT loopback (hairpin NAT) lets hosts on your local network (i.e., behind your router/modem) reach a forwarded service through the router's public IP address (such as 208.112.93.73) even though the target machine is also on the local network; the router translates the source address as well, so that the reply returns through the router instead of going directly to the client</td></tr>
<tr><td>Extra arguments</td><td>string; Default: " "</td><td>Passes additional arguments to iptables verbatim. Use with care: a wrong argument can break the rule or match more traffic than intended</td></tr>
</table>

Traffic Rules

The Traffic Rules page contains a more generalized rule definition. With it you can block or open ports, alter how traffic is forwarded between LAN and WAN and many other things.



<table class="nd-mantable">
<tr><th>field name</th><th>description</th></tr>
<tr><td>Name</td><td>Name of the rule, used purely for easier management purposes</td></tr>
<tr><td>Protocol</td><td>Type of protocol of the incoming packet</td></tr>
<tr><td>Source</td><td>The source zone from which the data packets come</td></tr>
<tr><td>Destination</td><td>The destination zone (and, where set, the destination IP address and port) that matched traffic is headed to</td></tr>
<tr><td>Action</td><td>Action to be performed on the packet if it matches the rule</td></tr>
<tr><td>Enable</td><td>Toggles the rule ON or OFF. If unchecked, the rule is not deleted, but it is also not loaded into the firewall</td></tr>
<tr><td>Sort</td><td>When a packet arrives, it is checked against the rules in order. If several rules match, only the first one is applied, i.e., the order of the rule list determines how your firewall operates; you are therefore given the ability to sort the list as you see fit. Put specific allow rules before broad block rules, or they will never be reached</td></tr>
</table>
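The first-match behaviour described under Sort, together with the fallback to the zone forwarding default and finally to the Forward chain policy from the General Settings footnote, can be shown with a small, simplified model. The following Python is an added illustration and is not code from this page or from RutOS; the zone names, rule fields, addresses (documentation ranges) and the two-rule configuration are constructed for the example.

```python
"""Model of first-match firewall rule evaluation with zone and chain defaults.
Added illustration, not RutOS code. Zones, IPs and rules below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPT, DROP, REJECT = "Accept", "Drop", "Reject"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    src_ip: str


@dataclass
class Rule:
    name: str
    action: str
    src_zone: Optional[str] = None    # None means "match any"
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_ip: Optional[str] = None
    enabled: bool = True              # a disabled rule stays configured but is never loaded

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        wanted = (self.src_zone, self.dst_zone, self.proto, self.dst_port, self.src_ip)
        actual = (pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.dst_port, pkt.src_ip)
        return all(w is None or w == a for w, a in zip(wanted, actual))


def evaluate(rules: List[Rule], pkt: Packet, zone_defaults: Dict[Tuple[str, str], str],
             chain_policy: str) -> Tuple[str, str]:
    """Walk the rule list in order; the first enabled match decides.
    With no match, the source->destination zone forwarding default applies, and
    if no forwarding exists for that zone pair, the Forward chain policy does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, f"traffic rule '{rule.name}'"
    default = zone_defaults.get((pkt.src_zone, pkt.dst_zone))
    if default is not None:
        return default, f"zone forwarding {pkt.src_zone}->{pkt.dst_zone}"
    return chain_policy, "Forward chain policy"


# Constructed configuration: LAN may reach WAN; nothing else is forwarded unless a rule says so.
ZONE_DEFAULTS = {("lan", "wan"): ACCEPT}
FORWARD_POLICY = REJECT

# Constructed rules: one allow for a management address, one catch-all block for SSH from WAN.
ALLOW_MGMT = Rule("Allow-SSH-from-mgmt", ACCEPT, src_zone="wan", dst_zone="lan",
                  proto="tcp", dst_port=22, src_ip="203.0.113.10")
BLOCK_SSH = Rule("Block-SSH-from-WAN", DROP, src_zone="wan", dst_zone="lan",
                 proto="tcp", dst_port=22)


def ssh_from(src_ip: str) -> Packet:
    return Packet("wan", "lan", "tcp", 22, src_ip)


def demo() -> Dict[str, Tuple[str, str]]:
    """Same two rules in two orders: only allow-before-block admits the management host."""
    ordered = [ALLOW_MGMT, BLOCK_SSH]
    reversed_ = [BLOCK_SSH, ALLOW_MGMT]
    return {
        "allow_first": evaluate(ordered, ssh_from("203.0.113.10"), ZONE_DEFAULTS, FORWARD_POLICY),
        "block_first": evaluate(reversed_, ssh_from("203.0.113.10"), ZONE_DEFAULTS, FORWARD_POLICY),
        "other_host": evaluate(ordered, ssh_from("198.51.100.7"), ZONE_DEFAULTS, FORWARD_POLICY),
        "lan_to_wan": evaluate(ordered, Packet("lan", "wan", "tcp", 443, "192.168.1.20"),
                               ZONE_DEFAULTS, FORWARD_POLICY),
        "wan_to_vpn": evaluate(ordered, Packet("wan", "vpn", "udp", 53, "198.51.100.7"),
                               ZONE_DEFAULTS, FORWARD_POLICY),
    }


if __name__ == "__main__":
    for case, (action, why) in demo().items():
        print(f"{case:12s} -> {action:7s} ({why})")
```

The "block_first" case is the one that bites in practice: the more specific allow rule is correct on its own, yet it never runs because the broad Drop above it already matched. The model ignores rule options the router offers beyond these fields (MAC matching, rate limits, Don't track) and the zone-level policies of the real implementation.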

Traffic Rule Configuration


To customize a Traffic Rule, click the Edit button located next to it. This way you can fine tune a rule to near perfection, if you should desire that. The figure below is an example of the "Allow-DHCP-Relay" default rule editing. All rules are configured in an identical manner but with different settings.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable</td><td>yes | no; Default: '''no'''</td><td>Turns the rule ON or OFF</td></tr>
<tr><td>Name</td><td>string; Default: " "</td><td>The name of the rule, used for easier management purposes</td></tr>
<tr><td>Restrict to address family</td><td>IPv4 and IPv6 | IPv4 only | IPv6 only; Default: '''IPv4 and IPv6'''</td><td>Restricts the rule to IPv4 traffic, IPv6 traffic or both</td></tr>
<tr><td>Protocol</td><td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td><td>Specifies to which protocols the rule should apply</td></tr>
<tr><td>Source zone</td><td>gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: '''wan: ppp'''</td><td>Specifies the external zone, i.e., the zone from which the third party connection will come</td></tr>
<tr><td>Source MAC address</td><td>mac; Default: " "</td><td>Specifies the MAC address of the external host, i.e., the rule will apply only to hosts that have the MAC addresses specified in this field</td></tr>
<tr><td>Source IP address</td><td>ip; Default: " "</td><td>Specifies the IP address or range of IPs of the external host, i.e., the rule will apply only to hosts that have the IP addresses specified in this field</td></tr>
<tr><td>Source port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Specifies the port or range of ports that the external host will be using as its source, i.e., the rule will apply only to hosts that use the source ports specified in this field</td></tr>
<tr><td>External IP address</td><td>ip | ip/netmask | ANY; Default: '''ANY'''</td><td>Specifies the external IP address or range of external IPs on the local side, i.e., the rule will apply only to traffic directed at the addresses specified in this field</td></tr>
<tr><td>External port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Specifies the external port, i.e., the port to which the third party is connecting</td></tr>
<tr><td>Destination zone</td><td>gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: '''lan: lan'''</td><td>Match forwarded traffic to the given destination zone only</td></tr>
<tr><td>Destination address</td><td>ip; Default: " "</td><td>Match forwarded traffic to the given destination IP address or IP range only</td></tr>
<tr><td>Destination port</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Match forwarded traffic to the given destination port or port range only</td></tr>
<tr><td>Action</td><td>Drop | Accept | Reject | Don't track</td><td>Action to be taken on the packet if it matches the rule. Additional options, such as limiting packet volume and choosing the chain the rule belongs to, can also be set here. Don't track – connections with the specified parameters are excluded from connection tracking, so no other firewall rules are applied to them</td></tr>
<tr><td>Extra arguments</td><td>string; Default: " "</td><td>Adds extra iptables options (specified in this field) to the rule</td></tr>
</table>

Open Ports On Router


Open Ports On Router rules accept connections arriving from a given zone at the specified port on the router itself (the Input chain), for example to reach one of the router's own services. Unlike a port forward, nothing is redirected to a LAN host, so every port opened this way exposes a service running on the router.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>NAME</td><td>string; Default: " "</td><td>The name of the rule, used for easier management purposes. The NAME field is auto-filled when port numbers are specified, unless a NAME was entered beforehand by the user</td></tr>
<tr><td>PROTOCOL</td><td>TCP+UDP | TCP | UDP | Other; Default: '''TCP+UDP'''</td><td>Specifies to which protocols the rule should apply</td></tr>
<tr><td>EXTERNAL PORT</td><td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td><td>Specifies which port on the router should be opened</td></tr>
</table>

New Forward Rule


The New Forward Rule section lets you create custom zone forwarding rules.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Name</td><td>string; Default: " "</td><td>Name of the rule, used purely for easier management purposes</td></tr>
<tr><td>Source</td><td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td><td>Match incoming traffic from the selected source zone only</td></tr>
<tr><td>Destination</td><td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''WAN'''</td><td>Forward the matched traffic to the selected destination zone only</td></tr>
</table>

Source NAT


Source NAT is a specific form of masquerading which allows fine grained control over the source IP used for outgoing traffic, for example to map multiple WAN addresses to internal subnets.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Name</td><td>string; Default: " "</td><td>Name of the rule, used purely for easier management purposes</td></tr>
<tr><td>Protocol</td><td>TCP+UDP | TCP | UDP | Other...; Default: '''TCP+UDP'''</td><td>Protocol of the packets the rule applies to</td></tr>
<tr><td>Source</td><td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td><td>Match traffic coming from the selected source zone only</td></tr>
<tr><td>Destination</td><td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td><td>Match traffic going to the selected destination zone only</td></tr>
<tr><td>SNAT</td><td>ip and port [0..65535]; Default: " "</td><td>The source IP address (and optionally port) that matching packets are rewritten to on their way out (Source Network Address Translation)</td></tr>
<tr><td>Enable</td><td>yes | no; Default: '''no'''</td><td>Toggles the rule ON or OFF</td></tr>
</table>

Custom Rules

The Custom Rules page provides the most freedom in defining your own rules: you can enter them straight into the iptables program. Type a rule into the text field and it will get executed as a Linux shell script with root privileges, so a mistake can lock you out of the device or open it to the Internet; review the resulting rule set after applying it and keep a second management path available while testing. If you are unsure how to use iptables, consult an expert or the iptables documentation for manuals, examples and explanations.


DDOS Prevention

The DDOS Prevention page allows you to set up protections against various types of DDOS attacks. You will find information on all of these methods below.

SYN Flood Protection


SYN Flood Protection protects against attacks that exploit the first step of the normal TCP three-way handshake: the attacker sends TCP connection requests (SYN packets, often from spoofed source addresses) faster than the target can complete handshakes, so the target's table of half-open connections fills up and legitimate connection attempts are refused. The protection rate-limits incoming SYN packets; the fields below set the allowed rate and burst.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable SYN flood protection</td><td>yes | no; Default: '''yes'''</td><td>Toggles the protection ON or OFF</td></tr>
<tr><td>SYN flood rate</td><td>integer; Default: '''25'''</td><td>Steady-state limit (SYN packets per second) above which incoming SYN packets are treated as flooding and dropped</td></tr>
<tr><td>SYN flood burst</td><td>integer; Default: '''50'''</td><td>Number of SYN packets that may arrive at once before the rate limit applies. Rate and burst together behave as a token bucket: the bucket holds up to "burst" tokens, refills at "rate" tokens per second, and each SYN spends one</td></tr>
<tr><td>TCP SYN cookies</td><td>yes | no; Default: '''no'''</td><td>Enables SYN cookies: instead of keeping a half-open connection entry, the server encodes the connection state in its initial TCP sequence number and only creates the entry when the client's ACK returns a valid cookie, so a flood cannot exhaust the backlog</td></tr>
</table>

Remote ICMP Requests


Some attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.


<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable ICMP requests</td><td>yes | no; Default: '''yes'''</td><td>Toggles the rule ON or OFF</td></tr>
<tr><td>Enable ICMP limit</td><td>yes | no; Default: '''no'''</td><td>Toggles the ICMP echo-request limit for the selected period ON or OFF</td></tr>
<tr><td>Limit period</td><td>Second | Minute | Hour | Day; Default: '''Second'''</td><td>Period over which the ICMP echo-request limit is applied</td></tr>
<tr><td>Limit</td><td>integer; Default: '''10'''</td><td>Maximum number of ICMP echo requests accepted during the period</td></tr>
<tr><td>Limit burst</td><td>integer; Default: '''5'''</td><td>Maximum burst accepted before the above limit kicks in</td></tr>
</table>

SSH Attack Prevention


Limits the rate of new SSH connections to the router within a defined period. SSH allows a user to run commands on the device's shell without being physically near it, which also makes it a target for password-guessing (brute-force) attacks; the limit caps how many connection attempts a source can make per period.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable SSH limit</td><td>yes | no; Default: '''yes'''</td><td>Toggles the rule ON or OFF</td></tr>
<tr><td>Limit period</td><td>Second | Minute | Hour | Day; Default: '''Second'''</td><td>The period in which SSH connections are to be limited</td></tr>
<tr><td>Limit</td><td>integer; Default: '''10'''</td><td>Maximum number of new SSH connections during the set period</td></tr>
<tr><td>Limit burst</td><td>integer; Default: '''5'''</td><td>Maximum burst accepted before the above limit kicks in</td></tr>
</table>

HTTP Attack Prevention


The attack this limit targets is the slow HTTP (slow POST) attack. The attacker sends a complete, legitimate HTTP header that includes a 'Content-Length' field specifying the size of the message body to follow, then sends the body at an extremely slow rate (e.g., 1 byte per 100 seconds). Because the header is valid, the target server honours 'Content-Length' and keeps the connection open waiting for the rest of the body; enough such connections exhaust its connection pool and slow it down for everyone. The fields below cap the rate at which new HTTP connections to the router are accepted, which bounds how many such connections a burst can open; they do not shorten how long an already accepted connection may sit idle.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable HTTP limit</td><td>yes | no; Default: '''yes'''</td><td>Toggles the rule ON or OFF</td></tr>
<tr><td>Limit period</td><td>Second | Minute | Hour | Day; Default: '''Second'''</td><td>The period in which HTTP connections are to be limited</td></tr>
<tr><td>Limit</td><td>integer; Default: '''10'''</td><td>Maximum number of new HTTP connections during the set period</td></tr>
<tr><td>Limit burst</td><td>integer; Default: '''10'''</td><td>Maximum burst accepted before the above limit kicks in</td></tr>
</table>

HTTPS Attack Prevention


This section rate-limits new HTTPS connections (TCP port 443 by default) to the router, in the same way as the HTTP limit above.

Note that a connection rate limit does not protect against man-in-the-middle (MITM) attacks. In cryptography and computer security, a man-in-the-middle attack is one where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other; one example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them so that they believe they are talking directly over a private connection, when in fact the entire conversation is controlled by the attacker. The defence against MITM on HTTPS is TLS itself: clients must validate the server certificate, so the router's web interface should present a certificate that its administrators' browsers actually trust rather than one they are used to clicking through.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable HTTPS limit</td><td>yes | no; Default: '''yes'''</td><td>Toggles the rule ON or OFF</td></tr>
<tr><td>Limit period</td><td>Second | Minute | Hour | Day; Default: '''Second'''</td><td>The period in which HTTPS connections are to be limited</td></tr>
<tr><td>Limit</td><td>integer; Default: '''10'''</td><td>Maximum number of new HTTPS connections during the set period</td></tr>
<tr><td>Limit burst</td><td>integer; Default: '''10'''</td><td>Maximum burst accepted before the above limit kicks in</td></tr>
</table>
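All of the limits above (SYN flood rate/burst, and the ICMP, SSH, HTTP and HTTPS limit/period/burst fields) share one mechanism: a token bucket of size "burst" refilled at "limit" tokens per period, which is how the iptables limit match works. The following Python is an added illustration of that semantics, not code from this page or from RutOS; it assumes the router applies the fields this way, and the packet arrival timings are constructed so that the arithmetic stays exact.

```python
"""Token-bucket model of the rate/burst limits used by the SYN flood, ICMP, SSH,
HTTP and HTTPS protections (iptables 'limit' match semantics).
Added illustration, not RutOS code; arrival times below are constructed."""
from typing import List, Tuple

# Period names as offered by the "Limit period" field
PERIOD_SECONDS = {"Second": 1, "Minute": 60, "Hour": 3600, "Day": 86400}


class RateLimit:
    """A bucket holding at most `burst` tokens, refilled at `limit` tokens per period.
    Each packet spends one token: with a full bucket `burst` packets pass at once,
    after which arrivals are held to the steady rate. Timestamps are in seconds."""

    def __init__(self, limit: int, period: str, burst: int):
        if limit <= 0 or burst <= 0:
            raise ValueError("limit and burst must be positive")
        self.rate = limit / PERIOD_SECONDS[period]  # tokens per second
        self.burst = float(burst)
        self.tokens = float(burst)                  # a quiet link starts with a full bucket
        self.last = 0.0

    def allow(self, now: float) -> bool:
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limit: int, period: str, burst: int, arrivals: List[float]) -> Tuple[int, int]:
    """Return (accepted, dropped) for packets arriving at the given times."""
    bucket = RateLimit(limit, period, burst)
    accepted = sum(1 for t in arrivals if bucket.allow(t))
    return accepted, len(arrivals) - accepted


def syn_flood_example() -> Tuple[int, int]:
    """Page defaults (25/s, burst 50) against a constructed flood of 128 SYNs spread
    evenly over one second: the initial burst of 50 plus roughly one second of refill
    get through (74 in total), everything else is dropped."""
    arrivals = [i / 128 for i in range(128)]
    return simulate(25, "Second", 50, arrivals)


def ssh_limit_example() -> Tuple[int, int]:
    """Page defaults for SSH (10 per second, burst 5): 20 attempts spaced 0.5 s apart
    stay under the rate and all pass; 20 attempts within a tenth of a second only
    get the burst of 5 through. Returns (slow_accepted, fast_accepted)."""
    slow, _ = simulate(10, "Second", 5, [i * 0.5 for i in range(20)])
    fast, _ = simulate(10, "Second", 5, [i / 256 for i in range(20)])
    return slow, fast


if __name__ == "__main__":
    print("SYN flood (accepted, dropped):", syn_flood_example())
    print("SSH accepted (slow, fast):", ssh_limit_example())
```

Two things the model makes visible: a burst larger than the rate lets a short spike through untouched, and a patient attacker who stays just under the rate is never limited, so these fields bound the damage of a flood rather than stop brute forcing on their own.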

Port Scan Prevention

Port scan attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.

Port Scan


Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. It is a deterrent against noisy scans: a scanner that probes fewer ports per interval than the configured count stays under the threshold.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>Enable</td><td>yes | no; Default: '''yes'''</td><td>Toggles the function ON or OFF</td></tr>
<tr><td>Interval</td><td>integer [10..60]; Default: '''30'''</td><td>Length of the time window, in seconds, over which port probes from one source are counted</td></tr>
<tr><td>Scan count</td><td>integer [5..65534]; Default: '''10'''</td><td>Number of ports a source may probe within the interval before it is blocked</td></tr>
</table>

Defending Type


The Defending Type section provides the possibility for the user to enable protection against TCP probes that use illegal or unusual flag combinations: SYN-FIN, SYN-RST, X-Mas, FIN scan and NULLflags. Such packets never occur in a normal TCP session; scanners use them to fingerprint hosts and to slip past simple stateless filters, so they can be dropped outright.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>SYN-FIN attack</td><td>yes | no; Default: '''no'''</td><td>Toggles protection from SYN-FIN attacks ON or OFF (TCP packets with both SYN and FIN set, an invalid combination since a packet cannot open and close a connection at once)</td></tr>
<tr><td>SYN-RST attack</td><td>yes | no; Default: '''no'''</td><td>Toggles protection from SYN-RST attacks ON or OFF (TCP packets with both SYN and RST set)</td></tr>
<tr><td>X-Mas attack</td><td>yes | no; Default: '''no'''</td><td>Toggles protection from X-Mas attacks ON or OFF (TCP packets with FIN, PSH and URG set together, named for the "lit up" flag field)</td></tr>
<tr><td>FIN scan</td><td>yes | no; Default: '''no'''</td><td>Toggles protection from FIN scan attacks ON or OFF (TCP packets carrying only the FIN flag, which do not belong to any established connection)</td></tr>
<tr><td>NULLflags attack</td><td>yes | no; Default: '''no'''</td><td>Toggles protection from NULLflags attacks ON or OFF (TCP packets with no flags set at all)</td></tr>
</table>
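The two mechanisms of this page (the Port Scan interval/count threshold and the Defending Type flag checks) can be written out as detection logic. The following Python is an added illustration, not code from this page or from RutOS: the exact flag masks the router matches on and the way it counts probes are not stated on the page, so the classifier uses the standard scan definitions (SYN+FIN, SYN+RST, FIN+PSH+URG, FIN only, no flags) and the counter tracks distinct destination ports per source over a sliding window; the packet trace at the bottom is constructed using documentation address ranges.

```python
"""Detection logic behind the Port Scan and Defending Type settings: a per-packet check for
illegal TCP flag combinations and a per-source counter of probed ports over a time interval.
Added illustration, not RutOS code; the packet trace at the bottom is constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> Optional[str]:
    """Return the name of the illegal flag combination a packet carries, or None if the
    flags are plausible for a real session. Checks run from most to least specific."""
    if flags & SYN and flags & FIN:
        return "SYN-FIN"
    if flags & SYN and flags & RST:
        return "SYN-RST"
    if flags == 0:
        return "NULLflags"
    if flags & FIN and flags & PSH and flags & URG and not flags & (SYN | ACK | RST):
        return "X-Mas"
    if flags == FIN:
        return "FIN scan"
    return None


class PortScanDetector:
    """Track the distinct destination ports each source touches within `interval` seconds
    and block a source once it reaches `scan_count` ports (the page's Interval / Scan count).
    Value ranges follow the page: interval 10..60 s, scan count 5..65534."""

    def __init__(self, interval: int = 30, scan_count: int = 10):
        if not 10 <= interval <= 60 or not 5 <= scan_count <= 65534:
            raise ValueError("interval must be 10..60 s, scan count 5..65534")
        self.interval = interval
        self.scan_count = scan_count
        self.hits: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def observe(self, src: str, dst_port: int, now: float) -> bool:
        """Record one packet and return True if the source is blocked."""
        if src in self.blocked:
            return True
        window = self.hits[src]
        while window and now - window[0][0] > self.interval:   # expire old probes
            window.popleft()
        window.append((now, dst_port))
        if len({port for _, port in window}) >= self.scan_count:
            self.blocked.add(src)
            return True
        return False


def analyse(trace: List[Tuple[float, str, int, int]], interval: int = 30,
            scan_count: int = 10) -> Tuple[Dict[str, List[str]], Dict[str, float]]:
    """Run both checks over (time, src, dst_port, flags) records in time order. Returns the
    sources seen per illegal flag combination and the time at which each source was blocked."""
    detector = PortScanDetector(interval, scan_count)
    bad_flags: Dict[str, List[str]] = defaultdict(list)
    blocked_at: Dict[str, float] = {}
    for t, src, port, flags in sorted(trace):
        kind = classify_flags(flags)
        if kind:
            bad_flags[kind].append(src)
        if detector.observe(src, port, t) and src not in blocked_at:
            blocked_at[src] = t
    return dict(bad_flags), blocked_at


# Constructed trace: a noisy scanner, a slow scanner that stays under the threshold per
# interval, a host sending malformed probes, and a normal client completing a handshake.
TRACE: List[Tuple[float, str, int, int]] = (
    [(float(i), "198.51.100.7", 1 + i, SYN) for i in range(12)]
    + [(10.0 + i, "203.0.113.9", 100 + i, SYN) for i in range(8)]
    + [(60.0 + i, "203.0.113.9", 200 + i, SYN) for i in range(8)]
    + [(5.0, "203.0.113.5", 80, 0),
       (5.5, "203.0.113.5", 80, FIN | PSH | URG),
       (6.0, "203.0.113.5", 80, SYN | FIN)]
    + [(7.0, "192.0.2.10", 443, SYN),
       (7.1, "192.0.2.10", 443, ACK),
       (7.2, "192.0.2.10", 443, PSH | ACK)]
)

if __name__ == "__main__":
    flagged, blocked = analyse(TRACE)
    print("illegal flag combinations:", flagged)
    print("blocked sources (time):", blocked)
```

The slow scanner in the trace probes 8 ports, waits longer than the interval, and probes 8 more; it is never blocked, which is the limitation noted under Port Scan. The flag checks, by contrast, catch a single packet, which is why they are cheap to leave enabled.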

Helpers

The NAT Helpers section provides you the option to add firewall exceptions for some VoIP protocols, namely SIP and H.323. In other words, these functions provide a pass-through for VoIP communications between the router's LAN and WAN.

Technical explanation:

FTP, SIP and H.323 are harder for firewalls to handle because they violate layering: their application-layer (OSI layer 7) messages carry the IP addresses and port numbers (OSI layer 3/4 parameters) on which a follow-up connection, such as a media stream or a data channel, is about to be set up. NAT helpers are connection-tracking modules that parse these messages and create so-called expectations, which let the firewall accept (and, behind NAT, translate) those follow-up connections as RELATED without leaving the ports open permanently. For example, the FTP, GRE and PPTP helpers are enabled by default. Because a helper acts on addresses and ports it reads from client-controlled payload, enable only the helpers the VoIP deployment actually needs.



<table class="nd-mantable">
<tr><th>field name</th><th>value</th><th>description</th></tr>
<tr><td>H323</td><td>yes | no; Default: '''no'''</td><td>Toggles the H.323 connection-tracking (NAT) helper ON or OFF</td></tr>
<tr><td>SIP</td><td>yes | no; Default: '''no'''</td><td>Toggles the SIP connection-tracking (NAT) helper ON or OFF</td></tr>
</table>
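How a helper derives a layer-3/4 expectation from layer-7 payload is easiest to see with the FTP PORT command, the simplest of the helper protocols the technical explanation names; SIP and H.323 helpers do the same kind of parsing on far more complex messages. The following Python is an added illustration, not code from this page, from RutOS or from the kernel's conntrack helpers: it shows only the expectation side (the address rewriting a NAT helper also performs is left out), and the session, addresses and the extra sanity checks are constructed for the example.

```python
"""How a NAT helper turns application-layer payload into a layer-3/4 expectation.
Added illustration using the FTP PORT command; not RutOS or conntrack code, and the
payload rewriting a NAT helper also does is left out. Messages and addresses are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# "PORT h1,h2,h3,h4,p1,p2": the client tells the server where to connect for the data channel
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


@dataclass(frozen=True)
class Expectation:
    """A single RELATED connection the firewall will admit: server -> client data channel."""
    src_ip: str
    dst_ip: str
    dst_port: int


def expectation_from_port(payload: bytes, client_ip: str, server_ip: str,
                          strict: bool = True) -> Optional[Expectation]:
    """Parse one control-channel line; on a valid PORT command return the expected data
    connection. In strict mode the address embedded in the payload must be the client's own.
    Without that check a client can ask the firewall to admit a connection to any third
    host, which is why a helper must never trust the payload blindly."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:           # this example's own conservative choice: refuse privileged ports
        return None
    if strict and ip != client_ip:
        return None
    return Expectation(src_ip=server_ip, dst_ip=ip, dst_port=port)


def forward_decision(expectations: Set[Expectation], src_ip: str, dst_ip: str, dst_port: int,
                     forward_policy: str = "Reject") -> str:
    """Fate of a new inbound connection: an expected one is RELATED and accepted, anything
    else falls back to the Forward chain policy (Reject by default on this page)."""
    if Expectation(src_ip, dst_ip, dst_port) in expectations:
        return "Accept (RELATED)"
    return f"{forward_policy} (no expectation)"


def demo() -> Dict[str, str]:
    """One FTP session from a LAN client to a WAN server, then inbound SYNs for the data channel."""
    client, server = "192.168.1.20", "203.0.113.50"
    expectations: Set[Expectation] = set()
    control_lines = (b"USER anonymous\r\n",
                     b"PORT 192,168,1,20,4,210\r\n",    # legitimate: client's own address
                     b"PORT 192,168,1,99,4,210\r\n")    # abuse attempt: points at another host
    for line in control_lines:
        exp = expectation_from_port(line, client, server)
        if exp:
            expectations.add(exp)
    return {
        "data channel to the client": forward_decision(expectations, server, client, 1234),
        "data channel to a third host": forward_decision(expectations, server, "192.168.1.99", 1234),
        "unrelated SYN to the client": forward_decision(expectations, "198.51.100.7", client, 1234),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run with strict=False the third-host line would also produce an expectation, and the firewall would admit a connection from the server to 192.168.1.99:1234 that no one on that host asked for; that is the shape of risk behind enabling a helper only for the protocol you actually pass through the router.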

[[Category:{{{name}}} Network section]]