Jump to content
  • EN

RUT900 Firewall: Difference between revisions

From Teltonika Networks Wiki
← Older editNewer edit →
VisualWikitext
No edit summary
Replaced content with "{{Template: Networking_rutos_manual_firewall <!------------------------DEVICE-----------------------> | name = RUT900 | series = RUT9 <!----------------------SEPARATOR..."
Tag: Replaced
Line 1: Line 1:
{{Template: Networking_rutxxx_manual_fw_disclosure
{{Template: Networking_rutos_manual_firewall
| fw_version = RUT9XX_R_00.06.08.2
<!------------------------DEVICE----------------------->
| name    = RUT900
| series  = RUT9
<!----------------------SEPARATORS--------------------->
| mobile  = 1
| dualsim = 1
| wifi    = 1
| wired  = 1
}}
}}
==Summary==
{{Template: webui_network_firewall_summary}}
==General Settings==
{{Template: webui_network_firewall_general_settings}}
[[Image:Network firewall general general.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Drop invalid packets</td>
      <td>yes | no; Default: '''no'''</td>
      <td>A “Drop” action is performed on a packet that is determined to be invalid</td>
    </tr>
    <tr>
      <td>Input</td>
      <td>Reject | Drop | Accept; Default: '''Accept'''</td>
      <td>Action<span class="asterisk">*</span> that is to be performed for packets that pass through the Input chain</td>
    </tr>
    <tr>
    <td>Output</td>
        <td>Reject | Drop | Accept; Default: '''Accept'''</td>
        <td>Action<span class="asterisk">*</span> that is to be performed for packets that pass through the Output chain</td>
    </tr>
    <tr>
    <td>Forward</td>
        <td>Reject | Drop | Accept; Default: '''Reject'''</td>
        <td>Action<span class="asterisk">*</span> that is to be performed for packets that pass through the Forward chain</td>
    </tr>
</table>
<span class="asterisk">*</span>When a packet goes through a firewall chain it is matched against all the rules of that specific chain. If no rule matches said packet, an according Action (Drop, Reject or Accept) is performed
*<b>Accept</b> – packet gets to continue down to the next chain
*<b>Drop</b> – packet is stopped and deleted
*<b>Reject</b> – packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source of the dropped packet
===DMZ===
----
By enabling '''DMZ''' for a specific internal host (e.g., your computer), you will expose that host and its services to the router’s WAN network (i.e. – the Internet).
[[Image:Network firewall general dmz.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Source zone</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles DMZ On or Off</td>
    </tr>
    <tr>
      <td>DMZ host IP address</td>
      <td>ip; Default: " "</td>
      <td>Internal host to which the DMZ rule will be applied </td>
    </tr>
</table>
===Zone Forwarding===
----
A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects. The '''Zone Forwarding''' section allows you to configure these forwardings.
[[Image:Network firewall general zone.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Source zone</td>
      <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  |  <span style="background:#CEF58F"> l2tp: l2tp </span>  |  <span style="background:#9BEAC3"> pptp: pptp </span>  |  <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  |  <span style="background:#DDDDDD"> lan: lan </span></td>
      <td>The source zone from which data packets will redirected from</td>
    </tr>
    <tr>
      <td>Destination zones</td>
      <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  |  <span style="background:#CEF58F"> l2tp: l2tp </span>  |  <span style="background:#9BEAC3"> pptp: pptp </span>  |  <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  |  <span style="background:#DDDDDD"> lan: lan </span></td>
      <td>The destination zone to which data packets will be redirected to</td>
    </tr>
    <tr>
    <td>Default forwarding action</td>
        <td>Reject | Drop | Accept</td>
        <td>Action to be performed with the redirected packets</td>
    </tr>
</table>
==Port Forwarding==
The '''Port Forwarding''' window is used to set up servers and services on local LAN machines. Below is an overview of Port Forwarding default rules.
[[Image:Network firewall port forwarding.PNG]]
===New Port Forward Rule===
----
If none of the default rules suit your purposes, you can create custom rules using the '''New Port Forward Rule''' tab.
[[Image:Network firewall port forwarding new.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Name</td>
      <td>string; Default: " "</td>
      <td>Name of the rule, used purely for easier management purposes</td>
    </tr>
    <tr>
      <td>Protocol</td>
      <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
      <td>Type of protocol of incoming packet</td>
    </tr>
    <tr>
    <td>External port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
        <td>Traffic will be forwarded from this port on the WAN network</td>
    </tr>
    <tr>
    <td>Internal IP address</td>
        <td>ip; Default: " "</td>
        <td>The IP address of the internal machine that hosts some service that you want to access from the outside</td>
    </tr>
    <tr>
    <td>Internal port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
        <td>The rule will redirect the traffic to this port on the internal machine</td>
    </tr>
</table>
Once you have submitted the required information, click the '''Add''' button located in the New Port Forward Rule tab.
====Port Forward Rule Configuration====
----
To configure a Port Forward rule, click the '''Edit''' button located next to it. Below is a continuation of the previous New Port Forward Rule example, where we look at the configuration of the newly created rule.
[[Image:Network firewall port forwarding new configuration.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles a rule ON or OFF</td>
    </tr>
    <tr>
      <td>Name</td>
      <td>string; Default: " "</td>
      <td>The name of the rule. This is used for easier management purposes</td>
    </tr>
    <tr>
    <td>Protocol</td>
        <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
        <td>Specifies to which protocols the rule should apply</td>
    </tr>
    <tr>
    <td>Source zone</td>
        <td> <span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  |  <span style="background:#CEF58F"> l2tp: l2tp </span>  |  <span style="background:#9BEAC3"> pptp: pptp </span>  |  <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  |  <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
        <td>The source zone from which data packets will redirected from</td>
    </tr>
    <tr>
      <td>Source MAC address</td>
      <td>mac; Default: " "</td>
      <td>Matches incoming traffic from these MACs only</td>
    </tr>
    <tr>
      <td>Source IP address</td>
      <td>ip; Default: " "</td>
      <td>Matches incoming traffic from this IP or range of IPs only</td>
    </tr>
    <tr>
    <td>Source port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
        <td>Matches incoming traffic originating from the given source port or port range on the client host only</td>
    </tr>
    <tr>
    <td>External IP address</td>
        <td>ip; Default: " "</td>
        <td>Matches incoming traffic directed at the given IP address only</td>
    </tr>
    <tr>
      <td>External port</td>
      <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
      <td>Specifies the external port, i.e., the port from which the third party is connecting </td>
    </tr>
    <tr>
      <td>Internal zone</td>
      <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  |  <span style="background:#CEF58F"> l2tp: l2tp </span>  |  <span style="background:#9BEAC3"> pptp: pptp </span>  |  <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  |  <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
      <td>Specifies the internal zone, i.e., the zone where the incoming connection will be redirected to</td>
    </tr>
    <tr>
    <td>Internal IP address</td>
        <td>ip; Default: " "</td>
        <td>Specifies the internal IP address, i.e., the IP address to which the incoming connection will be redirected to</td>
    </tr>
    <tr>
    <td>Internal port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
        <td>Specifies the internal port, i.e., the port to which the incoming connection will be redirected to</td>
    </tr>
    <tr>
      <td>Enable NAT loopback</td>
      <td>yes | no; Default: '''no'''</td>
      <td>NAT loopback enables your local network (i.e., behind your router/modem) to connect to a forward-facing IP address (such as 208.112.93.73) of a machine that it also on your local network</td>
    </tr>
    <tr>
      <td>Extra arguments</td>
      <td>string; Default: " "</td>
      <td>Passes additional arguments to iptables. '''Use with care!'''</td>
    </tr>
</table>
==Traffic Rules==
The '''Traffic Rules''' page contains a more generalized rule definition. With it you can block or open ports, alter how traffic is forwarded between LAN and WAN and many other things.
[[Image:Network firewall trafic rules.PNG]]
<table class="nd-othertables">
    <tr>
        <th style="width: 250px">FIELD NAME</th>
      <th style="width: 1450px">DESCRIPTION</th>
    </tr>
    <tr>
      <td>Name</td>
      <td>Name of the rule, used purely for easier management purposes</td>
    </tr>
    <tr>
      <td>Protocol</td>
      <td>Type of protocol of incoming packet</td>
    </tr>
    <tr>
    <td>Source</td>
        <td>The source zone from which data packets will redirected from</td>
    </tr>
    <tr>
    <td>Destination</td>
        <td>Redirect matched traffic to the given IP address and destination port</td>
    </tr>
    <tr>
      <td>Action</td>
      <td>Action to be performed with the packet if it matches the rule</td>
    </tr>
    <tr>
    <td>Enable</td>
        <td>Toggles the rule ON or OFF. If unchecked, the rule will not be deleted, but it also will not be loaded into the firewall</td>
    </tr>
    <tr>
    <td>Sort</td>
        <td>When a packet arrives, it gets checked for a matching rule. If there are several matching rules, only the first one is applied, i.e., the order of the rule list impacts how your firewall operates, therefore you are given the ability to sort your list however you deem fit</td>
    </tr>
</table>
===Traffic Rule Configuration===
----
To customize a Traffic Rule, click the '''Edit''' button located next to it. This way you can fine tune a rule to near perfection, if you should desire that. The figure below is an example of the "Allow-DHCP-Relay" default rule editing. All rules are configured in an identical manner but with different settings.
[[Image:Network firewall trafic rules edit.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Turns the rule ON or OFF</td>
    </tr>
    <tr>
      <td>Name</td>
      <td>string; Default: " "</td>
      <td>The name of the rule. This is used for easier management purposes</td>
    </tr>
    <tr>
    <td>Restrict to address family</td>
        <td>IPv4 and IPv6 | IPv4 only | IPv6 only; Default: '''IPv4 and IPv6'''</td>
        <td>Name of the rule, used purely for easier management purposes</td>
    </tr>
    <tr>
    <td>Protocol</td>
        <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
        <td>Specifies to which protocols the rule should apply</td>
    </tr>
    <tr>
      <td>Source zone</td>
      <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  |  <span style="background:#CEF58F"> l2tp: l2tp </span>  |  <span style="background:#9BEAC3"> pptp: pptp </span>  |  <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  |  <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
      <td>Specifies the external zone, i.e., the zone from which the third party connection will come</td>
    </tr>
    <tr>
      <td>Source MAC address</td>
      <td>mac; Default: " "</td>
      <td>Specifies the mac address of the external host, i.e., the rule will apply only to hosts that have the MAC addresses specified in this field <br> </td>
    </tr>
    <tr>
    <td>Source IP address</td>
        <td>ip; Default: " "</td>
        <td>Specifies the IP address or range of IPs of the external host, i.e., the rule will apply only to hosts that have the IP addresses specified in this field</td>
    </tr>
    <tr>
    <td>Source port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
        <td>Specifies the port or range of ports that the external host host will using as their source, i.e., the rule will apply only to hosts that use source ports specified in this field</td>
    </tr>
    <tr>
      <td>External IP address</td>
      <td>ip | ip/netmask | ANY; Default: '''ANY'''</td>
      <td>Specifies the external IP address or range of external IPs of the local host, i.e., the rule will apply only to the external IP addresses specified in this field</td>
    </tr>
    <tr>
      <td>External port</td>
      <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
      <td>Specifies the external port, i.e., the port from which the third party is connecting</td>
    </tr>
    <tr>
    <td>Destination zone</td>
        <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  |  <span style="background:#CEF58F"> l2tp: l2tp </span>  |  <span style="background:#9BEAC3"> pptp: pptp </span>  |  <span style="background:#96EBE8"> vpn: openvpn </span>  |  <span style="background:#D0E1EF"> wan: ppp </span>  |  <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
        <td>Match forwarded traffic to the given destination zone only</td>
    </tr>
    <tr>
    <td>Destination address</td>
        <td>ip; Default: " "</td>
        <td>Match forwarded traffic to the given destination IP address or IP range only</td>
    </tr>
    <tr>
    <td>Destination port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
        <td>Match forwarded traffic to the given destination port or port range only</td>
    </tr>
    <tr>
      <td>Action</td>
      <td>Drop | Accept | Reject | Don't track; Default: '''no'''</td>
      <td>Action to be taken on the packet if it matches the rule. You can also define additional options like limiting packet volume, and defining to which chain the rule belongs.<br>
'''Don't track''' - connections with the specified parameters will not be monitored by the Firewall, i.e., no other Firewall rules will be applied to the specified configuration </td>
    </tr>
    <tr>
    <td>Extra arguments</td>
        <td>string; Default: " "</td>
        <td>Adds extra options (specified in this field) to the rule</td>
    </tr>
</table>
===Open Ports On Router===
----
'''Open Ports On Router''' rules can open certain ports and redirect hosts connecting to the router from specified zones to specified ports.
[[Image:Network firewall trafic rules open.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>NAME</td>
      <td>string; Default: " "</td>
      <td>The name of the rule. This is used for easier management purposes. The NAME field auto-filled when port numbers are specified, unless the NAME was specified beforehand by the user</td>
    </tr>
    <tr>
      <td>PROTOCOL</td>
      <td>TCP+UDP | TCP | UDP | Other; Default: '''TCP+UDP'''</td>
      <td>Specifies to which protocols the rule should apply </td>
    </tr>
    <tr>
    <td>EXTERNAL PORT</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " " </td>
        <td>Specifies which port should be opened</td>
    </tr>
</table>
===New Forward Rule===
----
'''New Forward Rules''' lets you create custom zone forwarding rules
[[Image:Network firewall trafic rules new.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Name</td>
      <td>string; Default: " "</td>
      <td>Name of the rule, used purely for easier management purposes</td>
    </tr>
    <tr>
      <td>Source</td>
      <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
      <td>Match incoming traffic from selected address family only</td>
    </tr>
    <tr>
    <td>Destination</td>
        <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''WAN'''</td>
        <td>Forward incoming traffic to selected address family only</td>
    </tr>
</table>
===Source NAT===
----
'''Source NAT''' is a specific form of masquerading which allows fine grained control over the source IP used for outgoing traffic, for example to map multiple WAN addresses to internal subnets.
[[Image:Network firewall trafic rules snat.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Name</td>
      <td>string; Default: " "</td>
      <td>Name of the rule, used purely for easier management purposes</td>
    </tr>
    <tr>
      <td>Protocol</td>
      <td>TCP+UDP | TCP | UDP | Other...; Default: '''TCP+UDP'''</td>
      <td>Protocol of the packet that is being matched against traffic rules</td>
    </tr>
    <tr>
    <td>Source</td>
        <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
        <td>Match incoming traffic from selected address family only</td>
    </tr>
    <tr>
    <td>Destination</td>
        <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
        <td>Forward incoming traffic to selected address family only</td>
    </tr>
    <tr>
    <td>SNAT</td>
        <td>ip and port [0..65535]; Default: " "</td>
        <td>SNAT (Source Network Address Translation) rewrites packet's source IP address and port</td>
    </tr>
    <tr>
    <td>Enable</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Toggles the rule ON or OFF</td>
    </tr>
</table>
==Custom Rules==
The Custom Rules page provides ultimate freedom in defining your own rules – you can enter them straight into the '''iptables''' program. Just type a rule into the text field ant it will get executed as a Linux shell script. If you are unsure of how to use iptables, we advise that you consult with an expert or check the Internet for manuals, examples and explanations.
[[Image:Network firewall custom rules.PNG]]
==DDOS Prevention==
The '''DDOS Prevention''' page allows you to set up protections from various types of DDOS attacks. You will find information on all of these methods bellow.
===SYN Flood Protection===
----
'''SYN Flood Protection''' allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
[[Image:Network firewall ddos syn.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable SYN flood protection</td>
      <td>yes | no; Default: '''yes'''</td>
      <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
      <td>SYN flood rate</td>
      <td>integer; Default: '''25'''</td>
      <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded</td>
    </tr>
    <tr>
    <td>SYN flood burst</td>
        <td>integer; Default: '''50'''</td>
        <td>Set burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate</td>
    </tr>
    <tr>
    <td>TCP SYN cookies</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Enable the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>
    </tr>
</table>
===Remote ICMP Requests===
----
Some attackers use '''ICMP echo''' request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.
[[Image:Network firewall ddos icmp.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable ICMP requests</td>
      <td>yes | no; Default: '''yes'''</td>
      <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
      <td>Enable ICMP limit</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles ICMP echo-request limit in selected period ON or OFF</td>
    </tr>
    <tr>
    <td>Limit period</td>
        <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
        <td>Select ICMP echo-request period limit</td>
    </tr>
    <tr>
    <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum ICMP echo-request number during the period</td>
    </tr>
    <tr>
    <td>Limit burst</td>
        <td>integer; Default: '''5'''</td>
        <td>Indicate the maximum burst before the above limit kicks in</td>
    </tr>
</table>
===SSH Attack Prevention===
----
Prevent SSH (allows a user to run commands on a machine's command prompt without them being physically present near the machine) attacks by limiting connections in a defined period.
[[Image:Network firewall ddos ssh.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable SSH limit</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
      <td>Limit period</td>
      <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
      <td>The period in which SSH connections are to be limited</td>
    </tr>
    <tr>
    <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum SSH connections during the set period</td>
    </tr>
    <tr>
    <td>Limit burst</td>
        <td>integer; Default: '''5'''</td>
        <td>Indicate the maximum burst before the above limit kicks in</td>
    </tr>
</table>
===HTTP Attack Prevention===
----
An HTTP attack sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
[[Image:Network firewall ddos hhtp.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable HTTP limit</td>
      <td>yes | no; Default: '''yes'''</td>
      <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
      <td>Limit period</td>
      <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
      <td>The period in which HTTP connections are to be limited</td>
    </tr>
    <tr>
    <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum HTTP connections during the set period</td>
    </tr>
    <tr>
    <td>Limit burst</td>
        <td>integer; Default: '''10'''</td>
        <td>Indicate the maximum burst before the above limit kicks in</td>
    </tr>
</table>
===HTTPS Attack Prevention===
----
This section allows you to enable protection against '''HTTPS''' attacks, also known as '''man-in-the-middle attacks''' ('''MITM''').
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
[[Image:Network firewall ddos hhtps.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable HTTPS limit</td>
      <td>yes | no; Default: '''yes'''</td>
      <td>Toggles the rule ON or OFF</td>
    </tr>
    <tr>
      <td>Limit period</td>
      <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
      <td>The period in which HTTPS connections are to be limited</td>
    </tr>
    <tr>
    <td>Limit</td>
        <td>integer; Default: '''10'''</td>
        <td>Maximum HTTPS connections during the set period</td>
    </tr>
    <tr>
    <td>Limit burst</td>
        <td>integer; Default: '''10'''</td>
        <td>Indicate the maximum burst before the above limit kicks in</td>
    </tr>
</table>
==Port Scan Prevention==
Port scan attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.
===Port Scan===
----
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software.
[[Image:Network firewall port scan.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>Enable</td>
      <td>yes | no; Default: '''yes'''</td>
      <td>Toggles the function ON or OFF</td>
    </tr>
    <tr>
      <td>Interval</td>
      <td>integer [10..60]; Default: '''30'''</td>
      <td>Time interval in seconds in which port scans are counted</td>
    </tr>
    <tr>
    <td>Scan count</td>
        <td>integer [5..65534]; Default: '''10'''</td>
        <td>How many port scans before blocked</td>
    </tr>
</table>
===Defending Type===
----
The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include '''SYN-FIN''', '''SYN-RST''', '''X-Mas''', '''FIN scan''' and '''NULLflags''' attacks.
[[Image:Network firewall port scan def.PNG]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>SYN-FIN attack</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles protection from SYN-FIN attacks ON or OFF</td>
    </tr>
    <tr>
      <td>SYN-RST attack</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles protection from SYN-RST attacks ON or OFF</td>
    </tr>
    <tr>
    <td>X-Mas attack</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Toggles protection from X-Mas attacks ON or OFF</td>
    </tr>
    <tr>
    <td>FIN scan</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Toggles protection from FIN scan attacks ON or OFF</td>
    </tr>
    <tr>
    <td>NULLflags attack</td>
        <td>yes | no; Default: '''no'''</td>
        <td>Toggles protection from NULLflags attacks ON or OFF</td>
    </tr>
</table>
==Helpers==
The '''NAT Helpers''' section provides you the option to add firewall exceptions for some VoIP protocols, namely SIP and H.323. In other words, these functions provide a pass-through for VoIP communications between the router's LAN and WAN.
'''Technical explanation:'''
FTP, SIP and H.323 protocols are harder to filter by firewalls since they violate layering by introducing OSI layer 3/4 parameters in the OSI layer 7.
NAT helpers are modules that are able to assist the firewall in tracking these protocols. These helpers create the so-called expectations that can be used to open necessary ports for RELATED connections. For example: FTP, GRE and PPTP helpers are enabled by default.
[[File:Network firewall helpers.png]]
<table class="nd-mantable">
    <tr>
        <th>field name</th>
      <th>value</th>
      <th>description</th>
    </tr>
    <tr>
      <td>H323</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles H323 filtering ON or OFF</td>
    </tr>
    <tr>
      <td>SIP</td>
      <td>yes | no; Default: '''no'''</td>
      <td>Toggles SIP filtering ON or OFF</td>
    </tr>
</table>
[[Category:RUT900 Network section]]

Revision as of 12:14, 19 July 2021

Main Page > EOL Products > RUT900 > RUT900 Manual > RUT900 WebUI > RUT900 Network section > RUT900 Firewall

The information in this page is updated in accordance with firmware version .
Note: click here for the old style WebUI (FW version RUT9XX_R_00.06.09.5 and earlier) user manual page.

Summary

RUT900 devices use a standard Linux iptables package as its firewall, which uses routing chains and policies to facilitate control over inbound and outbound traffic.

This chapter of the user manual provides an overview of the Firewall page for RUT900 devices.

General Settings

The General Settings section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:

Field Value Description
Drop invalid packets off | on; default: off If enabled, a "Drop" action will be performed on packets that are determined to be invalid.
Automatic helper assignment off | on; default: on Automatically assigns conntrack helpers based on traffic protocol and port. If turned off, conntrack helpers can be selected for each zone.
Input Reject | Drop | Accept; default: Reject Default action* of the INPUT chain if a packet does not match any existing rule on that chain.
Output Reject | Drop | Accept; default: Accept Default action* of the OUTPUT chain if a packet does not match any existing rule on that chain.
Forward Reject | Drop | Accept; default: Reject Default action* of the FORWARD chain if a packet does not match any existing rule on that chain.

* When a packet goes through a firewall chain it is matched against all the rules of that specific chain. If no rule matches said packet, an according Action (Drop, Reject or Accept) is performed:

  • Accept – packet gets to continue to the next chain.
  • Drop – packet is stopped and deleted.
  • Reject – packet is stopped, deleted and, differently from Drop, a message of rejection is sent to the source from which the packet came.

Routing/NAT Offloading

The Routing/NAT Offloading is used to turn software flow offloading on or off.

The device checks whether the flow (sequence of related packets) is received and packed. Packets of unknown flow are forwarded to the networking stack. Meanwhile, if the flow is known, NAT is applied (if matched) and the packet is forwarded to the correct destination port (fast path) to bypass certain layers or packet processing process. As a result, we have a higher throughput and reduced the CPU load. This process is called software flow offloading.

Field Value Description
Software flow offloading off | on; default: on Software based offloading for routing/NAT.
IPsec software flow offload off | on; default: off Software based offloading for IPsec.

Zones

The Zones section is used to manage default traffic forwarding policies between different device zones. The figure below is an example of the Zones section and the table below provides information on the fields contained in that section:

You can change a zone's settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the edit button next to a zone.

Zones: General Settings

Field Value Description
Name string; default: none A custom name for the zone. Used for easier management purposes.
Input Accept | Drop | Reject; default: Accept Default policy for traffic entering the zone.
    Possible variants:
  • ACCEPT: packet gets to continue to the next chain.
  • DROP: packet is stopped and deleted.
  • REJECT: packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.
Output Accept | Drop | Reject; default: Accept Default policy for traffic originating from and leaving the zone.
    Possible variants:
  • ACCEPT: packet gets to continue to the next chain.
  • DROP: packet is stopped and deleted.
  • REJECT: packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.
Forwarding inside zone Accept | Drop | Reject; default: Accept Default policy for traffic forwarded between the networks belonging to the zone.
    Possible variants:
  • ACCEPT: packet gets to continue to the next chain.
  • DROP: packet is stopped and deleted.
  • REJECT: packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.
Masquerading off | on; default: off Turns Masquerading off or on. MASQUERADE is an iptables target that can be used instead of the SNAT (source NAT) target when the external IP of the network interface is not known at the moment of writing the rule (when the interface gets the external IP dynamically).
MSS clamping off | on; default: off Turns MSS clamping off or on. MSS clamping is a workaround used to change the maximum segment size (MSS) of all TCP connections passing through links with an MTU lower than the Ethernet default of 1500.
Covered networks network interface(s); default: depends on zone Network or networks that belong to the zone.

Zones: Advanced Settings

Field Value Description
Restrict to address family IPv4 and IPv6 | IPv4 only | IPv6 only; default: IPv4 and IPv6 IP address family to which to zone will apply.
Restrict Masquerading to given source subnets network/subnet; default: none Applies Masquerading only to the specified source network/subnet.
Restrict Masquerading to given destinations subnets network/subnet; default: none Applies Masquerading only to the specified destination network/subnet.
Force connection tracking off | on; default: off Always maintains connection state (NEW, ESTABLISHED, RELATED) information.
Enable logging off | on; default: off Log dropped and rejected packets.
Limit log messages integer/minute; default: none Limit how many messages can be logged in the span of 1 minute. For example, to log 50 packets per minute use: 50/minute.
Conntrack helpers Amanda backup and archiving proto (AMANDA) | FTP passive connection tracking (FTP) | RAS proto tracking (RAS) | Q.931 proto tracking (Q.931) | IRC DCC connection tracking (IRC) | PPTP VPN connection tracking (PPTP) | SIP VoIP connection tracking (SIP) | SNMP monitoring connection tracking (SNMP) | TFTP connection tracking (TFTP); default: none Explicitly choses allowed connection tracking helpers for zone traffic.

Forwarding between zones

The options below control the forwarding policies between this zone (lan) and other zones. Destination zones cover forwarded traffic originating from lan. Source zones match forwarded traffic from other zones targeted at lan. The forwarding rule is unidirectional e.g., a forward from lan to wan does not imply a permission to forwad from wan to lan as well.

Field Value Description
Allow forward to destination zones zone(s); default: none Allows forward traffic to specified destination zones. Destination zones cover forwarded traffic originating from this source zone.
Allow forward from source zones zone(s); default: none Allows forward traffic to specified source zones. Source zones match forwarded traffic originating from other zones that is targeted at this zone.

Port Forwards

Port forwarding is a way of redirecting an incoming connection to another IP address, port or the combination of both:

The Port forwards table displays configured port forwarding rules currently configured on the device.

Field Value Description
Name string; default: none The name of the rule. This is used for easier management purposes.
Match Only match traffic using the given rules.
Forward Forward traffic to the given location.
Status Displays the status of NAT rule.
Counter Only the first packet of connection is usually counted due to stateful packet inspection (SPI). This also affects connectionless protocols.
Enabled off | on; default none Enables port forward rule.
Actions clone | Edit | Delete; default - Performs the selected action.

Add new instance

The Add new instance section is used to quickly add additional port forwarding rules.

Field Value Description
Name string; default: none Name of the rule. This is used for easier management purposes.
External port Any | FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: none Only match traffic coming to the given port.
    Possible variants:
  • Any: Match everything
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value
Internal IP address IP | + Add new; default: first IP from the list Forward traffic to the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
Internal port No rewrite | FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: No rewrite Forward traffic to the given port.
    Possible variants:
  • No rewrite: Keep External port
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value

Port Forwards Configuration

While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the edit button next to it:

You will be redirected to that rule's configuration general settings page:

Field Value Description
Enable off | on ; default: on Turns the rule on or off
Name string; default: none Name of the rule. This is used for easier management purposes.
Protocol TCP | UDP | ICMP | All | +Add new; default: TCP+UDP Only match traffic using the given internet communication protocol.
    Possible variants:
  • TCP: used by most applications (e.g., web browsing, file downloads, games).
  • UDP: used by real-time applications that can accept packet loss (e.g., voice calls, video streaming).
  • ICMP: used for diagnostic, control and error transfers in networks (e.g., ping).
  • All: Accept all protocols
  • Custom protocol: sctp
Source zone Unspecified | firewall zone name | framed; default: wan Only match traffic coming to the given firewall zone.
External port Any | FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: none Only match traffic coming to the given port.
    Possible variants:
  • Any: Match everything
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value
Internal zone Unspecified | firewall zone name | framed; default: lan Forward traffic to the given firewall zone.
Internal IP address Any | IP | + Add new; default: first IP from the list Forward traffic to the given network address.
    Possible variants:
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
Internal port No rewrite | FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: No rewrite Forward traffic to the given port.
    Possible variants:
  • No rewrite: Keep External port
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value

Advanced settings:

Field Value Description
Source MAC address mac | + Add new; default: Any Only match traffic coming from the given MAC address.
    Possible variants:
  • Any: Match everything
  • Mac address: 01:23:45:56:78:9a
  • All except value: !value
Source IP address IP | + Add new; default: Any Only match traffic coming from the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
  • All except value: !value
Source port FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: Any Only match traffic coming from the given port.
    Possible variants:
  • Any: Match everything
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value
External IP address Any | IP | + Add new; default: Any Only match traffic coming to the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
  • All except value: !value
Enable NAT loopback off | on ; default: on NAT loopback a.k.a. NAT reflection a.k.a. NAT hairpinning is a method of accessing an internal server using a public IP. NAT loopback enables your local network (i.e., behind your NAT device) to connect to a forward-facing IP address of a machine that it also on your local network.
Extra arguments string; default: none Passes additional arguments to iptables. Use with care!

Traffic Rules

The Traffic rules tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table:

Field Value Description
Name string; default: - The name of the rule. This is used for easier management purposes.
Match Only match traffic using the given rules.
Action Take given action when traffic matches all conditions.
Status Displays the status of NAT rule.
Counter Only the first packet of connection is usually counted due to stateful packet inspection (SPI). This also affects connectionless protocols.
Enabled off | on; default none Enables traffic rule.
Actions clone | Edit | Delete; default - Performs the selected action.

Traffic Rule Configuration

In order to begin editing a traffic rule, click the edit button next to it:

You will be redirected to that rule's configuration page:

General settings

Field Value Description
Enable off | on; default on Turns the rule on or off.
Name string; default none Name of the rule. This is used for easier management purposes.
Protocol TCP | UDP | ICMP | All | +Add new; default: depends on the rule Only match traffic using the given internet communication protocol.
    Possible variants:
  • TCP: used by most applications (e.g., web browsing, file downloads, games)
  • UDP: used by real-time applications that can accept packet loss (e.g., voice calls, video streaming)
  • ICMP: used for diagnostic, control and error transfers in networks (e.g., ping)
  • All: Accept all protocols
  • Custom protocol: sctp
Match ICMP type Any | ICMP-type (list) | + Add new; default: Any Only match traffic having the given ICMP type.
Source zone firewall zone; default: wan Only match traffic coming to the given firewall zone.
Source IP address ip address; default: Any Only match traffic coming from the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
  • IPv6 address: 123:1::5:6:7
  • IPv6 Subnet: 123:1:5:6::0/64
  • All except value: !value
Source port FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: Any Only match traffic coming from the given port.
    Possible variants:
  • Any: Match everything
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value
Destination zone firewall zone; default: Device (input) Only match traffic being forwarded to to the given firewall zone.
Destination address ip address; default: Any Only match traffic being forwarded to the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
  • IPv6 address: 123:1::5:6:7
  • IPv6 Subnet: 123:1:5:6::0/64
  • All except value: !value
Destination port FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: Any Only match traffic being forwarded to the given port.
    Possible variants:
  • Any: Match everything
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value
Action Drop | Accept | Reject | Do not track | Change DSCP | Mark | Change TTL; default: Accept Take given action when traffic matches all conditions.
    Possible variants:
  • Accept – packet gets to continue to the next chain.
  • Drop – packet is stopped and deleted.
  • Reject – packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.
  • Change DSCP: – packet is marked with specified DiffServ Code Point value.
  • Do not track – packet gets excluded from connection tracking (conntrack).
  • Mark – packet is marked with specified firewall mark.
  • Change TTL – packet's TTL value is adjusted based on the selected action.
  • Clamp MSS – packet's MSS will be clamped to improve compatability with other networks. Only available if protocol is TCP.
DSCP value Default | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23...; default: Default DSCP value to use for actions.
Mark value hexadecimal string; default: empty Mark value to use for actions.
TTL action Set | Increment | Decrement; default: Set TTL action to apply to packets.
TTL value integer [1..255]; default: none TTL value to use for actions.

Advanced settings

Restrict to address family IPv4 and IPv6 | IPv4 only | IPv6 only; default: IPv4 and IPv6 Only match traffic using the given IP family.
Source MAC address mac | + Add new; default: Any Only match traffic coming from the given MAC address.
    Possible variants:
  • Any: Match everything
  • Mac address: 01:23:45:56:78:9a
  • All except value: !value
Match DSCP | Mark; default: none Match traffic against the given DSCP value or firewall mark
DSCP: Set Match value Default | DSCP values; default: Default Match traffic against the given firewall DSCP value.
Mark: Set Match value hexadecimal string; default: none If specified, match traffic against the given firewall mark, e.g. FF or ff to match mark 255.
Extra arguments string; default: none Adds extra .iptables options to the rule.

Time restrictions

Week days days of the week [Monday..Sunday]; default: none Specifies on which days of the week the rule is valid.
Month days days of the month [1..31]; default: none Specifies on which days of the month the rule is valid.
Start Time (hh:mm:ss) time [0..23:0..59:0..59]; default: none Indicates the beginning of the time period during which the rule is valid.
Stop Time (hh:mm:ss) time [0..23:0..59:0..59]; default: none Indicates the end of the time period during which the rule is valid.
Start Date (yyyy-mm-dd) date [0000..9999:1..12:1..31]; default: none Indicates the first day of the date of the period during which the rule is valid.
Stop Date (yyyy-mm-dd) date [0000..9999:1..12:1..31]; default: none Indicates the last day of the date of the period during which the rule is valid.
Time in UTC off | on; default: no Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → NTP page will be used.

Open Ports on Router

In the Add new instance section, select Open ports on router. This provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:

Field Value Description
Name string; default: none Name of the rule. This is only used for easier management purposes.
Protocol TCP | UDP | ICMP | All | +Add new; default: depends on the rule Only match traffic using the given internet communication protocol.
    Possible variants:
  • TCP: used by most applications (e.g., web browsing, file downloads, games)
  • UDP: used by real-time applications that can accept packet loss (e.g., voice calls, video streaming)
  • ICMP: used for diagnostic, control and error transfers in networks (e.g., ping)
  • All: Accept all protocols
  • Custom protocol: sctp

Add New Forward Rule

In the Add new instance section, select Add new forward rule. This is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the Add New Forward Rule section and the table below provides information on the fields contained in that section:

Field Value Description
Name string; default: none The name of the rule. This is used for easier management purposes.
Source zone firewall zone; default: lan Only match traffic coming to the given firewall zone.
Destination zone firewall zone; default: lan Only match traffic being forwarded to the given firewall zone.
Add - (interactive button) Creates the rule and redirects you to the rule's configuration page

NAT Rules

NAT rules allow fine grained control over the source IP to use for outbound or forwarded traffic.

The NAT section displays currently existing NAT rules.

Field Value Description
Name string; default: none The name of the rule. This is used for easier management purposes.
Match Only match traffic using the given rules.
Action Modify traffic with the given rules.
Status Displays the status of NAT rule.
Counter Only the first packet of connection is usually counted due to stateful packet inspection (SPI). This also affects connectionless protocols.
Enabled off | on; default none Enables NAT rule.
Actions clone | Edit | Delete; default - Performs the selected action.

Add new instance

The Add new instance section is used to create new NAT rules.

Field Value Description
Name string; default: none The name of the rule. This is used for easier management purposes.
Source zone firewall zone; default: lan Only match traffic coming to the given firewall zone.
Rewrite IP IP | + Add new; default: first IP from the list Rewrite matched traffic to the given source network address.
    Possible variants:
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
Rewrite Port integer [0..65335] | port inversion [!0..!65535] | do not rewrite; default: none Rewrite matched traffic to the given source port.
    Possible variants:
  • No rewrite: Keep Source port
  • Port: 422
  • Port range: 1000-2000
Add - (interactive button) Creates the rule in accordance with the given parameter and redirects you to the rule's configuration page.

NAT Configuration

After adding new rule, you will be redirected to that rule's configuration page:

Field Value Description
Enable off | on; default on Turns the rule on or off.
Name string; default none Name of the rule. This is used for easier management purposes.
Protocol TCP | UDP | ICMP | All | +Add new; default: All Only match traffic using the given internet communication protocol.
    Possible variants:
  • TCP: used by most applications (e.g., web browsing, file downloads, games).
  • UDP: used by real-time applications that can accept packet loss (e.g., voice calls, video streaming).
  • ICMP: used for diagnostic, control and error transfers in networks (e.g., ping).
  • All: Accept all protocols
  • Custom protocol: sctp
Outband zone firewall zone; default: lan Only match traffic leaving the given firewall zone.
Source IP address ip address; default: Any Only match traffic coming from the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
  • IPv6 address: 123:1::5:6:7
  • IPv6 Subnet: 123:1:5:6::0/64
  • All except value: !value
Source port FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: Any Only match traffic coming from the given port.
    Possible variants:
  • Any: Match everything
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value
Destination IP address ip address; default: Any Only match traffic being forwarded to the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
  • All except value: !value
Destination port FTP data (20) | FTP cmd (21) | SSH (22) | Old SMTP (25) | DNS (53) | HTTP (80) | NTP (123) | BGP (179) | HTTPS (443) | ISAKMP (500) | Modern SMTP (587) | RDP (3389) | + Add new; default: Any Only match traffic being forwarded to the given port.
    Possible variants:
  • Any: Match everything
  • Port: 422
  • Port range: 1000-2000
  • All except value: !value
Action SNAT | MASQUERADE | ACCEPT; default SNAT NAT action to use on matched traffic.
    Possible variants:
  • SNAT: rewrite to specific source IP or port.
  • MASQUERADE: automatically rewrite to outbound interface IP.
  • ACCEPT: blacklist from having IP or port rewritten.
Rewrite IP address ip address; default: Any Only match traffic being forwarded to the given network address.
    Possible variants:
  • Any: Match everything
  • IP address: 192.168.1.1
  • Subnet: 192.168.1.0/24
  • All except value: !value

Field Value Description
Extra arguments string; default: none Passes additional arguments to iptables. Use with care!

Field Value Description
Week days days of the week [Monday..Sunday]; default: none Specifies on which days of the week the rule is valid.
Month days days of the month [1..31]; default: none Specifies on which days of the month the rule is valid.
Start Time (hh:mm:ss) time [0..23:0..59:0..59]; default: none Indicates the beginning of the time period during which the rule is valid.
Stop Time (hh:mm:ss) time [0..23:0..59:0..59]; default: none Indicates the end of the time period during which the rule is valid.
Start Date (yyyy-mm-dd) date [0000..9999:1..12:1..31]; default: none Indicates the first day of the date of the period during which the rule is valid.
Stop Date (yyyy-mm-dd) date [0000..9999:1..12:1..31]; default: none Indicates the last day of the date of the period during which the rule is valid.
Time in UTC off | on; default: no Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → NTP page will be used.

Attack Prevention

The Attack Prevention menu tab provides the possibility to configure protections against certain types of online attacks.

Field Value Description
Attack type Name of attack prevention type.
Enable off | on Enable attack from WAN zone prevention (except SYN flood which applies to all zones).
Advanced settings -interactive button (Edit) Opens attack prevention configuration window.

Note: the individual attack prevention configuration windows are shown below.

SYN flood

SYN Flood attack prevention allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.

Field Value Description
Enable attack prevention off | on; default: on Enable new connection throttle for the "SYN flood" to prevent flood attacks from all zones. It uses token bucket algorithm.
Limit integer [1..10000]; default: 25 The maximum theoretical rate. It represents how quickly the burst refills.
Burst integer [1..10000]; default: 50 Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate
TCP SYN cookies off | on; default: on Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)

Ping flood

Some attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.

Field Value Description
Enable remote ping requests off | on; default: on Allows remote (WAN zone) ICMP echo-request type.
Enable attack prevention off | on; default: off Enable new connection throttle for the "Ping flood" to prevent flood attacks from WAN zone. It uses token bucket algorithm.
Limit integer [1..10000]; default: 60 The maximum theoretical rate. It represents how quickly the burst refills.
Limit period Second | Minute | Hour | Day; default: Second Period length for matching the conditions of the rule.
Burst integer [1..10000]; default: 60 The maximum number of new connections that can occur in a short time. This is the token bucket, which is depleted with each new connection. It refills at the rate defined by the limit, and if empty, new connections are blocked.
Enable logging off | on; default: off Flood detection events will be logged to System log.

SSH flood

This protection prevent SSH attacks by limiting connections in a defined period.

Field Value Description
Enable attack prevention off | on; default: off Enable new connection throttle for the "SSH flood" to prevent flood attacks from WAN zone. It uses token bucket algorithm.
Limit integer [1..10000]; default: 100 The maximum theoretical rate. It represents how quickly the burst refills.
Limit period Second | Minute | Hour | Day; default: Second Period length for matching the conditions of the rule.
Burst integer [1..10000]; default: 100 The maximum number of new connections that can occur in a short time. This is the token bucket, which is depleted with each new connection. It refills at the rate defined by the limit, and if empty, new connections are blocked.
Enable logging off | on; default: off Flood detection events will be logged to System log.

HTTP flood

An HTTP attack sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.

Field Value Description
Enable attack prevention off | on; default: off Enable new connection throttle for the "HTTP flood" to prevent flood attacks from WAN zone. It uses token bucket algorithm.
Limit integer [1..10000]; default: 120 The maximum theoretical rate. It represents how quickly the burst refills.
Limit period Second | Minute | Hour | Day; default: Second Period length for matching the conditions of the rule.
Burst integer [1..10000]; default: 120 The maximum number of new connections that can occur in a short time. This is the token bucket, which is depleted with each new connection. It refills at the rate defined by the limit, and if empty, new connections are blocked.
Enable logging off | on; default: off Flood detection events will be logged to System log.

HTTPS flood

This section allows you to enable protection against HTTPS attacks, also known as "man-in-the-middle" attacks (MITM).

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Field Value Description
Enable attack prevention off | on; default: off Enable new connection throttle for the "HTTPS flood" to prevent flood attacks from WAN zone. It uses token bucket algorithm.
Limit integer [1..10000]; default: 120 The maximum theoretical rate. It represents how quickly the burst refills.
Limit period Second | Minute | Hour | Day; default: Second Period length for matching the conditions of the rule.
Burst integer [1..10000]; default: 120 The maximum number of new connections that can occur in a short time. This is the token bucket, which is depleted with each new connection. It refills at the rate defined by the limit, and if empty, new connections are blocked.
Enable logging off | on; default: off Flood detection events will be logged to System log.

Port Scan

Port Scan attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely. Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include SYN-FIN, SYN-RST, X-Mas, FIN scan and NULLflags attacks.

Field Value Description
Enable port scan prevention off | on; default: off Enable brute force port scan prevention from WAN zone. If there is too much TCP packets from same host without responses they start to be rejected.
Scan count integer [5..255]; default: 5 Port scan (TCP packet without response) count before packets are rejected.
Interval integer [10..1000]; default: 10 Time span (in seconds) in which 'scan count' has to be reached before packets are rejected.
SYN-FIN attack off | on; default: off Turns protection from SYN-FIN attacks on or off.
SYN-RST attack off | on; default: off Turns protection from SYN-RST attacks on or off.
X-Mas attack off | on; default: off Turns protection from X-Mas attacks on or off.
FIN scan off | on; default: off Protect from nmap FIN scan.
NULLflags attack off | on; default: off Turns protection from NULLflags attacks on or off.

Custom Rules

The Custom rules tab provides you with the possibility to execute iptables commands which are not otherwise covered by the device's firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.

Note: Custom rules are not recommended to be used with hostnames. The rules will not remain active after reboot due to security reasons.

The figure below is an example of the Custom rules tab:

The rules added here are saved in the /etc/firewall.user file. Feel free to edit that file instead for the same effect in case you don't have access to the device's WebUI.

The Save button restarts the firewall service. Thus, adding the custom rules specified in this section to the device's list of firewall rules.

The Reset button resets the custom rules field to its default state.

DMZ

The DMZ is a security concept. It comprises the separation of the LAN-side network into at least two networks: the user LAN and the DMZ. Generally the DMZ is imprisoned: only access to certain ports from the Internet are allowed into the DMZ, while the DMZ is not allowed to establish new connections to the WAN-side or LAN-side networks. That way, if a server inside of the DMZ is hacked the potential damage that can be done remains restricted! The whole point of the DMZ is to cleanly create a unique firewall rule set that dramatically restricts access in to, and out of the, DMZ.

Field Value Description
Enable off | on; default: off Enables the DMZ configuration.
Status state; default: Displays the status of the DMZ.
Counter count of packets; default: Only the first packet of connection is usually counted due to stateful packet inspection (SPI). This also affects connectionless protocols.
Host IP ipv4; default: none Specifies the IP address of the DMZ host.
Protocol All | TCP | UDP | ICMP; default: None Specifies for which protocols the DMZ will be used.
Ports 0..65535 | port range | port negation; default: none Match incoming traffic directed at the given destination port or port range on DMZ host IP.
Retrieved from "https://wiki.teltonika-networks.com/index.php?title=RUT900_Firewall&oldid=82185"