
Firewall traffic rules: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 74: Line 74:
=== Allow a single host to access a web server in WAN network. ===
=== Allow a single host to access a web server in WAN network. ===
----
----
<br>Let’s imagine that we would like to restrict traffic for this LAN network (192.168.1.0/24) and only one host needs to have access to the web server (185.11.24.37) on the internet. To achieve this, traffic rules could be configured.
<br>Let’s imagine that we would like to restrict traffic for this LAN network (192.168.1.0/24) and only one host needs to have access to the web server (185.xxx.xxx.xxx) on the internet. To achieve this, traffic rules could be configured.


Two traffic rules would be required for this scenario:
Two traffic rules would be required for this scenario:
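Review bot: Replacing the real web-server address with 185.xxx.xxx.xxx in the second copy of the paragraph is the right change, since a live public address in a tutorial invites readers to copy it into their own rules; an RFC 5737 documentation address such as 203.0.113.10 would serve the same purpose while remaining syntactically valid in the rule fields and screenshots that follow. In the same paragraph, "traffic rules could be configured" reads more directly as "traffic rules can be configured".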
Line 90: Line 90:
[[File:Firewall traffic rules topology v2.png||border|class=tlt-border|800x800px]]
[[File:Firewall traffic rules topology v2.png||border|class=tlt-border|800x800px]]


==== Traffic rules configuration to allow only a single host in LAN to access the webserver ====
----
Create and configure the first rule to block all local traffic to WAN network.
Create and configure the first rule to block all local traffic to WAN network.


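Review bot: The new sub-heading writes "webserver" as one word while the surrounding text uses "web server"; use one spelling. The sentence after it describes the deny rule as "the first rule" (creation order), but the explanation further down says the accept rule sits above the Deny-LAN-WAN rule and is therefore matched first; referring to it here as "the deny rule" would avoid the two meanings of "first".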
Line 115: Line 117:


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_1-3_v1.png||border|class=tlt-border|800x800px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_1-3_v1.png||border|class=tlt-border|800x800px]]


Create and configure the second rule to allow the host to access the web server:
Create and configure the second rule to allow the host to access the web server:
Line 132: Line 133:


*In the source IP address enter the IP address of the host in '''LAN''' that you wish to allow to access the web server. In this example, the IP address of PC2 is '''192.168.1.11'''.
*In the source IP address enter the IP address of the host in '''LAN''' that you wish to allow to access the web server. In this example, the IP address of PC2 is '''192.168.1.11'''.
*In the destination address field, enter the IP address of the web server, which is '''185.11.24.37''' in this example.
*In the destination address field, enter the IP address of the web server, which is '''185.xxx.xxx.xxx''' in this example.
*In the destination port field add ports '''’80’''' and '''‘443’'''. These are '''HTTP''' and '''HTTPS''' port numbers that are used for communication with a web server.
*In the destination port field add ports '''’80’''' and '''‘443’'''. These are '''HTTP''' and '''HTTPS''' port numbers that are used for communication with a web server.
*In the action field choose '''‘Accept’'''.<br>
*In the action field choose '''‘Accept’'''.<br>
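Review bot: The destination-port bullet mixes quotation marks ('''’80’''' against '''‘443’'''); both values should use the same opening and closing pair as the other bullets. The bullets also never state the protocol for this accept rule, whereas the input rule later on the page explicitly says TCP; since 80 and 443 are the TCP ports for HTTP and HTTPS, naming TCP keeps the rule from matching unrelated UDP traffic to the same port numbers. Masking the server address as 185.xxx.xxx.xxx is fine, but it is worth adding that a destination-IP allow rule stops working silently if the web server's address changes (DNS round-robin, CDN fronting), so the address should be re-checked whenever the allowed host loses access.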
Line 148: Line 149:




These rules indicates that traffic from the host '''192.168.1.11''' in '''LAN''' destined to the IP address of 185.11.24.37 on ports '''80''' and '''443''' in '''WAN''' must be accepted. The '''‘Accept forward’''' indicates the action (accept). The slider on the right side shows that the rule is enabled. The rule is above the Deny-LAN-WAN rule, so that traffic from host 192.168.1.11 (PC2) matches the first rule and is accepted. Traffic from other hosts in LAN will match the second rule and will be dropped.
These rules indicate that traffic from the host '''192.168.1.11''' in '''LAN''' destined to the IP address of 185.xxx.xxx.xxx on ports '''80''' and '''443''' in '''WAN''' must be accepted. The '''‘Accept forward’''' indicates the action (accept). The slider on the right side shows that the rule is enabled. The rule is above the Deny-LAN-WAN rule, so that traffic from host 192.168.1.11 (PC2) matches the first rule and is accepted. Traffic from other hosts in LAN will match the second rule and will be dropped.


===Opening a port on the device. ===
===Opening a port on the device. ===
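Review bot: The grammar fix to "These rules indicate" is correct; in the same sentence "destined to the IP address of" reads better as "destined for the IP address". The paragraph numbers the rules by match order (accept rule first, Deny-LAN-WAN second), which is the opposite of the creation order used in the instructions above; naming the rules rather than numbering them would remove the ambiguity. One caveat worth stating for readers: the deny rule blocks all forwarded LAN-to-WAN traffic, so the allowed host can only reach the server by address unless its name resolution goes through the router's own DNS forwarder, which is input traffic to the device rather than forwarded traffic.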
Line 254: Line 255:




The rule indicates that TCP traffic coming from the host  '''138.199.19.170''' in the '''WAN''' to the device (router) on ports '''80''' and '''443''' will be accepted. The '''‘Accept input’''' indicates the action (accept). The slider on the right side shows that the rule is enabled.
The rule indicates that TCP traffic coming from the host  '''84.xxx.xxx.xxx''' in the '''WAN''' to the device (router) on ports '''80''' and '''443''' will be accepted. The '''‘Accept input’''' indicates the action (accept). The slider on the right side shows that the rule is enabled.


In this scenario, only the host 138.199.19.170 will be able to access the WebUI of the router via it’s public IP. Similarly, if the port is set to 22 instead of 80 and 443, the remote host would be able to connect to the device via SSH, but not WebUI.
In this scenario, only the host 138.199.19.170 will be able to access the WebUI of the router via it’s public IP. Similarly, if the port is set to 22 instead of 80 and 443, the remote host would be able to connect to the device via SSH, but not WebUI.
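Review bot: The masking is incomplete: the first paragraph now reads 84.xxx.xxx.xxx, but the paragraph after it still names 138.199.19.170 in both revisions, so the original address remains published and the two paragraphs no longer agree; replace it with the same masked value (or an RFC 5737 documentation address). In that paragraph "via it’s public IP" should be "via its public IP", and there is a double space before '''84.xxx.xxx.xxx'''. Since this rule opens the WebUI and SSH to the WAN for one source address, the text could also remind readers that the allow rule is only as selective as that address: every host that shares the same public IP (for example behind the same NAT) matches it.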
Line 313: Line 314:


<br>
<br>
This rule indicates that the PC with mac address of '''00:00:5e:00:53:af''' will not be able to send traffic to '''WAN'''. The '''‘Discard forward’''' indicates the action (drop).  The rule does not show the times at which this rule is applied, but the times can be found on the settings page ('''‘Pencil’''' button). This rule will be applied for the first time on the 12th of February, 2023. Then, every Monday, Tuesday, Wednesday, Thursday, and Friday, from 8 AM to 4 PM this PC  will not be able to send traffic to '''WAN'''.
This rule indicates that the PC with mac address of '''00:00:5e:xx:xx:xx''' will not be able to send traffic to '''WAN'''. The '''‘Discard forward’''' indicates the action (drop).  The rule does not show the times at which this rule is applied, but the times can be found on the settings page ('''‘Pencil’''' button). This rule will be applied for the first time on the 12th of February, 2023. Then, every Monday, Tuesday, Wednesday, Thursday, and Friday, from 8 AM to 4 PM this PC  will not be able to send traffic to '''WAN'''.
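Review bot: Masking the MAC as 00:00:5e:xx:xx:xx is unnecessary here: the original 00:00:5e:00:53:af lies inside the block 00:00:5e:00:53:00 to 00:00:5e:00:53:ff that RFC 7042 reserves for documentation, so the unmasked value is the better example because it is complete and cannot belong to a real device. Either way, "mac address" should be "MAC address", and there are double spaces after "(drop)." and in "this PC  will". On the schedule, 12 February 2023 is a Sunday while the listed days run Monday to Friday, so the text should say whether the rule already blocks traffic on the 12th or first takes effect on Monday the 13th.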