
Template:Networking rutos manual firewall: Difference between revisions

no edit summary
No edit summary
(58 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Template: Networking_rutos_manual_fw_disclosure
{{Template: Networking_device_manual_fw_disclosure
| fw_version ={{Template: Networking_rutos_manual_latest_fw
| series = {{{series}}}
| name  = {{{name}}}
| fw_version ={{Template: Networking_device_manual_latest_fw
  | series = {{{series}}}
  | series = {{{series}}}
| name  = {{{name}}}
  }}
  }}
}}
}}
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_device_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_device_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}}
==Summary==
==Summary==


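Review bot: the rename from `Networking_rutos_manual_fw_disclosure` / `Networking_rutos_manual_latest_fw` to the `Networking_device_manual_*` names is applied in four places in this hunk (the `fw_version` call and both legacy-WebUI notes), so any other page still calling the old `rutos` names will break once the old templates are retired; worth grepping for stale callers before merging. The RUT9 and RUT2 legacy-WebUI notes are identical except for the `RUT9XX` / `RUT2XX` series string, so a single `#switch` on `{{{series}}}` would replace the two near-duplicate `#ifeq` blocks and keep future template renames to one edit.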
Line 20: Line 23:
The <b>General Settings</b> section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:
The <b>General Settings</b> section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:


[[File:Networking_rutos_manual_firewall_general_settings_general_settings.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_general_settings_general_settings_v3.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 62: Line 65:
</ul>
</ul>


===Routing/NAT Offloading===
{{#ifeq: {{{name}}} | TRB500 | | ===Routing/NAT Offloading===
----
----
The <b>Routing/NAT Offloading</b> is used to turns software flow offloading on or off.
The <b>Routing/NAT Offloading</b> is used to turns software flow offloading on or off.


The device checks whether the flow (sequence of related packets) is of a received a packed is known. Packets of unknown flow are forwarded to the networking stack. Meanwhile, if the flow is known, NAT is applied (if matched) and the packet is forwarded to the correct destination port. This process is called <b>software flow offloading</b>.
The device checks whether the flow (sequence of related packets) is of a received a packed is known. Packets of unknown flow are forwarded to the networking stack. Meanwhile, if the flow is known, NAT is applied (if matched) and the packet is forwarded to the correct destination port. This process is called <b>software flow offloading</b>. {{#switch: {{{series}}} | RUTX | RUTM = <b>Hardware flow offloading</b> is used to execute functions of the router using the hardware directly, instead of a process of software functions. | #default =}}
 
[[File:Networking_rutos_manual_firewall_general_settings_routing_nat_offloading.png|border|class=tlt-border]]


{{#switch: {{{series}}}
| RUTX | RUTM = [[File:Networking_rutos_manual_firewall_general_settings_routing_nat_offloading_rutx_v2.png|border|class=tlt-border]]
| #default =[[File:Networking_rutos_manual_firewall_general_settings_routing_nat_offloading_v2.png|border|class=tlt-border]]}}
<table class="nd-mantable">
<table class="nd-mantable">
     <tr>
     <tr>
Line 78: Line 82:
     <tr>
     <tr>
         <td>Software flow offloading</td>
         <td>Software flow offloading</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} on; default: <b>on</b></td>
         <td>Turns software flow offloading on or off.</td>
         <td>Turns software flow offloading on or off.</td>
     </tr>
     </tr>
</table>
{{#switch: {{{series}}} | RUTX | RUTM = 
    <tr>
        <td>Hardware flow offloading</td>
        <td>off {{!}} on; default: <b>on</b></td>
        <td>Turns hardware flow offloading on or off.</td>
    </tr>| #default =}}
</table>}}


===Zones===
===Zones===
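Review bot: the Software flow offloading default flips from `off` to `on` in this hunk, but the description above it keeps the old revision's wording errors ('is used to turns', 'is of a received a packed is known') and says nothing about what the new default means for the reader: by the section's own account, packets of a known flow get NAT applied and are forwarded without going to the networking stack, so anything that expects every packet to pass through the stack should be mentioned beside the changed default. Suggest 'is used to turn software flow offloading on or off' and 'The device checks whether the flow (sequence of related packets) of a received packet is known'. The RUTX/RUTM sentence 'is used to execute functions of the router using the hardware directly, instead of a process of software functions' would read better as 'performs the same flow forwarding in hardware instead of in software'. The `#ifeq ... | TRB500 | |` wrapper closes at `</table>}}`, so the whole subsection including its `----` rule and image is suppressed on TRB500, which looks intended.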
Line 87: Line 97:
The <b>Zones</b> section is used to manage default traffic forwarding policies between different device zones. The figure below is an example of the Zones section and the table below provides information on the fields contained in that section:
The <b>Zones</b> section is used to manage default traffic forwarding policies between different device zones. The figure below is an example of the Zones section and the table below provides information on the fields contained in that section:


[[File:Networking_rutos_manual_firewall_general_settings_zones.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_general_settings_zones_v2.png|border|class=tlt-border]]
----
----
You can change a zone's settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to a zone:
You can change a zone's settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to a zone:


[[File:Networking_rutos_manual_firewall_general_settings_zones_edit_button.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_general_settings_zones_edit_button_v2.png|border|class=tlt-border]]


====Zones: General Settings====
====Zones: General Settings====
----
----
[[File:Networking_rutos_manual_firewall_general_settings_zones_general_settings.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_general_settings_zones_general_settings_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 142: Line 152:
====Zones: Advanced Settings====
====Zones: Advanced Settings====
----
----
[[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings_v3.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings_v4.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 191: Line 201:
The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones.  
The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones.  


[[File:Networking_rutos_manual_firewall_general_settings_zones_inter-zone_forwarding_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_general_settings_zones_inter-zone_forwarding_v1.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
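Review bot: the inter-zone forwarding screenshot drops the `mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}` variants for one `_v1` image, so devices without a mobile or dual-SIM interface will be shown zones they do not have; if one image is acceptable, a short sentence saying that the zone list varies by device would avoid confusion.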
Line 219: Line 229:
The Port forwards table displays configured port forwarding rules currently configured on the device.
The Port forwards table displays configured port forwarding rules currently configured on the device.


[[File:Networking_rutos_manual_firewall_port_forwards_port_forwards.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_port_forwards_port_forwards_v2.png|border|class=tlt-border]]


===Add New Port Forward===
===Add New Port Forward===
Line 225: Line 235:
The <b>Add New Port Forward</b> section is used to quickly add additional port forwarding rules. The figure below is an example of the Add New Port Forward section and the table below provides information on the fields contained in that section:
The <b>Add New Port Forward</b> section is used to quickly add additional port forwarding rules. The figure below is an example of the Add New Port Forward section and the table below provides information on the fields contained in that section:


[[File:Networking_rutos_manual_firewall_port_forwards_add_new_port_forward.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_port_forwards_add_new_port_forward_v3.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 240: Line 250:
     <tr>
     <tr>
         <td>External port</td>
         <td>External port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>The port number to which hosts will be connecting.<td>
         <td>The port number to which hosts will be connecting.</td>
     </tr>
     </tr>
     <tr>
     <tr>
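Review bot: `port inversion [!0..!65535]` is introduced in the Value column without the Description saying what it does; later in this same revision the Traffic Rules source and destination port rows say 'Port negation ... for ex. !1', so add the same one-line explanation here ('a leading ! matches every port except the one given') and use identical wording in the port-forward, traffic-rule and SNAT rows. The `<td>` to `</td>` fix on the description cell is correct.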
Line 250: Line 260:
     <tr>
     <tr>
         <td>Internal port</td>
         <td>Internal port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>The port number to which the incoming connection will be redirected.</td>
         <td>The port number to which the incoming connection will be redirected.</td>
     </tr>
     </tr>
Line 257: Line 267:
===Port Forwards Configuration===
===Port Forwards Configuration===
----
----
While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it:
While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to it:


[[File:Networking_rutos_manual_firewall_port_forwards_edit_button.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_port_forwards_edit_button_v3.png|border|class=tlt-border]]


You will be redirected to that rule's configuration page:
You will be redirected to that rule's configuration general settings page:


[[File:Networking_rutos_manual_firewall_port_forwards_configuration.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_port_forwards_configuration_v3.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 283: Line 293:
     <tr>
     <tr>
         <td>Protocol</td>
         <td>Protocol</td>
         <td>TCP+UDP | TCP | UDP | Other; default: <b>TCP+UDP</b></td>
         <td>TCP | UDP | ICMP | All | +Add new; default: <b>TCP+UDP</b></td>
         <td>Specifies to which protocols the rule should apply.</td>
         <td>Specifies to which protocols the rule should apply.</td>
     </tr>
     </tr>
Line 290: Line 300:
         <td>firewall zone name; default: <b>wan</b></td>
         <td>firewall zone name; default: <b>wan</b></td>
         <td>The zone to which the third party will be connecting. (Same thing as "External zone" in the New port forward section.)</td>
         <td>The zone to which the third party will be connecting. (Same thing as "External zone" in the New port forward section.)</td>
    </tr>
    <tr>
        <td>External port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
        <td>Port number(s) to which hosts will be connecting.<br>The rule will apply only to hosts that connect to the port number(s) specified in this field. Leave empty to make the rule skip external port matching.</td>
    </tr>
    <tr>
        <td>Internal zone</td>
        <td>firewall zone name; default: <b>lan</b></td>
        <td>The zone to which the incoming connection will be redirected.</td>
    </tr>
    <tr>
        <td>Internal IP address</td>
        <td>Device LAN IP; default: <b>Device LAN IP</b></td>
        <td>The IP address to which the incoming connection will be redirected.</td>
    </tr>
    <tr>
        <td>Internal port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
        <td>The port number to which the incoming connection will be redirected.</td>
    </tr>
</table>
Advanced settings:
[[File:Networking rutos manual firewall port forwards configuration advanced_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
        <th>Value</th>
        <th>Description</th>
     </tr>
     </tr>
     <tr>
     <tr>
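Review bot: the Protocol row's default `TCP+UDP` is no longer one of the listed options (`TCP | UDP | ICMP | All | +Add new`), so either the default should become whichever option the UI actually preselects (probably `All`) or `TCP+UDP` belongs back in the list. Two smaller points in the same hunk: 'Advanced settings:' is a bare text line followed by the image, whereas every other sub-view in this template uses a `====...====` heading followed by `----`; and 'Internal IP address' reads `Device LAN IP; default: <b>Device LAN IP</b>`, listing the default as the only value, where `ip; default: <b>Device LAN IP</b>` would match the pattern of the other rows.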
Line 303: Line 345:
     <tr>
     <tr>
         <td>Source port</td>
         <td>Source port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching.<td>
         <td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching.</td>
     </tr>
     </tr>
     <tr>
     <tr>
Line 310: Line 352:
         <td>ip | ip/netmask; default: <b>any</b></td>
         <td>ip | ip/netmask; default: <b>any</b></td>
         <td>IP address or network segment to which hosts will be connecting.<br>The rule will apply only to hosts that connect to IP addresses specified in this field.<br>To specify a subnet instead of one IP, add a forward slash followed by the netmask length after the network indication (for example, <i>10.0.0.0/8</i>).</td>
         <td>IP address or network segment to which hosts will be connecting.<br>The rule will apply only to hosts that connect to IP addresses specified in this field.<br>To specify a subnet instead of one IP, add a forward slash followed by the netmask length after the network indication (for example, <i>10.0.0.0/8</i>).</td>
    </tr>
    <tr>
        <td>External port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
        <td>Port number(s) to which hosts will be connecting.<br>The rule will apply only to hosts that connect to the port number(s) specified in this field. Leave empty to make the rule skip external port matching.<td>
    </tr>
    <tr>
        <td>Internal zone</td>
        <td>firewall zone name; default: <b>lan</b></td>
        <td>The zone to which the incoming connection will be redirected.</td>
    </tr>
    <tr>
        <td>Internal IP address</td>
        <td>ip; default: <b>none</b></td>
        <td>The IP address to which the incoming connection will be redirected.</td>
    </tr>
    <tr>
        <td>Internal port</td>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
        <td>The port number to which the incoming connection will be redirected.</td>
     </tr>
     </tr>
     <tr>
     <tr>
Line 347: Line 369:
The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table:
The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table:


[[File:Networking_rutos_manual_firewall_traffic_rules.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_traffic_rules_v2.png|border|class=tlt-border]]


===Traffic Rule Configuration===
===Traffic Rule Configuration===
----
----
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it:
In order to begin editing a traffic rule, click the edit button [[File:Networking rutx trb14x manual edit button v2.png|20px]] next to it:


[[File:Networking_rutos_manual_firewall_traffic_rules_edit_button.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_traffic_rules_edit_button_v2.png|border|class=tlt-border]]


You will be redirected to that rule's configuration page:
You will be redirected to that rule's configuration page:


[[File:Networking_rutos_manual_firewall_traffic_rules_configuration_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]]
====General settings====
 
----
[[File:Networking_rutos_manual_firewall_traffic_rules_configuration_general_settings_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
     <tr>
     <tr>
Line 376: Line 399:
     </tr>
     </tr>
     <tr>
     <tr>
      <td>Restrict to address family</td>
    <td>Protocol</td>
      <td>IPv4 and IPv6 | IPv4 only | IPv6 only; default: <b>IPv4 and IPv6</b></td>
        <td>TCP | UDP | All | +Add new |<span style="color:red">ICMP</span>; default: <b>depends on the rule</b></td>
      <td>IP address family to which the rule will apply to.</td>
        <td>Specifies to which protocols the rule should apply.</td>
     </tr>
     </tr>
     <tr>
     <tr>
    <td>Protocol</td>
        <td><span style="color:red"> Match ICMP type</span></td>
         <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; default: <b>TCP+UDP</b></td>
         <td>Any | ICMP-type | + Add new; default: '''none'''</td>
         <td>Specifies to which protocols the rule should apply.</td>
         <td>Allows matching specific ICMP types.</td>
     </tr>
     </tr>
     <tr>
     <tr>
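Review bot: the Match ICMP type row uses wiki bold `'''none'''` for its default while every other row in the template uses `<b>none</b>`; and the red `<span>` around ICMP in the Protocol row and around the Match ICMP type field name is the only cue that the second row belongs to the ICMP selection, which the text never states. Suggest `<b>none</b>` and a description such as 'Shown when Protocol is ICMP; allows matching specific ICMP types.' The Protocol default 'depends on the rule' is also vague; if it differs per rule template, say which default applies to which.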
Line 391: Line 414:
     </tr>
     </tr>
     <tr>
     <tr>
         <td>Source MAC address</td>
         <td>Source IP address</td>
        <td>mac; default: <b>none</b></td>
        <td>MAC address(es) of connecting hosts.<br>The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.</td>
    </tr>
    <tr>
        <td>Source address</td>
         <td>ip | ip/netmask; default: <b>any</b></td>
         <td>ip | ip/netmask; default: <b>any</b></td>
         <td>IP address or network segment used by connecting hosts.<br>The rule will apply only to hosts that connect from IP addresses specified in this field.<br>To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network indication (for example, <i>10.0.0.0/8</i>).</td>
         <td>IP address or network segment used by connecting hosts.<br>The rule will apply only to hosts that connect from IP addresses specified in this field.<br>To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network indication (for example, <i>10.0.0.0/8</i>).</td>
Line 402: Line 420:
     <tr>
     <tr>
         <td>Source port</td>
         <td>Source port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching.<td>
         <td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching. Port negation using is also available, for ex. <b>!1</b>.<td>
     </tr>
     </tr>
     <tr>
     <tr>
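Review bot: the Source port description still ends with an unclosed `<td>` in the new revision (`...for ex. <b>!1</b>.<td>`), the same defect the External port row fixed with `</td>` earlier in this diff, and 'Port negation using is also available' is missing the operator it refers to: 'Port negation using ! is also available, e.g. <b>!1</b>.'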
Line 417: Line 435:
     <tr>
     <tr>
     <td>Destination port</td>
     <td>Destination port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Tagert port or range of ports of the incoming connection.</td>
         <td>Tagert port or range of ports of the incoming connection. Port negation using is also available, for ex. <b>!1</b>.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Action</td>
     <td>Action</td>
         <td>Drop | Accept | Reject | Don't track; default: <b>Accept</b></td>
         <td>Drop | Accept | Reject | Don't track | <span style="color:green">DSCP</span> | <span style="color:blue">Mark</span>; default: <b>Accept</b></td>
         <td>Action that is to be taken when a packet matches the conditions of the rule.
         <td>Action that is to be taken when a packet matches the conditions of the rule.
             <ul>
             <ul>
Line 429: Line 447:
                 <li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.</li>
                 <li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.</li>
                 <li><b>Don't track</b> – packet is no longer tracked as it moves forward.</li>
                 <li><b>Don't track</b> – packet is no longer tracked as it moves forward.</li>
                <li><b>DSCP</b> – packet is marked with specified DiffServ Code Point value.</li>
                <li><b>Mark</b> – packet is marked with specified firewall mark..</li>
             </ul>
             </ul>
         </td>
         </td>
    </tr>
  </table>
====Advanced settings====
----
[[File:Networking_rutos_manual_firewall_traffic_rules_configuration_advanced_settings_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
    <tr>
      <td>Restrict to address family</td>
      <td>IPv4 and IPv6 | IPv4 only | IPv6 only; default: <b>IPv4 and IPv6</b></td>
      <td>IP address family to which the rule will apply to.</td>
    </tr>
    <tr>
        <td>Source MAC address</td>
        <td>mac; default: <b>none</b></td>
        <td>MAC address(es) of connecting hosts.<br>The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.</td>
    </tr>
  <tr>
    <td><span style="color:green">DSCP</span>: Set Target value</td>
        <td>Default | DSCP values; default: <b>Default</b></td>
        <td>If specified, target traffic against the given firewall DSCP value.</td>
    </tr>
    <tr>
    <td><span style="color:blue">Mark</span>: Set Target value</td>
        <td>hex; default: <b>none</b></td>
        <td>If specified, target traffic against the given firewall mark, e.g. FF or ff to target mark 255.</td>
    </tr>
    <tr>
    <td>Match</td>
        <td><span style="color:green">DSCP</span> | <span style="color:blue">Mark</span>; default: <b>none</b></td>
        <td>Match traffic against the given DSCP value or firewall mark</td>
    </tr>
    <tr>
    <td><span style="color:green">DSCP</span>: Set Match value</td>
        <td>Default | DSCP values; default: <b>Default</b></td>
        <td>Match traffic against the given firewall DSCP value.</td>
    </tr>
    <tr>
    <td><span style="color:blue">Mark</span>: Set Match value</td>
        <td>hex; default: <b>none</b></td>
        <td>If specified, match traffic against the given firewall mark, e.g. FF or ff to match mark 255.</td>
     </tr>
     </tr>
     <tr>
     <tr>
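Review bot: the new Advanced settings table opens without the `<th>Field</th><th>Value</th><th>Description</th>` header row that the port-forward advanced table in this same revision has, so its first row renders as data under no column headings. Also in this hunk: 'Tagert port' in the Destination port row is carried over from the old revision; 'specified firewall mark..' has a doubled period; and the DSCP and Mark 'Set Target value' descriptions are phrased like match conditions ('target traffic against the given firewall DSCP value') although the Action list defines them as values written to the packet. Suggest 'DSCP value written to matched packets' and 'Firewall mark written to matched packets, e.g. FF or ff for mark 255', leaving 'Match traffic against ...' to the Match rows.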
Line 437: Line 498:
         <td>Adds extra .iptables options to the rule.</td>
         <td>Adds extra .iptables options to the rule.</td>
     </tr>
     </tr>
</table>
====Time restrictions====
----
[[File:Networking_rutos_manual_firewall_traffic_rules_configuration_time_restrictions_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
     <tr>
     <tr>
     <td>Week days</td>
     <td>Week days</td>
         <td>days of the week [Sunday..Saturday]; default: <b>none</b></td>
         <td>days of the week [Monday..Sunday]; default: <b>none</b></td>
         <td>Specifies on which days of the week the rule is valid.</td>
         <td>Specifies on which days of the week the rule is valid.</td>
     </tr>
     </tr>
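Review bot: 'Adds extra .iptables options to the rule' keeps a stray leading dot on `iptables` in both revisions (the same cell recurs in the last hunk of this diff); it should read 'Adds extra iptables options to the rule'. The Week days range change to `[Monday..Sunday]` is fine, but the new Time restrictions table is opened with `<table class="nd-mantable">` directly after the image, so check that it also receives the Field/Value/Description header row.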
Line 470: Line 537:
     <td>Time in UTC</td>
     <td>Time in UTC</td>
         <td>off | on; default: <b>no</b></td>
         <td>off | on; default: <b>no</b></td>
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td>
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td>
     </tr>
     </tr>
</table>
</table>
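Review bot: the Time in UTC row lists `off | on` as values but `no` as the default, in both the old and the new revision; make it `<b>off</b>`. The NTP link now points at `{{{name}}}_Administration#NTP`, which requires every device's Administration page to carry an 'NTP' anchor, otherwise the link lands at the top of the page.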
Line 478: Line 545:
In the <b>Add new instance</b> section, select <b>Open ports on router</b>. This provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:
In the <b>Add new instance</b> section, select <b>Open ports on router</b>. This provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:


[[File:Networking_rutos_manual_firewall_traffic_rules_open_ports_on_router.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_traffic_rules_open_ports_on_router_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 493: Line 560:
     <tr>
     <tr>
     <td>Protocol</td>
     <td>Protocol</td>
         <td>TCP+UDP | TCP | UDP | Other; default: <b>TCP+UDP</b></td>
         <td>TCP | UDP | ICMP | All | +Add new; default: <b>none</b></td>
         <td>Specifies to which protocols the rule should apply.</td>
         <td>Specifies to which protocols the rule should apply.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>External port</td>
     <td>External port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Specifies which port(s) should be opened.</td>
         <td>Specifies which port(s) should be opened.</td>
     </tr>
     </tr>
Line 507: Line 574:
In the <b>Add new instance</b> section, select <b>Add new forward rule</b>. This is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the Add New Forward Rule section and the table below provides information on the fields contained in that section:
In the <b>Add new instance</b> section, select <b>Add new forward rule</b>. This is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the Add New Forward Rule section and the table below provides information on the fields contained in that section:


[[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 547: Line 614:
The Source NAT section displays currently existing SNAT rules.
The Source NAT section displays currently existing SNAT rules.


[[File:Networking_rutos_manual_firewall_nat_rules_source_nat.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_nat_rules_source_nat_v2.png|border|class=tlt-border]]


===Add New Source NAT===
===Add New Source NAT===
Line 553: Line 620:
The <b>Add New Source NAT</b> section is used to create new source NAT rules.
The <b>Add New Source NAT</b> section is used to create new source NAT rules.


[[File:Networking_rutos_manual_firewall_nat_rules_add_new_source_nat.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_nat_rules_add_new_source_nat_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 583: Line 650:
     <tr>
     <tr>
     <td>To Source Port</td>
     <td>To Source Port</td>
         <td>integer [0..65335] | do not rewrite; default: <b>none</b></td>
         <td>integer [0..65335] | port inversion [!0..!65535] | do not rewrite; default: <b>none</b></td>
         <td>Changes the source port in the packet header to the value specified in this field.</td>
         <td>Changes the source port in the packet header to the value specified in this field.</td>
     </tr>
     </tr>
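Review bot: `integer [0..65335]` in the To Source Port row is a typo for `[0..65535]`, kept from the old revision, and it now sits beside the correctly bounded `port inversion [!0..!65535]` in the same cell. Separately, offering port inversion on a field whose description says it 'changes the source port in the packet header' is questionable: a negated port names an exclusion, not a value to write, so either drop that option here or state what the firewall does with it.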
Line 595: Line 662:
===Source NAT Configuration===
===Source NAT Configuration===
----
----
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it:
In order to begin editing a traffic rule, click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to it:


{{#ifeq: {{{series}}} | TRB1
[[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button_v2.png|border|class=tlt-border]]
| [[File:Networking_trb1_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]]
| [[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]]
}}


You will be redirected to that rule's configuration page:
You will be redirected to that rule's configuration page:


[[File:Networking_rutos_manual_firewall_nat_rules_configuration_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]]
[[File:Networking rutos manual firewall nat rules configuration mobile general.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
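Review bot: 'In order to begin editing a traffic rule' in the Source NAT Configuration section is copied from the Traffic Rules section and should say 'a source NAT rule'. The new screenshot `Networking rutos manual firewall nat rules configuration mobile general.png` replaces the `mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}` variant with a single image whose name still says 'mobile'; confirm it is appropriate for devices without a mobile interface. The TRB1-specific `#ifeq` edit-button image is also dropped for one `_v2` image, so TRB1 readers now see the generic screenshot.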
Line 624: Line 688:
     <tr>
     <tr>
     <td>Protocol</td>
     <td>Protocol</td>
         <td>All protocols | TCP+UDP | TCP | UDP | ICMP | -- custom --; default: <b>All protocols</b></td>
         <td>TCP | UDP | ICMP | +Add new; default: <b>All protocols</b></td>
         <td>Specifies to which protocols the rule should apply.</td>
         <td>Specifies to which protocols the rule should apply.</td>
     </tr>
     </tr>
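Review bot: the Protocol row's default `All protocols` is not among the new options `TCP | UDP | ICMP | +Add new`; the port-forward Protocol row in this revision has the same mismatch (default `TCP+UDP`), so align the default with the selectable values in both places.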
Line 639: Line 703:
     <tr>
     <tr>
         <td>Source port</td>
         <td>Source port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Mathes traffic originated from specified port number.<td>
         <td>Mathes traffic originated from specified port number.</td>
     </tr>
     </tr>
     <tr>
     <tr>
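Review bot: 'Mathes traffic originated from specified port number' carries the 'Mathes' typo over from the old revision; suggest 'Matches traffic originating from the specified port number(s)'. The `<td>` to `</td>` fix is correct.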
Line 646: Line 710:
         <td>firewall zone; default: <b>wan</b></td>
         <td>firewall zone; default: <b>wan</b></td>
         <td>Matches traffic destined for the specified zone.</td>
         <td>Matches traffic destined for the specified zone.</td>
     </tr>
     </tr>  
     <tr>
     <tr>
     <td>Destination IP address</td>
     <td>Destination IP address</td>
Line 654: Line 718:
     <tr>
     <tr>
     <td>Destination port</td>
     <td>Destination port</td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>
         <td>Matches traffic destined for the specified port number.</td>
         <td>Matches traffic destined for the specified port number.</td>
     </tr>
     </tr>
     <tr>
     <tr>
        <td>SNAT address</td>
    <td>Rewrite port</td>
         <td>ip; default: <b>none</b></td>
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>No rewrite</b></td>
         <td>Changes matched traffic packet source IP address to the value specified in this field.</td>
         <td>Rewrite matched traffic to the given source port.</td>
     </tr>
     </tr>
    </table>
   
    [[File:Networking rutos manual firewall nat rules configuration mobile advanced.png|border|class=tlt-border]]
   
    <table class="nd-mantable">
     <tr>
     <tr>
         <td>SNAT port</td>
         <th>Field</th>
        <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
      <th>Value</th>
        <td>Changes matched traffic packet source port number to the value specified in this field.</td>
      <th>Description</th>
     </tr>
     </tr>
     <tr>
     <tr>
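Review bot: the new Rewrite port row lists `port inversion [!0..!65535]` among its values, but inversion is match syntax (everything except the given port) and has no meaning as a rewrite target, so the value should be a single port or a port range only. The description 'Rewrite matched traffic to the given source port.' would also be clearer as 'Rewrites the source port of matched traffic to the given value.'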
Line 671: Line 740:
         <td>string; default: <b>none</b></td>
         <td>string; default: <b>none</b></td>
         <td>Adds extra .iptables options to the rule.</td>
         <td>Adds extra .iptables options to the rule.</td>
    </tr>
    </table>
   
    [[File:Networking rutos manual firewall nat rules configuration mobile time restriction.png|border|class=tlt-border]]
   
    <table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Week days</td>
     <td>Week days</td>
         <td>days of the week [Sunday..Saturday]; default: <b>none</b></td>
         <td>days of the week [Monday..Sunday]; default: <b>none</b></td>
         <td>Specifies on which days of the week the rule is valid.</td>
         <td>Specifies on which days of the week the rule is valid.</td>
     </tr>
     </tr>
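Review bot: 'Adds extra .iptables options to the rule.' carries a stray period before `iptables` in both revisions; it should read 'Adds extra iptables options to the rule.'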
Line 705: Line 784:
     <td>Time in UTC</td>
     <td>Time in UTC</td>
         <td>off | on; default: <b>no</b></td>
         <td>off | on; default: <b>no</b></td>
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td>
         <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td>
     </tr>
     </tr>
</table>
</table>
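Review bot: the Time in UTC row lists the values `off | on` but gives `default: <b>no</b>`; the default should be `off` so it matches the value list, as the other on/off rows on this page do.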
Line 717: Line 796:
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.


[[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 733: Line 812:
       <td>SYN flood rate</td>
       <td>SYN flood rate</td>
       <td>integer; default: <b>5</b></td>
       <td>integer; default: <b>5</b></td>
       <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered floodedb</td>
       <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>SYN flood burst</td>
     <td>SYN flood burst</td>
         <td>integer; default: <b>10</b></td>
         <td>integer; default: <b>10</b></td>
         <td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed ratbe</td>
         <td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>TCP SYN cookies</td>
     <td>TCP SYN cookies</td>
         <td>off | on; default: <b>off<b></b></td>
         <td>off | on; default: <b>on</b></td>
         <td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)b</td>
         <td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>
     </tr>
     </tr>
</table>
</table>
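Review bot: SYN flood rate and SYN flood burst are typed only as `integer` with no range, while the SSH, HTTP, HTTPS and port scan rows changed in this same revision were given explicit ranges such as `[1..10000]`; if the firmware validates these two fields, the accepted ranges should be documented here as well.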
Line 751: Line 830:
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.  
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.  


[[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 790: Line 869:
This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.
This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.


[[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
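Review bot: 'This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.' is unchanged in the new revision and should read 'This protection prevents SSH attacks by limiting the number of connections allowed in a defined period.'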
Line 810: Line 889:
     <tr>
     <tr>
     <td>Limit</td>
     <td>Limit</td>
         <td>integer; default: <b>5</b></td>
         <td>integer [1..10000]; default: <b>none</b></td>
         <td>Maximum SSH connections during the set period</td>
         <td>Maximum SSH connections during the set period</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Limit burst</td>
     <td>Limit burst</td>
         <td>integer; default: <b>10</b></td>
         <td>integer [1..10000]; default: <b>none</b></td>
         <td>Indicates the maximum burst before the above limit kicks in.</td>
         <td>Indicates the maximum burst before the above limit kicks in.</td>
     </tr>
     </tr>
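Review bot: Limit and Limit burst now default to `none`, but the descriptions do not say what happens when the protection is enabled and these fields are left empty (whether the field is required, or the firmware falls back to a built-in value); the previous defaults of 5 and 10 at least told the reader the effective behaviour, so the new rows should state it.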
Line 824: Line 903:
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.


[[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 844: Line 923:
     <tr>
     <tr>
     <td>Limit</td>
     <td>Limit</td>
         <td>integer; default: <b>5</b></td>
         <td>integer [1..10000]; default: <b>none</b></td>
         <td>Maximum HTTP connections during the set period<./td>
         <td>Maximum HTTP connections during the set period.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Limit burst</td>
     <td>Limit burst</td>
         <td>integer; default: <b>10</b></td>
         <td>integer [1..10000]; default: <b>none</b></td>
         <td>Indicates the maximum burst before the above limit kicks in.</td>
         <td>Indicates the maximum burst before the above limit kicks in.</td>
     </tr>
     </tr>
Line 860: Line 939:
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.


[[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
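Review bot: the introductory paragraph describes a man-in-the-middle attack, but the fields that follow (Limit, Limit burst) only rate-limit incoming HTTPS connections per period, which does not mitigate a MITM; the paragraph should describe the condition the limit actually addresses, a flood of HTTPS connection attempts, so readers do not expect protection the control does not provide.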
Line 880: Line 959:
     <tr>
     <tr>
     <td>Limit</td>
     <td>Limit</td>
         <td>integer; default: <b>5</b></td>
         <td>integer [1..10000]; default: <b>none</b></td>
         <td>Maximum HTTPS connections during the set period.</td>
         <td>Maximum HTTPS connections during the set period.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Limit burst</td>
     <td>Limit burst</td>
         <td>integer; default: <b>10</b></td>
         <td>integer [1..10000]; default: <b>none</b></td>
         <td>Indicates the maximum burst number before the above limit kicks in.</td>
         <td>Indicates the maximum burst number before the above limit kicks in.</td>
     </tr>
     </tr>
Line 895: Line 974:
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.


[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
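Review bot: `<b>NULLflags</b>` should be written as 'NULL flags', two words, consistent with how the other scan types ('SYN-FIN', 'SYN-RST', 'X-Mas', 'FIN scan') are named in the same sentence.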
Line 910: Line 989:
     <tr>
     <tr>
     <td>Scan count</td>
     <td>Scan count</td>
         <td>integer [5..65534]; default: <b>5</b></td>
         <td>integer [5..10000]; default: <b>none</b></td>
         <td>How many port scans before blocked.</td>
         <td>How many port scans before blocked.</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Interval</td>
       <td>Interval</td>
       <td>integer [10..60]; default: <b>10</b></td>
       <td>integer [10..4096]; default: <b>none</b></td>
       <td>Time interval in seconds in which port scans are counted.</td>
       <td>Time interval in seconds in which port scans are counted.</td>
     </tr>
     </tr>
Line 960: Line 1,039:


The <b>Reset</b> button resets the custom rules field to its default state.
The <b>Reset</b> button resets the custom rules field to its default state.
==DMZ==
The <b>DMZ</b> is a security concept. It comprises the separation of the LAN-side network into at least two networks: the user LAN and the DMZ. Generally the DMZ is imprisoned: only access to certain ports from the Internet are allowed into the DMZ, while the DMZ is not allowed to establish new connections to the WAN-side or LAN-side networks. That way, if a server inside of the DMZ is hacked the potential damage that can be done remains restricted! The whole point of the DMZ is to cleanly create a unique firewall rule set that dramatically restricts access in to, and out of the, DMZ.
[[File:Networking rutos manual network firewall dmz_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
        <th>Value</th>
        <th>Description</th>
    </tr>
    <tr>
        <td>Enable</td>
        <td>off | on; default: <b>off</b></td>
        <td>Enables the DMZ configuration.</td>
    </tr>
    <tr>
        <td>Host IP</td>
        <td>ipv4; default: <b>none</b></td>
        <td>Specifies the IP address of the DMZ host.</td>
    </tr>
    <tr>
        <td>Protocol</td>
        <td>All | <span style="color:blue">TCP</span> | <span style="color:blue">UDP</span> | ICMP; default: <b>None</b></td>
        <td>Specifies for which protocols the DMZ will be used.</td>
    </tr>
    <tr>
        <td><span style="color:blue">Ports</span></td>
        <td>0..65535 | port range | port negation; default: <b>none</b></td>
        <td>Match incoming traffic directed at the given destination port or port range on DMZ host IP.</td>
    </tr>
</table>


[[Category:{{{name}}} Network section]]
[[Category:{{{name}}} Network section]]
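Review bot: the new DMZ paragraph describes a separated network segment that 'is not allowed to establish new connections to the WAN-side or LAN-side networks', but the fields below configure a single DMZ host (Host IP) to which incoming traffic on the selected protocols and ports is forwarded, and nothing in the table restricts that host's outbound connections; the paragraph should describe what the setting actually does so readers do not assume an outbound isolation they have not configured. Smaller points in the same section: the `==DMZ==` heading, image and table are run together without the blank lines the other sections use; the Protocol default `<b>None</b>` should be lowercase `none` like the rest of the page; and the blue-coloured `TCP`, `UDP` and `Ports` items are not explained anywhere (presumably Ports is shown only when TCP or UDP is selected, which the text should say).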