Changes

7,029 bytes removed, 13:59, 16 October 2020
no edit summary
Line 1: Line 1:  +
{{Template: Networking_rutxxx_manual_fw_disclosure
 +
| fw_version = RUT2XX_R_00.01.13
 +
}}
 
==Summary==
 
==Summary==
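Review bot: the transclusion added at the top uses the `Template:` namespace prefix (`{{Template: Networking_rutxxx_manual_fw_disclosure ...}}`), which MediaWiki accepts but does not need; `{{Networking_rutxxx_manual_fw_disclosure | fw_version = RUT2XX_R_00.01.13}}` is the conventional form. Also confirm that RUT2XX_R_00.01.13 is the firmware whose defaults the tables below document, since this edit changes several of them (the new Zone Forwarding 'Forward' policy is listed as Accept while the General Settings 'Forward' default stays Reject).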
   Line 19: Line 22:  
     <tr>
 
     <tr>
 
       <td>Drop invalid packets</td>
 
       <td>Drop invalid packets</td>
       <td>yes {{!}} no; Default: '''no'''</td>
+
       <td>yes | no; Default: '''no'''</td>
 
       <td>A “Drop” action is performed on a packet that is determined to be invalid</td>
 
       <td>A “Drop” action is performed on a packet that is determined to be invalid</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Input</td>
 
       <td>Input</td>
       <td>Reject {{!}} Drop {{!}} Accept; Default: '''Accept'''</td>
+
       <td>Reject | Drop | Accept; Default: '''Accept'''</td>
 
       <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Input chain</td>
 
       <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Input chain</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Output</td>
 
     <td>Output</td>
         <td>Reject {{!}} Drop {{!}} Accept; Default: '''Accept'''</td>
+
         <td>Reject | Drop | Accept; Default: '''Accept'''</td>
 
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Output chain</td>
 
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Output chain</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Forward</td>
 
     <td>Forward</td>
         <td>Reject {{!}} Drop {{!}} Accept; Default: '''Reject'''</td>
+
         <td>Reject | Drop | Accept; Default: '''Reject'''</td>
 
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Forward chain</td>
 
         <td>Action<span style="color: #0054A6;">'''*'''</span> that is to be performed for packets that pass through the Forward chain</td>
 
     </tr>
 
     </tr>
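Review bot: the `{{!}}` to `|` replacement in the value cells (e.g. `<td>yes | no; Default: '''no'''</td>`) is safe only because these rows sit in raw HTML `<table>` markup outside any template parameter; a bare `|` inside a `{{...}}` call or a `{| ... |}` wikitable cell is parsed as a parameter or cell separator. Keep that in mind if the section is ever moved into the disclosure template or back into a wikitable, and apply the same rule consistently in the later hunks.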
Line 49: Line 52:  
----
 
----
 
By enabling '''DMZ''' for a specific internal host (e.g., your computer), you will expose that host and its services to the router’s WAN network (i.e. – the Internet).
 
By enabling '''DMZ''' for a specific internal host (e.g., your computer), you will expose that host and its services to the router’s WAN network (i.e. – the Internet).
      
[[Image:Network firewall general dmz.PNG]]
 
[[Image:Network firewall general dmz.PNG]]
      
<table class="nd-mantable">
 
<table class="nd-mantable">
Line 62: Line 63:  
     <tr>
 
     <tr>
 
       <td>Source zone</td>
 
       <td>Source zone</td>
       <td>yes {{!}} no; Default: '''no'''</td>
+
       <td>yes | no; Default: '''no'''</td>
 
       <td>Toggles DMZ On or Off</td>
 
       <td>Toggles DMZ On or Off</td>
 
     </tr>
 
     </tr>
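Review bot: the DMZ row touched here still carries the field name 'Source zone' while its value (`yes | no`) and description ('Toggles DMZ On or Off') describe an enable switch; the label should be checked against the WebUI field it documents rather than only converting the pipe.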
Line 76: Line 77:  
A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects. The '''Zone Forwarding''' section allows you to configure these forwardings.
 
A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects. The '''Zone Forwarding''' section allows you to configure these forwardings.
   −
 
+
[[File:Networking_rut2_manual_firewall_general_settings_zone_forwarding.png|border|class=tlt-border]]
[[Image:Network firewall general zone.PNG]]
  −
 
      
<table class="nd-mantable">
 
<table class="nd-mantable">
 
     <tr>
 
     <tr>
         <th>field name</th>
+
         <th>Field</th>
       <th>value</th>
+
       <th>Value</th>
       <th>description</th>
+
       <th>Description</th>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Source zone</td>
 
       <td>Source zone</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span></td>
+
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span></td>
 
       <td>The source zone from which data packets will redirected from</td>
 
       <td>The source zone from which data packets will redirected from</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Destination zones</td>
 
       <td>Destination zones</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span></td>
+
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span></td>
       <td>The destination zone to which data packets will be redirected to</td>
+
       <td>The destination zone to which data packets will be redirected to.</td>
 +
    </tr>
 +
    <tr>
 +
        <td>Input</td>
 +
      <td>Reject | Drop | Accept; default: <b>Accept</b></td>
 +
        <td>Default policy for traffic entering the zone.</td>
 +
    </tr>
 +
    <tr>
 +
        <td>Output</td>
 +
      <td>Reject | Drop | Accept; default: <b>Accept</b></td>
 +
        <td>Default policy for traffic originating from and leaving the zone.</td>
 +
    </tr>
 +
    <tr>
 +
        <td>Forward</td>
 +
      <td>Reject | Drop | Accept; default: <b>Accept</b></td>
 +
        <td>Default policy for traffic forwarded between the networks belonging to the zone.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
    <td>Default forwarding action</td>
+
        <td>Masquerading</td>
         <td>Reject {{!}} Drop {{!}} Accept</td>
+
         <td>yes | no; default: <b>no</b></td>
         <td>Action to be performed with the redirected packets </td>
+
         <td>Turns Masquerading off or on. MASQUERADE is an iptables target that can be used instead of the SNAT (source NAT) target when the external IP of the network interface is not known at the moment of writing the rule (when the interface gets the external IP dynamically).</td>
 
     </tr>
 
     </tr>
 
</table>
 
</table>
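Review bot: the added Input/Output/Forward rows and the Masquerading row write `default: <b>Accept</b>` / `<b>no</b>`, while every other row on the page writes `Default: '''...'''`; pick one convention. Two content points in the same hunk: the 'Default forwarding action' row (Reject | Drop | Accept) is removed with no replacement, so confirm that field is gone from the zone forwarding dialog in this firmware rather than relocated; and the new zone 'Forward' default of Accept sits next to the General Settings 'Forward' default of Reject, which the description ('traffic forwarded between the networks belonging to the zone') explains only implicitly, so a sentence contrasting intra-zone policy with the global inter-zone policy would help. Nits: 'The source zone from which data packets will redirected from' is missing 'be' and doubles 'from'; the destination row gains a trailing period that the other rows lack.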
Line 129: Line 143:  
     <tr>
 
     <tr>
 
       <td>Protocol</td>
 
       <td>Protocol</td>
       <td>TCP+UDP {{!}} TCP {{!}} UDP {{!}} ICMP {{!}} -- custom --; Default: '''TCP+UDP'''</td>
+
       <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
 
       <td>Type of protocol of incoming packet</td>
 
       <td>Type of protocol of incoming packet</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>External port</td>
 
     <td>External port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
         <td>Traffic will be forwarded from this port on the WAN network</td>
 
         <td>Traffic will be forwarded from this port on the WAN network</td>
 
     </tr>
 
     </tr>
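Review bot: `Default: " "` in the External port row renders as a quoted space; if the field is empty by default, write 'Default: empty' or omit the default, since a literal space is not a meaningful value and the same string recurs in every port row below.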
Line 144: Line 158:  
     <tr>
 
     <tr>
 
     <td>Internal port</td>
 
     <td>Internal port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
         <td>The rule will redirect the traffic to this port on the internal machine</td>
 
         <td>The rule will redirect the traffic to this port on the internal machine</td>
 
     </tr>
 
     </tr>
Line 167: Line 181:  
     <tr>
 
     <tr>
 
       <td>Enable</td>
 
       <td>Enable</td>
       <td>yes {{!}} no; Default: '''no'''</td>
+
       <td>yes | no; Default: '''no'''</td>
 
       <td>Toggles a rule ON or OFF</td>
 
       <td>Toggles a rule ON or OFF</td>
 
     </tr>
 
     </tr>
Line 177: Line 191:  
     <tr>
 
     <tr>
 
     <td>Protocol</td>
 
     <td>Protocol</td>
         <td>TCP+UDP {{!}} TCP {{!}} UDP {{!}} ICMP {{!}} -- custom --; Default: '''TCP+UDP'''</td>
+
         <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
 
         <td>Specifies to which protocols the rule should apply</td>
 
         <td>Specifies to which protocols the rule should apply</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Source zone</td>
 
     <td>Source zone</td>
         <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
+
         <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
 
         <td>The source zone from which data packets will redirected from</td>
 
         <td>The source zone from which data packets will redirected from</td>
 
     </tr>
 
     </tr>
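Review bot: in the Source zone row the default is rendered as `'''<span style="background:#DDDDDD"> wan: ppp </span>'''`, but the wan zone in the option list of the same cell is coloured #D0E1EF; #DDDDDD is the lan colour, so the default badge shows the wrong zone colour. The same mismatch appears in the other Source zone rows further down that list wan as the default.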
Line 197: Line 211:  
     <tr>
 
     <tr>
 
     <td>Source port</td>
 
     <td>Source port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
         <td>Matches incoming traffic originating from the given source port or port range on the client host only</td>
 
         <td>Matches incoming traffic originating from the given source port or port range on the client host only</td>
 
     </tr>
 
     </tr>
Line 207: Line 221:  
     <tr>
 
     <tr>
 
       <td>External port</td>
 
       <td>External port</td>
       <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
       <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
       <td>Specifies the external port, i.e., the port from which the third party is connecting</td>
 
       <td>Specifies the external port, i.e., the port from which the third party is connecting</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Internal zone</td>
 
       <td>Internal zone</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
+
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
 
       <td>Specifies the internal zone, i.e., the zone where the incoming connection will be redirected to</td>
 
       <td>Specifies the internal zone, i.e., the zone where the incoming connection will be redirected to</td>
 
     </tr>
 
     </tr>
Line 222: Line 236:  
     <tr>
 
     <tr>
 
     <td>Internal port</td>
 
     <td>Internal port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
         <td>Specifies the internal port, i.e., the port to which the incoming connection will be redirected to</td>
 
         <td>Specifies the internal port, i.e., the port to which the incoming connection will be redirected to</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Enable NAT loopback</td>
 
     <td>Enable NAT loopback</td>
         <td>yes {{!}} no; Default: '''no'''</td>
+
         <td>yes | no; Default: '''no'''</td>
 
         <td>NAT loopback enables your local network (i.e., behind your router/modem) to connect to a forward-facing IP address (such as 208.112.93.73) of a machine that it also on your local network</td>
 
         <td>NAT loopback enables your local network (i.e., behind your router/modem) to connect to a forward-facing IP address (such as 208.112.93.73) of a machine that it also on your local network</td>
 
     </tr>
 
     </tr>
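Review bot: the NAT loopback description says 'a machine that it also on your local network'; it should read 'that is also'. The example address 208.112.93.73 is a routable public IP; a documentation address from RFC 5737 (for example 203.0.113.10) avoids pointing readers at a real host.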
Line 296: Line 310:  
     <tr>
 
     <tr>
 
       <td>Enable</td>
 
       <td>Enable</td>
       <td>yes {{!}} no; Default: '''no'''</td>
+
       <td>yes | no; Default: '''no'''</td>
 
       <td>Turns the rule ON or OFF</td>
 
       <td>Turns the rule ON or OFF</td>
 
     </tr>
 
     </tr>
Line 306: Line 320:  
     <tr>
 
     <tr>
 
     <td>Restrict to address family</td>
 
     <td>Restrict to address family</td>
         <td>IPv4 and IPv6 {{!}} IPv4 only {{!}} IPv6 only; Default: '''IPv4 and IPv6'''</td>
+
         <td>IPv4 and IPv6 | IPv4 only | IPv6 only; Default: '''IPv4 and IPv6'''</td>
 
         <td>Name of the rule, used purely for easier management purposes</td>
 
         <td>Name of the rule, used purely for easier management purposes</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Protocol</td>
 
       <td>Protocol</td>
       <td>TCP+UDP {{!}} TCP {{!}} UDP {{!}} ICMP {{!}} -- custom --; Default: '''TCP+UDP'''</td>
+
       <td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: '''TCP+UDP'''</td>
 
       <td>Specifies to which protocols the rule should apply</td>
 
       <td>Specifies to which protocols the rule should apply</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Source zone</td>
 
       <td>Source zone</td>
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
+
       <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> wan: ppp </span>'''</td>
 
       <td>Specifies the external zone, i.e., the zone from which the third party connection will come</td>
 
       <td>Specifies the external zone, i.e., the zone from which the third party connection will come</td>
 
     </tr>
 
     </tr>
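Review bot: the 'Restrict to address family' row's description reads 'Name of the rule, used purely for easier management purposes', which belongs to a Name field; it should describe the IPv4/IPv6 selection that the value cell lists. The Source zone default badge in this hunk also uses #DDDDDD for wan: ppp, while the option list colours wan with #D0E1EF.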
Line 331: Line 345:  
     <tr>
 
     <tr>
 
       <td>Source port</td>
 
       <td>Source port</td>
       <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
       <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
       <td>Specifies the port or range of ports that the external host host will using as their source, i.e., the rule will apply only to hosts that use source ports specified in this field</td>
 
       <td>Specifies the port or range of ports that the external host host will using as their source, i.e., the rule will apply only to hosts that use source ports specified in this field</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>External IP addres</td>
 
       <td>External IP addres</td>
       <td>ip {{!}} ip/netmask {{!}} ANY; Default: '''ANY'''</td>
+
       <td>ip | ip/netmask | ANY; Default: '''ANY'''</td>
 
       <td>Specifies the external IP address or range of external IPs of the local host, i.e., the rule will apply only to the external IP addresses specified in this field</td>
 
       <td>Specifies the external IP address or range of external IPs of the local host, i.e., the rule will apply only to the external IP addresses specified in this field</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>External port</td>
 
     <td>External port</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
         <td>Specifies the external port, i.e., the port from which the third party is connecting</td>
 
         <td>Specifies the external port, i.e., the port from which the third party is connecting</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Destination zone</td>
 
     <td>Destination zone</td>
         <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  {{!}} <span style="background:#CEF58F"> l2tp: l2tp </span>  {{!}} <span style="background:#9BEAC3"> pptp: pptp </span>  {{!}} <span style="background:#96EBE8"> vpn: openvpn </span>  {{!}} <span style="background:#D0E1EF"> wan: ppp </span>  {{!}} <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
+
         <td><span style="background:#9DB6BA"> gre: gre tunnel </span>  |  <span style="background:#FD9589"> hotspot: </span>  | <span style="background:#CEF58F"> l2tp: l2tp </span>  | <span style="background:#9BEAC3"> pptp: pptp </span>  | <span style="background:#96EBE8"> vpn: openvpn </span>  | <span style="background:#D0E1EF"> wan: ppp </span>  | <span style="background:#DDDDDD"> lan: lan </span> ; Default: '''<span style="background:#DDDDDD"> lan: lan </span>'''</td>
 
         <td>Match forwarded traffic to the given destination zone only</td>
 
         <td>Match forwarded traffic to the given destination zone only</td>
 
     </tr>
 
     </tr>
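Review bot: two typos survive in the rows converted here: 'the external host host will using as their source' (duplicate 'host', missing 'be') in the Source port row, and 'External IP addres' (address) as a field name; since the hunk already rewrites these cells, fix them in the same edit.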
Line 356: Line 370:  
     <tr>
 
     <tr>
 
       <td>Destination port</td>
 
       <td>Destination port</td>
       <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
       <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
       <td>Match forwarded traffic to the given destination port or port range only</td>
 
       <td>Match forwarded traffic to the given destination port or port range only</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Action</td>
 
     <td>Action</td>
         <td>Drop {{!}} Accept {{!}} Reject {{!}} Don't track; Default: '''no'''</td>
+
         <td>Drop | Accept | Reject | Don't track; Default: '''no'''</td>
 
         <td>Action to be taken on the packet if it matches the rule. You can also define additional options like limiting packet volume, and defining to which chain the rule belongs.
 
         <td>Action to be taken on the packet if it matches the rule. You can also define additional options like limiting packet volume, and defining to which chain the rule belongs.
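Review bot: the Action row lists `Drop | Accept | Reject | Don't track` but gives `Default: '''no'''`, which is not one of the listed values; the default should be one of the four actions as shown in the WebUI. The `<td>` holding the description is opened but not closed within the visible hunk; verify the closing `</td>` is present in the lines that follow.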
   Line 394: Line 408:  
     <tr>
 
     <tr>
 
       <td>PROTOCOL</td>
 
       <td>PROTOCOL</td>
       <td>TCP+UDP {{!}} TCP {{!}} UDP {{!}} Other; Default: '''TCP+UDP'''</td>
+
       <td>TCP+UDP | TCP | UDP | Other; Default: '''TCP+UDP'''</td>
 
       <td>Specifies to which protocols the rule should apply</td>
 
       <td>Specifies to which protocols the rule should apply</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>EXTERNAL PORT</td>
 
     <td>EXTERNAL PORT</td>
         <td>integer [0..65535] {{!}} range of integers [0..65534] - [1..65535]; Default: " "</td>
+
         <td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: " "</td>
 
         <td>Specifies which port should be opened</td>
 
         <td>Specifies which port should be opened</td>
 
     </tr>
 
     </tr>
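Review bot: the field names in this table are uppercase (PROTOCOL, EXTERNAL PORT) while the other tables on the page use sentence case (Protocol, External port); since the hunk already edits these rows, align them.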
Line 425: Line 439:  
     <tr>
 
     <tr>
 
       <td>Source</td>
 
       <td>Source</td>
       <td>RE {{!}} HOTSPOT {{!}} L2TP {{!}} LAN {{!}} PPTP {{!}} VPN {{!}} WAN; Default: '''LAN'''</td>
+
       <td>RE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
 
       <td>Match incoming traffic from selected address family only</td>
 
       <td>Match incoming traffic from selected address family only</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Destination</td>
 
     <td>Destination</td>
         <td>GRE {{!}} HOTSPOT {{!}} L2TP {{!}} LAN {{!}} PPTP {{!}} VPN {{!}} WAN; Default: '''WAN'''</td>
+
         <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''WAN'''</td>
 
         <td>Forward incoming traffic to selected address family only</td>
 
         <td>Forward incoming traffic to selected address family only</td>
 
     </tr>
 
     </tr>
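Review bot: the Source row lists `RE | HOTSPOT | L2TP | ...` where the Destination row in the same hunk lists `GRE | HOTSPOT | L2TP | ...`; 'RE' looks like a truncated 'GRE'. Both descriptions also say 'selected address family' although the values are zones, not IPv4/IPv6 families; 'selected zone' is what the rows describe.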
Line 456: Line 470:  
     <tr>
 
     <tr>
 
       <td>Protocol</td>
 
       <td>Protocol</td>
       <td>TCP+UDP {{!}} TCP {{!}} UDP {{!}} Other...; Default: '''TCP+UDP'''</td>
+
       <td>TCP+UDP | TCP | UDP | Other...; Default: '''TCP+UDP'''</td>
 
       <td>Protocol of the packet that is being matched against traffic rules</td>
 
       <td>Protocol of the packet that is being matched against traffic rules</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Source</td>
 
     <td>Source</td>
         <td>GRE {{!}} HOTSPOT {{!}} L2TP {{!}} LAN {{!}} PPTP {{!}} VPN {{!}} WAN; Default: '''LAN'''</td>
+
         <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
 
         <td>Match incoming traffic from selected address family only</td>
 
         <td>Match incoming traffic from selected address family only</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Destination</td>
 
     <td>Destination</td>
         <td>GRE {{!}} HOTSPOT {{!}} L2TP {{!}} LAN {{!}} PPTP {{!}} VPN {{!}} WAN; Default: '''LAN'''</td>
+
         <td>GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: '''LAN'''</td>
 
         <td>Forward incoming traffic to selected address family only</td>
 
         <td>Forward incoming traffic to selected address family only</td>
 
     </tr>
 
     </tr>
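Review bot: as in the previous table, Source and Destination are zone selectors but their descriptions say 'selected address family only'. The Destination default here is LAN whereas the previous table's Destination default is WAN; if the two dialogs genuinely differ, a word on why helps, otherwise one of them is a copy error.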
Line 476: Line 490:  
     <tr>
 
     <tr>
 
     <td>Enable</td>
 
     <td>Enable</td>
         <td>yes {{!}} no; Default: '''no'''</td>
+
         <td>yes | no; Default: '''no'''</td>
 
         <td>Toggles the rule ON or OFF</td>
 
         <td>Toggles the rule ON or OFF</td>
 
     </tr>
 
     </tr>
Line 508: Line 522:  
     <tr>
 
     <tr>
 
       <td>Enable SYN flood protection</td>
 
       <td>Enable SYN flood protection</td>
       <td>yes {{!}} no; Default: '''yes'''</td>
+
       <td>yes | no; Default: '''yes'''</td>
 
       <td>Toggles the rule ON or OFF</td>
 
       <td>Toggles the rule ON or OFF</td>
 
     </tr>
 
     </tr>
Line 519: Line 533:  
     <td>SYN flood burst</td>
 
     <td>SYN flood burst</td>
 
         <td>integer; Default: '''50'''</td>
 
         <td>integer; Default: '''50'''</td>
         <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded</td>
+
         <td>Set burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>TCP SYN cookies</td>
 
     <td>TCP SYN cookies</td>
         <td>yes {{!}} no; Default: '''no'''</td>
+
         <td>yes | no; Default: '''no'''</td>
 
         <td>Enable the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>
 
         <td>Enable the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>
 
     </tr>
 
     </tr>
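Review bot: the new SYN flood burst description ('Set burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate') is circular; the burst is the number of packets allowed through before the rate limit takes effect, which is how the HTTP table later on this page phrases it ('Indicate the maximum burst before the above limit kicks in'). Reusing that wording keeps the limit/burst pair consistent across the DDoS tables.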
Line 544: Line 558:  
     <tr>
 
     <tr>
 
       <td>Enable ICMP requests</td>
 
       <td>Enable ICMP requests</td>
       <td>yes {{!}} no; Default: '''yes'''</td>
+
       <td>yes | no; Default: '''yes'''</td>
 
       <td>Toggles the rule ON or OFF</td>
 
       <td>Toggles the rule ON or OFF</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Enable ICMP requests</td>
 
       <td>Enable ICMP requests</td>
       <td>yes {{!}} no; Default: '''yes'''</td>
+
       <td>yes | no; Default: '''yes'''</td>
 
       <td>Toggles ICMP echo-request limit in selected period ON or OFF</td>
 
       <td>Toggles ICMP echo-request limit in selected period ON or OFF</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Limit period</td>
 
     <td>Limit period</td>
         <td>Second {{!}} Minute {{!}} Hour {{!}} Day; Default: '''Second'''</td>
+
         <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
 
         <td>Select ICMP echo-request period limit</td>
 
         <td>Select ICMP echo-request period limit</td>
 
     </tr>
 
     </tr>
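Review bot: two consecutive rows both carry the field name 'Enable ICMP requests' with different descriptions ('Toggles the rule ON or OFF' and 'Toggles ICMP echo-request limit in selected period ON or OFF'); the second is presumably the ICMP rate-limit switch that parallels 'Enable SSH limit' and 'Enable HTTP limit' in the following tables, so it needs its own name.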
Line 585: Line 599:  
     <tr>
 
     <tr>
 
       <td>Enable SSH limit</td>
 
       <td>Enable SSH limit</td>
       <td>yes {{!}} no; Default: '''yes'''</td>
+
       <td>yes | no; Default: '''yes'''</td>
 
       <td>Toggles the rule ON or OFF</td>
 
       <td>Toggles the rule ON or OFF</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>Limit period</td>
 
       <td>Limit period</td>
       <td>Second {{!}} Minute {{!}} Hour {{!}} Day; Default: '''Second'''</td>
+
       <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
 
       <td>The period in which SSH connections are to be limited</td>
 
       <td>The period in which SSH connections are to be limited</td>
 
     </tr>
 
     </tr>
Line 607: Line 621:  
===HTTP Attack Prevention===
 
===HTTP Attack Prevention===
 
----
 
----
 +
 
An HTTP attack sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
 
An HTTP attack sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
   Line 612: Line 627:  
[[Image:Network firewall ddos hhtp.PNG]]
 
[[Image:Network firewall ddos hhtp.PNG]]
   −
 
+
<table class="nd-mantable">
{| class="wikitable"
+
    <tr>
|+
+
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
+
      <th>value</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
+
      <th>description</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
+
    </tr>
|-
+
    <tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Enable HTTP limit
+
      <td>Enable HTTP limit</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''yes'''
+
      <td>yes | no; Default: '''yes'''</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles the rule ON or OFF
+
      <td>Toggles the rule ON or OFF</td>
|-
+
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Limit period
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Second {{!}} Minute {{!}} Hour {{!}} Day; Default: '''Second'''
+
      <td>Limit period</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | The period in which HTTP connections are to be limited
+
      <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
|-
+
      <td>The period in which HTTP connections are to be limited</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Limit
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer; Default: '''10'''
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Maximum HTTP connections during the set period
+
    <td>Limit</td>
|-
+
        <td>integer; Default: '''10'''</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Limit burst
+
        <td>Maximum HTTP connections during the set period</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer; Default: '''10'''
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Indicate the maximum burst before the above limit kicks in
+
    <tr>
|-
+
    <td>Limit burst</td>
|}
+
        <td>integer; Default: '''10'''</td>
 +
        <td>Indicate the maximum burst before the above limit kicks in</td>
 +
    </tr>
 +
</table>
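Review bot: the header cells of the converted HTTP table are lowercase ('field name', 'value', 'description'), while the Zone Forwarding hunk earlier in this same edit changes the same headers to 'Field', 'Value', 'Description'; use one form. Converting from `{| class="wikitable"` to `<table class="nd-mantable">` drops the per-cell inline styles, which is fine as long as the nd-mantable class supplies the header border and colour those styles provided.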
    
===HTTPS Attack Prevention===
 
===HTTPS Attack Prevention===
Line 647: Line 665:       −
{| class="wikitable"
+
<table class="nd-mantable">
|+
+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
+
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
+
      <th>value</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
+
      <th>description</th>
|-
+
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Enable HTTPS limit
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''yes'''
+
      <td>Enable HTTPS limit</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles the rule ON or OFF
+
      <td>yes | no; Default: '''yes'''</td>
|-
+
      <td>Toggles the rule ON or OFF</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Limit period
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Second {{!}} Minute {{!}} Hour {{!}} Day; Default: '''Second'''
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | The period in which HTTPS connections are to be limited
+
      <td>Limit period</td>
|-
+
      <td>Second | Minute | Hour | Day; Default: '''Second'''</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Limit
+
      <td>The period in which HTTPS connections are to be limited</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer; Default: '''10'''
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Maximum HTTPS connections during the set period
+
    <tr>
|-
+
    <td>Limit</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Limit burst
+
        <td>integer; Default: '''10'''</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer; Default: '''10'''
+
        <td>Maximum HTTPS connections during the set period</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Indicate the maximum burst before the above limit kicks in
+
    </tr>
|-
+
    <tr>
|}
+
    <td>Limit burst</td>
 +
        <td>integer; Default: '''10'''</td>
 +
        <td>Indicate the maximum burst before the above limit kicks in</td>
 +
    </tr>
 +
</table>
    
==Port Scan Prevention==
 
==Port Scan Prevention==
Line 683: Line 705:       −
{| class="wikitable"
+
<table class="nd-mantable">
|+
+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
+
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
+
      <th>value</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
+
      <th>description</th>
|-
+
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Enable
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''yes'''
+
      <td>Enable</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles the function ON or OFF
+
      <td>yes | no; Default: '''yes'''</td>
|-
+
      <td>Toggles the function ON or OFF</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Interval
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer [10..60]; Default: '''30'''
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Time interval in seconds in which port scans are counted
+
      <td>Interval</td>
|-
+
      <td>integer [10..60]; Default: '''30'''</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Scan count
+
      <td>Time interval in seconds in which port scans are counted</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer [5..65534]; Default: '''10'''
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | How many port scans before blocked
+
    <tr>
|-
+
    <td>Scan count</td>
|}
+
        <td>integer [5..65534]; Default: '''10'''</td>
 +
        <td>How many port scans before blocked</td>
 +
    </tr>
 +
</table>
    
===Defending Type===
 
===Defending Type===
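Review bot: "How many port scans before blocked" does not say what is counted or what gets blocked; suggest "Number of port scan attempts counted within the interval before the scanning source is blocked", and the Interval description should state whether the count resets at the end of each interval. `<td>Scan count</td>` is also indented four spaces against eight for its sibling cells.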
Line 711: Line 736:       −
{| class="wikitable"
+
<table class="nd-mantable">
|+
+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
+
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
+
      <th>value</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
+
      <th>description</th>
|-
+
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | SYN-FIN attack
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
+
      <td>SYN-FIN attack</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles protection from SYN-FIN attacks ON or OFF
+
      <td>yes | no; Default: '''no'''</td>
|-
+
      <td>Toggles protection from SYN-FIN attacks ON or OFF</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | SYN-RST attack
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles protection from SYN-RST attacks ON or OFF
+
      <td>SYN-RST attack</td>
|-
+
      <td>yes | no; Default: '''no'''</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | X-Mas attack
+
      <td>Toggles protection from SYN-RST attacks ON or OFF</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles protection from X-Mas attacks ON or OFF
+
    <tr>
|-
+
    <td>X-Mas attack</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | FIN scan
+
        <td>yes | no; Default: '''no'''</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
+
        <td>Toggles protection from X-Mas attacks ON or OFF</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles protection from FIN scan attacks ON or OFF
+
    </tr>
|-
+
    <tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | NULLflags attack
+
    <td>FIN scan</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
+
        <td>yes | no; Default: '''no'''</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles protection from NULLflags attacks ON or OFF
+
        <td>Toggles protection from FIN scan attacks ON or OFF</td>
|-
+
    </tr>
|}
+
    <tr>
 +
    <td>NULLflags attack</td>
 +
        <td>yes | no; Default: '''no'''</td>
 +
        <td>Toggles protection from NULLflags attacks ON or OFF</td>
 +
    </tr>
 +
</table>
    
==Helpers==
 
==Helpers==
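Review bot: the row labels mix "attack" and "scan" (SYN-FIN attack, SYN-RST attack, X-Mas attack, FIN scan, NULLflags attack) although every description is the same "Toggles protection from ... ON or OFF" and all five options refer to a TCP flag combination; pick one convention for the labels. `<td>X-Mas attack</td>`, `<td>FIN scan</td>` and `<td>NULLflags attack</td>` are indented four spaces while the other cells in their rows use eight.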
Line 752: Line 782:       −
{| class="wikitable"
+
<table class="nd-mantable">
|+
+
    <tr>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
+
        <th>field name</th>
! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
+
      <th>value</th>
! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
+
      <th>description</th>
|-
+
    </tr>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | H323
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
+
      <td>H323</td>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles H323 filtering ON or OFF
+
      <td>yes | no; Default: '''no'''</td>
|-
+
      <td>Toggles H323 filtering ON or OFF</td>
! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | SIP
+
    </tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
+
    <tr>
| style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles SIP filtering ON or OFF
+
      <td>SIP</td>
|-
+
      <td>yes | no; Default: '''no'''</td>
|}
+
      <td>Toggles SIP filtering ON or OFF</td>
 +
    </tr>
 +
</table>
 +
 
 +
[[Category:{{{name}}} Network section]]
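Review bot: "Toggles H323 filtering ON or OFF" and "Toggles SIP filtering ON or OFF" under a section titled Helpers read as if the options filter traffic; if they enable the H.323 and SIP connection-tracking helpers so that dynamically negotiated ports are tracked through the firewall, the descriptions should say so, because "filtering" suggests the opposite effect. The added `[[Category:{{{name}}} Network section]]` uses a template parameter; unless this page is only ever transcluded with name set, it will be categorized literally under "{{{name}}} Network section".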
