Changes

153 bytes added , 5 January

no edit summary

Line 99: Line 99:

[[File:Networking_rutos_manual_firewall_general_settings_zones_v2.png|border|class=tlt-border]]

----

−

You can change a zone's settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the button ~~that looks like a pencil~~ [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to a zone:

+

You can change a zone's settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to a zone:

[[File:Networking_rutos_manual_firewall_general_settings_zones_edit_button_v2.png|border|class=tlt-border]]

Line 105: Line 105:

====Zones: General Settings====

----

−

[[File:~~Networking_rutos_manual_firewall_general_settings_zones_general_settings~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_general_settings_zones_general_settings_v2.png|border|class=tlt-border]]

Line 152: Line 152:

====Zones: Advanced Settings====

----

−

[[File:~~Networking_rutos_manual_firewall_general_settings_zones_advanced_settings_v3~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings_v4.png|border|class=tlt-border]]

Line 201: Line 201:

The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones.

−

[[File:Networking_rutos_manual_firewall_general_settings_zones_inter-~~zone_forwarding_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_general_settings_zones_inter-zone_forwarding_v1.png|border|class=tlt-border]]

Line 229: Line 229:

The Port forwards table displays configured port forwarding rules currently configured on the device.

−

[[File:~~Networking_rutos_manual_firewall_port_forwards_port_forwards~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_port_forwards_port_forwards_v2.png|border|class=tlt-border]]

===Add New Port Forward===

Line 235: Line 235:

The <b>Add New Port Forward</b> section is used to quickly add additional port forwarding rules. The figure below is an example of the Add New Port Forward section and the table below provides information on the fields contained in that section:

−

[[File:~~Networking_rutos_manual_firewall_port_forwards_add_new_port_forward_v2~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_port_forwards_add_new_port_forward_v3.png|border|class=tlt-border]]

Line 267: Line 267:

===Port Forwards Configuration===

----

−

While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button ~~that looks like a pencil~~ [[File:~~Networking_rutx_trb14x_manual_edit_button_v1~~.png|20px]] next to it:

+

While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to it:

−

[[File:~~Networking_rutos_manual_firewall_port_forwards_edit_button_v2~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_port_forwards_edit_button_v3.png|border|class=tlt-border]]

You will be redirected to that rule's configuration general settings page:

−

[[File:~~Networking_rutos_manual_firewall_port_forwards_configuration_v2~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_port_forwards_configuration_v3.png|border|class=tlt-border]]

Line 325: Line 325:

Advanced settings:

−

[[File:Networking rutos manual firewall port forwards configuration ~~advanced~~.png|border|class=tlt-border]]

+

[[File:Networking rutos manual firewall port forwards configuration advanced_v2.png|border|class=tlt-border]]

Line 369: Line 369:

The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table:

−

[[File:~~Networking_rutos_manual_firewall_traffic_rules~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_traffic_rules_v2.png|border|class=tlt-border]]

===Traffic Rule Configuration===

----

−

In order to begin editing a traffic rule, click the button ~~that looks like a pencil~~ [[File:~~Networking_rutx_trb14x_manual_edit_button_v1~~.png|20px]] next to it:

+

In order to begin editing a traffic rule, click the edit button [[File:Networking rutx trb14x manual edit button v2.png|20px]] next to it:

−

[[File:~~Networking_rutos_manual_firewall_traffic_rules_edit_button~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_traffic_rules_edit_button_v2.png|border|class=tlt-border]]

You will be redirected to that rule's configuration page:

Line 381: Line 381:

====General settings====

----

−

[[File:~~Networking_rutos_manual_firewall_traffic_rules_configuration_general_settings~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_traffic_rules_configuration_general_settings_v2.png|border|class=tlt-border]]

<tr>

Line 453: Line 453:

</tr>

</table>

−

+

====Advanced settings====

----

−

[[File:~~Networking_rutos_manual_firewall_traffic_rules_configuration_advanced_settings~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_traffic_rules_configuration_advanced_settings_v2.png|border|class=tlt-border]]

<tr>

Line 476: Line 476:

<td><span style="color:blue">Mark</span>: Set Target value</td>

<td>hex; default: <b>none</b></td>

−

<td>If specified, target traffic against the given firewall mark, e.g. ~~0xFF~~ to target mark 255 ~~or 0x0/0x1 to target any even mark value~~.</td>

+

<td>If specified, target traffic against the given firewall mark, e.g. FF or ff to target mark 255.</td>

</tr>

<tr>

Line 491: Line 491:

<td><span style="color:blue">Mark</span>: Set Match value</td>

<td>hex; default: <b>none</b></td>

−

<td>If specified, match traffic against the given firewall mark, e.g. ~~0xFF~~ to match mark 255 ~~or 0x0/0x1 to match any even mark value~~.</td>

+

<td>If specified, match traffic against the given firewall mark, e.g. FF or ff to match mark 255.</td>

</tr>

<tr>

Line 502: Line 502:

====Time restrictions====

----

−

[[File:~~Networking_rutos_manual_firewall_traffic_rules_configuration_time_restrictions~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_traffic_rules_configuration_time_restrictions_v2.png|border|class=tlt-border]]

<tr>

Line 537: Line 537:

<td>off | on; default: <b>no</b></td>

−

<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the ~~Services~~ → [[{{{name}}} NTP|NTP]] page will be used.</td>

+

<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td>

</tr>

</table>

Line 545: Line 545:

In the <b>Add new instance</b> section, select <b>Open ports on router</b>. This provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:

−

[[File:~~Networking_rutos_manual_firewall_traffic_rules_open_ports_on_router~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_traffic_rules_open_ports_on_router_v2.png|border|class=tlt-border]]

Line 574: Line 574:

In the <b>Add new instance</b> section, select <b>Add new forward rule</b>. This is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the Add New Forward Rule section and the table below provides information on the fields contained in that section:

−

[[File:~~Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule_v2.png|border|class=tlt-border]]

Line 614: Line 614:

The Source NAT section displays currently existing SNAT rules.

−

[[File:~~Networking_rutos_manual_firewall_nat_rules_source_nat~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_nat_rules_source_nat_v2.png|border|class=tlt-border]]

===Add New Source NAT===

Line 620: Line 620:

The <b>Add New Source NAT</b> section is used to create new source NAT rules.

−

[[File:~~Networking_rutos_manual_firewall_nat_rules_add_new_source_nat~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_nat_rules_add_new_source_nat_v2.png|border|class=tlt-border]]

Line 662: Line 662:

===Source NAT Configuration===

----

−

In order to begin editing a traffic rule, click the button ~~that looks like a pencil~~ [[File:~~Networking_rutx_trb14x_manual_edit_button_v1~~.png|20px]] next to it:

+

In order to begin editing a traffic rule, click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to it:

−

~~{{#ifeq: {{{series}}} | TRB1~~

+

[[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button_v2.png|border|class=tlt-border]]

−

~~| [[File:Networking_trb1_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]]~~

−

| [[File:~~Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button~~.png|border|class=tlt-border]]

−

}}

You will be redirected to that rule's configuration page:

−

[[File:~~Networking_rutos_manual_firewall_nat_rules_configuration_mobile_{{{~~mobile~~}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}~~.png|border|class=tlt-border]]

+

[[File:Networking rutos manual firewall nat rules configuration mobile general.png|border|class=tlt-border]]

Line 707: Line 704:

<td>Source port</td>

<td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td>

−

<td>Mathes traffic originated from specified port number.<td>

+

<td>Mathes traffic originated from specified port number.</td>

</tr>

<tr>

Line 713: Line 710:

<td>firewall zone; default: <b>wan</b></td>

<td>Matches traffic destined for the specified zone.</td>

−

</tr>

+

</tr>

<tr>

<td>Destination IP address</td>

Line 725: Line 722:

</tr>

<tr>

−

<td>~~SNAT address~~</td>

+

<td>Rewrite port</td>

−

<td>ip; default: <b>~~none~~</b></td>

+

<td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>No rewrite</b></td>

−

<td>~~Changes~~ matched traffic ~~packet source IP address~~ to the ~~value specified in this field~~.</td>

+

<td>Rewrite matched traffic to the given source port.</td>

</tr>

+

</table>

+

[[File:Networking rutos manual firewall nat rules configuration mobile advanced.png|border|class=tlt-border]]

+

<tr>

−

+

<th>Field</th>

−

<~~td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b~~></td>

+

<th>Value</th>

−

<td>~~Changes matched traffic packet source port number to the value specified in this field.~~</td>

+

<th>Description</th>

</tr>

<tr>

Line 738: Line 740:

<td>string; default: <b>none</b></td>

<td>Adds extra .iptables options to the rule.</td>

+

</tr>

+

</table>

+

[[File:Networking rutos manual firewall nat rules configuration mobile time restriction.png|border|class=tlt-border]]

+

+

<tr>

+

<th>Field</th>

+

<th>Value</th>

+

<th>Description</th>

</tr>

<tr>

Line 772: Line 784:

<td>off | on; default: <b>no</b></td>

−

<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the ~~Services~~ → [[{{{name}}} NTP|NTP]] page will be used.</td>

+

<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td>

</tr>

</table>

Line 784: Line 796:

<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.

−

[[File:~~Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection_v2.png|border|class=tlt-border]]

Line 800: Line 812:

<td>SYN flood rate</td>

<td>integer; default: <b>5</b></td>

−

<td>Set rate limit (packets per second) for SYN packets above which the traffic is considered ~~floodedb~~</td>

+

<td>Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded</td>

</tr>

<tr>

<td>SYN flood burst</td>

<td>integer; default: <b>10</b></td>

−

<td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed ~~ratbe~~</td>

+

<td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate</td>

</tr>

<tr>

<td>TCP SYN cookies</td>

−

<td>off | on; default: <b>~~off<b>~~</b></td>

+

<td>off | on; default: <b>on</b></td>

−

<td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)b</td>

+

<td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>

</tr>

</table>

Line 818: Line 830:

Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.

−

[[File:~~Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests_v2.png|border|class=tlt-border]]

Line 857: Line 869:

This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.

−

[[File:~~Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention_v2.png|border|class=tlt-border]]

Line 877: Line 889:

<tr>

<td>Limit</td>

−

<td>integer; default: <b>5</b></td>

+

<td>integer [1..10000]; default: <b>none</b></td>

<td>Maximum SSH connections during the set period</td>

</tr>

<tr>

<td>Limit burst</td>

−

<td>integer; default: <b>10</b></td>

+

<td>integer [1..10000]; default: <b>none</b></td>

<td>Indicates the maximum burst before the above limit kicks in.</td>

</tr>

Line 891: Line 903:

An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.

−

[[File:~~Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention_v2.png|border|class=tlt-border]]

Line 911: Line 923:

<tr>

<td>Limit</td>

−

<td>integer; default: <b>5</b></td>

+

<td>integer [1..10000]; default: <b>none</b></td>

−

<td>Maximum HTTP connections during the set period<./td>

+

<td>Maximum HTTP connections during the set period.</td>

</tr>

<tr>

<td>Limit burst</td>

−

<td>integer; default: <b>10</b></td>

+

<td>integer [1..10000]; default: <b>none</b></td>

<td>Indicates the maximum burst before the above limit kicks in.</td>

</tr>

Line 927: Line 939:

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

−

[[File:~~Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention_v2.png|border|class=tlt-border]]

Line 947: Line 959:

<tr>

<td>Limit</td>

−

<td>integer; default: <b>5</b></td>

+

<td>integer [1..10000]; default: <b>none</b></td>

<td>Maximum HTTPS connections during the set period.</td>

</tr>

<tr>

<td>Limit burst</td>

−

<td>integer; default: <b>10</b></td>

+

<td>integer [1..10000]; default: <b>none</b></td>

<td>Indicates the maximum burst number before the above limit kicks in.</td>

</tr>

Line 962: Line 974:

Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.

−

[[File:~~Networking_rutos_manual_firewall_attack_prevention_port_scan~~.png|border|class=tlt-border]]

+

[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan_v2.png|border|class=tlt-border]]

Line 977: Line 989:

<tr>

<td>Scan count</td>

−

<td>integer [5..~~65534~~]; default: <b>5</b></td>

+

<td>integer [5..10000]; default: <b>none</b></td>

<td>How many port scans before blocked.</td>

</tr>

<tr>

<td>Interval</td>

−

<td>integer [10..60]; default: <b>10</b></td>

+

<td>integer [10..4096]; default: <b>none</b></td>

<td>Time interval in seconds in which port scans are counted.</td>

</tr>

Line 1,032: Line 1,044:

The <b>DMZ</b> is a security concept. It comprises the separation of the LAN-side network into at least two networks: the user LAN and the DMZ. Generally the DMZ is imprisoned: only access to certain ports from the Internet are allowed into the DMZ, while the DMZ is not allowed to establish new connections to the WAN-side or LAN-side networks. That way, if a server inside of the DMZ is hacked the potential damage that can be done remains restricted! The whole point of the DMZ is to cleanly create a unique firewall rule set that dramatically restricts access in to, and out of the, DMZ.

−

[[File:Networking rutos manual network firewall ~~dmz~~.png|border|class=tlt-border]]

+

[[File:Networking rutos manual network firewall dmz_v2.png|border|class=tlt-border]]

Vainius.l

Administrators

7,851

edits

Changes

Template:Networking rutos manual firewall (view source)

Revision as of 14:41, 5 January 2024