Changes

Template:Networking rutos manual firewall (view source)

Revision as of 11:37, 19 August 2020

55 bytes removed , 11:37, 19 August 2020

no edit summary

Line 26: Line 26:

<tr>

<td>Enable SYN flood protection</td>

−

<td>off | on; ~~Default~~: on</td>

+

<td>off | on; default: on</td>

<td>Enables protection from SYN flood type attacks. A SYN flood is a type of denial-of-service (DOS) attack where an attacker sends bursts of SYN requests in an attempt to make the target host machine consume enough resources and become unresponsive.</td>

</tr>

<tr>

<td>Drop invalid packets</td>

−

<td>off | on; ~~Default~~: off</td>

+

<td>off | on; default: off</td>

<td>If enabled, a "Drop" action will be performed on packets that are determined to be invalid.</td>

</tr>

<tr>

<td>Input</td>

−

<td>Reject | Drop | Accept; ~~Default~~: Accept</td>

+

<td>Reject | Drop | Accept; default: Accept</td>

<td>Default action* of the INPUT chain if a packet does not match any existing rule on that chain.</td>

</tr>

<tr>

<td>Output</td>

−

<td>Reject | Drop | Accept; ~~Default~~: Accept</td>

+

<td>Reject | Drop | Accept; default: Accept</td>

<td>Default action* of the OUTPUT chain if a packet does not match any existing rule on that chain.</td>

</tr>

<tr>

<td>Forward</td>

−

<td>Reject | Drop | Accept; ~~Default~~: Reject</td>

+

<td>Reject | Drop | Accept; default: Reject</td>

<td>Default action* of the FORWARD chain if a packet does not match any existing rule on that chain.</td>

</tr>

Line 85: Line 85:

<tr>

<td>Input</td>

−

<td>Reject | Drop | Accept; ~~Default~~: Accept</td>

+

<td>Reject | Drop | Accept; default: Accept</td>

<td>Default policy for traffic entering the zone.</td>

</tr>

<tr>

<td>Output</td>

−

<td>Reject | Drop | Accept; ~~Default~~: Accept</td>

+

<td>Reject | Drop | Accept; default: Accept</td>

<td>Default policy for traffic originating from and leaving the zone.</td>

</tr>

<tr>

<td>Forward</td>

−

<td>Reject | Drop | Accept; ~~Default~~: Reject</td>

+

<td>Reject | Drop | Accept; default: Reject</td>

<td>Default policy for traffic forwarded between the networks belonging to the zone.</td>

</tr>

Line 454: Line 454:

<tr>

−

<td>~~yes~~ | no; default: no</td>

+

<td>off | on; default: no</td>

<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td>

</tr>

Line 689: Line 689:

<tr>

−

<td>~~yes~~ | no; default: no</td>

+

<td>off | on; default: no</td>

<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td>

</tr>

Line 726: Line 726:

<tr>

−

<td>off <nowiki>|</nowiki> on; ~~Default~~: off</td>

+

<td>off <nowiki>|</nowiki> on; default: off</td>

<td>Turns H323 filtering on or off.</td>

</tr>

<tr>

−

<td>off <nowiki>|</nowiki> on; ~~Default~~: off</td>

+

<td>off <nowiki>|</nowiki> on; default: off</td>

<td>Turns SIP filtering on or off.</td>

</tr>

Line 745: Line 745:

<tr>

−

<th>~~field name~~</th>

+

<th>Field</th>

−

<th>~~value~~</th>

+

<th>Value</th>

−

<th>~~description~~</th>

+

<th>Description</th>

</tr>

<tr>

<td>Enable SYN flood protection</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''yes'''~~</td>

+

<td>off | on; default: on</td>

−

<td>~~Toggles~~ the rule ON or ~~OFF~~</td>

+

<td>Turns the rule on or off.</td>

</tr>

<tr>

<td>SYN flood rate</td>

−

<td>integer; ~~Default~~: ~~'''~~5~~'''~~</td>

+

<td>integer; default: 5</td>

−

<td>Set rate limit (packets per second) for SYN packets above which the traffic is considered ~~flooded~~</td>

+

<td>Set rate limit (packets per second) for SYN packets above which the traffic is considered floodedb</td>

</tr>

<tr>

<td>SYN flood burst</td>

−

<td>integer; ~~Default~~: ~~'''~~10~~'''~~</td>

+

<td>integer; default: 10</td>

−

<td>~~Set~~ burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed ~~rate~~</td>

+

<td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed ratbe</td>

</tr>

<tr>

<td>TCP SYN cookies</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Enable~~ the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td>

+

<td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)b</td>

</tr>

</table>

Line 773: Line 773:

===Remote ICMP Requests===

----

−

Some attackers use ~~'''~~ICMP echo~~'''~~ request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.

+

Some attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.

[[File:Networking_rutos_manual_firewall_attack_prevention_icmp.PNG|border|class=tlt-border]]

−

<tr>

−

<th>~~field name~~</th>

+

<th>Field</th>

−

<th>~~value~~</th>

+

<th>Value</th>

−

<th>~~description~~</th>

+

<th>Description</th>

</tr>

<tr>

<td>Enable ICMP requests</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''yes'''~~</td>

+

<td>off | on; default: on</td>

−

<td>~~Toggles~~ the rule ON or ~~OFF~~</td>

+

<td>Turns the rule on or off.</td>

</tr>

<tr>

<td>Enable ICMP limit</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''~~no~~'''~~</td>

+

<td>off | on; default: no</td>

−

<td>~~Toggles~~ ICMP echo-request limit in selected period ON or ~~OFF~~</td>

+

<td>Turns ICMP echo-request limit in selected period on or off.</td>

</tr>

<tr>

<td>Limit period</td>

−

<td>Second | Minute | Hour | Day; ~~Default~~: ~~'''~~Second~~'''~~</td>

+

<td>Second | Minute | Hour | Day; default: Second</td>

−

<td>~~Select ICMP echo-request period limit~~</td>

+

<td>Period length for matching the conditions of the rule.</td>

</tr>

<tr>

<td>Limit</td>

−

<td>integer; ~~Default~~: ~~'''~~5~~'''~~</td>

+

<td>integer; default: 5</td>

−

<td>Maximum ICMP echo-request number during the period</td>

+

<td>Maximum ICMP echo-request number during the period.</td>

</tr>

<tr>

<td>Limit burst</td>

−

<td>integer; ~~Default~~: ~~'''~~10~~'''~~</td>

+

<td>integer; default: 10</td>

−

<td>~~Indicate~~ the maximum burst before the above limit kicks in</td>

+

<td>Indicates the maximum burst before the above limit kicks in.</td>

</tr>

</table>

Line 813: Line 812:

===SSH Attack Prevention===

----

−

~~Prevent~~ SSH ~~(allows a user to run commands on a machine's command prompt without them being physically present near the machine)~~ attacks by limiting connections in a defined period.

+

This protection prevent SSH attacks by limiting connections in a defined period.

[[File:Networking_rutos_manual_firewall_attack_prevention_ssh.PNG|border|class=tlt-border]]

Line 820: Line 819:

<tr>

−

<th>~~field name~~</th>

+

<th>Field</th>

−

<th>~~value~~</th>

+

<th>Value</th>

−

<th>~~description~~</th>

+

<th>Description</th>

</tr>

<tr>

<td>Enable SSH limit</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ the rule ON or ~~OFF~~</td>

+

<td>Turns the rule on or off.</td>

</tr>

<tr>

<td>Limit period</td>

−

<td>Second | Minute | Hour | Day; ~~Default~~: ~~'''~~Second~~'''~~</td>

+

<td>Second | Minute | Hour | Day; default: Second</td>

−

<td>~~The period in which SSH connections are to be limited~~</td>

+

<td>Period length for matching the conditions of the rule.</td>

</tr>

<tr>

<td>Limit</td>

−

<td>integer; ~~Default~~: ~~'''~~5~~'''~~</td>

+

<td>integer; default: 5</td>

<td>Maximum SSH connections during the set period</td>

</tr>

<tr>

<td>Limit burst</td>

−

<td>integer; ~~Default~~: ~~'''~~10~~'''~~</td>

+

<td>integer; default: 10</td>

−

<td>~~Indicate~~ the maximum burst before the above limit kicks in</td>

+

<td>Indicates the maximum burst before the above limit kicks in.</td>

</tr>

</table>

Line 848: Line 847:

===HTTP Attack Prevention===

----

−

An HTTP attack sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.

+

An HTTP attack sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.

[[File:Networking_rutos_manual_firewall_attack_prevention_http.PNG|border|class=tlt-border]]

−

<tr>

−

<th>~~field name~~</th>

+

<th>Field</th>

−

<th>~~value~~</th>

+

<th>Value</th>

−

<th>~~description~~</th>

+

<th>Description</th>

</tr>

<tr>

<td>Enable HTTP limit</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ the rule ON or ~~OFF~~</td>

+

<td>Turns the rule on or off.</td>

</tr>

<tr>

<td>Limit period</td>

−

<td>Second | Minute | Hour | Day; ~~Default~~: ~~'''~~Second~~'''~~</td>

+

<td>Second | Minute | Hour | Day; default: Second</td>

−

<td>~~The period in which HTTP connections are to be limited~~</td>

+

<td>Period length for matching the conditions of the rule.</td>

</tr>

<tr>

<td>Limit</td>

−

<td>integer; ~~Default~~: ~~'''~~5~~'''~~</td>

+

<td>integer; default: 5</td>

−

<td>Maximum HTTP connections during the set period</td>

+

<td>Maximum HTTP connections during the set period<./td>

</tr>

<tr>

<td>Limit burst</td>

−

<td>integer; ~~Default~~: ~~'''~~10~~'''~~</td>

+

<td>integer; default: 10</td>

−

<td>~~Indicate~~ the maximum burst before the above limit kicks in</td>

+

<td>Indicates the maximum burst before the above limit kicks in.</td>

</tr>

</table>

Line 883: Line 881:

===HTTPS Attack Prevention===

----

−

This section allows you to enable protection against ~~'''~~HTTPS~~'''~~ attacks, also known as ~~'''~~man-in-the-middle attacks~~'''~~ (~~'''~~MITM~~'''~~).

+

This section allows you to enable protection against HTTPS attacks, also known as "man-in-the-middle" attacks (MITM).

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Line 891: Line 889:

<tr>

−

<th>~~field name~~</th>

+

<th>Field</th>

−

<th>~~value~~</th>

+

<th>Value</th>

−

<th>~~description~~</th>

+

<th>Description</th>

</tr>

<tr>

<td>Enable HTTPS limit</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ the rule ON or ~~OFF~~</td>

+

<td>Turns the rule on or off.</td>

</tr>

<tr>

<td>Limit period</td>

−

<td>Second | Minute | Hour | Day; ~~Default~~: ~~'''~~Second~~'''~~</td>

+

<td>Second | Minute | Hour | Day; default: Second</td>

−

<td>~~The period in which HTTPS connections are to be limited~~</td>

+

<td>Period length for matching the conditions of the rule.</td>

</tr>

<tr>

<td>Limit</td>

−

<td>integer; ~~Default~~: ~~'''~~5~~'''~~</td>

+

<td>integer; default: 5</td>

−

<td>Maximum HTTPS connections during the set period</td>

+

<td>Maximum HTTPS connections during the set period.</td>

</tr>

<tr>

<td>Limit burst</td>

−

<td>integer; ~~Default~~: ~~'''~~10~~'''~~</td>

+

<td>integer; default: 10</td>

−

<td>~~Indicate~~ the maximum burst before the above limit kicks in</td>

+

<td>Indicates the maximum burst number before the above limit kicks in.</td>

</tr>

</table>

−

==Port Scan ~~Prevention~~==

+

===Port Scan===

−

Port scan attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.

−

Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include '''SYN-FIN''', '''SYN-RST''', '''X-Mas''', '''FIN scan''' and '''NULLflags''' attacks.

+

Port Scan attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.

+

Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include SYN-FIN, SYN-RST, X-Mas, FIN scan and NULLflags attacks.

[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan_def.PNG|border|class=tlt-border]]

Line 927: Line 924:

<tr>

−

<th>~~field name~~</th>

+

<th>Field</th>

−

<th>~~value~~</th>

+

<th>Value</th>

−

<th>~~description~~</th>

+

<th>Description</th>

</tr>

<tr>

<td>Enable</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ the function ON or ~~OFF~~</td>

+

<td>Turns the function on or off.</td>

</tr>

<tr>

<td>Scan count</td>

−

<td>integer [5..65534]; ~~Default~~: ~~'''~~5~~'''~~</td>

+

<td>integer [5..65534]; default: 5</td>

−

<td>How many port scans before blocked</td>

+

<td>How many port scans before blocked.</td>

</tr>

<tr>

<td>Interval</td>

−

<td>integer [10..60]; ~~Default~~: ~~'''~~10~~'''~~</td>

+

<td>integer [10..60]; default: 10</td>

−

<td>Time interval in seconds in which port scans are counted</td>

+

<td>Time interval in seconds in which port scans are counted.</td>

</tr>

<tr>

<td>SYN-FIN attack</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ protection from SYN-FIN attacks ON or ~~OFF~~</td>

+

<td>Turns protection from SYN-FIN attacks on or off.</td>

</tr>

<tr>

<td>SYN-RST attack</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ protection from SYN-RST attacks ON or ~~OFF~~</td>

+

<td>Turns protection from SYN-RST attacks on or off.</td>

</tr>

<tr>

<td>X-Mas attack</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ protection from X-Mas attacks ON or ~~OFF~~</td>

+

<td>Turns protection from X-Mas attacks on or off.</td>

</tr>

<tr>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ protection from FIN scan attacks ON or ~~OFF~~</td>

+

<td>Turns protection from FIN scan attacks on or off.</td>

</tr>

<tr>

<td>NULLflags attack</td>

−

<td>~~yes~~ | no; ~~Default~~: ~~'''no'''~~</td>

+

<td>off | on; default: off</td>

−

<td>~~Toggles~~ protection from NULLflags attacks ON or ~~OFF~~</td>

+

<td>Turns protection from NULLflags attacks on or off.</td>

</tr>

</table>

[[Category:{{{name}}} Network section]]

Dziugas

Bureaucrats, Interface administrators, Administrators

31,703

edits

Namespaces

Variants

Views

More

Search

Changes

Template:Networking rutos manual firewall (view source)

Revision as of 11:37, 19 August 2020

Navigation menu

Personal tools

NAVIGATION

Tools

Categories