9,312
edits
Changes
Template:Networking rutos manual firewall (view source)
Revision as of 11:51, 19 May 2022
, 11:51, 19 May 2022no edit summary
{{Template:Networking_rutos_manual_fw_disclosure
{{Template: Networking_rutos_manual_fw_disclosure
| fw_version = {{{series}}}_R_00.02.05
| fw_version ={{Template: Networking_rutos_manual_latest_fw
| series = {{{series}}}
| series = {{{series}}}
| name = {{{name}}}
}}
}}
}}
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} Firewall (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}}
==Summary==
{{{name}}} devices use a standard Linux iptables package as its <b>firewall</b>, which uses routing chains and policies to facilitate control over inbound and outbound traffic.
This chapter of the user manual provides an overview of the Firewall page for {{{name}}} devices.
{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer
{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer
}}
}}
==General settings==
==General Settings==
The <b>General Settings</b> section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:
The <b>General Settings</b> section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:
<th>Value</th>
<th>Value</th>
<th>Description</th>
<th>Description</th>
</tr>
</tr>
<tr>
<tr>
<td>off | on; default: <b>off</b></td>
<td>off | on; default: <b>off</b></td>
<td>If enabled, a "Drop" action will be performed on packets that are determined to be invalid.</td>
<td>If enabled, a "Drop" action will be performed on packets that are determined to be invalid.</td>
</tr>
<tr>
<td>Automatic helper assignment</td>
<td>off | on; default: <b>on</b></td>
<td>Automatically assigns conntrack helpers based on traffic protocol and port. If turned off, conntrack helpers can be selected for each zone.</td>
</tr>
</tr>
<tr>
<tr>
<td>Input</td>
<td>Input</td>
<td>Reject | Drop | Accept; default: <b>Accept</b></td>
<td>Reject | Drop | Accept; default: <b>Reject</b></td>
<td>Default action<span class="asterisk">*</span> of the INPUT chain if a packet does not match any existing rule on that chain.</td>
<td>Default action<span class="asterisk">*</span> of the INPUT chain if a packet does not match any existing rule on that chain.</td>
</tr>
</tr>
<li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, a message of rejection is sent to the source from which the packet came.</li>
<li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, a message of rejection is sent to the source from which the packet came.</li>
</ul>
</ul>
===Routing/NAT Offloading===
----
The <b>Routing/NAT Offloading</b> is used to turns software flow offloading on or off.
The device checks whether the flow (sequence of related packets) is of a received a packed is known. Packets of unknown flow are forwarded to the networking stack. Meanwhile, if the flow is known, NAT is applied (if matched) and the packet is forwarded to the correct destination port. This process is called <b>software flow offloading</b>.
[[File:Networking_rutos_manual_firewall_general_settings_routing_nat_offloading.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Software flow offloading</td>
<td>off {{!}} on; default: <b>off</b></td>
<td>Turns software flow offloading on or off.</td>
</tr>
</table>
===Zones===
===Zones===
====Zones: Advanced Settings====
====Zones: Advanced Settings====
----
----
[[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings_v3.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
<tr>
<tr>
<td>Enable logging on this zone</td>
<td>Enable logging on this zone</td>
<td>off | <span style="color: red;">on</span>; default: <b>off</b></td>
<td>off | <span style="color: #1550bf; font-weight: bold;">on</span>; default: <b>off</b></td>
<td>Logs packets that hit this rule.</td>
<td>Logs packets that hit this rule.</td>
</tr>
</tr>
<tr>
<tr>
<td><span style="color: red;">Limit log messages</span></td>
<td><span style="color: #1550bf;">Limit log messages</span></td>
<td>integer/minute; default: <b>none</b></td>
<td>integer/minute; default: <b>none</b></td>
<td>Limit how many messages can be logged in the span of 1 minute. For example, to log 50 packets per minute use: <i>50/minute</i>.</td>
<td>Limit how many messages can be logged in the span of 1 minute. For example, to log 50 packets per minute use: <i>50/minute</i>.</td>
</tr>
<tr>
<td>Conntrack helpers</td>
<td> Amanda backup and archiving proto (AMANDA) | FTP passive connection tracking (FTP) | RAS proto tracking (RAS) | Q.931 proto tracking (Q.931) | IRC DCC connection tracking (IRC) | NetBIOS name service broadcast tracking (NETBIOS-NS) | PPTP VPN connection tracking (PPTP) | SIP VoIP connection tracking (SIP) | SNMP monitoring connection tracking (SNMP) | TFTP connection tracking (TFTP); default: <b>none</b></td>
<td><b>This option appears only when automatic helper assignment option in the firewall's general settings is disabled. </b>Explicitly choses allowed connection tracking helpers for zone traffic.</td>
</tr>
</tr>
</table>
</table>
<td>string; default: <b>none</b></td>
<td>string; default: <b>none</b></td>
<td>Name of the rule. This is used for easier management purposes.</td>
<td>Name of the rule. This is used for easier management purposes.</td>
</tr>
</tr>
<tr>
<tr>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>The port number to which hosts will be connecting.<td>
<td>The port number to which hosts will be connecting.<td>
</tr>
</tr>
<tr>
<tr>
You will be redirected to that rule's configuration page:
You will be redirected to that rule's configuration page:
[[File:Networking_rutos_manual_firewall_port_forwards_configuration_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_port_forwards_configuration.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
<td>Source MAC address</td>
<td>Source MAC address</td>
<td>mac; default: <b>none</b></td>
<td>mac; default: <b>none</b></td>
<td>MAC address(es) of connecting hosts.<br>The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.</td>
<td>MAC address of connecting hosts.<br>The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.</td>
</tr>
</tr>
<tr>
<tr>
<tr>
<tr>
<td>Protocol</td>
<td>Protocol</td>
<td>TCP+UDP | TCP | UDP | ICMP | -- custom --; default: <b>TCP+UDP</b></td>
<td>TCP+UDP | TCP | UDP | <span style="color:red">ICMP</span> | -- custom --; default: <b>TCP+UDP</b></td>
<td>Specifies to which protocols the rule should apply.</td>
<td>Specifies to which protocols the rule should apply.</td>
</tr>
<tr>
<td><span style="color:red"> Match ICMP type</span></td>
<td>-- Custom -- | Any | ICMP-type; default: '''none'''</td>
<td>Allows matching specific ICMP types.</td>
</tr>
</tr>
<tr>
<tr>
===Open Ports on Router===
===Open Ports on Router===
----
----
In the <b>Add new instance</b> section, select <b>Open ports on router</b>. This provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:
[[File:Networking_rutos_manual_firewall_traffic_rules_open_ports_on_router.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_traffic_rules_open_ports_on_router.png|border|class=tlt-border]]
===Add New Forward Rule===
===Add New Forward Rule===
----
----
In the <b>Add new instance</b> section, select <b>Add new forward rule</b>. This is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the Add New Forward Rule section and the table below provides information on the fields contained in that section:
[[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule.png|border|class=tlt-border]]
</table>
</table>
==Custom rules==
==Attack Prevention==
The <b>Custom rules</b> tab provides you with the possibility to execute <b>iptables</b> commands which are not otherwise covered by the device's firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.
The <b>Attack Prevention</b> menu tab provides the possibility to configure protections against certain types of online attacks.
===SYN Flood Protection===
===SYN Flood Protection===
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
[[File:Networking_rutos_manual_firewall_attack_prevention_syn.PNG|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.
[[File:Networking_rutos_manual_firewall_attack_prevention_icmp.PNG|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
<tr>
<tr>
<td>Enable ICMP limit</td>
<td>Enable ICMP limit</td>
<td>off | on; default: <b>no</b></td>
<td>off | <span style="color: #1550bf;">on</span>; default: <b>off</b></td>
<td>Turns ICMP echo-request limit in selected period on or off.</td>
<td>Turns ICMP echo-request limit in selected period on or off.</td>
</tr>
</tr>
<tr>
<tr>
<td>Limit period</td>
<td><span style="color: #1550bf;">Limit period</span></td>
<td>Second | Minute | Hour | Day; default: <b>Second</b></td>
<td>Second | Minute | Hour | Day; default: <b>Second</b></td>
<td>Period length for matching the conditions of the rule.</td>
<td>Period length for matching the conditions of the rule.</td>
</tr>
</tr>
<tr>
<tr>
<td>Limit</td>
<td><span style="color: #1550bf;">Limit</span></td>
<td>integer; default: <b>5</b></td>
<td>integer; default: <b>5</b></td>
<td>Maximum ICMP echo-request number during the period.</td>
<td>Maximum ICMP echo-request number during the period.</td>
</tr>
</tr>
<tr>
<tr>
<td>Limit burst</td>
<td><span style="color: #1550bf;">Limit burst</span></td>
<td>integer; default: <b>10</b></td>
<td>integer; default: <b>10</b></td>
<td>Indicates the maximum burst before the above limit kicks in.</td>
<td>Indicates the maximum burst before the above limit kicks in.</td>
This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.
This protection prevent <b>SSH attacks</b> by limiting connections in a defined period.
[[File:Networking_rutos_manual_firewall_attack_prevention_ssh.PNG|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.
[[File:Networking_rutos_manual_firewall_attack_prevention_http.PNG|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
[[File:Networking_rutos_manual_firewall_attack_prevention_hhtps.PNG|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
===Port Scan===
===Port Scan===
----
<b>Port Scan</b> attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.
<b>Port Scan</b> attacks scan which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks.
[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan_def.PNG|border|class=tlt-border]]
[[File:Networking_rutos_manual_firewall_attack_prevention_port_scan.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
</tr>
</tr>
</table>
</table>
==Custom Rules==
The <b>Custom rules</b> tab provides you with the possibility to execute <b>iptables</b> commands which are not otherwise covered by the device's firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.
<b>Note: </b> Custom rules are not recommended to be used with <i>hostnames</i>. The rules will not remain active after reboot due to security reasons.
The figure below is an example of the Custom rules tab:
[[File:Networking_rutos_manual_firewall_custom_rules.png|border|class=tlt-border]]
The rules added here are saved in the <b>/etc/firewall.user</b> file. Feel free to edit that file instead for the same effect in case you don't have access to the device's WebUI.
The <b>Save</b> button restarts the firewall service. Thus, adding the custom rules specified in this section to the device's list of firewall rules.
The <b>Reset</b> button resets the custom rules field to its default state.
[[Category:{{{name}}} Network section]]
[[Category:{{{name}}} Network section]]
