
Firewall traffic rules: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 74: Line 74:
=== Allow a single host to access a web server in WAN network. ===
=== Allow a single host to access a web server in WAN network. ===
----
----
<br>Let’s imagine that we would like to restrict traffic for this LAN network (192.168.1.0/24) and only one host needs to have access to the web server (185.xxx.xxx.xxx) on the internet. To achieve this, traffic rules could be configured.
Let’s imagine that we would like to restrict traffic for this LAN network (192.168.1.0/24) and only one host needs to have access to the web server (185.xxx.xxx.xxx) on the internet.
 
[[File:Firewall traffic rules topology v3.png||border|class=tlt-border|800x800px]]


Two traffic rules would be required for this scenario:
Two traffic rules would be required for this scenario:
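Review bot: the heading at the top of this region keeps a trailing full stop ("...in WAN network.") that no other heading on the page uses; drop it. Moving the topology image up to sit directly under the scenario paragraph is the right place for it, but the `[[File:...]]` markup has an empty parameter (`||border`) and no `alt=` text, unlike every screenshot further down; give it an alt text such as "Firewall traffic rules topology" so the image is described when it does not load.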
Line 83: Line 85:
All network traffic coming from the specified host (192.168.1.11) will match the first rule and will be allowed. All other traffic coming from other hosts on the local Network will not match the first rule, but will match the second rule and will be dropped.  
All network traffic coming from the specified host (192.168.1.11) will match the first rule and will be allowed. All other traffic coming from other hosts on the local Network will not match the first rule, but will match the second rule and will be dropped.  


In this scenario only the host named ‘PC2’ on the '''LAN''' will be able to reach a web server in '''WAN'''.
In this scenario, only the host named ‘PC2’ on the '''LAN''' will be able to reach a web server in '''WAN'''.


<br>
====Traffic rule to block all traffic to WAN====
 
[[File:Firewall traffic rules topology v3.png||border|class=tlt-border|800x800px]]
 
==== Traffic rules configuration to allow only a single host in LAN to access the webserver ====
----
----
Create and configure the first rule to block all local traffic to WAN network.
Create and configure the first rule to block all local traffic to WAN network.
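Review bot: the ordinal naming is inconsistent inside this region: the explanatory paragraph calls the allow rule "the first rule" and the drop rule "the second rule", while the procedure immediately below says "Create and configure the first rule to block all local traffic". Because evaluation order is the whole point of the example, refer to the rules by name (the Deny-LAN-WAN rule and the allow rule for 192.168.1.11) instead of by position, and state once that traffic rules are matched top-down and the first match decides. Minor: "local Network" should be "local network" and "to WAN network" reads better as "to the WAN network".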
Line 113: Line 111:
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_1-3_v1.png||border|class=tlt-border|679x61px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_1-3_v1.png||border|class=tlt-border|679x61px]]


====Traffic rule to allow the host access====
----
Create and configure the second rule to allow the host to access the web server:
Create and configure the second rule to allow the host to access the web server:


Line 119: Line 119:
*Choose '''LAN''' as source zone.
*Choose '''LAN''' as source zone.
*Choose '''WAN''' as destination zone.
*Choose '''WAN''' as destination zone.
*Click '''‘Add’'''.<br>
*Click '''‘Add’'''.


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_2-1_v1.png|alt=Firewall traffic rule to allow single host to web server|border|class=tlt-border|694x152px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_2-1_v1.png|alt=Firewall traffic rule to allow single host to web server|border|class=tlt-border|694x152px]]
Line 133: Line 133:


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_2-2_v3.png|alt=Firewall traffic rule to allow a single host to web server configuration|border|class=tlt-border|521x576px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_2-2_v3.png|alt=Firewall traffic rule to allow a single host to web server configuration|border|class=tlt-border|521x576px]]


You can specify additional settings as you wish. For example, you can set times when this rule should apply. This way, the host will be able to access the web server only at certain times.
You can specify additional settings as you wish. For example, you can set times when this rule should apply. This way, the host will be able to access the web server only at certain times.
Line 139: Line 138:
Scroll down and press '''‘Save & Apply’'''.
Scroll down and press '''‘Save & Apply’'''.


The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled. In addition, we need to move the second rule and ensure that the second rule is above the first rule.<br>
<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled. In addition, we need to move the second rule and ensure that the second rule is above the first rule.<br>


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_2-3_v3.png|alt=Firewall two traffic rules to allow only a single host to access web server enabled|border|class=tlt-border|880x153px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_2-3_v3.png|alt=Firewall two traffic rules to allow only a single host to access web server enabled|border|class=tlt-border|880x153px]]


These rules indicate that traffic from the host '''192.168.1.11''' in '''LAN''' destined to the IP address of '''185.xxx.xxx.xxx''' on ports '''80''' and '''443''' in '''WAN''' must be accepted. The '''‘Accept forward’''' indicates the action (accept). The slider on the right side shows that the rule is enabled. The rule is above the Deny-LAN-WAN rule, so that traffic from host 192.168.1.11 (PC2) matches the first rule and is accepted. Traffic from other hosts in LAN will match the second rule and will be dropped.
These rules indicate that traffic from the host '''192.168.1.11''' in '''LAN''' destined to the IP address of '''185.xxx.xxx.xxx''' on ports '''80''' and '''443''' in '''WAN''' must be accepted. The '''‘Accept forward’''' indicates the action (accept). The slider on the right side shows that the rule is enabled. The rule is above the Deny-LAN-WAN rule, so that traffic from host 192.168.1.11 (PC2) matches the first rule and is accepted. Traffic from other hosts in LAN will match the second rule and will be dropped.
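Review bot: the verification step should warn that the Deny-LAN-WAN rule takes effect as soon as "Save & Apply" is pressed, so until the allow rule exists and has been moved above it every LAN host, PC2 included, loses access to the web server; either tell the reader to create the allow rule first, or to expect the short outage and to make the change from a LAN-side session that does not depend on WAN. The closing paragraph names ports 80 and 443 but not the protocol the allow rule matches; say whether it is TCP only or TCP+UDP so the rule is not broader than the text implies.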
Line 157: Line 155:
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_3-1_v1.png|alt=Firewall traffic rule to open a port of a device||border|class=tlt-border|708x155px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_3-1_v1.png|alt=Firewall traffic rule to open a port of a device||border|class=tlt-border|708x155px]]


A new window will pop-out where you will be able to specify additional settings. For the purpose of just opening a port, no additional settings are required. Scroll down and press '''‘Save & Apply’'''.


<br>A new window will pop-out where you will be able to specify additional settings. For the purpose of just opening a port, no additional settings are required. Scroll down and press '''‘Save & Apply’'''.
<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.
 
<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.<br>


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_3-2_v1.png|alt=Firewall traffic rule to open a port on a device enabled||border|class=tlt-border|677x56px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_3-2_v1.png|alt=Firewall traffic rule to open a port on a device enabled||border|class=tlt-border|677x56px]]


<br>
Here we can see that a new rule was created. It accepts '''TCP, UDP''' traffic from any host in '''WAN''' coming to the router on port '''8080'''. The slider on the right side is set to '''‘on’''' indicating that the rule is enabled.
Here we can see that a new rule was created. It accepts '''TCP, UDP''' traffic from any host in '''WAN''' coming to the router on port '''8080'''. The slider on the right side is set to '''‘on’''' indicating that the rule is enabled.
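Review bot: the two revisions of the "A new window will pop-out" and "The new rule is created and enabled" paragraphs differ only in leading and trailing `<br>` tags; prefer blank lines for paragraph spacing, as this same change already does for the list items, and write "pop up" rather than "pop-out". On substance, the resulting rule accepts TCP and UDP from any host in WAN to port 8080 on the router itself; the text should point out that the source IP field of the same dialog can limit this to the addresses that actually need the service, so that exposing a router port to the whole internet is a deliberate choice rather than the default outcome of the steps.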


Line 170: Line 166:
----
----
To open a port for only one host on LAN you would need to create 2 traffic rules. One rule to block LAN traffic from accessing the port on device, and the second rule to allow only a single host to access that port. Both rules have similarities. The steps below describe how to create and configure both rules with differences mentioned.
To open a port for only one host on LAN you would need to create 2 traffic rules. One rule to block LAN traffic from accessing the port on device, and the second rule to allow only a single host to access that port. Both rules have similarities. The steps below describe how to create and configure both rules with differences mentioned.


First rule:
First rule:
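Review bot: "create 2 traffic rules" should spell out "two", and "the port on device" needs an article. More importantly, this is the same deny-then-allow pattern as the web server example above, and the steps again create the drop rule first, so the paragraph should restate that the allow rule for the single host must end up above the drop rule in the list or it will never be reached.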
Line 186: Line 181:
*Choose '''LAN''' as the source zone.
*Choose '''LAN''' as the source zone.
*Leave the source IP field '''‘any’''' or specify a LAN network to block.
*Leave the source IP field '''‘any’''' or specify a LAN network to block.
*In the action field choose '''‘Drop’'''.<br>
*In the action field choose '''‘Drop’'''.


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_4-2_v1.png|alt=Firewall traffic rule to deny single port for LAN network configuration|border|class=tlt-border|470x516px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_4-2_v1.png|alt=Firewall traffic rule to deny single port for LAN network configuration|border|class=tlt-border|470x516px]]


Scroll down and press '''‘Save & Apply’'''.
Scroll down and press '''‘Save & Apply’'''.


The second rule:
The second rule:
Line 201: Line 193:
*Select '''<nowiki/>'TCP+UDP'''' as protocols.
*Select '''<nowiki/>'TCP+UDP'''' as protocols.
*Enter an external port to allow.
*Enter an external port to allow.
*Click '''‘Add’.''' <br>
*Click '''‘Add’.'''


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_5-1_v1.png|alt=Firewall traffic rule to allow a single host on one port|border|class=tlt-border|696x156px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_5-1_v1.png|alt=Firewall traffic rule to allow a single host on one port|border|class=tlt-border|696x156px]]
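Review bot: `'''<nowiki/>'TCP+UDP''''` mixes straight quotes with the bold markup and needs the `<nowiki/>` only to stop the parser mis-pairing the apostrophes; the rest of the page writes UI values as '''‘…’''' with curly quotes, so '''‘TCP+UDP’''' is both simpler and consistent. Also "as protocols" should be singular, "as the protocol", matching the wording of the same item in the port-range example further down.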
Line 209: Line 201:


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_5-2_v1.png|alt=Firewall traffic rule to allow a single host on one port configuration|border|class=tlt-border|470x515px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_5-2_v1.png|alt=Firewall traffic rule to allow a single host on one port configuration|border|class=tlt-border|470x515px]]


Scroll down and press '''‘Save & Apply’'''.
Scroll down and press '''‘Save & Apply’'''.
Line 261: Line 251:
*Choose '''LAN''' as the source zone.
*Choose '''LAN''' as the source zone.
*Choose '''WAN''' as the destination zone.
*Choose '''WAN''' as the destination zone.
*Click '''‘Add’'''.<br>
*Click '''‘Add’'''.
 


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7-1_v2.png|border|class=tlt-border|699x156px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7-1_v2.png|border|class=tlt-border|699x156px]]
Line 271: Line 260:
*Select '''<nowiki/>'TCP+UDP'''' as protocol.
*Select '''<nowiki/>'TCP+UDP'''' as protocol.
*In the destination port field enter the range of ports you wish to deny (For example, '''‘1500-1700’'''), or list specific ports by leaving spaces in-between port numbers (For example, '''‘80 443'''’).
*In the destination port field enter the range of ports you wish to deny (For example, '''‘1500-1700’'''), or list specific ports by leaving spaces in-between port numbers (For example, '''‘80 443'''’).
*In the action field choose '''‘Drop’'''.<br>
*In the action field choose '''‘Drop’'''.
 
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7-2_v2.png|alt=Firewall traffic rule to block a range of ports|border|class=tlt-border|473x521px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7-2_v2.png|alt=Firewall traffic rule to block a range of ports|border|class=tlt-border|473x521px]]


You can specify additional settings as you wish.
Scroll down and press '''‘Save & Apply’'''.<br>
The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.


<br>
You can specify additional settings as you wish.<br>
Scroll down and press '''‘Save & Apply’'''.<br>
The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7-3_v2.png|alt=Firewall traffic rule to block a range of ports enabled|border|class=tlt-border|677x58px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7-3_v2.png|alt=Firewall traffic rule to block a range of ports enabled|border|class=tlt-border|677x58px]]
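Review bot: the port examples have mismatched markup: '''‘80 443'''’ closes the bold span before the closing curly quote, so the quote renders outside the bold text; it should be '''‘80 443’''' like the '''‘1500-1700’''' example beside it. Since this is a Drop rule on TCP+UDP toward WAN, the text should say that a range is inclusive of both ends and remind the reader to check that no port a LAN service depends on (DNS or NTP, for example) falls inside the chosen range before pressing "Save & Apply".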


Line 302: Line 292:
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_8-2_v2.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|419x606px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_8-2_v2.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|419x606px]]


You can specify additional settings as you wish.<br>Scroll down and press '''‘Save & Apply’'''.


<br>You can specify additional settings as you wish.<br>Scroll down and press '''‘Save & Apply’'''.<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.<br>
<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and verify that the rule is configured correctly and is enabled.<br>


[[File:Networking_rutos_configuration_example_firewall_traffic_rules_8-3_v2.png|alt=Firewall traffic rule to block host MAC on certain times enabled|border|class=tlt-border|679x60px]]
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_8-3_v2.png|alt=Firewall traffic rule to block host MAC on certain times enabled|border|class=tlt-border|679x60px]]


<br>
This rule indicates that the PC with mac address of '''00:00:5e:xx:xx:xx''' will not be able to send traffic to '''WAN'''. The '''‘Discard forward’''' indicates the action (drop).  The rule does not show the times at which this rule is applied, but the times can be found on the settings page ('''‘Pencil’''' button). This rule will be applied for the first time on the 12th of February, 2023. Then, every Monday, Tuesday, Wednesday, Thursday, and Friday, from 8 AM to 4 PM this PC  will not be able to send traffic to '''WAN'''.
This rule indicates that the PC with mac address of '''00:00:5e:xx:xx:xx''' will not be able to send traffic to '''WAN'''. The '''‘Discard forward’''' indicates the action (drop).  The rule does not show the times at which this rule is applied, but the times can be found on the settings page ('''‘Pencil’''' button). This rule will be applied for the first time on the 12th of February, 2023. Then, every Monday, Tuesday, Wednesday, Thursday, and Friday, from 8 AM to 4 PM this PC  will not be able to send traffic to '''WAN'''.
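Review bot: "mac address" should be "MAC address", and the double spaces before "The rule does not show" and before "will not be able" should be single. Two caveats belong in this closing paragraph: the schedule is evaluated against the router's own clock, so the time zone and NTP must be correct before the 8 AM to 4 PM window can be relied on (the same applies to the time-limited allow rule earlier on the page), and a source-MAC match only identifies a host on the directly attached LAN segment, because the address is rewritten at every routed hop; it is a convenience control for a known device, not an authentication control.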