Template:Networking rutos manual firewall: Difference between revisions
Template:Networking rutos manual firewall (view source)
Revision as of 13:41, 5 January 2024
, 5 Januaryno edit summary
No edit summary |
|||
(18 intermediate revisions by 2 users not shown) | |||
Line 476: | Line 476: | ||
<td><span style="color:blue">Mark</span>: Set Target value</td> | <td><span style="color:blue">Mark</span>: Set Target value</td> | ||
<td>hex; default: <b>none</b></td> | <td>hex; default: <b>none</b></td> | ||
<td>If specified, target traffic against the given firewall mark, e.g. | <td>If specified, target traffic against the given firewall mark, e.g. FF or ff to target mark 255.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 491: | Line 491: | ||
<td><span style="color:blue">Mark</span>: Set Match value</td> | <td><span style="color:blue">Mark</span>: Set Match value</td> | ||
<td>hex; default: <b>none</b></td> | <td>hex; default: <b>none</b></td> | ||
<td>If specified, match traffic against the given firewall mark, e.g. | <td>If specified, match traffic against the given firewall mark, e.g. FF or ff to match mark 255.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 537: | Line 537: | ||
<td>Time in UTC</td> | <td>Time in UTC</td> | ||
<td>off | on; default: <b>no</b></td> | <td>off | on; default: <b>no</b></td> | ||
<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the | <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
Line 620: | Line 620: | ||
The <b>Add New Source NAT</b> section is used to create new source NAT rules. | The <b>Add New Source NAT</b> section is used to create new source NAT rules. | ||
[[File: | [[File:Networking_rutos_manual_firewall_nat_rules_add_new_source_nat_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 662: | Line 662: | ||
===Source NAT Configuration=== | ===Source NAT Configuration=== | ||
---- | ---- | ||
In order to begin editing a traffic rule, click the button | In order to begin editing a traffic rule, click the edit button [[File:Networking_rutx_trb14x_manual_edit_button_v2.png|20px]] next to it: | ||
[[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button_v2.png|border|class=tlt-border]] | |||
You will be redirected to that rule's configuration page: | You will be redirected to that rule's configuration page: | ||
[[File: | [[File:Networking rutos manual firewall nat rules configuration mobile general.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 707: | Line 704: | ||
<td>Source port</td> | <td>Source port</td> | ||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td> | <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>none</b></td> | ||
<td>Mathes traffic originated from specified port number.<td> | <td>Mathes traffic originated from specified port number.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 713: | Line 710: | ||
<td>firewall zone; default: <b>wan</b></td> | <td>firewall zone; default: <b>wan</b></td> | ||
<td>Matches traffic destined for the specified zone.</td> | <td>Matches traffic destined for the specified zone.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Destination IP address</td> | <td>Destination IP address</td> | ||
Line 725: | Line 722: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Rewrite port</td> | |||
<td> | <td>integer [0..65535] | range of integers [0..65534] - [1..65535] | port inversion [!0..!65535]; default: <b>No rewrite</b></td> | ||
<td> | <td>Rewrite matched traffic to the given source port.</td> | ||
</tr> | </tr> | ||
</table> | |||
[[File:Networking rutos manual firewall nat rules configuration mobile advanced.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | <tr> | ||
< | <th>Field</th> | ||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 738: | Line 740: | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td>Adds extra .iptables options to the rule.</td> | <td>Adds extra .iptables options to the rule.</td> | ||
</tr> | |||
</table> | |||
[[File:Networking rutos manual firewall nat rules configuration mobile time restriction.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 772: | Line 784: | ||
<td>Time in UTC</td> | <td>Time in UTC</td> | ||
<td>off | on; default: <b>no</b></td> | <td>off | on; default: <b>no</b></td> | ||
<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the | <td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the System → Administration → [[{{{name}}}_Administration#NTP|NTP]] page will be used.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
Line 784: | Line 796: | ||
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation. | <b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation. | ||
[[File: | [[File:Networking_rutos_manual_firewall_attack_prevention_syn_flood_protection_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 800: | Line 812: | ||
<td>SYN flood rate</td> | <td>SYN flood rate</td> | ||
<td>integer; default: <b>5</b></td> | <td>integer; default: <b>5</b></td> | ||
<td>Set rate limit (packets per second) for SYN packets above which the traffic is considered | <td>Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>SYN flood burst</td> | <td>SYN flood burst</td> | ||
<td>integer; default: <b>10</b></td> | <td>integer; default: <b>10</b></td> | ||
<td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed | <td>Sets burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>TCP SYN cookies</td> | <td>TCP SYN cookies</td> | ||
<td>off | on; default: <b> | <td>off | on; default: <b>on</b></td> | ||
<td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers) | <td>Enables the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
Line 818: | Line 830: | ||
Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts. | Some attackers use <b>ICMP echo request</b> packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts. | ||
[[File: | [[File:Networking_rutos_manual_firewall_attack_prevention_remote_icmp_requests_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 857: | Line 869: | ||
This protection prevent <b>SSH attacks</b> by limiting connections in a defined period. | This protection prevent <b>SSH attacks</b> by limiting connections in a defined period. | ||
[[File: | [[File:Networking_rutos_manual_firewall_attack_prevention_ssh_attack_prevention_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 877: | Line 889: | ||
<tr> | <tr> | ||
<td>Limit</td> | <td>Limit</td> | ||
<td>integer; default: <b> | <td>integer [1..10000]; default: <b>none</b></td> | ||
<td>Maximum SSH connections during the set period</td> | <td>Maximum SSH connections during the set period</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Limit burst</td> | <td>Limit burst</td> | ||
<td>integer; default: <b> | <td>integer [1..10000]; default: <b>none</b></td> | ||
<td>Indicates the maximum burst before the above limit kicks in.</td> | <td>Indicates the maximum burst before the above limit kicks in.</td> | ||
</tr> | </tr> | ||
Line 891: | Line 903: | ||
An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down. | An <b>HTTP attack</b> sends a complete, legitimate HTTP header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the 'Content-Length' field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down. | ||
[[File: | [[File:Networking_rutos_manual_firewall_attack_prevention_http_attack_prevention_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 911: | Line 923: | ||
<tr> | <tr> | ||
<td>Limit</td> | <td>Limit</td> | ||
<td>integer; default: <b> | <td>integer [1..10000]; default: <b>none</b></td> | ||
<td>Maximum HTTP connections during the set period< | <td>Maximum HTTP connections during the set period.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Limit burst</td> | <td>Limit burst</td> | ||
<td>integer; default: <b> | <td>integer [1..10000]; default: <b>none</b></td> | ||
<td>Indicates the maximum burst before the above limit kicks in.</td> | <td>Indicates the maximum burst before the above limit kicks in.</td> | ||
</tr> | </tr> | ||
Line 927: | Line 939: | ||
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. | In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. | ||
[[File: | [[File:Networking_rutos_manual_firewall_attack_prevention_https_attack_prevention_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 947: | Line 959: | ||
<tr> | <tr> | ||
<td>Limit</td> | <td>Limit</td> | ||
<td>integer; default: <b> | <td>integer [1..10000]; default: <b>none</b></td> | ||
<td>Maximum HTTPS connections during the set period.</td> | <td>Maximum HTTPS connections during the set period.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Limit burst</td> | <td>Limit burst</td> | ||
<td>integer; default: <b> | <td>integer [1..10000]; default: <b>none</b></td> | ||
<td>Indicates the maximum burst number before the above limit kicks in.</td> | <td>Indicates the maximum burst number before the above limit kicks in.</td> | ||
</tr> | </tr> | ||
Line 962: | Line 974: | ||
Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks. | Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include <b>SYN-FIN</b>, <b>SYN-RST</b>, <b>X-Mas</b>, <b>FIN scan</b> and <b>NULLflags</b> attacks. | ||
[[File: | [[File:Networking_rutos_manual_firewall_attack_prevention_port_scan_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 977: | Line 989: | ||
<tr> | <tr> | ||
<td>Scan count</td> | <td>Scan count</td> | ||
<td>integer [5.. | <td>integer [5..10000]; default: <b>none</b></td> | ||
<td>How many port scans before blocked.</td> | <td>How many port scans before blocked.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Interval</td> | <td>Interval</td> | ||
<td>integer [10.. | <td>integer [10..4096]; default: <b>none</b></td> | ||
<td>Time interval in seconds in which port scans are counted.</td> | <td>Time interval in seconds in which port scans are counted.</td> | ||
</tr> | </tr> | ||
Line 1,032: | Line 1,044: | ||
The <b>DMZ</b> is a security concept. It comprises the separation of the LAN-side network into at least two networks: the user LAN and the DMZ. Generally the DMZ is imprisoned: only access to certain ports from the Internet are allowed into the DMZ, while the DMZ is not allowed to establish new connections to the WAN-side or LAN-side networks. That way, if a server inside of the DMZ is hacked the potential damage that can be done remains restricted! The whole point of the DMZ is to cleanly create a unique firewall rule set that dramatically restricts access in to, and out of the, DMZ. | The <b>DMZ</b> is a security concept. It comprises the separation of the LAN-side network into at least two networks: the user LAN and the DMZ. Generally the DMZ is imprisoned: only access to certain ports from the Internet are allowed into the DMZ, while the DMZ is not allowed to establish new connections to the WAN-side or LAN-side networks. That way, if a server inside of the DMZ is hacked the potential damage that can be done remains restricted! The whole point of the DMZ is to cleanly create a unique firewall rule set that dramatically restricts access in to, and out of the, DMZ. | ||
[[File:Networking rutos manual network firewall | [[File:Networking rutos manual network firewall dmz_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> |