Firewall traffic rules: Difference between revisions
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.08'''] firmware version. </p>
==Introduction==
It is important to be mindful of the order of traffic rules: they are evaluated from top to bottom and the first rule that matches a packet decides its fate, so a broad '''‘Drop’''' rule placed above a narrower '''‘Accept’''' rule silently overrides it. The rules can always be rearranged by clicking the symbol on the left side of the rule and dragging the rule to where it is needed. You can also change the configuration of each rule by finding it in the traffic rules list and pressing the '''‘pencil’''' button to edit its settings.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_1.png|alt=firewall traffic rules rule order|border|class=tlt-border|1000px]]
====Defining specific IP addresses and networks====
*Click '''‘Add’'''.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_2.png|alt=Firewall traffic rule to block LAN network.|border|class=tlt-border|1000px]]
A new window will open, in which you can specify additional settings.
# '''Enable the instance''';
# Choose Protocol: '''All''';
# Choose Source zone: '''lan''';
# Choose Destination zone: '''wan''';
# In the action field choose '''Drop''';<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_3.png|alt=Firewall traffic rule to deny LAN network configuration|border|class=tlt-border|1000px]]
Scroll down and press '''Save & Apply'''.
The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and check that the rule is configured correctly and is enabled.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_4.png|border|class=tlt-border|1000px]]
====Traffic rule to allow the host access====
*Click '''‘Add’'''.
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_5.png|alt=Firewall traffic rule to allow single host to web server|border|class=tlt-border|694x152px]]
A new window will open, in which you can specify additional settings.
# '''Enable the instance''';
# Choose Protocol: '''UDP and TCP''';
# Choose Source zone: '''lan''';
# In the source IP address field, enter the IP address of the host in '''LAN''' that you wish to allow to access the web server. In this example, the IP address of PC2 is '''192.168.1.11'''.
# Choose Destination zone: '''wan''';
# In the destination address field, enter the IP address of the web server, which is '''185.xxx.xxx.xxx''' in this example.
# In the destination port field add ports '''‘80’''' and '''‘443’'''. These are the '''HTTP''' and '''HTTPS''' port numbers used for communication with a web server.
# In the action field choose '''Accept''';<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_6_v2.png|alt=Firewall traffic rule to allow a single host to web server configuration|border|class=tlt-border|521x576px]]
You can specify additional settings as you wish. For example, you can set times when this rule should apply. This way, the host will be able to access the web server only at certain times.
<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and check that the rule is configured correctly and is enabled. In addition, we need to move the second rule so that it sits above the first rule.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_7.png|alt=Firewall two traffic rules to allow only a single host to access web server enabled|border|class=tlt-border|1000px]]
These rules indicate that traffic from the host '''192.168.1.11''' in '''LAN''' destined to the IP address '''185.xxx.xxx.xxx''' on ports '''80''' and '''443''' in '''WAN''' must be accepted. '''‘Accept forward’''' indicates the action (accept). The slider on the right side shows that the rule is enabled. The rule is above the Deny-LAN-WAN rule, so traffic from host 192.168.1.11 (PC2) matches the first rule and is accepted. Traffic from other hosts in LAN will match the second rule and will be dropped.
*Press the '''‘Add’''' button.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_8.png|alt=Firewall traffic rule to open a port of a device|border|class=tlt-border|1000px]]
A new window will open, in which you can specify additional settings. For the purpose of just opening a port, no additional settings are required. Scroll down and press '''‘Save & Apply’'''.
<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and check that the rule is configured correctly and is enabled.
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_9.png|alt=Firewall traffic rule to open a port on a device enabled|border|class=tlt-border|1000px]]
Here we can see that a new rule was created. It accepts '''TCP, UDP''' traffic from any host in '''WAN''' coming to the router on port '''8080'''. The slider on the right side is set to '''‘on’''', indicating that the rule is enabled. Because the source address is left at ‘any’, whatever service listens on port 8080 is now reachable from every host on the WAN side; if only a few remote addresses need it, narrow the source IP field of the rule to those addresses instead of exposing the port to the whole internet.
*Click '''‘Add’.'''<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_10.png|alt=Firewall traffic rule to deny a single port for LAN network|border|class=tlt-border|1000px]]
<br>
A new window will open, in which you can specify additional settings.
*'''Enable the instance'''
*Choose '''LAN''' as the source zone.
*Leave the source IP field at '''‘any’''' or specify a LAN network to block.
*In the action field choose '''‘Drop’'''.
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_11.png|alt=Firewall traffic rule to deny single port for LAN network configuration|border|class=tlt-border|1000px]]
Scroll down and press '''‘Save & Apply’'''.
*Click '''‘Add’.'''
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_12.png|alt=Firewall traffic rule to allow a single host on one port|border|class=tlt-border|1000px]]
*Set the source IP address to the IP address of the host.
*In the action field choose '''‘Accept’'''.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_13.png|alt=Firewall traffic rule to allow a single host on one port configuration|border|class=tlt-border|1000px]]
Scroll down and press '''‘Save & Apply’'''.
The new rules are created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and check that both rules are configured correctly and enabled. These rules indicate that any traffic coming from host '''192.168.1.11''' in the '''LAN''' to port '''5000''' on the device will be accepted. The slider on the right side shows that the rule is enabled. Drag the second rule to be above the first rule, so that traffic from the host is matched against it first and is allowed to access the device on port 5000. All other traffic from the local network coming to port 5000 on the router will be dropped because it will match the second (Drop) rule. For example, if the port is set to 53 (the port used by DNS), only this host would be allowed to use the DNS service running on the device. Similarly, if the ports are set to 80 and 443, only that specific IP address will be able to access the WebUI of the device.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_14.png|alt=Firewall two traffic rules to allow only a single host on one port enabled|border|class=tlt-border|1000px]]
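Both rule pairs above (the host-specific ‘Accept’ placed above the broad Deny-LAN-WAN rule in the section on allowing a single host to reach the web server, and the same pattern for port 5000 on the device itself) depend on first-match evaluation. The following Python model is an added example, not code from this page or from RutOS: it replays the page's rules against sample packets and includes a small shadowing check that flags an ‘Accept’ rule placed below a ‘Drop’ rule that already covers everything it matches, which is exactly the mistake the drag-and-drop step prevents. The zone-policy default verdict, the web server address 203.0.113.10 (standing in for the page's 185.xxx.xxx.xxx) and the second LAN host 192.168.1.20 are assumptions made for the example.

```python
"""First-match evaluation of RutOS/OpenWrt-style traffic rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple, Union

PortSpec = Union[int, str]  # a single port (80) or a range ("1500-1700")

@dataclass
class Rule:
    name: str
    src: str                      # source zone, e.g. "lan"
    dest: Optional[str]           # destination zone; None = the device itself (input)
    target: str                   # "ACCEPT", "DROP" or "REJECT"
    proto: Sequence[str] = ("tcp", "udp")  # ("any",) matches every protocol
    src_ip: Optional[str] = None  # address or CIDR; None = any
    dest_ip: Optional[str] = None
    dest_port: Sequence[PortSpec] = ()     # empty = any port
    enabled: bool = True

@dataclass
class Packet:
    src_zone: str
    dest_zone: Optional[str]      # None = addressed to the device itself
    proto: str
    src_ip: str
    dest_ip: str
    dest_port: Optional[int] = None

def _ranges(spec: Sequence[PortSpec]) -> List[Tuple[int, int]]:
    # Normalise a port list such as (80, "1500-1700") to (lo, hi) pairs.
    return [(e, e) if isinstance(e, int) else tuple(int(x) for x in e.split("-"))
            for e in spec]

def matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.enabled or (rule.src, rule.dest) != (pkt.src_zone, pkt.dest_zone):
        return False
    if "any" not in rule.proto and pkt.proto not in rule.proto:
        return False
    if not all(s is None or ip_address(a) in ip_network(s, strict=False)
               for s, a in ((rule.src_ip, pkt.src_ip), (rule.dest_ip, pkt.dest_ip))):
        return False
    if not rule.dest_port:
        return True
    return pkt.dest_port is not None and any(
        lo <= pkt.dest_port <= hi for lo, hi in _ranges(rule.dest_port))

def evaluate(rules: Sequence[Rule], pkt: Packet, default: str = "ACCEPT") -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching enabled rule decides.
    `default` stands in for the zone policy (assumed here, not read from a device)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target, rule.name
    return default, "<zone policy>"

def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` would also match `broad`."""
    if (broad.src, broad.dest) != (narrow.src, narrow.dest):
        return False
    if "any" not in broad.proto and not set(narrow.proto) <= set(broad.proto):
        return False
    for b, n in ((broad.src_ip, narrow.src_ip), (broad.dest_ip, narrow.dest_ip)):
        if b is None:
            continue
        if n is None or not ip_network(n, strict=False).subnet_of(ip_network(b, strict=False)):
            return False
    if broad.dest_port:
        if not narrow.dest_port:
            return False
        broad_r = _ranges(broad.dest_port)
        return all(any(blo <= lo and hi <= bhi for blo, bhi in broad_r)
                   for lo, hi in _ranges(narrow.dest_port))
    return True

def shadowed_rules(rules: Sequence[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, shadowing) pairs: rules that can never fire because an earlier
    enabled rule with a different verdict already covers everything they match."""
    active = [r for r in rules if r.enabled]
    found = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if earlier.target != later.target and _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample rules mirroring the page; 203.0.113.10 stands in for the
# page's 185.xxx.xxx.xxx and 192.168.1.20 is an assumed second LAN host.
WEB_SERVER = "203.0.113.10"
ALLOW_PC2_WEB = Rule("Allow-PC2-Web", "lan", "wan", "ACCEPT",
                     src_ip="192.168.1.11", dest_ip=WEB_SERVER, dest_port=(80, 443))
DENY_LAN_WAN = Rule("Deny-LAN-WAN", "lan", "wan", "DROP", proto=("any",))
ALLOW_PC2_5000 = Rule("Allow-PC2-5000", "lan", None, "ACCEPT",
                      src_ip="192.168.1.11", dest_port=(5000,))
DENY_LAN_5000 = Rule("Deny-LAN-5000", "lan", None, "DROP", dest_port=(5000,))

def web_verdict(rules: Sequence[Rule], src_ip: str = "192.168.1.11") -> str:
    # Verdict for an HTTPS connection from `src_ip` to the web server.
    return evaluate(rules, Packet("lan", "wan", "tcp", src_ip, WEB_SERVER, 443))[0]

if __name__ == "__main__":
    good, bad = [ALLOW_PC2_WEB, DENY_LAN_WAN], [DENY_LAN_WAN, ALLOW_PC2_WEB]
    print(web_verdict(good), web_verdict(good, "192.168.1.20"), web_verdict(bad))
    print(shadowed_rules(bad))
```

With the Accept rule on top, PC2 reaches the web server on 443 and every other LAN host is dropped; with the same two rules reversed, PC2 is dropped as well and `shadowed_rules` reports the Accept rule as unreachable. The same check applied to the port-5000 pair flags the Accept rule whenever the Drop rule is above it, which is a quicker way to catch an ordering mistake than testing from each host.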
*In the external port field, enter ports '''80''' and '''443 (HTTP(S))''' so that only access to the WebUI is allowed. Click '''‘Add’'''.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_15.png|alt=Firewall traffic rule to allow web access from WAN|border|class=tlt-border|1000px]]
*In the action field choose '''‘Accept’'''.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_16.png|alt=Firewall traffic rule to allow web access from WAN configuration|border|class=tlt-border|1000px]]
The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and check that the rule is configured correctly and is enabled.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_17.png|alt=Firewall traffic rule to allow web access from WAN enabled|border|class=tlt-border|1000px]]
*Click '''‘Add’'''.
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_18.png|border|class=tlt-border|1000px]]
<br>
*Select '''‘TCP+UDP’''' as protocol.
*Select source zone '''lan'''.
*In the destination port field enter the range of ports you wish to deny (for example, '''‘1500-1700’'''), or list specific ports separated by spaces (for example, '''‘80 443’''').
*In the action field choose '''‘Drop’'''.
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_19.png|alt=Firewall traffic rule to block a range of ports|border|class=tlt-border|1000px]]
You can specify additional settings as you wish.
The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and check that the rule is configured correctly and is enabled.
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_20.png|alt=Firewall traffic rule to block a range of ports enabled|border|class=tlt-border|1000px]]
<br>
* Choose '''WAN''' as destination zone.
*Click '''‘Add’'''.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_21.png|alt=Firewall traffic rule to block host MAC on certain times|border|class=tlt-border|1000px]]
<br>
A new window will open, in which you can specify additional settings.
#'''Enable the instance''';
#Choose Protocol: '''All''';
#Choose Source zone: '''lan''';
#Choose Action: '''Drop''';
#Open the '''Advanced Settings''' section;
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_22.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|1000px]]
<br>
In the Advanced settings we need to add the specific source MAC address.
#In the Source MAC address field, enter the MAC address of the host you want to block at certain times;
#Open the '''Time Restrictions''' section;
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_23.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|1000px]]
<br>
In the Time Restrictions section we specify when the rule applies, i.e. when access is blocked.
#Choose Week Days;
#Choose Start Time;
#Choose Stop Time;
#Choose Start Date;
#Choose Stop Date;
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_24.png|alt=Firewall traffic rule to block host MAC on certain times configuration|border|class=tlt-border|1000px]]
<br>
You can specify additional settings as you wish.<br>Scroll down and press '''‘Save & Apply’'''.
<br>The new rule is created and enabled. To verify, go to the last page in '''‘Traffic rules’''' and check that the rule is configured correctly and is enabled.<br>
[[File:Networking_rutos_configuration_example_firewall_traffic_rules_7.8_25.png|alt=Firewall traffic rule to block host MAC on certain times enabled|border|class=tlt-border|1000px]]
This rule indicates that the PC with the MAC address '''00:00:5e:xx:xx:xx''' will not be able to send traffic to '''WAN'''. '''‘Drop forward’''' indicates the action (drop). The rule list does not show the times at which this rule is applied, but they can be found on the settings page ('''‘Pencil’''' button). This rule will be applied for the first time on the 9th of August, 2024. Then, every Monday, Tuesday, Wednesday, Thursday and Friday, from 8 AM to 4 PM, this PC will not be able to send traffic to '''WAN'''. Keep in mind that a MAC address is chosen by the client and can be changed by its user in a few clicks, so a MAC-based rule is a convenience control for cooperative devices rather than a security boundary; it also only matches hosts on the same Layer 2 segment as the device, because the source MAC address is rewritten at every routed hop.
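The rule above only fires when all of its conditions hold at once: the source MAC address, the weekday list, the time-of-day window and the optional date range. The following Python model is an added example, not code from this page or from RutOS: it evaluates such a rule at a given moment and walks through the boundary cases (the day before the start date, a weekend, the last minute of the window, a different MAC). It assumes the device compares the window against its own local clock, that a start time later than the stop time wraps past midnight, and uses the documentation MAC 00:00:5e:00:53:01 in place of the page's 00:00:5e:xx:xx:xx; the exact boundary behaviour of a real device should be checked against the firmware.

```python
"""Time-restricted, MAC-matched firewall rule evaluation (added example)."""
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import FrozenSet, Optional

WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order

@dataclass
class TimeRestriction:
    weekdays: FrozenSet[str] = frozenset()  # empty = every day
    start_time: Optional[time] = None       # both None = whole day
    stop_time: Optional[time] = None
    start_date: Optional[date] = None       # None = no date bound
    stop_date: Optional[date] = None

@dataclass
class MacRule:
    name: str
    src_mac: str                            # as typed into the WebUI
    target: str = "DROP"
    when: TimeRestriction = field(default_factory=TimeRestriction)

def normalize_mac(mac: str) -> str:
    """Canonical form so '00-00-5E-00-53-01' and '00:00:5e:00:53:01' compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_active(r: TimeRestriction, now: datetime) -> bool:
    """Every configured condition must hold. `now` is taken as the device's local
    clock (assumption); a start time after the stop time is treated as a window
    that wraps past midnight (assumption, verify against the firmware)."""
    today, t = now.date(), now.time()
    if r.start_date is not None and today < r.start_date:
        return False
    if r.stop_date is not None and today > r.stop_date:
        return False
    if r.weekdays and WEEKDAYS[now.weekday()] not in r.weekdays:
        return False
    if r.start_time is not None and r.stop_time is not None:
        if r.start_time <= r.stop_time:
            return r.start_time <= t <= r.stop_time
        return t >= r.start_time or t <= r.stop_time
    if r.start_time is not None and t < r.start_time:
        return False
    if r.stop_time is not None and t > r.stop_time:
        return False
    return True

def verdict(rule: MacRule, src_mac: str, now: datetime, default: str = "ACCEPT") -> str:
    """`default` stands in for the zone forward policy when the rule does not match."""
    if normalize_mac(src_mac) == normalize_mac(rule.src_mac) and is_active(rule.when, now):
        return rule.target
    return default

# Constructed rule mirroring the page: Mon-Fri, 08:00-16:00, first applied on
# 2024-08-09 (a Friday). 00:00:5e:00:53:01 is a documentation MAC standing in
# for the page's 00:00:5e:xx:xx:xx.
BLOCK_PC = MacRule("Block-PC-office-hours", "00:00:5e:00:53:01",
                   when=TimeRestriction(frozenset({"mon", "tue", "wed", "thu", "fri"}),
                                        time(8, 0), time(16, 0), date(2024, 8, 9)))
NIGHT_ONLY = TimeRestriction(start_time=time(22, 0), stop_time=time(6, 0))  # wraps midnight

def verdict_at(stamp: str, src_mac: str = "00-00-5E-00-53-01") -> str:
    """Verdict of BLOCK_PC at a 'YYYY-MM-DD HH:MM' local timestamp."""
    return verdict(BLOCK_PC, src_mac, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))

def night_active_at(stamp: str) -> bool:
    return is_active(NIGHT_ONLY, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))

if __name__ == "__main__":
    for stamp in ("2024-08-08 10:00", "2024-08-09 10:00", "2024-08-10 10:00",
                  "2024-08-12 09:00", "2024-08-12 17:00"):
        print(stamp, verdict_at(stamp))
```

Running it shows the rule doing nothing on Thursday the 8th (before the start date) and on Saturday the 10th, dropping on Friday the 9th and on Monday the 12th at 09:00, and letting traffic through again after 16:00. The `normalize_mac` step matters in practice because the WebUI, a DHCP lease table and a packet capture often show the same address with different case and separators.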