{{Template:Networking_rutos_manual_fw_disclosure
| fw_version = {{{series}}}_R_00.02.03
| series = {{{series}}}
}}
==Summary==

{{{name}}} devices use the standard Linux iptables package as their <b>firewall</b>, which uses routing chains and policies to control inbound and outbound traffic. This chapter is an overview of the Firewall section for {{{name}}} devices.

{{Template:Networking_rutos_manual_basic_advanced_webui_disclaimer}}

==General settings==

The <b>General Settings</b> section is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:

[[File:Networking_rutx_manual_firewall_general_settings_general_settings_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable SYN flood protection</td>
<td>off | on; Default: <b>on</b></td>
<td>Enables protection from SYN flood type attacks. A SYN flood is a type of denial-of-service (DoS) attack in which an attacker sends bursts of SYN requests in an attempt to make the target host consume enough resources to become unresponsive.</td>
</tr>
<tr>
<td>Drop invalid packets</td>
<td>off | on; Default: <b>off</b></td>
<td>If enabled, a "Drop" action will be performed on packets that are determined to be invalid.</td>
</tr>
<tr>
<td>Input</td>
<td>Reject | Drop | Accept; Default: <b>Accept</b></td>
<td>Default action<span class="asterisk">*</span> of the INPUT chain if a packet does not match any existing rule on that chain.</td>
</tr>
<tr>
<td>Output</td>
<td>Reject | Drop | Accept; Default: <b>Accept</b></td>
<td>Default action<span class="asterisk">*</span> of the OUTPUT chain if a packet does not match any existing rule on that chain.</td>
</tr>
<tr>
<td>Forward</td>
<td>Reject | Drop | Accept; Default: <b>Reject</b></td>
<td>Default action<span class="asterisk">*</span> of the FORWARD chain if a packet does not match any existing rule on that chain.</td>
</tr>
</table>

<span class="asterisk">*</span> When a packet goes through a firewall chain it is matched against all the rules of that specific chain. If no rule matches the packet, the corresponding default action (Drop, Reject or Accept) is performed:
<ul>
<li><b>Accept</b> – packet gets to continue to the next chain.</li>
<li><b>Drop</b> – packet is stopped and deleted.</li>
<li><b>Reject</b> – packet is stopped, deleted and, differently from Drop, a message of rejection is sent to the source from which the packet came.</li>
</ul>

===Zones===
----
The <b>Zones</b> section is used to manage default traffic forwarding policies between different device zones. The figure below is an example of the Zones section and the table below provides information on the fields contained in that section:

[[File:Networking_rutx_manual_firewall_general_settings_zones_v1.png]]
----
You can change a zone's settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to a zone:

[[File:Networking_rutx_manual_firewall_general_settings_zones_edit_v1.png]]

====Zones: general settings====
----

[[File:Networking_rutx_manual_firewall_general_settings_zones_general_settings_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Name</td>
<td>string; default: <b>newzone</b></td>
<td>A custom name for the zone. Used for easier management purposes.</td>
</tr>
<tr>
<td>Input</td>
<td>Reject | Drop | Accept; Default: <b>Accept</b></td>
<td>Default policy for traffic entering the zone.</td>
</tr>
<tr>
<td>Output</td>
<td>Reject | Drop | Accept; Default: <b>Accept</b></td>
<td>Default policy for traffic originating from and leaving the zone.</td>
</tr>
<tr>
<td>Forward</td>
<td>Reject | Drop | Accept; Default: <b>Reject</b></td>
<td>Default policy for traffic forwarded between the networks belonging to the zone.</td>
</tr>
<tr>
<td>Masquerading</td>
<td>off | on; default: <b>off</b></td>
<td>Turns Masquerading off or on. MASQUERADE is an iptables target that can be used instead of the SNAT (source NAT) target when the external IP of the network interface is not known at the moment of writing the rule (when the interface gets the external IP dynamically).</td>
</tr>
<tr>
<td>MSS clamping</td>
<td>off | on; default: <b>off</b></td>
<td>Turns MSS clamping off or on. MSS clamping is a workaround used to change the maximum segment size (MSS) of all TCP connections passing through links with an MTU lower than the Ethernet default of 1500.</td>
</tr>
<tr>
<td>Covered networks</td>
<td>name of interface; default: <b>none</b></td>
<td>Network or networks that belong to the zone.</td>
</tr>
</table>

====Zones: advanced settings====
----

[[File:Networking_rutx_manual_firewall_general_settings_zones_advanced_settings_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Restrict to address family</td>
<td>IPv4 and IPv6 | IPv4 only | IPv6 only; default: <b>IPv4 and IPv6</b></td>
<td>IP address family to which the rule will apply.</td>
</tr>
<tr>
<td>Restrict Masquerading to given source subnets</td>
<td>network/subnet; default: <b>none</b></td>
<td>Applies Masquerading only to the specified source network/subnet.</td>
</tr>
<tr>
<td>Restrict Masquerading to given destinations subnets</td>
<td>network/subnet; default: <b>none</b></td>
<td>Applies Masquerading only to the specified destination network/subnet.</td>
</tr>
<tr>
<td>Force connection tracking</td>
<td>off | on; default: <b>off</b></td>
<td>Always maintains connection state (NEW, ESTABLISHED, RELATED) information.</td>
</tr>
<tr>
<td>Enable logging on this zone</td>
<td>off | on; default: <b>off</b></td>
<td>Logs packets that hit this rule.</td>
</tr>
<tr>
<td>Limit log messages</td>
<td>integer/minute; default: <b>none</b></td>
<td>Limit how many messages can be logged in the span of 1 minute. For example, to log 50 packets per minute use: <i>50/minute</i>.</td>
</tr>
</table>

====Zones: inter-zone forwarding====
----
The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones.

[[File:Networking_rutx09_rutx11_manual_firewall_general_settings_zones_inter-zone_forwarding_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Allow forward to destination zones</td>
<td>zone(s); default: <b>none</b></td>
<td>Allows forward traffic to specified destination zones. Destination zones cover forwarded traffic originating from this source zone.</td>
</tr>
<tr>
<td>Allow forward from source zones</td>
<td>zone(s); default: <b>none</b></td>
<td>Allows forwarded traffic from the specified source zones. Source zones match forwarded traffic originating from other zones that is targeted at this zone.</td>
</tr>
</table>

==Port forwards==

<b>Port forwarding</b> is a way of redirecting an incoming connection to another IP address, port or the combination of both:

[[File:Networking_rutx_manual_firewall_port_forwards_scheme_v1.png]]
----
The Port forwards table displays configured port forwarding rules currently configured on the device.

[[File:Networking_rutx_manual_firewall_port_forwards_port_forwards_v1.png]]

===New port forward===
----
The <b>New port forward</b> section is used to quickly add additional port forwarding rules. The figure below is an example of the New port forward section and the table below provides information on the fields contained in that section:

[[File:Networking_rutx_manual_firewall_port_forwards_new_port_forward_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Name</td>
<td>string; default: <b>none</b></td>
<td>Name of the rule. This is used for easier management purposes.</td>
</tr>
<tr>
<td>Protocol</td>
<td>TCP+UDP | TCP | UDP | Other; default: <b>TCP+UDP</b></td>
<td>Specifies to which protocols the rule should apply.</td>
</tr>
<tr>
<td>External zone</td>
<td>firewall zone name; default: <b>wan</b></td>
<td>The zone to which hosts will be connecting.</td>
</tr>
<tr>
<td>External port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>The port number to which hosts will be connecting.</td>
</tr>
<tr>
<td>Internal zone</td>
<td>firewall zone name; default: <b>lan</b></td>
<td>The zone to which the incoming connection will be redirected.</td>
</tr>
<tr>
<td>Internal IP address</td>
<td>ip; default: <b>none</b></td>
<td>The IP address to which the incoming connection will be redirected.</td>
</tr>
<tr>
<td>Internal port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>The port number to which the incoming connection will be redirected.</td>
</tr>
</table>

===Port forwards configuration===
----
While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it:

[[File:Networking_rutx_manual_firewall_port_forwards_edit_v1.png]]

You will be redirected to that rule's configuration page:

[[File:Networking_rutx_manual_firewall_port_forwards_configuration_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable</td>
<td>off | on; default: <b>on</b></td>
<td>Turns the rule on or off</td>
</tr>
<tr>
<td>Name</td>
<td>string; default: <b>none</b></td>
<td>Name of the rule. This is used for easier management purposes.</td>
</tr>
<tr>
<td>Protocol</td>
<td>TCP+UDP | TCP | UDP | Other; default: <b>TCP+UDP</b></td>
<td>Specifies to which protocols the rule should apply.</td>
</tr>
<tr>
<td>Source zone</td>
<td>firewall zone name; default: <b>wan</b></td>
<td>The zone to which the third party will be connecting. (Same thing as "External zone" in the New port forward section.)</td>
</tr>
<tr>
<td>Source MAC address</td>
<td>mac; default: <b>none</b></td>
<td>MAC address(es) of connecting hosts.<br>The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.</td>
</tr>
<tr>
<td>Source IP address</td>
<td>ip | ip/netmask; default: <b>any</b></td>
<td>IP address or network segment used by connecting hosts.<br>The rule will apply only to hosts that connect from IP addresses specified in this field.<br>To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network indication (for example, <i>10.0.0.0/8</i>).</td>
</tr>
<tr>
<td>Source port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching.</td>
</tr>
<tr>
<td>External IP address</td>
<td>ip | ip/netmask; default: <b>any</b></td>
<td>IP address or network segment to which hosts will be connecting.<br>The rule will apply only to hosts that connect to IP addresses specified in this field.<br>To specify a subnet instead of one IP, add a forward slash followed by the netmask length after the network indication (for example, <i>10.0.0.0/8</i>).</td>
</tr>
<tr>
<td>External port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>Port number(s) to which hosts will be connecting.<br>The rule will apply only to hosts that connect to the port number(s) specified in this field. Leave empty to make the rule skip external port matching.</td>
</tr>
<tr>
<td>Internal zone</td>
<td>firewall zone name; default: <b>lan</b></td>
<td>The zone to which the incoming connection will be redirected.</td>
</tr>
<tr>
<td>Internal IP address</td>
<td>ip; default: <b>none</b></td>
<td>The IP address to which the incoming connection will be redirected.</td>
</tr>
<tr>
<td>Internal port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>The port number to which the incoming connection will be redirected.</td>
</tr>
<tr>
<td>Enable NAT loopback</td>
<td>off | on; default: <b>on</b></td>
<td>NAT loopback, a.k.a. NAT reflection or NAT hairpinning, is a method of accessing an internal server using a public IP. NAT loopback enables hosts on your local network (i.e., behind your NAT device) to connect to the forward-facing IP address of a machine that is also on your local network.</td>
</tr>
<tr>
<td>Extra arguments</td>
<td>string; default: <b>none</b></td>
<td>Adds extra iptables options to the rule.</td>
</tr>
</table>
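To make the port forward fields above concrete, here is a small model of how such a rule rewrites an incoming connection (DNAT), including the effect of the NAT loopback option. This is an added illustration written for this page, not RutOS or iptables code: the class and field names, the <code>wan_ip</code>/<code>lan_ip</code> parameters standing in for the router's own addresses, the assumption that an empty internal port keeps the external port, and the sample addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """One row of the port forward configuration table (field names are this example's own)."""
    name: str
    src_zone: str = "wan"          # External zone / Source zone
    proto: str = "tcp+udp"         # Protocol
    src_ip: str = ""               # Source IP address: ip or ip/netmask, "" = any
    src_dip: str = ""              # External IP address: ip or ip/netmask, "" = any
    src_dport: str = ""            # External port: "80" or "8000-8010", "" = any
    dest_zone: str = "lan"         # Internal zone
    dest_ip: str = ""              # Internal IP address
    dest_port: str = ""            # Internal port; "" keeps the external port (assumption)
    nat_loopback: bool = True      # Enable NAT loopback
    enabled: bool = True


def port_in(spec: str, port: int) -> bool:
    """'' matches any port, '80' one port, '8000-8010' an inclusive range."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def ip_in(spec: str, ip: str) -> bool:
    """'' matches any address; otherwise a bare ip or an ip/netmask such as 10.0.0.0/8."""
    if not spec:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def apply_port_forwards(pkt: Packet, rules: List[PortForward],
                        wan_ip: str, lan_ip: str) -> Tuple[Optional[str], Packet]:
    """Return (rule name, rewritten packet) for the first matching rule, else (None, pkt).

    wan_ip and lan_ip are the router's own addresses on the external and internal
    zones; they are only needed to model NAT loopback (hairpinning).
    """
    for r in rules:
        if not r.enabled:
            continue
        if r.proto != "tcp+udp" and r.proto != pkt.proto:
            continue
        if not (ip_in(r.src_ip, pkt.src_ip) and ip_in(r.src_dip, pkt.dst_ip)
                and port_in(r.src_dport, pkt.dst_port)):
            continue
        from_external = pkt.src_zone == r.src_zone
        # Loopback: an internal host addresses the router's public IP and still reaches
        # the forwarded server; its source is rewritten to the router's LAN address so
        # that the server's reply travels back through the router instead of directly.
        loopback = (r.nat_loopback and pkt.src_zone == r.dest_zone
                    and pkt.dst_ip == wan_ip)
        if not (from_external or loopback):
            continue
        new_port = int(r.dest_port) if r.dest_port else pkt.dst_port
        out = replace(pkt, dst_ip=r.dest_ip, dst_port=new_port)
        if loopback:
            out = replace(out, src_ip=lan_ip)
        return r.name, out
    return None, pkt


if __name__ == "__main__":
    web = PortForward("web", src_dport="80", dest_ip="192.168.1.10", dest_port="8080")
    external = Packet("wan", "tcp", "203.0.113.5", 40000, "198.51.100.1", 80)
    hairpin = Packet("lan", "tcp", "192.168.1.50", 50000, "198.51.100.1", 80)
    for p in (external, hairpin):
        print(apply_port_forwards(p, [web], wan_ip="198.51.100.1", lan_ip="192.168.1.1"))
```

The source IP restriction is what turns a forward into a narrower exposure: with <code>src_ip="10.0.0.0/8"</code> only hosts in that range reach the internal service, and everything else falls through to the zone's default policy.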

==Traffic rules==

The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table:

[[File:Networking_rutx_manual_firewall_traffic_rules_v1.png]]

===Traffic rules configuration===
----
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it:

[[File:Networking_rutx_manual_firewall_traffic_rules_edit_v1.png]]

You will be redirected to that rule's configuration page:

[[File:Networking_rutx09_rutx11_manual_firewall_traffic_rules_configuration_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable</td>
<td>off | on; Default: <b>on</b></td>
<td>Turns the rule on or off.</td>
</tr>
<tr>
<td>Name</td>
<td>string; Default: <b>none</b></td>
<td>Name of the rule. This is used for easier management purposes.</td>
</tr>
<tr>
<td>Restrict to address family</td>
<td>IPv4 and IPv6 | IPv4 only | IPv6 only; Default: <b>IPv4 and IPv6</b></td>
<td>IP address family to which the rule will apply.</td>
</tr>
<tr>
<td>Protocol</td>
<td>TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: <b>TCP+UDP</b></td>
<td>Specifies to which protocols the rule should apply.</td>
</tr>
<tr>
<td>Source zone</td>
<td>firewall zone name; default: <b>wan</b></td>
<td>The zone to which the third party will be connecting.</td>
</tr>
<tr>
<td>Source MAC address</td>
<td>mac; default: <b>none</b></td>
<td>MAC address(es) of connecting hosts.<br>The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.</td>
</tr>
<tr>
<td>Source address</td>
<td>ip | ip/netmask; default: <b>any</b></td>
<td>IP address or network segment used by connecting hosts.<br>The rule will apply only to hosts that connect from IP addresses specified in this field.<br>To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network indication (for example, <i>10.0.0.0/8</i>).</td>
</tr>
<tr>
<td>Source port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td>
<td>Port number(s) used by the connecting host.<br>The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching.</td>
</tr>
<tr>
<td>Destination zone</td>
<td>firewall zone; Default: <b>Device (input)</b></td>
<td>Target zone of the incoming connection.</td>
</tr>
<tr>
<td>Destination address</td>
<td>ip | ip/netmask; Default: <b>any</b></td>
<td>Target IP address or network segment of the incoming connection.</td>
</tr>
<tr>
<td>Destination port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: <b>none</b></td>
<td>Target port or range of ports of the incoming connection.</td>
</tr>
<tr>
<td>Action</td>
<td>DROP | ACCEPT | REJECT; Default: <b>ACCEPT</b></td>
<td>Action that is to be taken when a packet meets the MATCH conditions.
<ul>
<li><b>ACCEPT</b> – packet gets to continue to the next chain.</li>
<li><b>DROP</b> – packet is stopped and deleted.</li>
<li><b>REJECT</b> – packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.</li>
</ul>
</td>
</tr>
<tr>
<td>Extra arguments</td>
<td>string; Default: <b>none</b></td>
<td>Adds extra iptables options to the rule.</td>
</tr>
<tr>
<td>Week days</td>
<td>days of the week [Sunday..Saturday]; Default: <b>none</b></td>
<td>Specifies on which days of the week the rule is valid.</td>
</tr>
<tr>
<td>Month days</td>
<td>days of the month [1..31]; Default: <b>none</b></td>
<td>Specifies on which days of the month the rule is valid.</td>
</tr>
<tr>
<td>Start Time (hh:mm:ss)</td>
<td>time [0..23:0..59:0..59]; Default: <b>none</b></td>
<td>Indicates the beginning of the time period during which the rule is valid.</td>
</tr>
<tr>
<td>Stop Time (hh:mm:ss)</td>
<td>time [0..23:0..59:0..59]; Default: <b>none</b></td>
<td>Indicates the end of the time period during which the rule is valid.</td>
</tr>
<tr>
<td>Start Date (yyyy-mm-dd)</td>
<td>date [0000..9999:1..12:1..31]; Default: <b>none</b></td>
<td>Indicates the first day of the date period during which the rule is valid.</td>
</tr>
<tr>
<td>Stop Date (yyyy-mm-dd)</td>
<td>date [0000..9999:1..12:1..31]; Default: <b>none</b></td>
<td>Indicates the last day of the date period during which the rule is valid.</td>
</tr>
<tr>
<td>Time in UTC</td>
<td>yes | no; Default: <b>no</b></td>
<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the <b>[[{{{name}}}<nowiki> NTP|NTP]]</nowiki></b> section will be used.</td>
</tr>
</table>
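The matching behaviour described in the General settings section (a packet is checked against each rule of the chain in order; if none matches, the chain's default action applies), the zone defaults and inter-zone forwarding lists from the Zones section, and the match fields of the traffic rule table above can all be exercised with one small evaluator. The following Python is an added example written for this page, not RutOS firmware or iptables code: the <code>device</code> pseudo-zone standing in for "Device (input)", treating unset rule fields as wildcards, the rule and packet field names, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the illustration; real iptables also keeps connection state, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"
DEVICE = "device"   # pseudo-zone for traffic to/from the router itself ("Device (input)")


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    src_mac: str = ""
    when: datetime = field(default_factory=datetime.now)


@dataclass
class Zone:
    """Zone defaults from the Zones table plus its inter-zone forwarding list."""
    input: str = ACCEPT
    output: str = ACCEPT
    forward: str = REJECT
    forward_to: Set[str] = field(default_factory=set)  # "Allow forward to destination zones"


@dataclass
class Rule:
    """One traffic rule; empty/None fields are wildcards (an assumption of this model)."""
    name: str
    action: str = ACCEPT
    family: Optional[str] = None    # "ipv4", "ipv6" or None for both
    proto: str = "tcp+udp"
    src_zone: Optional[str] = None
    src_mac: str = ""
    src_ip: str = ""                # ip or ip/netmask
    src_port: str = ""              # "22" or "1024-65535"
    dest_zone: str = DEVICE
    dest_ip: str = ""
    dest_port: str = ""
    weekdays: Set[str] = field(default_factory=set)   # {"Monday", ...}; empty = every day
    start_time: Optional[str] = None                  # "hh:mm:ss"
    stop_time: Optional[str] = None


def port_in(spec: str, port: int) -> bool:
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def ip_in(spec: str, ip: str) -> bool:
    return not spec or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def in_time_window(r: Rule, when: datetime) -> bool:
    """Week day and start/stop time checks; a window such as 22:00-06:00 wraps midnight."""
    if r.weekdays and when.strftime("%A") not in r.weekdays:
        return False
    if r.start_time and r.stop_time:
        start, stop = time.fromisoformat(r.start_time), time.fromisoformat(r.stop_time)
        t = when.time()
        return start <= t <= stop if start <= stop else (t >= start or t <= stop)
    return True


def rule_matches(r: Rule, p: Packet) -> bool:
    family = "ipv6" if ":" in p.src_ip else "ipv4"
    proto_ok = p.proto in ("tcp", "udp") if r.proto == "tcp+udp" else r.proto == p.proto
    return all((
        r.family in (None, family),
        proto_ok,
        r.src_zone in (None, p.src_zone),
        r.dest_zone == p.dst_zone,
        not r.src_mac or r.src_mac.lower() == p.src_mac.lower(),
        ip_in(r.src_ip, p.src_ip),
        ip_in(r.dest_ip, p.dst_ip),
        port_in(r.src_port, p.src_port),
        port_in(r.dest_port, p.dst_port),
        in_time_window(r, p.when),
    ))


def evaluate(p: Packet, rules: List[Rule], zones: Dict[str, Zone]) -> Tuple[str, str]:
    """First matching rule wins; with no match the relevant zone default applies."""
    for r in rules:
        if rule_matches(r, p):
            return r.action, f"rule:{r.name}"
    if p.dst_zone == DEVICE:                      # INPUT chain
        return zones[p.src_zone].input, f"zone:{p.src_zone}:input"
    if p.src_zone == DEVICE:                      # OUTPUT chain
        return zones[p.dst_zone].output, f"zone:{p.dst_zone}:output"
    if p.dst_zone in zones[p.src_zone].forward_to:  # FORWARD chain, explicit allow
        return ACCEPT, "inter-zone forwarding"
    return zones[p.src_zone].forward, f"zone:{p.src_zone}:forward"


def sender_is_notified(action: str) -> bool:
    """DROP discards silently; REJECT additionally sends an ICMP error to the source."""
    return action == REJECT
```

A practical consequence worth checking on a real device is the order: because the first match wins, a broad ACCEPT rule placed above a narrow REJECT makes the REJECT unreachable, and the zone default only ever applies to packets no rule claimed.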


===Open ports on device===
----
The <b>Open ports on device</b> section provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:

[[File:{{{file_open_ports_on_device}}}]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Name</td>
<td>string; Default: <b>none</b></td>
<td>The name of the rule. This is used for easier management purposes.<br>The name field is filled automatically when port numbers are specified, unless the name was specified beforehand by the user.</td>
</tr>
<tr>
<td>Protocol</td>
<td>TCP+UDP | TCP | UDP | Other; Default: <b>TCP+UDP</b></td>
<td>Specifies to which protocols the rule should apply.</td>
</tr>
<tr>
<td>External port</td>
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: <b>none</b></td>
<td>Specifies which port(s) should be opened.</td>
</tr>
</table>

===New forward rule===
----
The <b>New forward rule</b> section is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the New forward rule section and the table below provides information on the fields contained in that section:

[[File:Networking_rutx_manual_firewall_traffic_rules_new_forward_rule_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Name</td>
<td>string; Default: <b>none</b></td>
<td>The name of the rule. This is used for easier management purposes.</td>
</tr>
<tr>
<td>Source zone</td>
<td>firewall zone; Default: <b>WAN</b></td>
<td>The zone from which traffic has originated.</td>
</tr>
<tr>
<td>Destination zone</td>
<td>firewall zone; Default: <b>LAN</b></td>
<td>The zone to which traffic will be forwarded.</td>
</tr>
<tr>
<td>Add</td>
<td>- (interactive button)</td>
<td>Creates the rule and redirects you to the rule's configuration page</td>
</tr>
</table>

===Source NAT===
----
<b>Source NAT</b> is a specific form of masquerading which allows fine-grained control over the source IP used for outgoing traffic, for example to map multiple WAN addresses to internal subnets.

====New source NAT====
----
The <b>New Source NAT</b> section is used to add custom source NAT rules. The figure below is an example of the New source NAT section and the table below provides information on the fields contained in that section:

[[File:Networking_rutx_manual_firewall_traffic_rules_source_nat_new_source_nat_v1.png| border | class=tlt-border| 1102x1102px]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Name</td>
<td>string; Default: <b>none</b></td>
<td>The name of the rule. This is used for easier management purposes.</td>
</tr>
<tr>
<td>Source zone</td>
<td>firewall zone; Default: <b>LAN</b></td>
<td>The zone from which traffic has originated.</td>
</tr>
<tr>
<td>Destination zone</td>
<td>firewall zone; Default: <b>WAN</b></td>
<td>The zone to which traffic will be forwarded.</td>
</tr>
<tr>
<td>To source IP</td>
<td>ip | do not rewrite; Default: <b>Do not rewrite</b></td>
<td>Changes the source IP in the packet header to the value specified in this field.</td>
</tr>
<tr>
<td>To source port</td>
<td>integer [0..65535] | do not rewrite; Default: <b>Do not rewrite</b></td>
<td>Changes the source port in the packet header to the value specified in this field.</td>
</tr>
<tr>
<td>Add</td>
<td>- (interactive button)</td>
<td>Creates the rule and redirects you to the rule's configuration page.</td>
</tr>
</table>
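The relationship between zone masquerading (General and Advanced zone settings above) and explicit Source NAT rules can be shown in a few lines: masquerading rewrites the source to whatever address the egress interface holds at that moment, which is why it suits dynamically assigned WAN addresses, while a Source NAT rule rewrites to a fixed address and optionally a fixed port. The following Python is an added example for this page, not RutOS or iptables code: the ordering (explicit SNAT rules consulted before the zone's masquerading), the optional source subnet restriction on a SNAT rule, the class and field names and the sample addresses (RFC 5737 ranges) are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class SnatRule:
    """A Source NAT rule as created on the New source NAT page (field names are this example's own)."""
    name: str
    src_zone: str = "lan"
    dest_zone: str = "wan"
    src_ip: str = ""                  # optional ip/netmask restriction (assumption)
    snat_ip: Optional[str] = None     # "To source IP"; None = do not rewrite
    snat_port: Optional[int] = None   # "To source port"; None = do not rewrite


@dataclass
class ZoneNat:
    """Masquerading settings of a zone (General and Advanced zone settings)."""
    masq: bool = False
    masq_src: List[str] = field(default_factory=list)    # Restrict Masquerading to given source subnets
    masq_dest: List[str] = field(default_factory=list)   # Restrict Masquerading to given destination subnets


def in_any(subnets: List[str], ip: str) -> bool:
    """An empty list means no restriction."""
    addr = ipaddress.ip_address(ip)
    return not subnets or any(addr in ipaddress.ip_network(s, strict=False) for s in subnets)


def apply_source_nat(pkt: Packet, rules: List[SnatRule], zone_nat: Dict[str, ZoneNat],
                     egress_ip: str) -> Tuple[Optional[str], Packet]:
    """Return (what applied, rewritten packet).

    egress_ip is the address currently assigned to the interface the packet leaves on;
    masquerading looks it up per packet instead of baking it into the rule, which is
    the difference from SNAT described in the Masquerading row of the zone table.
    """
    for r in rules:
        zones_match = (r.src_zone, r.dest_zone) == (pkt.src_zone, pkt.dst_zone)
        if zones_match and in_any([r.src_ip] if r.src_ip else [], pkt.src_ip):
            out = pkt
            if r.snat_ip:
                out = replace(out, src_ip=r.snat_ip)
            if r.snat_port:
                out = replace(out, src_port=r.snat_port)
            return f"snat:{r.name}", out
    # Masquerading is a property of the zone the packet leaves through.
    z = zone_nat.get(pkt.dst_zone)
    if z and z.masq and in_any(z.masq_src, pkt.src_ip) and in_any(z.masq_dest, pkt.dst_ip):
        return "masquerade", replace(pkt, src_ip=egress_ip)
    return None, pkt


if __name__ == "__main__":
    rules = [SnatRule("office-vlan", src_ip="192.168.2.0/24", snat_ip="198.51.100.20")]
    nat = {"wan": ZoneNat(masq=True, masq_src=["192.168.0.0/16"])}
    for src in ("192.168.2.7", "192.168.1.7", "10.9.9.9"):
        p = Packet("lan", "wan", src, 40000, "198.51.100.77", 443)
        print(src, "->", apply_source_nat(p, rules, nat, egress_ip="198.51.100.1"))
```

The third case in the demo (a source outside the restricted subnet) leaves with its private address untouched; on a real link that traffic would simply fail to get a reply, so the "Restrict Masquerading to given source subnets" setting is also a way to make sure only the networks you intend to expose ever reach the WAN.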

==Custom rules==

The <b>Custom rules</b> tab provides you with the possibility to execute <b>iptables</b> commands which are not otherwise covered by the device's firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.

The figure below is an example of the Custom rules tab:

[[File:Networking_rutx_manual_firewall_custom_rules_v1.png]]

The rules added here are saved in the <b>/etc/firewall.user</b> file. Feel free to edit that file instead for the same effect in case you don't have access to the device's WebUI.

The <b>Save</b> button restarts the firewall service, thus adding the custom rules specified in this section to the device's list of firewall rules.

The <b>Reset</b> button resets the custom rules field to its default state.

==NAT helpers==

The <b>NAT Helpers</b> section provides you with the possibility to add firewall exceptions for some VoIP protocols, namely SIP and H.323. In other words, these functions provide a pass-through for VoIP communications between the device's LAN and WAN.

<b>Technical explanation:</b>

The FTP, SIP and H.323 protocols are harder for a firewall to handle because they violate layering: they carry OSI layer 3/4 parameters (addresses and ports) inside their OSI layer 7 payload. NAT helpers are connection tracking modules that parse these protocols on behalf of the firewall. They create so-called expectations, which are used to open the necessary ports for RELATED connections. Note that the FTP, GRE and PPTP helpers are enabled by default.

[[File:Networking_rutx_manual_firewall_nat_helpers_v1.png]]

<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>H323</td>
<td>off | on; Default: <b>off</b></td>
<td>Turns H323 filtering on or off.</td>
</tr>
<tr>
<td>SIP</td>
<td>off | on; Default: <b>off</b></td>
<td>Turns SIP filtering on or off.</td>
</tr>
</table>
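The "technical explanation" above is easiest to see with the FTP helper, the one enabled by default: the control connection carries an address and port in its text payload, the helper decodes them into an expectation, and a later data connection that matches the expectation is classified RELATED instead of NEW, so a rule allowing RELATED traffic lets it through without a static port forward. The following Python is an added illustration modelled on that behaviour, not the kernel's nf_conntrack_ftp module or any RutOS code: the <code>Expectation</code> and <code>ConntrackTable</code> names, the one-shot consumption of an expectation, and the choice to ignore addresses that do not belong to the endpoint that announced them are assumptions of this model; the sample payloads and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Active mode: the client announces where the server should connect back to.
# Passive mode: the server announces where the client should connect to.
# Both encode an IPv4 address and a port as six comma-separated decimal bytes.
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_REPLY = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    """A RELATED connection the firewall should allow once: proto, who may open it, to where."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def decode_hostport(groups: Tuple[bytes, ...]) -> Tuple[str, int]:
    """Turn (h1,h2,h3,h4,p1,p2) into ('h1.h2.h3.h4', p1*256 + p2), rejecting out-of-range bytes."""
    vals = [int(g) for g in groups]
    if any(not 0 <= v <= 255 for v in vals):
        raise ValueError("byte out of range in FTP host-port string")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_helper(payload: bytes, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Inspect one control-channel line and derive the expectation for the data channel.

    An announced address that differs from the announcing endpoint's own address is
    ignored, so a peer can only ever open a hole back to itself (defensive assumption).
    """
    m = PORT_CMD.match(payload)
    if m:                                   # client -> server, active mode
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            return None
        return Expectation("tcp", src_ip=server_ip, dst_ip=ip, dst_port=port)
    m = PASV_REPLY.match(payload)
    if m:                                   # server -> client, passive mode
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            return None
        return Expectation("tcp", src_ip=client_ip, dst_ip=ip, dst_port=port)
    return None


class ConntrackTable:
    """Minimal model of the expectation side of connection tracking."""

    def __init__(self) -> None:
        self.expectations: Set[Expectation] = set()

    def expect(self, e: Optional[Expectation]) -> None:
        if e is not None:
            self.expectations.add(e)

    def classify(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """NEW unless a pending expectation matches; a match is RELATED and consumed."""
        probe = Expectation(proto, src_ip, dst_ip, dst_port)
        if probe in self.expectations:
            self.expectations.discard(probe)
            return "RELATED"
        return "NEW"


if __name__ == "__main__":
    ct = ConntrackTable()
    ct.expect(ftp_helper(b"PORT 192,168,1,10,19,137\r\n", "192.168.1.10", "203.0.113.20"))
    print(ct.classify("tcp", "203.0.113.20", "192.168.1.10", 5001))   # RELATED
    print(ct.classify("tcp", "203.0.113.20", "192.168.1.10", 5001))   # NEW (already used)
```

The same shape applies to the SIP and H.323 helpers on this page: they parse SDP or H.245 negotiation for the media addresses and ports and create expectations for the RTP streams, which is why enabling a helper is preferable to opening a wide static port range for VoIP.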
[[Category:{{{name}}} Network section]]