No edit summary
Line 68: | Line 68: | ||
[[File:Networking_rutos_manual_firewall_general_settings_zones_edit_button.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_general_settings_zones_edit_button.png|border|class=tlt-border]] | ||
====Zones: | ====Zones: General Settings==== | ||
---- | ---- | ||
[[File:Networking_rutos_manual_firewall_general_settings_zones_general_settings.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_general_settings_zones_general_settings.png|border|class=tlt-border]] | ||
Line 115: | Line 115: | ||
</table> | </table> | ||
====Zones: | ====Zones: Advanced Settings==== | ||
---- | ---- | ||
[[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_general_settings_zones_advanced_settings.png|border|class=tlt-border]] | ||
Line 157: | Line 157: | ||
</table> | </table> | ||
====Zones: | ====Zones: Inter-zone Forwarding==== | ||
---- | ---- | ||
The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones. | The <b>Inter-zone forwarding</b> options control the forwarding policies between the currently edited zone and other zones. | ||
Line 181: | Line 181: | ||
</table> | </table> | ||
==Port | ==Port Forwards== | ||
<b>Port forwarding</b> is a way of redirecting an incoming connection to another IP address, port or the combination of both: | <b>Port forwarding</b> is a way of redirecting an incoming connection to another IP address, port or the combination of both: | ||
Line 191: | Line 191: | ||
[[File:Networking_rutos_manual_firewall_port_forwards_port_forwards.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_port_forwards_port_forwards.png|border|class=tlt-border]] | ||
===New | ===Add New Port Forward=== | ||
---- | ---- | ||
The <b>New | The <b>Add New Port Forward</b> section is used to quickly add additional port forwarding rules. The figure below is an example of the Add New Port Forward section and the table below provides information on the fields contained in that section: | ||
[[File:Networking_rutos_manual_firewall_port_forwards_add_new_port_forward.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_port_forwards_add_new_port_forward.png|border|class=tlt-border]] | ||
Line 240: | Line 240: | ||
</table> | </table> | ||
===Port | ===Port Forwards Configuration=== | ||
---- | ---- | ||
While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | ||
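Review bot: the unchanged sentence in this hunk still refers to "the New port forward section" twice ("While the New port forward section provides..." and "add one using the New port forward section"), while this same edit renames the heading above to "===Add New Port Forward===" and its intro to "The Add New Port Forward section"; update both references to "the Add New Port Forward section" so readers can match the text to the heading.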
Line 328: | Line 328: | ||
</table> | </table> | ||
==Traffic | ==Traffic Rules== | ||
The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table: | The <b>Traffic rules</b> tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table: | ||
Line 334: | Line 334: | ||
[[File:Networking_rutos_manual_firewall_traffic_rules.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_traffic_rules.png|border|class=tlt-border]] | ||
===Traffic | ===Traffic Rule Configuration=== | ||
---- | ---- | ||
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | ||
Line 488: | Line 488: | ||
</table> | </table> | ||
===New | ===Add New Forward Rule=== | ||
---- | ---- | ||
The <b>New | The <b>Add New Forward Rule</b> section is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the Add New Forward Rule section and the table below provides information on the fields contained in that section: | ||
[[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule.png|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_traffic_rules_add_new_forward_rule.png|border|class=tlt-border]] | ||
Line 575: | Line 575: | ||
<td>- (interactive button)</td> | <td>- (interactive button)</td> | ||
<td>Creates the rule in accordance with the given parameter and redirects you to the rule's configuration page.</td> | <td>Creates the rule in accordance with the given parameter and redirects you to the rule's configuration page.</td> | ||
</tr> | |||
</table> | |||
===Source NAT Configuration=== | |||
---- | |||
In order to begin editing a traffic rule, click the button that looks like a pencil [[File:Networking_rutx_trb14x_manual_edit_button_v1.png|20px]] next to it: | |||
{{#ifeq: {{{series}}} | TRB1 | |||
| [[File:Networking_trb1_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]] | |||
| [[File:Networking_rutos_manual_firewall_nat_rules_source_nat_edit_button.png|border|class=tlt-border]] | |||
}} | |||
You will be redirected to that rule's configuration page: | |||
[[File:Networking_rutos_manual_firewall_nat_rules_configuration_mobile_{{{mobile}}}_dualsim_{{{dualsim}}}_wired_{{{wired}}}.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Enable</td> | |||
<td>off | on; default <b>on</b></td> | |||
<td>Turns the rule on or off.</td> | |||
</tr> | |||
<tr> | |||
<td>Name</td> | |||
<td>string; default <b>none</b></td> | |||
<td>Name of the rule. This is used for easier management purposes.</td> | |||
</tr> | |||
<tr> | |||
<td>Protocol</td> | |||
<td>All protocols | TCP+UDP | TCP | UDP | ICMP | -- custom --; default: <b>All protocols</b></td> | |||
<td>Specifies to which protocols the rule should apply.</td> | |||
</tr> | |||
<tr> | |||
<td>Source zone</td> | |||
<td>firewall zone; default: <b>lan</b></td> | |||
<td>Matches traffic originated from the specified zone.</td> | |||
</tr> | |||
<tr> | |||
<td>Source IP address</td> | |||
<td>ip | ip/netmask; default: <b>Any</b></td> | |||
<td>Mathes traffic originated from specified IP address or network segment.</td> | |||
</tr> | |||
<tr> | |||
<td>Source port</td> | |||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | |||
<td>Mathes traffic originated from specified port number.<td> | |||
</tr> | |||
<tr> | |||
<td>Destination zone</td> | |||
<td>firewall zone; default: <b>wan</b></td> | |||
<td>Matches traffic destined for the specified zone.</td> | |||
</tr> | |||
<tr> | |||
<td>Destination IP address</td> | |||
<td>ip | ip/netmask; default: <b>any</b></td> | |||
<td>Matches traffic destined for the specified IP address or network segment.</td> | |||
</tr> | |||
<tr> | |||
<td>Destination port</td> | |||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | |||
<td>Matches traffic destined for the specified port number.</td> | |||
</tr> | |||
<tr> | |||
<td>SNAT address</td> | |||
<td>ip; default: <b>none</b></td> | |||
<td>Changes matched traffic packet source IP address to the value specified in this field.</td> | |||
</tr> | |||
<tr> | |||
<td>SNAT port</td> | |||
<td>integer [0..65535] | range of integers [0..65534] - [1..65535]; default: <b>none</b></td> | |||
<td>Changes matched traffic packet source port number to the value specified in this field.</td> | |||
</tr> | |||
<tr> | |||
<td>Extra arguments</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Adds extra .iptables options to the rule.</td> | |||
</tr> | |||
<tr> | |||
<td>Week days</td> | |||
<td>days of the week [Sunday..Saturday]; default: <b>none</b></td> | |||
<td>Specifies on which days of the week the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Month days</td> | |||
<td>days of the month [1..31]; default: <b>none</b></td> | |||
<td>Specifies on which days of the month the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Start Time (hh:mm:ss)</td> | |||
<td>time [0..23:0..59:0..59]; default: <b>none</b></td> | |||
<td>Indicates the beginning of the time period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Stop Time (hh:mm:ss)</td> | |||
<td>time [0..23:0..59:0..59]; default: <b>none</b></td> | |||
<td>Indicates the end of the time period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Start Date (yyyy-mm-dd)</td> | |||
<td>date [0000..9999:1..12:1..31]; default: <b>none</b></td> | |||
<td>Indicates the first day of the date of the period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Stop Date (yyyy-mm-dd)</td> | |||
<td>date [0000..9999:1..12:1..31]; default: <b>none</b></td> | |||
<td>Indicates the last day of the date of the period during which the rule is valid.</td> | |||
</tr> | |||
<tr> | |||
<td>Time in UTC</td> | |||
<td>yes | no; default: <b>no</b></td> | |||
<td>Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the Services → [[{{{name}}} NTP|NTP]] page will be used.</td> | |||
</tr> | </tr> | ||
</table> | </table> | ||
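Review bot: the intro line of the new Source NAT Configuration section, "In order to begin editing a traffic rule, click the button that looks like a pencil", is copied from the Traffic Rule Configuration section and should say "a source NAT rule". Further points in this hunk: "Mathes" in the Source IP address and Source port rows should be "Matches"; the Source port description cell ends with an opening "<td>" instead of "</td>", which leaves that row unclosed and can break the table rendering; "Adds extra .iptables options to the rule" has a stray dot before "iptables"; the Value column mixes "default" (Enable row) and "default:" (all other rows); and "the first day of the date of the period" / "the last day of the date of the period" in the Start Date and Stop Date rows read better as "the first day of the period" / "the last day of the period".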
Line 584: | Line 700: | ||
The figure below is an example of the Custom rules tab: | The figure below is an example of the Custom rules tab: | ||
[[File: | [[File:Networking_rutos_manual_firewall_custom_rules.png|border|class=tlt-border]] | ||
The rules added here are saved in the <b>/etc/firewall.user</b> file. Feel free to edit that file instead for the same effect in case you don't have access to the device's WebUI. | The rules added here are saved in the <b>/etc/firewall.user</b> file. Feel free to edit that file instead for the same effect in case you don't have access to the device's WebUI. | ||
Line 591: | Line 707: | ||
The <b>Reset</b> button resets the custom rules field to its default state. | The <b>Reset</b> button resets the custom rules field to its default state. | ||
{{#ifeq: {{{series}}} | RUTX| | {{#ifeq: {{{series}}} | RUTX | | ||
== | ==Helpers== | ||
The <b> | The <b>Helpers</b> section provides you with the possibility to add firewall exceptions for some VoIP protocols, namely SIP and H.323. In other words, these functions provide a pass-through for VoIP communications between the device's LAN and WAN. | ||
<b>Technical explanation:</b> | <b>Technical explanation:</b> | ||
Line 618: | Line 734: | ||
<td>Turns SIP filtering on or off.</td> | <td>Turns SIP filtering on or off.</td> | ||
</tr> | </tr> | ||
</table> | </table>|}} | ||
==Attack Prevention== | ==Attack Prevention== | ||
===SYN Flood Protection=== | ===SYN Flood Protection=== | ||
---- | ---- | ||
<b>SYN Flood Protection</b> allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation. | |||
[[File:Networking_rutos_manual_firewall_attack_prevention_syn.PNG|border|class=tlt-border]] | [[File:Networking_rutos_manual_firewall_attack_prevention_syn.PNG|border|class=tlt-border]] |
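Review bot: "SYN flood DDOS" in the added paragraph should be "DDoS". The paragraph first says the attack consumes resources on the targeted server and then attributes the outcome to "network over-saturation"; the resource a SYN flood exhausts is the listener's half-open connection backlog, so the closing clause would be more accurate as "causing the server to run out of half-open connection slots and stop accepting new connections", which also matches the "consume resources on the targeted server" wording earlier in the same sentence.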