Firewall settings
Use this information to configure the firewall.
Set default firewall
The default section declares global firewall settings which do not belong to specific zones.
Syntax
Name | Type | Required | Default | Description |
---|---|---|---|---|
input | string | no | REJECT | Set policy for the INPUT chain of the filter table. |
output | string | no | REJECT | Set policy for the OUTPUT chain of the filter table. |
forward | string | no | REJECT | Set policy for the FORWARD chain of the filter table. |
syn_flood | boolean | no | 0 | Enable SYN flood protection (obsoleted by synflood_protect setting). |
drop_invalid | boolean | no | 0 | Drop invalid packets (e.g. not matching any active connection). |
Commands example:
Add a new Zone
This section defines the common properties of a zone (named test in this example). The input and output options set the default policies for traffic entering and leaving this zone, while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specify which available networks are members of this zone.
Syntax
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
name | zone name | yes | none | Unique zone name. 11 characters is the maximum working firewall zone name length. |
input | string | no | REJECT | Set policy for the INPUT chain of the filter table. |
output | string | no | REJECT | Set policy for the OUTPUT chain of the filter table. |
forward | string | no | REJECT | Set policy for the FORWARD chain of the filter table. |
masq | boolean | no | 0 | Specifies whether outgoing zone traffic should be masqueraded - this is typically enabled on the wan zone. |
mtu_fix | boolean | no | 0 | Enable MSS clamping for outgoing zone traffic. |
network | list | no | none | List of interfaces attached to this zone. If omitted and neither extra* options, subnets or devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid 'standalone' networks. Use list syntax as explained in uci. |
family | string | no | 0 | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
masq_src | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
masq_dest | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
conntrack | boolean | no | 1 if masquerading is used, 0 otherwise | Force connection tracking for this zone (see Note on connection tracking). |
log | boolean | no | 0 | Create log rules for rejected and dropped traffic in this zone. |
log_limit | string | no | 10/minute | Limits the amount of log messages per interval. |
Commands example:
Add a new forwarding
The forwarding sections control the traffic flow between zones and may enable MSS clamping for specific directions. Only one direction is covered by a forwarding rule. To allow bidirectional traffic flows between two zones, two forwardings are required, with src and dest reversed in each.
Syntax
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
src | zone name | yes | none | Specifies the traffic source zone. Must refer to one of the defined zone names. |
dest | zone name | yes | none | Specifies the traffic destination zone. Must refer to one of the defined zone names. |
Commands example:
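As an added example (not from this page), the defaults, zone and forwarding sections above combined into one base configuration in /etc/config/firewall syntax. The zone names lan and wan and the interface names lan, wan and wan6 are assumptions.

```uci
# Added example, not from the original page. Zone and interface names are assumed.

# Global policies: reject anything that no later section explicitly allows.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

# Trusted zone: hosts on the lan networks may talk to the device itself.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Untrusted zone: reject unsolicited input, masquerade and clamp MSS on the
# way out, and log rejected/dropped traffic (rate-limited by log_limit).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option log_limit '10/minute'

# A forwarding covers one direction only: lan may initiate to wan. There is
# deliberately no wan -> lan forwarding, so outside traffic only reaches lan
# through an explicit redirect or rule.
config forwarding
	option src 'lan'
	option dest 'wan'
```

After editing the file, apply it with /etc/init.d/firewall restart.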
Add a new port forwards
Port forwardings (DNAT) are defined by redirect sections. All incoming traffic on the specified source zone which matches the given rules will be directed to the specified internal host. Redirects are also commonly known as "port forwarding", and "virtual servers". Port ranges are specified as start:stop, for instance 6666:6670. This is similar to the iptables syntax.
Syntax
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
enabled | string | no | 1 or yes | Enable the redirect rule or not. |
name | string | no | none | Unique redirect name. |
proto | protocol name or number | yes | tcp udp | Match incoming traffic using the given protocol. |
src | zone name | yes for DNAT target | none | Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this usually is wan. |
src_mac | mac address | no | none | Match incoming traffic from the specified mac address. |
src_ip | ip address | no | none | Match incoming traffic from the specified source ip address. |
src_port | port or range | no | none | Match incoming traffic originating from the given source port or port range (ex: '5000-5100') on the client host. |
src_dip | ip address | yes for SNAT target | none | For DNAT, match incoming traffic directed at the given destination ip address. For SNAT rewrite the source address to the given address. |
src_dport | port or range | no | none | For DNAT, match incoming traffic directed at the given destination port or port range (ex: '5000-5100') on this host. For SNAT rewrite the source ports to the given value. |
dest | zone name | yes for SNAT target | none | Specifies the traffic destination zone. Must refer to one of the defined zone names. For DNAT target on Attitude Adjustment, NAT reflection works only if this is equal to lan. |
dest_ip | ip address | yes for DNAT target | none | For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. For DNAT, if the dest_ip value matches one of the router's local IP addresses (as shown by ifconfig), the rule is translated into a DNAT + input 'accept' rule. Otherwise it is a DNAT + forward rule. |
dest_port | port or range | no | none | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified (ex: '5000-5100'), not disparate ports as with Rules (below). |
reflection | boolean | no | 1 | Activate NAT reflection for this redirect - applicable to DNAT targets. |
Commands example:
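As an added example (not from this page), two DNAT redirects in /etc/config/firewall syntax: a port-range forward using the start:stop form described above, and a tightly scoped forward that matches only one client address and only the router's own public address. The zone names lan and wan and all IP addresses (RFC 5737 documentation ranges and a private lan host) are constructed sample values.

```uci
# Added example, not from the original page. Addresses and zone names are assumed.

# Forward TCP 6666-6670 arriving on wan to an internal host, keeping the same
# port range. NAT reflection lets lan clients use the public address too.
config redirect
	option name 'game-server'
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '6666:6670'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '6666:6670'
	option reflection '1'

# Management access: only the admin address 203.0.113.5 may reach TCP 2222 on
# the router's public address 198.51.100.1, which is then translated to port 22
# on an internal host. Reflection is not needed for an external-only path.
config redirect
	option name 'ssh-from-admin'
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_ip '203.0.113.5'
	option src_dip '198.51.100.1'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip '192.168.1.20'
	option dest_port '22'
	option reflection '0'
```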
Add a new traffic rule
Rule sections define fine-grained match criteria and an action (target) for traffic. A rule with a dest zone applies to forwarded traffic between the src and dest zones; a rule without a dest zone is treated as an input rule for traffic addressed to the device itself. Port ranges are specified as start:stop, for instance 5000:5100, as in the iptables syntax.
Syntax
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
enabled | boolean | no | yes | Enable or disable rule. |
name | string | no | none | Unique rule name. |
family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
proto | protocol name or number | no | tcp udp | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all. |
src | zone name | yes (optional since Firewall v2, version 58 and above) | none | Specifies the traffic source zone. Must refer to one of the defined zone names. |
src_mac | mac address | no | none | Match incoming traffic from the specified mac address. |
src_ip | ip address | no | none | Match incoming traffic from the specified source ip address. |
src_port | port or range | no | none | Match incoming traffic from the specified source port or port range (ex: '5000:5100'; port ranges do not apply to all protocols), if a relevant proto is specified. Multiple ports can be specified like '80 443 465'. |
dest | zone name | no | none | Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule. |
dest_ip | ip address | no | none | Match incoming traffic directed to the specified destination ip address. With no dest zone, this is treated as an input rule! |
dest_port | port or range | no | none | Match incoming traffic directed at the given destination port or port range (ex: '5000:5100'; port ranges do not apply to all protocols), if a relevant proto is specified. Multiple ports can be specified like '80 443 465'. |
target | string | yes | DROP | Firewall action for matched traffic, e.g. ACCEPT, REJECT or DROP. |
weekdays | list of weekdays | no | (always) | If specified, only match traffic during the given weekdays, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to match on every day except Saturdays and Sundays. |
monthdays | list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on the 2nd, 5th and 30th day of each month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to match on every day except the 31st of the month. |
start_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic after the given time of day (inclusive). |
stop_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic before the given time of day (inclusive). |
start_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic after the given date (inclusive). |
stop_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic before the given date (inclusive). |
utc_time | boolean | no | 0 | Treat all given time values as UTC time instead of local time. |
Commands example:
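As an added example (not from this page), three traffic rules in /etc/config/firewall syntax showing the input-versus-forward distinction described above and a time-restricted rule. The zone names lan and wan, the device address 192.168.1.1, the lab host 192.168.1.50 and the admin address 203.0.113.5 are constructed sample values.

```uci
# Added example, not from the original page. Addresses and zone names are assumed.

# Input rule (no dest): allow SSH to the device from wan, but only from the
# single admin address; everything else on wan still hits the zone's REJECT.
config rule
	option name 'ssh-from-admin'
	option src 'wan'
	option src_ip '203.0.113.5'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# dest_ip without a dest zone is still an input rule: lan hosts may query DNS
# only on the device's lan address, for both IPv4 and IPv6 rule sets.
config rule
	option name 'dns-on-lan-address'
	option src 'lan'
	option dest_ip '192.168.1.1'
	option family 'any'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Forward rule (dest set): reject the lab host's lan -> wan traffic on
# weekends, even though the lan -> wan forwarding is otherwise allowed.
config rule
	option name 'lab-host-no-weekend-internet'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option weekdays 'sat sun'
	option target 'REJECT'
```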
Add a new Source NAT
Source NAT changes an outgoing packet so that it looks as though the Embedded Switch system is the source of the packet.
Define source NAT for UDP and TCP traffic directed to port 123 originating from the host with the IP address 10.55.34.85. The source address is rewritten to 63.240.161.99:
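As an added example (not from this page), the source NAT just described written as a redirect section with target SNAT in /etc/config/firewall syntax. Following the parameter table above, src_ip matches the originating host, dest_port matches the destination port, and src_dip is the address the source is rewritten to; the zone names lan and wan are assumptions.

```uci
# Added example, not from the original page. Zone names are assumed.

# SNAT: TCP and UDP traffic from 10.55.34.85 to port 123 leaves the wan zone
# with its source address rewritten to 63.240.161.99.
config redirect
	option name 'snat-ntp'
	option target 'SNAT'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option src_ip '10.55.34.85'
	option dest_port '123'
	option src_dip '63.240.161.99'
```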