RUTX11 devices use the standard Linux iptables package as their firewall; it uses chains of rules and default policies to control inbound and outbound traffic. This chapter is an overview of the Firewall section for RUTX11 devices.
If you’re having trouble finding this page or some of the parameters described here on your device’s WebUI, you should turn on “Advanced WebUI” mode. You can do that by clicking the “Basic” button under “Mode”, which is located at the top-right corner of the WebUI.
The General Settings section is used to configure the main policies of the device’s firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:
* When a packet goes through a firewall chain it is matched against all the rules of that chain. If no rule matches the packet, the chain's default Action (Drop, Reject or Accept) is applied:
The Zones section is used to manage default traffic forwarding policies between different device zones. The figure below is an example of the Zones section and the table below provides information on the fields contained in that section:
You can change a zone’s settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the button that looks like a pencil next to a zone:
The Inter-zone forwarding options control the forwarding policies between the currently edited zone and other zones.
Port forwarding is a way of redirecting an incoming connection to another IP address, port or the combination of both:
The Port forwards table lists the port forwarding rules currently configured on the device.
The New port forward section is used to quickly add additional port forwarding rules. The figure below is an example of the New port forward section and the table below provides information on the fields contained in that section:
While the New port forward section lets you add port forwarding rules quickly, it does not expose all the options available for customizing a rule. To create a more detailed rule, add one using the New port forward section and then click the button that looks like a pencil next to it:
You will be redirected to that rule’s configuration page:
The Traffic rules tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table:
In order to begin editing a traffic rule, click the button that looks like a pencil next to it:
You will be redirected to that rule’s configuration page:
The Open ports on device section provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:
The New forward rule section is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the New forward rule section and the table below provides information on the fields contained in that section:
Source NAT is a specific form of masquerading that allows fine-grained control over the source IP address used for outgoing traffic, for example to map multiple WAN addresses to internal subnets.
The New Source NAT section is used to add custom source NAT rules. The figure below is an example of the New source NAT section and the table below provides information on the fields contained in that section:
The Custom rules tab provides you with the possibility to execute iptables commands which are not otherwise covered by the device’s firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.
The figure below is an example of the Custom rules tab:
The rules added here are saved in the /etc/firewall.user file. Feel free to edit that file instead for the same effect in case you don’t have access to the device’s WebUI.
The Save button restarts the firewall service, which adds the custom rules specified in this section to the device's list of firewall rules.
The Reset button resets the custom rules field to its default state.
The NAT Helpers section provides you with the possibility to add firewall exceptions for some VoIP protocols, namely SIP and H.323. In other words, these functions provide a pass-through for VoIP communications between the device’s LAN and WAN.
FTP, SIP and H.323 are harder for firewalls to filter because they violate layering: they carry OSI layer 3/4 parameters (addresses and ports) inside OSI layer 7 payloads. NAT helpers are modules that assist the firewall's connection tracking for these protocols. They create so-called expectations, which can be used to open the necessary ports for RELATED connections. The FTP, GRE and PPTP helpers are enabled by default.
SYN Flood Protection allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.
Some attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.
Prevent SSH brute-force attacks by limiting the number of connections in a defined period (SSH allows a user to run commands on a machine's command prompt without being physically present at the machine).
This type of HTTP attack sends a complete, legitimate HTTP header that includes a 'Content-Length' field specifying the size of the message body to follow. The attacker then sends the actual message body at an extremely slow rate (e.g. 1 byte per 100 seconds). Because the header is correct and complete, the target server honours the 'Content-Length' field and waits for the entire body to arrive, tying up its resources and slowing it down.
This section allows you to enable protection against HTTPS attacks, also known as man-in-the-middle attacks (MITM).
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Port scan attacks probe which of the targeted host's ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code to gain access to sensitive data or execute malicious code on the machine remotely. Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system.

The Port Scan section provides you with the possibility to enable protection against port scanning software.

The Defending Type section lets you enable protection against specific scan types: SYN-FIN, SYN-RST, X-Mas, FIN scan and NULL-flags attacks.
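To make the Custom rules tab and the Defending Type options concrete, here is an added example (not Teltonika's own firewall code) of iptables rules in the form that /etc/firewall.user holds. They drop the five scan signatures named above and rate-limit SYNs, ICMP echo requests and new SSH connections; the chain name syn_flood and every rate, burst and hit-count value are assumptions, not device defaults.

```shell
#!/bin/sh
# Added example, not Teltonika's own code: iptables rules approximating the
# Attack Prevention protections, as stored by the Custom rules tab. Values assumed.
IPT="${IPT:-iptables}"

# Port-scan signatures named on the page: SYN-FIN, SYN-RST, X-Mas, FIN, NULL.
# --tcp-flags MASK COMP matches when, of the flags in MASK, exactly COMP are set.
scan_rules() {
    printf '%s\n' \
      "$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP" \
      "$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP" \
      "$IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP" \
      "$IPT -A INPUT -p tcp --tcp-flags ALL FIN -j DROP" \
      "$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
}

# SYN flood: a dedicated chain rate-limits new SYNs and drops the excess, so the
# limit never ACCEPTs traffic that later INPUT rules should still filter.
# (Assumes the firewall restart flushes user chains; otherwise flush syn_flood first.)
syn_flood_rules() {
    printf '%s\n' \
      "$IPT -N syn_flood" \
      "$IPT -A syn_flood -m limit --limit 25/s --limit-burst 50 -j RETURN" \
      "$IPT -A syn_flood -j DROP" \
      "$IPT -A INPUT -p tcp --syn -j syn_flood"
}

# ICMP bursts: answer echo requests only up to a rate.
icmp_rules() {
    printf '%s\n' \
      "$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s --limit-burst 20 -j ACCEPT" \
      "$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP"
}

# SSH: drop a source that opens more than 10 new connections to port 22 in 60 s.
ssh_rules() {
    printf '%s\n' \
      "$IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH" \
      "$IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name SSH -j DROP"
}

# Write the rule set to a file (default: the path the Custom rules tab uses)
# and print the number of iptables commands written.
write_firewall_user() {
    out="${1:-/etc/firewall.user}"
    {
        echo "# custom rules: loaded after the default rule set on each firewall restart"
        scan_rules; syn_flood_rules; icmp_rules; ssh_rules
    } > "$out"
    grep -c "^$IPT " "$out"
}
```

Run `write_firewall_user /tmp/preview.user` to inspect the generated rules before copying them into the Custom rules field; the device applies the file on the next firewall restart (the Save button).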