Select Page

RUTX11 Firewall

Summary #

RUTX11 devices use a standard Linux iptables package as its firewall, which uses routing chains and policies to facilitate control over inbound and outbound traffic. This chapter is an overview of the Firewall section for RUTX11 devices.

If you’re having trouble finding this page or some of the parameters described here on your device’s WebUI, you should turn on “Advanced WebUI” mode. You can do that by clicking the “Basic” button under “Mode”, which is located at the top-right corner of the WebUI.

Networking rutx manual webui basic advanced mode v1.gif

General settings #

The General Settings section is used to configure the main policies of the device’s firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:

Networking rutx manual firewall general settings general settings v1.png
FieldValueDescription
Enable SYN flood protectionoff | on; Default: onEnables protection from SYN flood type attacks. A SYN flood is a type of denial-of-service (DOS) attack where an attacker sends bursts of SYN requests in an attempt to make the target host machine consume enough resources and become unresponsive.
Drop invalid packetsoff | on; Default: offIf enabled, a “Drop” action will be performed on packets that are determined to be invalid.
InputReject | Drop | Accept; Default: AcceptDefault action* of the INPUT chain if a packet does not match any existing rule on that chain.
OutputReject | Drop | Accept; Default: AcceptDefault action* of the OUTPUT chain if a packet does not match any existing rule on that chain.
ForwardReject | Drop | Accept; Default: RejectDefault action* of the FORWARD chain if a packet does not match any existing rule on that chain.

* When a packet goes through a firewall chain it is matched against all the rules of that specific chain. If no rule matches said packet, an according Action (Drop, Reject or Accept) is performed:

  • Accept – packet gets to continue to the next chain.
  • Drop – packet is stopped and deleted.
  • Reject – packet is stopped, deleted and, differently from Drop, a message of rejection is sent to the source from which the packet came.

Zones #

The Zones section is used to manage default traffic forwarding policies between different device zones. The figure below is an example of the Zones section and the table below provides information on the fields contained in that section:

[[File::Networking_rutx_manual_firewall_general_settings_zones_v1.png]]

You can change a zone’s settings from this page by interacting with entries in the zones table. For a more in-depth configuration click the button that looks like a pencil  next to a zone:

Networking rutx manual firewall general settings zones edit v1.png

Zones: general settings #

Networking rutx manual firewall general settings zones general settings v1.png
FieldValueDescription
Namestring; default: newzoneA custom name for the zone. Used for easier management purposes.
InputReject | Drop | Accept; Default: AcceptDefault policy for traffic entering the zone.
OutputReject | Drop | Accept; Default: AcceptDefault policy for traffic originating from and leaving the zone.
ForwardReject | Drop | Accept; Default: RejectDefault policy for traffic forwarded between the networks belonging to the zone.
Masqueradingoff | on; default: offTurns Masquerading off or on. MASQUERADE is an iptables target that can be used instead of the SNAT (source NAT) target when the external IP of the network interface is not known at the moment of writing the rule (when the interface gets the external IP dynamically).
MSS clampingoff | on; default: offTurns MSS clamping off or on. MSS clamping is a workaround used to change the maximum segment size (MSS) of all TCP connections passing through links with an MTU lower than the Ethernet default of 1500.
Covered networksname of interface; default: noneNetwork or networks that belong to the zone.

Zones: advanced settings #

Networking rutx manual firewall general settings zones advanced settings v1.png
FieldValueDescription
Restrict to address familyIPv4 and IPv6 | IPv4 only | IPv6 only; default: IPv4 and IPv6IP address family to which to rule will apply.
Restrict Masquerading to given source subnetsnetwork/subnet; default: noneApplies Masquerading only to the specified source network/subnet.
Restrict Masquerading to given destinations subnetsnetwork/subnet; default: noneApplies Masquerading only to the specified destination network/subnet.
Force connection trackingoff | on; default: offAlways maintains connection state (NEW, ESTABLISHED, RELATED) information.
Enable logging on this zoneoff | on; default: offLogs packets that hit this rule.
Limit log messagesinteger/minute; default: noneLimit how many messages can be logged in the span of 1 minute. For example, to log 50 packets per minute use: 50/minute.

Zones: inter-zone forwarding #

The Inter-zone forwarding options control the forwarding policies between the currently edited zone and other zones. 

FieldValueDescription
Allow forward to destination zoneszone(s); default: noneAllows forward traffic to specified destination zones. Destination zones cover forwarded traffic originating from this source zone.
Allow forward from source zoneszone(s); default: noneAllows forward traffic to specified source zones. Source zones match forwarded traffic originating from other zones that is targeted at this zone.

Port forwards[edit | edit source] #

Port forwarding is a way of redirecting an incoming connection to another IP address, port or the combination of both:

Networking rutx manual firewall port forwards scheme v1.png

The Port forwards table displays configured port forwarding rules currently configured on the device.

Networking rutx manual firewall port forwards port forwards v1.png

New port forward #

The New port forward section is used to quickly add additional port forwarding rules. The figure below is an example of the New port forward section and the table below provides information on the fields contained in that section:

Networking rutx manual firewall port forwards new port forward v1.png
FieldValueDescription
Namestring; default: noneName of the rule. This is used for easier management purposes.
ProtocolTCP+UDP | TCP | UDP | Other; default: TCP+UDPSpecifies to which protocols the rule should apply.
External zonefirewall zone name; default: wanThe zone to which hosts will be connecting.
External portinteger [0..65535] | range of integers [0..65534] – [1..65535]; default: noneThe port number to which hosts will be connecting.
Internal zonefirewall zone name; default: lanThe zone to which the incoming connection will be redirected.
Internal IP addressip; default: noneThe IP address to which the incoming connection will be redirected.
Internal portinteger [0..65535] | range of integers [0..65534] – [1..65535]; default: noneThe port number to which the incoming connection will be redirected.

Port forwards configuration #

While the New port forward section provides the possibility to add port forwarding rules fast, it does not contain all possible configuration options to customize a rule. In order to create a more complicated rule, add one using the New port forward section and click the button that looks like a pencil  next to it:

Networking rutx manual firewall port forwards edit v1.png

You will be redirected to that rule’s configuration page: 

FieldValueDescription
Enableoff | on ; default: onTurns the rule on or off
Namestring; default: noneName of the rule. This is used for easier management purposes.
ProtocolTCP+UDP | TCP | UDP | Other; default: TCP+UDPSpecifies to which protocols the rule should apply.
Source zonefirewall zone name; default: wanThe zone to which the third party will be connecting. (Same thing as “External zone” in the New port forward section.)
Source MAC addressmac; default: noneMAC address(es) of connecting hosts.
The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.
Source IP addressip | ip/netmask; default: anyIP address or network segment used by connecting hosts.
The rule will apply only to hosts that connect from IP addresses specified in this field.
To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network indication (for example, 10.0.0.0/8).
Source portinteger [0..65535] | range of integers [0..65534] – [1..65535]; default: nonePort number(s) used by the connecting host.
The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching.
External IP addressip | ip/netmask; default: anyIP address or network segment to which hosts will be connecting.
The rule will apply only to hosts that connect to IP addresses specified in this field.
To specify a subnet instead of one IP, add a forward slash followed by the netmask length after the network indication (for example, 10.0.0.0/8).
External portinteger [0..65535] | range of integers [0..65534] – [1..65535]; default: nonePort number(s) to which hosts will be connecting.
The rule will apply only to hosts that connect to the port number(s) specified in this field. Leave empty to make the rule skip external port matching.
Internal zonefirewall zone name; default: lanThe zone to which the incoming connection will be redirected.
Internal IP addressip; default: noneThe IP address to which the incoming connection will be redirected.
Internal portinteger [0..65535] | range of integers [0..65534] – [1..65535]; default: noneThe port number to which the incoming connection will be redirected.
Enable NAT loopbackoff | on ; default: onNAT loopback a.k.a. NAT reflection a.k.a. NAT hairpinning is a method of accessing an internal server using a public IP. NAT loopback enables your local network (i.e., behind your NAT device) to connect to a forward-facing IP address of a machine that it also on your local network.
Extra argumentsstring; default: noneAdds extra iptables options to the rule.

Traffic rules #

The Traffic rules tab is used to set firewall rules that filter traffic moving through the device. The figure below is an example of the Traffic rules table:

Networking rutx manual firewall traffic rules v1.png

Traffic rules configuration #

In order to begin editing a traffic rule, click the button that looks like a pencil  next to it:

Networking rutx manual firewall traffic rules edit v1.png

You will be redirected to that rule’s configuration page:

Networking rutx09 rutx11 manual firewall traffic rules configuration v1.png
FieldValueDescription
Enableoff | on; Default onTurns the rule on or off.
Namestring; Default noneName of the rule. This is used for easier management purposes.
Restrict to address familyIPv4 and IPv6 | IPv4 only | IPv6 only; Default: IPv4 and IPv6IP address family to which the rule will apply to.
ProtocolTCP+UDP | TCP | UDP | ICMP | — custom –; Default: TCP+UDPSpecifies to which protocols the rule should apply.
Source zonefirewall zone name; default: wanThe zone to which the third party will be connecting.
Source MAC addressmac; default: noneMAC address(es) of connecting hosts.
The rule will apply only to hosts that match MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.
Source addressip | ip/netmask; default: anyIP address or network segment used by connecting hosts.
The rule will apply only to hosts that connect from IP addresses specified in this field.
To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network indication (for example, 10.0.0.0/8).
Source portinteger [0..65535] | range of integers [0..65534] – [1..65535]; default: nonePort number(s) used by the connecting host.
The rule will match the source port used by the connecting host with the port number(s) specified in this field. Leave empty to make the rule skip source port matching.
Destination zonefirewall zone; Default: Device (input)Target zone of the incoming connection.
Destination addressip | ip/netmask; Default: anyTagert IP address or network segment of the incoming connection.
Destination portinteger [0..65535] | range of integers [0..65534] – [1..65535]; Default: noneTagert port or range of ports of the incoming connection.
ActionDROP | ACCEPT | REJECT; Default: ACCEPTAction that is to be taken when a packet meets the MATCH conditions.ACCEPT – packet gets to continue to the next chain.DROP – packet is stopped and deleted.REJECT – packet is stopped, deleted and, differently from Drop, an ICMP packet containing a message of rejection is sent to the source from which the dropped packet came.
Extra argumentsstring; Default: noneAdds extra .iptables options to the rule.
Week daysdays of the week [Sunday..Saturday]; Default: noneSpecifies on which days of the week the rule is valid.
Month daysdays of the month [1..31]; Default: noneSpecifies on which days of the month the rule is valid.
Start Time (hh:mm:ss)time [0..23:0..59:0..59]; Default: noneIndicates the beginning of the time period during which the rule is valid.
Stop Time (hh:mm:ss)time [0..23:0..59:0..59]; Default: noneIndicates the end of the time period during which the rule is valid.
Start Date (yyyy-mm-dd)date [0000..9999:1..12:1..31]; Default: noneIndicates the first day of the date of the period during which the rule is valid.
Stop Date (yyyy-mm-dd)date [0000..9999:1..12:1..31]; Default: noneIndicates the last day of the date of the period during which the rule is valid.
Time in UTCyes | no; Default: noSpecifies whether the device should use UTC time. If this is disabled, the time zone specified in the [[RUTX11 NTP|NTP]] section will be used.

Open ports on device #

The Open ports on device section provides a quick way to set simple rules that allow traffic on specified ports of the device. The figure below is an example of the Open ports on device section and the table below provides information on the fields contained in that section:

[[File:{{{file_open_ports_on_device}}}]]

FieldValueDescription
Namestring; Default: noneThe name of the rule. This is used for easier management purposes.
The name field is filled automatically when port numbers are specified, unless the name was specified beforehand by the user.
ProtocolTCP+UDP | TCP | UDP | Other; Default: TCP+UDPSpecifies to which protocols the rule should apply.
External portinteger [0..65535] | range of integers [0..65534] – [1..65535]; Default: noneSpecifies which port(s) should be opened.

New forward rule #

The New forward rule section is used to create firewall rules that control traffic on the FORWARD chain. The figure below is an example of the New forward rule section and the table below provides information on the fields contained in that section:

Networking rutx manual firewall traffic rules new forward rule v1.png
FieldValueDescription
Namestring; Default: noneThe name of the rule. This is used for easier management purposes.
Source zonefirewall zone; Default: WANThe zone from which traffic has originated.
Destination zonefirewall zone; Default: LANThe zone to which traffic will be forwarded to.
Add– (interactive button)Creates the rule and redirects you to the rule’s configuration page

Source NAT #

Source NAT is a specific form of masquerading which allows fine grained control over the source IP used for outgoing traffic. For example, to map multiple WAN addresses to internal subnets.

New source NAT #

The New Source NAT section is used to add custom source NAT rules. The figure below is an example of the New source NAT section and the table below provides information on the fields contained in that section:

Networking rutx manual firewall traffic rules source nat new source nat v1.png
FieldValueDescription
Namestring; Default: noneThe name of the rule. This is used for easier management purposes.
Source zonefirewall zone; Default: LANThe zone from which traffic has originated.
Destination zonefirewall zone; Default: WANThe zone to which traffic will be forwarded to.
To source IPip | do not rewrite; Default: Do not rewriteChanges the source IP in the packet header to the value specified in this field.
To source portinteger [0..65335] | do not rewrite; Default: Do not rewriteChanges the source port in the packet header to the value specified in this field.
Add– (interactive button)Creates the rule and redirects you to the rule’s configuration page.

Custom rules #

The Custom rules tab provides you with the possibility to execute iptables commands which are not otherwise covered by the device’s firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.

The figure below is an example of the Custom rules tab:

Networking rutx manual firewall custom rules v1.png

The rules added here are saved in the /etc/firewall.user file. Feel free to edit that file instead for the same effect in case you don’t have access to the device’s WebUI.

The Save button restarts the firewall service. Thus, adding the custom rules specified in this section to the device’s list of firewall rules.

The Reset button resets the custom rules field to its default state.

NAT helpers #

The NAT Helpers section provides you with the possibility to add firewall exceptions for some VoIP protocols, namely SIP and H.323. In other words, these functions provide a pass-through for VoIP communications between the device’s LAN and WAN.

Technical explanation:

FTP, SIP and H.323 protocols are harder to filter by firewalls since they violate layering by introducing OSI layer 3/4 parameters in the OSI layer 7. NAT helpers are modules that are able to assist the firewall in tracking these protocols. These helpers create the so-called expectations that can be used to open necessary ports for RELATED connections. For example, FTP, GRE and PPTP helpers are enabled by default.

Networking rutx manual firewall nat helpers v1.png
FieldValueDescription
H323off | on; Default: offTurns H323 filtering on or off.
SIPoff | on; Default: offTurns SIP filtering on or off.

Attack Prevention #

SYN Flood Protection #

SYN Flood Protection allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.

Networking rutos manual firewall attack prevention syn.PNG
Field NameValueDescription
Enable SYN flood protectionyes | no; Default: yesToggles the rule ON or OFF
SYN flood rateinteger; Default: 5Set rate limit (packets per second) for SYN packets above which the traffic is considered flooded
SYN flood burstinteger; Default: 10Set burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate
TCP SYN cookiesyes | no; Default: noEnable the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)

Remote ICMP Requests #

Some attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.

Networking rutos manual firewall attack prevention icmp.PNG
Field NameValueDescription
Enable ICMP requestsyes | no; Default: yesToggles the rule ON or OFF
Enable ICMP limityes | no; Default: noToggles ICMP echo-request limit in selected period ON or OFF
Limit periodSecond | Minute | Hour | Day; Default: SecondSelect ICMP echo-request period limit
Limitinteger; Default: 5Maximum ICMP echo-request number during the period
Limit burstinteger; Default: 10Indicate the maximum burst before the above limit kicks in

SSH Attack Prevention #

Prevent SSH (allows a user to run commands on a machine’s command prompt without them being physically present near the machine) attacks by limiting connections in a defined period.

Networking rutos manual firewall attack prevention ssh.PNG
Field NameValueDescription
Enable SSH limityes | no; Default: noToggles the rule ON or OFF
Limit periodSecond | Minute | Hour | Day; Default: SecondThe period in which SSH connections are to be limited
Limitinteger; Default: 5Maximum SSH connections during the set period
Limit burstinteger; Default: 10Indicate the maximum burst before the above limit kicks in

HTTP Attack Prevention #

An HTTP attack sends a complete, legitimate HTTP header, which includes a ‘Content-Length’ field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g. 1 byte/100 seconds.) Due to the entire message being correct and complete, the target server will attempt to obey the ‘Content-Length’ field in the header, and wait for the entire body of the message to be transmitted, hence slowing it down.

Networking rutos manual firewall attack prevention http.PNG
Field NameValueDescription
Enable HTTP limityes | no; Default: noToggles the rule ON or OFF
Limit periodSecond | Minute | Hour | Day; Default: SecondThe period in which HTTP connections are to be limited
Limitinteger; Default: 5Maximum HTTP connections during the set period
Limit burstinteger; Default: 10Indicate the maximum burst before the above limit kicks in

HTTPS Attack Prevention #

This section allows you to enable protection against HTTPS attacks, also known as man-in-the-middle attacks (MITM).

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Networking rutos manual firewall attack prevention hhtps.PNG
Field NameValueDescription
Enable HTTPS limityes | no; Default: noToggles the rule ON or OFF
Limit periodSecond | Minute | Hour | Day; Default: SecondThe period in which HTTPS connections are to be limited
Limitinteger; Default: 5Maximum HTTPS connections during the set period
Limit burstinteger; Default: 10Indicate the maximum burst before the above limit kicks in

Port Scan Prevention #

Port scan attacks scan which of the targeted host’s ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely. Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software. The Defending Type section provides the possibility for the user to enable protections from certain types of online attacks. These include SYN-FINSYN-RSTX-MasFIN scan and NULLflags attacks.

Networking rutos manual firewall attack prevention port scan def.PNG
Field NameValueDescription
Enableyes | no; Default: noToggles the function ON or OFF
Scan countinteger [5..65534]; Default: 5How many port scans before blocked
Intervalinteger [10..60]; Default: 10Time interval in seconds in which port scans are counted
SYN-FIN attackyes | no; Default: noToggles protection from SYN-FIN attacks ON or OFF
SYN-RST attackyes | no; Default: noToggles protection from SYN-RST attacks ON or OFF
X-Mas attackyes | no; Default: noToggles protection from X-Mas attacks ON or OFF
FIN scanyes | no; Default: noToggles protection from FIN scan attacks ON or OFF
NULLflags attackyes | no; Default: noToggles protection from NULLflags attacks ON or OFF

Submit a Comment

Your email address will not be published. Required fields are marked *