Firewall rules can be used to block or allow traffic through an interface based on port number, the source and/or destination IP address (or address range), the direction (ingress or egress) and the protocol. This can be used to allow access to custom on-box services, or to block traffic based on policy.
To set up a firewall rule:
- Navigate to the System: Firewall page, and click on the Firewall Rules tab
Note: Prior to firmware V3.4 this tab was labeled Port Rules, and fewer firewall rules could be configured.
- Click New Firewall Rule
- Fill in the following fields:
  - Name: Name the rule. The name should describe the policy the firewall rule implements (e.g. block ftp, Allow Tony)
  - Interface: Select the interface that the firewall rule will be applied to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc.)
  - Port Range: Specify the port or range of ports (e.g. 1000 – 1500) that the rule will apply to. This may be left blank for Any
  - Source MAC address: Specify the source MAC address to be matched. This may be left blank for Any. MAC addresses use the format XX:XX:XX:XX:XX:XX, where XX are hex digits
  - Source Address Range: Specify the source IP address (or address range) to match. IP address ranges use the format ip/netmask, where netmask is a prefix length of 1-32 bits. This may be left blank for Any
  - Destination Range: Specify the destination IP address (or address range) to match. IP address ranges use the format ip/netmask, where netmask is a prefix length of 1-32 bits. This may be left blank for Any
  - Protocol: Select whether the firewall rule applies to TCP, UDP, “TCP and UDP”, ICMP, ESP, GRE or Any
  - Direction: Select the traffic direction that the firewall rule applies to (Ingress = incoming, Egress = outgoing)
  - Action: Select the action (Accept or Block) to apply to packets that match the Interface, Port Range, Source/Destination Address Range, Protocol and Direction specified above
For example, to block all SSH traffic from leaving the Dialout interface, the following settings can be used:
Interface: Dialout/Cellular
Port Range: 22
Protocol: TCP
Direction: Egress
Action: Block
The firewall rules are processed in a set order, from top to bottom, so rule placement is important. For example, with the following rules, all traffic coming in over the Network Interface is blocked except when it comes from two nominated IP addresses (SysAdmin and Tony):
Rule 1 allows all incoming traffic on all interfaces from the SysAdmin, Rule 2 allows all incoming traffic from Tony, and Rule 3 blocks all incoming traffic from the Network Interface:

Field          | Rule 1 (allow SysAdmin) | Rule 2 (allow Tony) | Rule 3 (block Network Interface)
Interface      | Any                     | Any                 | Network Interface
Port Range     | Any                     | Any                 | Any
Source MAC     | Any                     | Any                 | Any
Source IP      | IP address of SysAdmin  | IP address of Tony  | Any
Destination IP | Any                     | Any                 | Any
Protocol       | TCP                     | TCP                 | TCP
Direction      | Ingress                 | Ingress             | Ingress
Action         | Accept                  | Accept              | Block
However, if the rule order above were changed so that the “Block Everyone Else” rule was second in the list, then traffic coming in over the Network Interface from Tony would be blocked, because the block rule would match before the Allow Tony rule is ever reached.
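The following added example (not part of the original article or the device firmware) models the first-match evaluation described above, using the field semantics from the rule form and the three-rule table. The IP addresses, the choice of destination port for "Port Range", and the Accept default when no rule matches are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # a field left blank in the form means "Any"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "Accept" or "Block"
    interface: Optional[str] = ANY
    ports: Optional[range] = ANY    # range(1000, 1501) stands for "1000 - 1500"
    src: Optional[str] = ANY        # "ip/netmask" (netmask in bits) or a single IP
    dst: Optional[str] = ANY
    protocol: Optional[str] = ANY   # TCP, UDP, ICMP, ESP, GRE
    direction: Optional[str] = ANY  # Ingress or Egress

    def matches(self, pkt: dict) -> bool:
        """Every populated field must match; blank (ANY) fields match anything."""
        if self.interface not in (ANY, pkt["interface"]):
            return False
        if self.ports is not ANY and pkt["dport"] not in self.ports:  # assumed: destination port
            return False
        for field, want in (("src", self.src), ("dst", self.dst)):
            if want is not ANY and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(want, strict=False):
                return False
        return self.protocol in (ANY, pkt["protocol"]) and self.direction in (ANY, pkt["direction"])

def decide(rules, pkt, default="Accept"):
    """Rules are evaluated top to bottom; the first match decides (the default is an assumption)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "no rule matched"

def packet(src, interface="Network Interface", dport=22, protocol="TCP", direction="Ingress"):
    """Constructed packet summary; 192.0.2.0/24 is the documentation range, not a real site."""
    return dict(src=src, dst="192.0.2.1", interface=interface, dport=dport,
                protocol=protocol, direction=direction)

SYSADMIN, TONY = "192.0.2.10", "192.0.2.20"  # constructed stand-ins for the two nominated hosts
ALLOW_SYSADMIN = Rule("Allow SysAdmin", "Accept", src=SYSADMIN, protocol="TCP", direction="Ingress")
ALLOW_TONY = Rule("Allow Tony", "Accept", src=TONY, protocol="TCP", direction="Ingress")
BLOCK_REST = Rule("Block Everyone Else", "Block", interface="Network Interface",
                  protocol="TCP", direction="Ingress")
BLOCK_SSH_OUT = Rule("block ssh", "Block", interface="Dialout/Cellular", ports=range(22, 23),
                     protocol="TCP", direction="Egress")
CORRECT_ORDER = [ALLOW_SYSADMIN, ALLOW_TONY, BLOCK_REST]
WRONG_ORDER = [ALLOW_SYSADMIN, BLOCK_REST, ALLOW_TONY]  # block rule moved to second place
```

Running `decide(WRONG_ORDER, packet(TONY))` returns Block from the “Block Everyone Else” rule, while `decide(CORRECT_ORDER, packet(TONY))` returns Accept from Allow Tony, reproducing the ordering problem described above.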