RBMTX-Viper Network Firewall
The Firewall page of RBMTX-Viper router is used to creates zones over your network interfaces to control network traffic flow.
General Settings
| Name | Value | Description |
|---|---|---|
| Enable SYN-flood protection | On/Off, default: On | |
| Drop invalid packets | On/Off, default: Off | |
| Input | reject, drop or accept, default: accept | |
| Output | reject, drop or accept, default: accept | |
| Forward | reject, drop or accept, default: accept |
Routing/NAT Offloading
It is an experimental feature. Not fully compatible with QoS/SQM.
| Name | Value | Description |
|---|---|---|
| Software flow offloading | On/Off, default: Off | Software based offloading for routing/NAT |
| Hardware flow offloading | On/Off, default: Off | Requires hardware NAT support. Implemented at least for mt7621 |
Zones
| Name | Description |
|---|---|
| Zone ⇒ Forwardings | |
| Input | |
| Output | |
| Forward | |
| Masquerading |
Use Edit button to edit the zone or Delete to remove it.
General Settings
This section defines common properties of "lan". The input and output options set the default policies for traffic entering and leaving this zone while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specifies which available networks are members of this zone.
| Name | Value | Description |
|---|---|---|
| Name | string | |
| Input | reject, drop or accept, default: accept | |
| Output | reject, drop or accept, default: accept | |
| Forward | reject, drop or accept, default: accept | |
| Masquerading | On/Off, default: Off | |
| MSS clamping | On/Off, default: Off | |
| Covered networks | dhcp, gsm or lan |
The options below control the forwarding policies between this zone (lan) and other zones. Destination zones cover forwarded traffic originating from lan. Source zones match forwarded traffic from other zones targeted at lan. The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.
| Name | Value | Description |
|---|---|---|
| Allow forward to destination zones: | ||
| Allow forward from source zones: |
Advanced Settings
The options below control the forwarding policies between this zone (lan) and other zones. Destination zones cover forwarded traffic originating from lan. Source zones match forwarded traffic from other zones targeted at lan. The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.
| Name | Value | Description |
|---|---|---|
| Covered devices | Use this option to classify zone traffic by raw, non-uci managed network devices. | |
| Covered subnets | Use this option to classify zone traffic by source or destination subnet instead of networks or devices. | |
| Restrict to address family | IPv4 and IPv6, IPv4 only or IPv6 only, default: IPv4 and IPv6 | |
| Restrict Masquerading to given source subnets | ||
| Restrict Masquerading to given destination subnets | ||
| Enable logging on this zone | On/Off, default: Off | |
| Limit log messages |
Conntrack Settings
| Name | Value | Description |
|---|---|---|
| Allow "invalid" traffic | On/Off, default: Off | Do not install extra rules to reject forwarded traffic with conntrack state invalid. This may be required for complex asymmetric route setups. |
| On/Off, default: On | Automatically assign conntrack helpers based on traffic protocol and port | |
| Conntrack helpers | Explicitly choses allowed connection tracking helpers for zone traffic |
Extra iptables arguments
Passing raw iptables arguments to source and destination traffic classification rules allows to match packets based on other criteria than interfaces or subnets. These options should be used with extreme care as invalid values could render the firewall ruleset broken, completely exposing all services.
| Name | Value | Description |
|---|---|---|
| Extra source arguments | Additional raw iptables arguments to classify zone source traffic, e.g. -p tcp --sport 443 to only match inbound HTTPS traffic. | |
| Extra destination arguments | Additional raw iptables arguments to classify zone destination traffic, e.g. -p tcp --dport 443 to only match outbound HTTPS traffic. |
Port Forwards
Port forwarding allows remote computers on the Internet to connect to a specific computer or service within the private LAN.
| Name | Description |
|---|---|
| Name | |
| Match | |
| Action | |
| Enable | Set to enable the port forwards. |
Use Edit or Delete buttons to manage the port forwarding.
General Settings
| Name | Value | Description |
|---|---|---|
| Name | string | |
| Protocol | Any, TCP, UDP, ICMP or/and custom | |
| Source zone | ||
| External port | Match incoming traffic directed at the given destination port or port range on this host | |
| Destination zone | ||
| Internal IP address | Redirect matched incoming traffic to the specified internal host | |
| Internal port | Redirect matched incoming traffic to the given port on the internal host |
Advanced Settings
| Name | Value | Description |
|---|---|---|
| Source MAC address | Only match incoming traffic from these MACs. | |
| Source IP address | Only match incoming traffic from this IP or range. | |
| Source port | number from 0 to 65535 | Only match incoming traffic originating from the given source port or port range on the client host |
| External IP address | Only match incoming traffic directed at the given IP address. | |
| Enable NAT Loopback | On/Off, default: Off | |
| Loopback source IP | Use internal IP address or Use external IP address, default: Use internal IP address | Specifies whether to use the external or the internal IP address for reflected traffic. |
| Match helper | Match traffic using the specified connection tracking helper. | |
| Match mark | string | Matches a specific firewall mark or a range of different marks. |
| Limit matching | unlimited, 10/second, 60/minute, 3/hour or 500/day, default: unlimited | Limits traffic matching to the specified rate. |
| Extra arguments | Passes additional arguments to iptables. Use with care! |
Traffic Rules
Traffic rules define policies for packets traveling between different zones, for example to reject traffic between certain hosts or to open WAN ports on the router.
| Name | Description |
|---|---|
| Name | |
| Match | |
| Action | |
| Enable | Set to enable the rule |
Use Edit or Delete buttons to manage the rule
General Settings
| Name | Value | Description |
|---|---|---|
| Name | string | |
| Protocol | Any, TCP, UDP, ICMP, IGMP or/and IPSEC-ESP | |
| Source zone | ||
| Source address | ||
| Source port | number from 0 to 65535 | |
| Destination zone | ||
| Destination address | ||
| Destination port | number from 0 to 65535 | |
| Action | drop, accept, reject, don't track, assign conntrack helper, apply firewall mark, XOR firewall mark or DSCP classification | |
| Tracking helper | Assign the specified connection tracking helper to matched traffic. | |
| Set mark | Set the given mark value on established connections. Format is value[/mask]. If a mask is specified then only those bits set in the mask are modified. | |
| XOR mark | Apply a bitwise XOR of the given value and the existing mark value on established connections. Format is value[/mask]. If a mask is specified then those bits set in the mask are zeroed out. | |
| DSCP mark | Apply the given DSCP class or value to established connections. |
Advanced Settings
| Name | Value | Description |
|---|---|---|
| Match device | unspecified, Inbound device or Outbound device | |
| Restrict to address family | IPv4 and IPv6, IPv4 or IPv6 | |
| Source MAC address | ||
| Match helper | Match traffic using the specified connection tracking helper. | |
| Match mark | Matches a specific firewall mark or a range of different marks. | |
| Match DSCP | Matches traffic carrying the specified DSCP marking. | |
| Limit matching | unlimited, 10/second, 60/minute, 3/hour or 500/day, default: unlimited | Limits traffic matching to the specified rate. |
| Extra arguments | Passes additional arguments to iptables. Use with care! |
Time Restrictions
| Name | Value | Description |
|---|---|---|
| Week Days | ||
| Start Time (hh:mm:ss) | ||
| Stop Time (hh:mm:ss) | ||
| Start Date (yyyy-mm-dd) | ||
| Stop Date (yyyy-mm-dd) | ||
| Time in UTC | On/Off, default: Off |
NAT Rules
NAT rules allow fine grained control over the source IP to use for outbound or forwarded traffic. Use Add button to add new NAT rule.
| Name | Description |
|---|---|
| Name | |
| Match | |
| Action | |
| Enable |
Custom Rules
Custom rules allow you to execute arbitrary iptables commands which are not otherwise covered by the firewall framework. The commands are executed after each firewall restart, right after the default ruleset has been loaded.
