Szablon: Web networkfirewall
The Firewall page of {{{model}}} router is used to creates zones over your network interfaces to control network traffic flow.
General Settings
| Name | Value | Description |
|---|---|---|
| Enable SYN-flood protection | On/Off, default: On | |
| Drop invalid packets | On/Off, default: Off | |
| Input | reject, drop or accept, default: accept | |
| Output | reject, drop or accept, default: accept | |
| Forward | reject, drop or accept, default: accept |
Routing/NAT Offloading
It is an experimental feature. Not fully compatible with QoS/SQM.
| Name | Value | Description |
|---|---|---|
| Software flow offloading | On/Off, default: Off | Software based offloading for routing/NAT |
| Hardware flow offloading | On/Off, default: Off | Requires hardware NAT support. Implemented at least for mt7621 |
Zones
| Name | Description |
|---|---|
| Zone ⇒ Forwardings | |
| Input | |
| Output | |
| Forward | |
| Masquerading |
Use Edit button to edit the zone or Delete to remove it.
General Settings
This section defines common properties of "lan". The input and output options set the default policies for traffic entering and leaving this zone while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specifies which available networks are members of this zone.
| Name | Value | Description |
|---|---|---|
| Name | string | |
| Input | reject, drop or accept, default: accept | |
| Output | reject, drop or accept, default: accept | |
| Forward | reject, drop or accept, default: accept | |
| Masquerading | On/Off, default: Off | |
| MSS clamping | On/Off, default: Off | |
| Covered networks | dhcp, gsm or lan |
The options below control the forwarding policies between this zone (lan) and other zones. Destination zones cover forwarded traffic originating from lan. Source zones match forwarded traffic from other zones targeted at lan. The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.
| Name | Value | Description |
|---|---|---|
| Allow forward to destination zones: | ||
| Allow forward from source zones: |
Advanced Settings
The options below control the forwarding policies between this zone (lan) and other zones. Destination zones cover forwarded traffic originating from lan. Source zones match forwarded traffic from other zones targeted at lan. The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.
| Name | Value | Description |
|---|---|---|
| Covered devices | Use this option to classify zone traffic by raw, non-uci managed network devices. | |
| Covered subnets | Use this option to classify zone traffic by source or destination subnet instead of networks or devices. | |
| Restrict to address family | IPv4 and IPv6, IPv4 only or IPv6 only, default: IPv4 and IPv6 | |
| Restrict Masquerading to given source subnets | ||
| Restrict Masquerading to given destination subnets | ||
| Enable logging on this zone | On/Off, default: Off | |
| Limit log messages |
Conntrack Settings
| Name | Value | Description |
|---|---|---|
| Allow "invalid" traffic | On/Off, default: Off | Do not install extra rules to reject forwarded traffic with conntrack state invalid. This may be required for complex asymmetric route setups. |
| On/Off, default: On | Automatically assign conntrack helpers based on traffic protocol and port | |
| Conntrack helpers | Explicitly choses allowed connection tracking helpers for zone traffic |
Extra iptables arguments
Passing raw iptables arguments to source and destination traffic classification rules allows to match packets based on other criteria than interfaces or subnets. These options should be used with extreme care as invalid values could render the firewall ruleset broken, completely exposing all services.
| Name | Value | Description |
|---|---|---|
| Extra source arguments | Additional raw iptables arguments to classify zone source traffic, e.g. -p tcp --sport 443 to only match inbound HTTPS traffic. | |
| Extra destination arguments | Additional raw iptables arguments to classify zone destination traffic, e.g. -p tcp --dport 443 to only match outbound HTTPS traffic. |
Port Forwards
Port forwarding allows remote computers on the Internet to connect to a specific computer or service within the private LAN.
| Name | Description |
|---|---|
| Name | |
| Match | |
| Action | |
| Enable | Set to enable the port forwards. |
Use Edit or Delete buttons to manage the port forwarding.
General Settings
| Name | Value | Description |
|---|---|---|
| Name | string | |
| Protocol | Any, TCP, UDP, ICMP or/and custom | |
| Source zone | ||
| External port | Match incoming traffic directed at the given destination port or port range on this host | |
| Destination zone | ||
| Internal IP address | Redirect matched incoming traffic to the specified internal host | |
| Internal port | Redirect matched incoming traffic to the given port on the internal host |
Advanced Settings
| Name | Value | Description |
|---|---|---|
| Source MAC address | Only match incoming traffic from these MACs. | |
| Source IP address | Only match incoming traffic from this IP or range. | |
| Source port | number from 0 to 65535 | Only match incoming traffic originating from the given source port or port range on the client host |
| External IP address | Only match incoming traffic directed at the given IP address. | |
| Enable NAT Loopback | On/Off, default: Off | |
| Loopback source IP | Use internal IP address or Use external IP address, default: Use internal IP address | Specifies whether to use the external or the internal IP address for reflected traffic. |
| Match helper | Match traffic using the specified connection tracking helper. | |
| Match mark | string | Matches a specific firewall mark or a range of different marks. |
| Limit matching | Limits traffic matching to the specified rate. | |
| Extra arguments | Passes additional arguments to iptables. Use with care! |
Traffic Rules
NAT Rules
Custom Rules
[[Category:{{{model}}} User Manual]]