Changes


VMG1312-B10A: Firewall

1,329 bytes added, 10:45, 2 August 2019
m
Explain about firewall rules not being invoked correctly
 
Having added a rule via the Web interface, it is worth checking with ''iptables'' or ''ip6tables'' that it has been successful - rules don't always get set correctly and/or may not survive a power cycle.
For example, when I added a firewall rule on the Web interface to allow IPv4 UDP traffic from anywhere to port 1194 on my Raspberry Pi (inbound OpenVPN traffic) with a name of ''OpenVPN'', it added an iptables rule:
 
 Chain OpenVPN (0 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
 
but failed to add a rule in the ACL_FORWARD table to actually invoke that new chain. I had to add it manually:
 
 Chain ACL_FORWARD (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 VoIP4A     udp  --  *      *       81.187.30.110/31     0.0.0.0/0            udp
  3010 1045K VoIP4B     udp  --  *      *       81.187.30.112/29     0.0.0.0/0            udp
     0     0 VoIP4C     udp  --  *      *       90.155.3.0/24        0.0.0.0/0            udp
     0     0 VoIP4D     udp  --  *      *       90.155.103.0/24      0.0.0.0/0            udp
     0     0 OpenVPN    udp  --  *      *       0.0.0.0/0            81.187.xx.xx         udp
 
The 4 VoIP rules have always needed to be added manually after a power cycle; I guess the OpenVPN rule will have to be too.
 
IPv6 rules seem to be added properly and survive power cycles.
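
The check described above can be scripted. The following is an added example, not part of the original wiki page: it reads ''iptables -L -n -v'' output on standard input, lists chains whose header says <code>(0 references)</code>, and tests whether a parent chain such as ACL_FORWARD really jumps to a given chain. The function names and both sample listings are constructed for illustration, and it assumes ''awk'' is available where the listing is examined.

```shell
#!/bin/sh
# Added example: audit `iptables -L -n -v` output for chains nothing jumps to.

# Print every user-defined chain whose header reads "(0 references)".
unreferenced_chains() {
    awk '$1 == "Chain" && $3 == "(0" && $4 == "references)" { print $2 }'
}

# chain_invoked_from PARENT TARGET: succeed if chain PARENT holds a rule
# whose target column is TARGET.
chain_invoked_from() {
    awk -v parent="$1" -v target="$2" '
        $1 == "Chain" { in_parent = ($2 == parent); next }
        in_parent && $1 ~ /^[0-9]+[KMGT]?$/ && $3 == target { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed, trimmed listing: state right after the Web interface adds the rule.
sample_broken() {
    cat <<'EOF'
Chain ACL_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3010 1045K VoIP4B     udp  --  *      *       198.51.100.0/29      0.0.0.0/0            udp

Chain OpenVPN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
EOF
}

# Constructed, trimmed listing: the same state once the jump rule exists.
sample_fixed() {
    cat <<'EOF'
Chain ACL_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3010 1045K VoIP4B     udp  --  *      *       198.51.100.0/29      0.0.0.0/0            udp
    0     0 OpenVPN    udp  --  *      *       0.0.0.0/0            192.0.2.10           udp

Chain OpenVPN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
EOF
}

# Demo on the constructed data; on a live system pipe in `iptables -L -n -v`.
sample_broken | unreferenced_chains    # prints: OpenVPN
sample_fixed | chain_invoked_from ACL_FORWARD OpenVPN && echo "OpenVPN is invoked"
```

Running the same two checks after every power cycle shows at once which manually added jump rules have been lost.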
 
[[Category:ZyXEL VMG1312-B10A|Firewall]]