VMG1312-B10A: Firewall: Difference between revisions

From AAISP Support Site
m (→top: clean up, typos fixed: etc → etc.)
m (Explain about firewall rules not being invoked correctly)
(3 intermediate revisions by 2 users not shown)

Latest revision as of 10:45, 2 August 2019

By default the firewall is enabled for both IPv4 and IPv6. It can be disabled via the AAISP control pages, and rules can be added as required.

The firewall is configured via the router's Web interface:

Security -> Firewall -> Access Control

You don't need to create any special 'protocol' lists; you can simply enter the target IP/port etc. into the rule.

From the CLI the iptables command is available, which will be familiar to Linux users. If logged in as supervisor, the sh command gives a root shell prompt, from which the ip6tables command is also available.

Having added a rule via the Web interface, it is worth checking with iptables or ip6tables that it has taken effect: rules don't always get set correctly and/or may not survive a power cycle. For example, adding a firewall rule on the Web interface to allow IPv4 UDP traffic from anywhere to port 1194 on my Raspberry Pi (inbound OpenVPN traffic), with the name OpenVPN, added this iptables chain:

Chain OpenVPN (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194

but failed to add a rule in the ACL_FORWARD chain to actually invoke that new chain (hence the "0 references" on the chain above). I had to add it manually:

Chain ACL_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 VoIP4A     udp  --  *      *       81.187.30.110/31     0.0.0.0/0           udp 
 3010 1045K VoIP4B     udp  --  *      *       81.187.30.112/29     0.0.0.0/0           udp 
    0     0 VoIP4C     udp  --  *      *       90.155.3.0/24        0.0.0.0/0           udp 
    0     0 VoIP4D     udp  --  *      *       90.155.103.0/24      0.0.0.0/0           udp 
    0     0 OpenVPN    udp  --  *      *       0.0.0.0/0            81.187.xx.xx        udp

The 4 VoIP rules have always needed to be added manually after a power cycle; I guess the OpenVPN rule will have to be too.
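
One way to automate the check described above, as an added example that is not code from the AAISP page or the ZyXEL firmware: it parses the chain listings for the "0 references" symptom and prints the ACL_FORWARD jump the Web interface failed to add. The sample listings are constructed from the output shown on this page, and the function names (reference_count, chain_referenced, jump_rule, check_chain) are my own.

```shell
#!/bin/sh
# Added example, not from the AAISP wiki page: detect the failure mode described
# above (a chain created by the Web interface that nothing jumps to) and print
# the iptables command that hooks it into ACL_FORWARD. Run it from the root
# shell ('sh' as supervisor); the sample listings below are constructed.

# Constructed sample of `iptables -L OpenVPN -n -v` right after the Web rule was added.
SAMPLE_OPENVPN='Chain OpenVPN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194'

# Constructed sample of `iptables -L ACL_FORWARD -n -v` before the manual fix.
SAMPLE_ACL_FORWARD='Chain ACL_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VoIP4A     udp  --  *      *       81.187.30.110/31     0.0.0.0/0           udp
 3010 1045K VoIP4B     udp  --  *      *       81.187.30.112/29     0.0.0.0/0           udp'

# reference_count LISTING: the N from the "(N references)" chain header;
# 0 means no other chain jumps here, so the rule inside can never match.
reference_count() {
    printf '%s\n' "$1" | sed -n 's/^Chain [^ ]* (\([0-9]*\) references)$/\1/p'
}

# chain_referenced LISTING CHAIN: succeeds if CHAIN is a jump target in LISTING.
# With -v the target is the third column; the first two lines are headers.
chain_referenced() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        NR > 2 && $3 == chain { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# jump_rule CHAIN PROTO DEST: the ACL_FORWARD rule the Web interface forgot,
# matching the shape of the one added by hand on the page (proto + destination).
jump_rule() {
    printf 'iptables -A ACL_FORWARD -p %s -d %s -j %s\n' "$2" "$3" "$1"
}

# check_chain CHAIN PROTO DEST: live check against the running firewall.
check_chain() {
    listing=$(iptables -L ACL_FORWARD -n -v 2>/dev/null) || { echo "iptables not available"; return 2; }
    if chain_referenced "$listing" "$1"; then
        echo "$1 is invoked from ACL_FORWARD"
    else
        echo "$1 is NOT invoked from ACL_FORWARD; hook it in with:"
        jump_rule "$1" "$2" "$3"
    fi
}
```

Running check_chain OpenVPN udp <pi-address> after each power cycle tells you whether the jump needs re-adding, which is the same manual step the page describes for the VoIP rules.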

IPv6 rules seem to be added properly and survive power cycles.