Quick links:
Product Overview
Installation
Settings and Administration
ADSL
SIP Support
Telephone ports
Network
Firewall
Wireless
VPN
Misc
Licenses
Troubleshooting
Differences
This shows you the differences between two versions of the page.
|
firewall:example_1 [2010/11/04 12:15] tibor |
firewall:example_1 [2010/11/04 12:46] (current) tibor |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | [[tutorial|Firewall rule tutorial]] example 1: | ||
| + | |||
| ====== Modifying a standard rule ====== | ====== Modifying a standard rule ====== | ||
| - | **A good understanding of how firewall rules work can be achieved by marking checkboxes on the Security Profile pages, and examining what new rules they add to the firewall rules:** | + | ^ :!: This description is addressed to advanced users only. ^ |
| + | | Incorrect editing of the firewall rules may cause security risks! | | ||
| + | |||
| + | **A good understanding of how firewall rules work can be achieved by marking checkboxes on the [[web GUI:Security Profile]] pages, and examining what new rules they add to the [[web GUI:firewall rules page|firewall rules]].** | ||
| Say you have a telnet server (192.168.0.10) that you want **only one** remote PC (11.50.17.69) on the Internet be able to access. Using the Security Profile page you can enable access of the Telnet server, but that allows all Internet PCs to access your server! Using the Security Profile page you cannot control firewall behaviour more precisely – but by editing the rules manually you can! | Say you have a telnet server (192.168.0.10) that you want **only one** remote PC (11.50.17.69) on the Internet be able to access. Using the Security Profile page you can enable access of the Telnet server, but that allows all Internet PCs to access your server! Using the Security Profile page you cannot control firewall behaviour more precisely – but by editing the rules manually you can! | ||
| - On the [[web GUI:security profile|Security Profile: High]] page, under "Allowed applications" mark the Telnet server checkbox, and enter 192.168.0.10 into the IP Address field. Click Apply. | - On the [[web GUI:security profile|Security Profile: High]] page, under "Allowed applications" mark the Telnet server checkbox, and enter 192.168.0.10 into the IP Address field. Click Apply. | ||
| - | - Now if you open the [[web GUI:firewall rules page]] and take a look at the **Incoming user** rules of your WAN interface (the interface that is "used as: outside", you will see that an extra rule has been added: | + | - Now if you open the [[web GUI:firewall rules page]] and take a look at the **Incoming user** rules of your WAN interface (the interface that is "used as: outside"), you will see that an extra rule has been added: |
| | ...\\ (dport == sip'5060') && (proto == udp) //accept//\\ proto == udp && dport == dhcpc'68' //accept//\\ **(dport == telnet'23') && proto == tcp //modify// static daddr 192.168.0.10** | | | ...\\ (dport == sip'5060') && (proto == udp) //accept//\\ proto == udp && dport == dhcpc'68' //accept//\\ **(dport == telnet'23') && proto == tcp //modify// static daddr 192.168.0.10** | | ||
| Line 16: | Line 21: | ||
| Now it is fairly simple to modify that rule by adding one more restriction. We would like a rule like this: | Now it is fairly simple to modify that rule by adding one more restriction. We would like a rule like this: | ||
| - | **(saddr == 11.50.17.69) &&** (dport == 23) && proto == tcp modify static daddr 192.168.0.10 | + | **(saddr == 11.50.17.69) &&** (dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10 |
| The modified rule would mean: “if the incoming packet **is coming from 11.50.17.69 and** tries to access port 23, and is a TCP protocol packet, then forward it to PC 192.168.0.10". | The modified rule would mean: “if the incoming packet **is coming from 11.50.17.69 and** tries to access port 23, and is a TCP protocol packet, then forward it to PC 192.168.0.10". | ||
| Line 29: | Line 34: | ||
| - click Apply | - click Apply | ||
| - | | LINE | Incoming user | post | (saddr == 11.50.17.69) && (dport == 23) && proto == tcp modify static daddr 192.168.0.10 | | + | | LINE | Incoming user | post | (saddr == 11.50.17.69) && (dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10 | |
| If you open the [[web GUI:firewall rules page]] again you can see that your manually entered rule has now been inserted into the firewall rules used, at the same position as the automatically generated rule was. | If you open the [[web GUI:firewall rules page]] again you can see that your manually entered rule has now been inserted into the firewall rules used, at the same position as the automatically generated rule was. | ||
