Firewall Guide
Introduction
When connecting a network to the Internet or any other non-trusted network, a router with Firewall functionality can be used to protect your local network and devices against undesired access. This is done by applying rules at different points (hooks) along the path the packets follow. These hooks are prerouting, input, forward and postrouting, and are shown in Figure 2. Figure 1 shows an example of a basic network using a Firewall to protect its local devices.
                         .--.-.
                        ( (  )__
                       (_,  \ ) ,_)  Internet/Intranet
                        '-'--`--'
                           | WAN (vlan4)                 ^
                       .---+----.                        |
                       |        |                     Public
                 +-----+ GW/FW  +-----+               ------
                 |  .99|        |.99  |               Private
  LAN (vlan1)    |     '----+---'     |   LAN (vlan2)    |
192.168.1.0/24   |          |.99      |  192.168.2.0/24  V
        ----+----+          |         +----+----
            |.1             |              |.1
          .-+--.            |            .-+--.
          | H2 |            |            | H3 |
          '----'            |            '----'
                            |
                        ----+---- WEB (vlan3)
                            |.1   192.168.3.0/24
                          .-+--.
                          | H1 |
                          '----'
Figure 1: An example network setup using a Firewall. In this example the Firewall can be set up to allow all private subnets (vlan1, vlan2, vlan3) to communicate with each other and with the Gateway itself, while blocking external traffic from e.g. the Internet.
Tip
A real configuration of the example in Figure 1 can be seen on the Firewall HowTo page.
Overview
The WeOS Firewall includes support for five related types of functionality. Note that for products of software level Extended, all of these are available. For products of software level Standard, input filtering is available.
- Input Filtering: The input filtering support is primarily used to control accessibility to services on the device itself. Input rules are checked after the routing decision (see Figure 2) and apply to packets directed to the local device and to processes running on the device itself. An input filtering rule is configured to either drop or accept a packet.
- Forward Filtering: The forward filtering support is primarily used to control what traffic is allowed to be routed to connected devices. Forwarding rules are checked after the routing decision (see Figure 2) and apply to packets that are not directed to the local device. A forward filtering rule is configured to either drop or accept a packet.
- NAT (Network Address Translation): NAPT (Network Address Port Translation) is the most common form of NAT. It allows a common (public) IP address to be shared by a set of hosts on a private network. NAT rules are checked during postrouting, as seen in Figure 2. This form of NAT is sometimes referred to as IP Masquerading or PAT (Port Address Translation).
- Port Forwarding: Port forwarding allows a service (such as a Web server) located on a private network to be made accessible from another, public network. This is done by mapping a public IP address and public port number to a private IP address and a corresponding private port number. Traffic destined for the public IP and the specified public port is redirected to the private IP and its specified port. Port forwarding rules are checked during prerouting, as shown in Figure 2.
         prerouting ---Port Forwarding---
              |
              v
     .-----------------.
     | Routing decision|
     '---+---------+---'
         |         |
         v         v
       input    forward
         |         |
   <-----'         |
   local device    |
   -----.          |
        |          |
        v          |
.----------------. |
|Routing decision| |
'----------------' |
        |          |
        '----. .---'
              |
              v
         postrouting ---NAT---
Figure 2: Representation of the different hooks where Firewall rules apply.
- ALG Helpers: The WeOS firewall utilises connection tracking; a filter rule allowing traffic to pass through the firewall in one direction will implicitly allow traffic of established connections (and traffic of related connections) to also pass in the reverse direction. Connection tracking can be configured to handle more complex protocols by enabling ALG helpers, a.k.a. Application Level Gateway helpers. Some network protocols are more complex and therefore harder for the connection tracking function in a firewall or NAT device to handle. An example is FTP, which utilises a control connection to exchange information on the TCP port numbers used by the data connections for the actual file transfers. To enable a PC to download files through a firewall from an FTP server on the Internet, the firewall must inspect the FTP control connection to learn which connections to let through. To make the firewall handle such protocols correctly, protocol-specific ALG helpers can be enabled. ALG helpers have some impact on the unit's routing performance and are therefore disabled by default.
Order of Firewall Rules
Configured Firewall rules have an order. Packets are evaluated against the filter rules and the first matching rule in the order will decide how to treat the packet (accept or drop).
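To make the first-match evaluation concrete, here is an added Python model (example code, not WeOS software) of the input and forward hooks using the Figure 1 addressing. The gateway's .99 addresses and the subnet routes are assumed from the figure, the packets are constructed, and the model goes slightly beyond this section by including the routing decision that selects the hook.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed model of the Figure 1 gateway: its own addresses and the routes it
# knows. The page gives no WAN address, so traffic to the gateway on vlan4 is not modelled.
GW_ADDRS = {"192.168.1.99", "192.168.2.99", "192.168.3.99"}
ROUTES = {"192.168.1.0/24": "vlan1", "192.168.2.0/24": "vlan2", "192.168.3.0/24": "vlan3"}

def in_net(addr: str, net: Optional[str]) -> bool:
    """An unset ADDR[/LEN] field matches any address."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

@dataclass
class Rule:
    action: str                    # accept | drop
    in_if: Optional[str] = None    # [in IFACE]
    out_if: Optional[str] = None   # [out IFACE], forward rules only
    saddr: Optional[str] = None    # [saddr ADDR[/LEN]]
    daddr: Optional[str] = None    # [daddr ADDR[/LEN]]
    dport: Optional[int] = None    # [dport PORT]
    proto: Optional[str] = None    # [proto PROTO]
    def matches(self, pkt: dict) -> bool:
        return ((self.in_if is None or pkt["in"] == self.in_if)
                and (self.out_if is None or pkt.get("out") == self.out_if)
                and in_net(pkt["src"], self.saddr) and in_net(pkt["dst"], self.daddr)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.proto is None or pkt["proto"] == self.proto))

def route(dst: str) -> str:
    """Routing decision: a known private subnet, otherwise out the WAN (vlan4)."""
    return next((iface for net, iface in ROUTES.items() if in_net(dst, net)), "vlan4")

def filter_packet(pkt: dict, chains: dict, policy: dict):
    """Hook is input if the packet is addressed to the gateway, else forward. The chain is
    walked in order; the first match decides, otherwise the chain policy applies."""
    hook = "input" if pkt["dst"] in GW_ADDRS else "forward"
    if hook == "forward":
        pkt = dict(pkt, out=route(pkt["dst"]))
    for pos, rule in enumerate(chains[hook], start=1):
        if rule.matches(pkt):
            return hook, pos, rule.action
    return hook, None, policy[hook]

# Figure 1 policy: private VLANs may reach each other and the gateway; everything else is
# dropped. The drop at position 1 only takes effect because it precedes the broader accept.
INPUT = [Rule("drop", in_if="vlan1", saddr="192.168.1.1/32", dport=22, proto="tcp")]
INPUT += [Rule("accept", in_if=f"vlan{i}", saddr=f"192.168.{i}.0/24") for i in (1, 2, 3)]
FORWARD = [Rule("accept", in_if=f"vlan{i}", out_if=f"vlan{j}")
           for i in (1, 2, 3) for j in (1, 2, 3) if i != j]
CHAINS, POLICY = {"input": INPUT, "forward": FORWARD}, {"input": "drop", "forward": "drop"}
```

Reversing the input chain makes the position 1 drop unreachable, which is the lockout-by-ordering mistake the first-match rule makes possible.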
Configuration
The Firewall configuration is a sub-context to the IP configuration context in the CLI:
example:/#> configure
example:/config/#> ip
example:/config/ip/#> firewall
example:/config/ip/firewall#>
By default the firewall is disabled. The command enable can be used to enable the firewall.
NOTE: It’s vitally important to configure the firewall correctly before enabling it. Failing to do so can get you permanently locked out. For example, if you are managing the firewall through ssh, http or https, you will not be able to reach the device if you enable the firewall without first explicitly allowing the management traffic in question.
To prevent lockout you have to specify an input rule for your management interface. The following example enables http on vlan1:
example:/config/ip/firewall#> input accept in vlan1 dport http proto tcp
In Figure 1, this rule would allow devices on the LAN to reach the Gateway's web interface over HTTP. More examples can be seen on the Firewall HowTo page.
NOTE: Offloaded traffic is not subject to firewall processing.
Syntax
[no] input accept|drop [pos POSITION] [in IFACE] [saddr ADDR[/LEN]] [sport PORT|RANGE] [daddr ADDR[/LEN]] [dport PORT|RANGE] [proto PROTO] [bind-counter COUNTER] [counter] [comment COMMENT] [log]
[no] forward accept|drop [pos POSITION] [in IFACE] [out IFACE] [saddr ADDR[/LEN]] [sport PORT|RANGE] [daddr ADDR[/LEN]] [dport PORT|RANGE] [proto PROTO] [bind-counter COUNTER] [counter] [comment COMMENT] [log]
[no] nat [pos POSITION] out IFACE [saddr ADDR[/LEN]] [comment COMMENT] [log]
[no] port-forward [pos POSITION] [in IFACE] [daddr ADDR[/LEN]] dport PORT|RANGE [to-dport PORT] to-daddr ADDR proto PROTO [comment COMMENT] [log]
policy forward|input drop|accept
move input|forward|nat|port-forward id ID pos NEW-ID
counter NAME [reset]
[no] log [limit none | ENTRIES/second|minute|hour|day ]
[no] log input|forward|nat|port-forward NUM
[no] alg ftp|tftp
show
Status overview
In order to see the current rules for the Firewall the following command can be used:
example:/config/ip/firewall/#> show
Firewall is enabled.
Logging is Enabled, limited to 99 entries/hour
____________________________________________________________________
Input Rules
ID   Rule
001  input accept in vlan1 saddr 192.168.1.1/32 daddr 192.168.1.99/32
N/A  drop
____________________________________________________________________
Forward Rules
ID   Rule
001  forward accept in vlan1 out vlan2 daddr 10.0.0.1/32
N/A  drop
____________________________________________________________________
NAT Rules (NAPT/masquerading)
ID   Rule
001  nat out vlan1 saddr 192.168.1.1/32
____________________________________________________________________
Port-Forward Rules
ID   Rule
001  port-forward dport 80-90 to-daddr 192.168.1.1 proto udp
____________________________________________________________________
Application Level Gateway
Alg Helper
FTP      ENABLED
TFTP     ENABLED
Advanced: The command “show ip firewall raw” can be used in admin-exec mode to show the complete Linux nftables (nft) ruleset, which contains the rules added in the WeOS firewall.
Counters
There are two types of counters available. Temporary inline counters and named counters.
Temporary inline counters
Temporary inline counters are mainly intended for temporary debugging; see the section on named counters for counters that persist during runtime. Inline counters are only visible in the raw firewall output and are reset every time the firewall configuration changes.
example:/config/ip/firewall/#> input accept dport 22 proto tcp counter
example:/#> show ip firewall raw
...
tcp dport ssh counter packets 10 bytes 443 accept comment "cli-input-009"
...
Named counters
A named counter can be created and bound to one or more firewall rules. A named counter can be bound to input or forward rules. A named counter is persistent during runtime.
Example of a counter that counts all inbound web interface traffic:
example:/config/ip/firewall/#> counter web
example:/config/ip/firewall/#> input accept dport 80 proto tcp bind-counter web
example:/config/ip/firewall/#> input accept dport 443 proto tcp bind-counter web
example:/#> show ip firewall counter web
Users
001 input accept dport 80 proto tcp bind-counter web
002 input accept dport 443 proto tcp bind-counter web
Value
packets 26 bytes 1560