Firewall Guide
Introduction
When connecting a network to the Internet or any other non-trusted network, a router with firewall functionality can be used to protect the local network and its devices against undesired access. This is done by applying rules at different points (hooks) along the path the packets follow. These hooks are prerouting, input, forward and postrouting, and are shown in Figure 2. Figure 1 shows an example of a basic network using a firewall to protect its local devices.
                              .--.-.
                             ( (   )__
                            (_,  \ ) ,_)  Internet/Intranet
                             '-'--`--'
                                 | WAN (vlan4)                    ^
                             .---+----.                           |
                             |        |                         Public
                  +----------+ GW/FW  +----------+              ------
                  |       .99|        |.99       |             Private
   LAN (vlan1)    |          '----+---'          | LAN (vlan2)    |
   192.168.1.0/24 |               |.99           | 192.168.2.0/24 V
         ----+----+               |              +----+----
             |.1                  |                   |.1
           .-+--.                 |                 .-+--.
           | H2 |                 |                 | H3 |
           '----'                 |                 '----'
                                  |
                              ----+---- WEB (vlan3)
                                  |.1   192.168.3.0/24
                                .-+--.
                                | H1 |
                                '----'
Tip
A real configuration of the example in Figure 1 can be seen on the Firewall HowTo page.
Overview
The WeOS Firewall includes support for five related types of functionality. Note that on products of software level Extended all of these are available, while on products of software level Standard input filtering is available.
- Input Filtering: The input filtering support is primarily used to control accessibility to services on the device itself. Input rules are checked after the routing decision (see Figure 2) and apply to packets that are directed to the local device and processes running on the device itself. An input filtering rule is configured to either drop or accept a packet.
- Forward Filtering: The forward filtering support is primarily used to control what traffic is allowed to be routed to connected devices. Forward rules are checked after the routing decision (see Figure 2) and apply to packets that are not directed to the local device. A forward filtering rule is configured to either drop or accept a packet.
- NAT (Network Address Translation): NAPT (Network Address Port Translation) is the most common form of NAT. It allows a common (public) IP address to be shared by a set of hosts on a private network. NAT rules are checked during postrouting, as seen in Figure 2. This form of NAT is sometimes referred to as IP masquerading or PAT (port address translation).
- Port Forwarding: Port forwarding allows a service (such as a web server) located on a private network to be made accessible from another, public network. This is done by mapping a public IP address and public port number to a private IP address and a corresponding private port number. Traffic destined for the public IP and the specified public port will be redirected to the private IP and its specified port. Port forwarding rules are checked during prerouting, as shown in Figure 2.
     prerouting ---Port Forwarding---
         |
         v
     .-----------------.
     | Routing decision|
     '---+---------+---'
         |         |
         v         v
       input    forward
         |         |
    <----'         |
  local device     |
     ----.         |
         |         |
         v         |
.----------------. |
|Routing decision| |
'----------------' |
         |         |
         '---. .---'
              |
              v
         postrouting ---NAT---
- ALG Helpers: The WeOS firewall utilises connection tracking: a filter rule allowing traffic to pass through the firewall in one direction will implicitly allow traffic of established connections (and traffic of related connections) to also pass in the reverse direction. Connection tracking can be configured to handle more complex protocols by enabling ALG helpers (Application Level Gateway helpers). Some network protocols are more complex, and therefore harder for the connection tracking function of a firewall or NAT device to handle, than others. An example is FTP, which uses a control connection to exchange the TCP port numbers of the data connections used for the actual file transfers; to enable a PC to download files through a firewall from an FTP server on the Internet, the firewall must inspect the FTP control connection to learn which connections to let through. To make the firewall handle such protocols correctly, protocol-specific ALG helpers can be enabled. ALG helpers have some impact on the unit's routing performance and are therefore disabled by default.
Order of Firewall Rules
Configured Firewall rules have an order. Packets are evaluated against the filter rules and the first matching rule in the order will decide how to treat the packet (accept or drop).
Configuration
The Firewall configuration is a sub-context to the IP configuration context in the CLI:
example:/#> configure
example:/config/#> ip
example:/config/ip/#> firewall
example:/config/ip/firewall#>
By default the firewall is disabled. The command enable can be used to enable the firewall.
NOTE: It’s vitally important to configure the firewall correctly before enabling it. Failing to do so can get you permanently locked out. For example, if you are managing the firewall through ssh, http or https, you will not be able to reach the device if you enable the firewall without first explicitly allowing the management traffic in question.
To prevent a lockout, specify an input rule that accepts traffic on your management interface before enabling the firewall. The following example allows HTTP on vlan1:
example:/config/ip/firewall#> input accept in vlan1 dport http proto tcp
In Figure 1, this rule would allow devices on the LAN to access the gateway's web interface over HTTP. More examples can be seen on the Firewall HowTo page.
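The first-match evaluation from "Order of Firewall Rules" and the lockout pre-check from the note above, as an added Python model that is not WeOS code or part of this guide: rules are parsed from the guide's own CLI syntax (key/value matches only; flags such as counter and log are not modelled), the first matching rule in a hook decides, and the hook's default policy applies when nothing matches. The service-name map is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed model of WeOS-style filter rules (not WeOS code): rules keep
# their configured order and the first match within a hook decides.
SERVICES = {"http": 80, "https": 443, "ssh": 22}   # assumed name-to-port map

@dataclass
class Rule:
    hook: str                                  # "input" or "forward"
    action: str                                # "accept" or "drop"
    match: dict = field(default_factory=dict)  # in/out/saddr/daddr/sport/dport/proto

def parse_rule(line):
    """Parse e.g. 'input accept in vlan1 dport http proto tcp' (key/value pairs only)."""
    words = line.split()
    rule = Rule(words[0], words[1])
    for key, val in zip(words[2::2], words[3::2]):
        if key in ("saddr", "daddr"):
            rule.match[key] = ipaddress.ip_network(val, strict=False)
        elif key in ("sport", "dport"):        # port number, service name or lo-hi range
            lo, _, hi = val.partition("-")
            lo = SERVICES.get(lo, lo)
            rule.match[key] = (int(lo), int(hi or lo))
        elif key != "pos":                     # 'pos' is an insert position, not a match
            rule.match[key] = val
    return rule

def matches(rule, pkt):
    for key, want in rule.match.items():
        have = pkt.get(key)
        if have is None:                       # packet lacks the field -> no match
            return False
        if key in ("saddr", "daddr") and ipaddress.ip_address(have) not in want:
            return False
        if key in ("sport", "dport") and not want[0] <= have <= want[1]:
            return False
        if key not in ("saddr", "daddr", "sport", "dport") and have != want:
            return False
    return True

def verdict(rules, policy, pkt):
    for rule in rules:                         # first match in this hook wins
        if rule.hook == pkt["hook"] and matches(rule, pkt):
            return rule.action
    return policy[pkt["hook"]]                 # no match: the hook's default policy

def management_reachable(rules, policy, iface, proto, dport, saddr):
    """Lockout pre-check: is a management packet accepted by the input hook?"""
    pkt = {"hook": "input", "in": iface, "proto": proto, "dport": dport, "saddr": saddr}
    return verdict(rules, policy, pkt) == "accept"
```

With a drop policy and an empty rule list the pre-check fails, which is exactly the state in which enabling the firewall locks a remote administrator out.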
NOTE: Offloaded traffic is not subject to firewall processing.
Syntax
[no] input accept|drop [pos POSITION] [in IFACE] [saddr ADDR[/LEN]] [sport PORT|RANGE] [daddr ADDR[/LEN]] [dport PORT|RANGE] [proto PROTO] [bind-counter COUNTER] [counter] [comment COMMENT] [log]
- Manage input rules.
Create or delete an input rule. Input rules are checked after the routing decision and apply to packets that are directed to the local device and processes running on the device itself.
no
- Delete specified rule.
accept|drop
- Accept or drop traffic matching the specified rule.
pos POSITION
- The position in the list of rules you want to apply your command to.
in IFACE
- Inbound Interface: The interface where the packet comes in.
saddr
- Source IP Address/Subnet: The source IP address of the packet.
sport
- Source Port: The source port of the packet.
daddr
- Destination IP Address/Subnet: The destination address of the packet.
dport
- Destination Port: The destination port of the packet.
ADDR[/LEN]
- IP address specified as either a single IP address, or a whole IP subnet.
PORT|RANGE
- Port specified as either a single port, or a range of ports.
proto PROTO
- Protocol: The protocol type of the IP payload. Typically TCP or UDP, but the filtering can also be made to match other protocols such as ICMP and ESP.
bind-counter COUNTER
- Assigns the rule to COUNTER.
counter
- Add a counter that only shows in the raw output. This counter is reset any time the firewall configuration is changed.
comment COMMENT
- Add a comment to the rule.
log
- Log traffic matching this rule.
[no] forward accept|drop [pos POSITION] [in IFACE] [out IFACE] [saddr ADDR[/LEN]] [sport PORT|RANGE] [daddr ADDR[/LEN]] [dport PORT|RANGE] [proto PROTO] [bind-counter COUNTER] [counter] [comment COMMENT] [log]
- Manage forward rules.
Create or delete a forward rule. Forward rules are checked after the routing decision and apply to packets that are not directed to the local device.
no
- Delete specified rule.
accept|drop
- Accept or drop traffic matching the specified rule.
pos POSITION
- The position in the list of rules you want to apply your command to.
in IFACE
- Inbound Interface: The interface where the packet comes in.
out IFACE
- Outbound Interface: The interface where the packet is sent out.
saddr
- Source IP Address/Subnet: The source IP address of the packet.
sport
- Source Port: The source port of the packet.
daddr
- Destination IP Address/Subnet: The destination address of the packet.
dport
- Destination Port: The destination port of the packet.
ADDR[/LEN]
- IP address specified as either a single IP address, or a whole IP subnet.
PORT|RANGE
- Port specified as either a single port, or a range of ports.
proto PROTO
- Protocol: The protocol type of the IP payload. Typically TCP or UDP, but the filtering can also be made to match other protocols such as ICMP and ESP.
bind-counter COUNTER
- Assigns the rule to COUNTER.
counter
- Add a counter that only shows in the raw output. This counter is reset any time the firewall configuration is changed.
comment COMMENT
- Add a comment to the rule.
log
- Log traffic matching this rule.
[no] nat [pos POSITION] out IFACE [saddr ADDR[/LEN]] [comment COMMENT] [log]
- Manage Network Address Translation rules.
Create or delete a NAT rule of NAPT type. NAPT is also known as IP masquerading, NAT overload and many-to-one NAT.
NAT can be used to hide private subnets behind a single public IP.
no
- Delete specified rule.
pos POSITION
- The position in the list of rules you want to apply your command to.
out IFACE
- The outbound interface used for NAPT. Outgoing packets handled by this rule will appear to originate from the IP address configured (the primary address) or acquired (DHCP) for this interface.
ADDR[/LEN]
- Specify that packets must originate from a specific subnet for this rule to apply.
comment COMMENT
- Add a comment to the rule.
log
- Log traffic matching this rule.
[no] port-forward [pos POSITION] [in IFACE] [daddr ADDR[/LEN]] dport PORT|RANGE [to-dport PORT] to-daddr ADDR proto PROTO [comment COMMENT] [log]
- Manage port forwarding rules.
Create or delete a port forwarding rule. Port forwarding can be used to expose an internal device to the Internet.
no
- Delete specified rule.
pos POSITION
- The position in the list of rules you want to apply your command to.
in IFACE
- Inbound Interface: The interface where the packet comes in.
daddr
- Destination IP Address/Subnet: The destination IP address of the packet.
dport
- Destination Port: The destination port of the packet.
to-daddr
- Forward Destination IP Address/Subnet: The destination address where the packets are to be forwarded.
to-dport
- Forward Destination Port: The destination port where the packets are to be forwarded.
ADDR[/LEN]
- IP address specified as either a single IP address, or a whole IP subnet.
PORT|RANGE
- Port specified as either a single port, or a range of ports.
proto PROTO
- Protocol: The protocol type of the IP payload.
comment COMMENT
- Add a comment to the rule.
log
- Log traffic matching this rule.
policy forward|input drop|accept
- Set default filter policy.
forward|input
- Specify which hook to apply the policy to.
drop|accept
- Specify which policy to apply.
move input|forward|nat|port-forward id ID pos NEW-ID
- Reorder rules.
Change the order of existing rules.
input|forward|nat|port-forward
- Specify from which rule set to move.
ID
- ID of the rule to move.
NEW-ID
- New ID of the rule to move.
counter NAME [reset]
- Show or modify counters.
NAME
- Create a new named counter called NAME.
reset
- Reset the counter NAME.
[no] log [limit none | ENTRIES/second|minute|hour|day ]
- Handle logging for the firewall.
This command is used to globally enable or disable firewall logging and to set a limit on the maximum rate of entries that will be stored. Note that you need to add the "log" flag on individual rules as well.
no
- Globally disable logging.
none
- No rate limitation for logging. Be warned that having no limit may expose the device to denial-of-service attacks!
ENTRIES
- Number of entries to be logged in the specified time unit. Should be in the range 1-10000.
second|minute|hour|day
- Time unit for the rate limit. The lowest possible rate is 2/day.
[no] log input|forward|nat|port-forward NUM
- Toggle the logging flag on an existing firewall rule.
no
- Disable logging for the specified rule.
input|forward|nat|port-forward
- The type of the specified rule.
NUM
- The specified rule number.
[no] alg ftp|tftp
- Application Level Gateway (NAT) helpers.
ftp|tftp
- Specify what helper should be enabled.
show
- Show all rules.
Status overview
In order to see the current rules for the Firewall the following command can be used:
example:/config/ip/firewall/#> show
Firewall is enabled.
Logging is Enabled, limited to 99 entries/hour
____________________________________________________________________
Input Rules
ID   Rule
001  input accept in vlan1 saddr 192.168.1.1/32 daddr 192.168.1.99/32
N/A  drop
____________________________________________________________________
Forward Rules
ID   Rule
001  forward accept in vlan1 out vlan2 daddr 10.0.0.1/32
N/A  drop
____________________________________________________________________
NAT Rules (NAPT/masquerading)
ID   Rule
001  nat out vlan1 saddr 192.168.1.1/32
____________________________________________________________________
Port-Forward Rules
ID   Rule
001  port-forward dport 80-90 to-daddr 192.168.1.1 proto udp
____________________________________________________________________
Application Level Gateway
Alg Helper
FTP   ENABLED
TFTP  ENABLED
Advanced: The command “show ip firewall raw” can be used in admin-exec mode to show the complete Linux nftables (nft) ruleset, which contains the rules added in the WeOS firewall.
Counters
There are two types of counters available. Temporary inline counters and named counters.
Temporary inline counters
Temporary inline counters are mainly intended for temporary debugging; see the section on named counters for runtime-persistent counters. The inline counters are only visible in the raw firewall output and are reset every time the firewall configuration changes.
example:/config/ip/firewall/#> input accept dport 22 proto tcp counter
example:/#> show ip firewall raw
...
tcp dport ssh counter packets 10 bytes 443 accept comment "cli-input-009"
...
Named counters
A named counter can be created and bound to one or more firewall rules. A named counter can be bound to input or forward rules. A named counter is persistent during runtime.
Example of a counter that counts all inbound web interface traffic:
example:/config/ip/firewall/#> counter web
example:/config/ip/firewall/#> input accept dport 80 proto tcp bind-counter web
example:/config/ip/firewall/#> input accept dport 443 proto tcp bind-counter web
example:/#> show ip firewall counter web
Users
001 input accept dport 80 proto tcp bind-counter web
002 input accept dport 443 proto tcp bind-counter web
Value
packets 26 bytes 1560