Advanced topics Understanding system firewall rules
Digi TransPort WR Routers User Guide
511
High priority user chains are named:
user_prio_<table>_<builtinchain>
For example:
user_prio_filter_input
Corresponds to high priority user rules for the built-in filter table, INPUT chain.
Each table in the firewall provides rule chains that can be used for critical, high priority rules. The rules
in user priority chains take higher precedence than all built-in firewall rules or rules configured via
normal system configuration and services.
Before you manually create firewall rules using custom user priority chains, Digi recommends you
allow the system to automatically generate firewall rules using standard built-in chains and/or the
ip-filter, port-forward and other CLI commands for firewall configuration.
Testing new firewall rules
When you create or modify firewall rules using the firewall or firewall6 commands, save the new rules
using the save config command and then reboot the TransPort device to test the new rules.
The FIREWALL section of the configuration file config.da0 is saved based on iptables save support,
and the FIREWALL section is executed after the system firewall rules.
Using the autorun command to force firewall rule precedence
If you have difficulty with the saved rule set or the order in which rules are executed, you can use the
autorun command to work around these issues. Use an autorun command to apply a firewall rule
after system startup and after all firewall rules have been applied.
For example, the following autorun command applies a DROP to all ICMP requests for the LAN after
system startup and after all the firewall rules have been applied. Note the example rule is marked
with the donotsave comment to prevent it from being saved to the FIREWALL section of the
config.da0 file.
autorun 1 command firewall -I INPUT 1 -i lan+ -p icmp -j DROP -m comment --comment (donotsave)
The result is that the autorun firewall rule is inserted before all of the user and system rules in the
INPUT chain.
Demonstration
For example, enter the following command to configure the WAN to allow HTTPS connections:
wan 1 allow-https-access on
A user rule to drop HTTPS traffic on any Ethernet interface might look like this:
firewall -A INPUT -i eth+ -p tcp -m tcp --dport 443 -m comment --comment BLOCK-HTTPS-EXAMPLE -j DROP
And the result may not be as expected. HTTPS traffic to eth1 (on a device where eth1 is part of wan 1)
will not be dropped. The reason can be demonstrated in the following snippet of lines from the show
firewall command.
Input packets are processed by the INPUT chain in the filter table. When rule 4 is encountered, the
system chain tlr_wan_input is processed, accepting packets destined for HTTPS (port 443). The
appended rule 12 to drop HTTPS packets is never processed because the packet was already
accepted by the system rule created by wan 1 allow-https-access on.
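The following is an added example, not part of the Digi guide: a small model of iptables-style chain traversal that reproduces the scenario above. An HTTPS packet on eth1 is ACCEPTed by the system chain tlr_wan_input before an appended (-A) user DROP rule is reached, whereas the same rule inserted at position 1 (as the autorun -I INPUT 1 workaround does) is evaluated first. Packet fields, the rule dictionaries and the "POLICY" fall-through label are constructed for illustration.

```python
def match(rule, pkt):
    """Every criterion in the rule must agree with the packet. An interface
    ending in '+' is a prefix wildcard, as in iptables ('eth+' matches eth1)."""
    for key, want in rule.get("match", {}).items():
        have = pkt.get(key)
        if key == "in_if" and want.endswith("+"):
            if not (isinstance(have, str) and have.startswith(want[:-1])):
                return False
        elif have != want:
            return False
    return True

def walk(chains, chain, pkt, depth=0):
    """Evaluate a chain top to bottom; the first terminating verdict wins.
    Returns 'ACCEPT' or 'DROP', or None when the chain falls through (RETURN)."""
    assert depth < 16, "jump loop"
    for rule in chains[chain]:
        if not match(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        if target in chains:                      # jump into a system/user chain
            verdict = walk(chains, target, pkt, depth + 1)
            if verdict is not None:
                return verdict                    # terminating verdict propagates
    return None                                   # end of chain: RETURN to caller

def build_filter_table(user_rule_position):
    """INPUT chain as the guide describes it: a system jump to tlr_wan_input
    (created by 'wan 1 allow-https-access on') plus the user's BLOCK-HTTPS rule,
    either appended with -A or inserted at the top with -I INPUT 1."""
    system_jump = {"target": "tlr_wan_input"}    # no match criteria: always taken
    user_drop = {"match": {"in_if": "eth+", "proto": "tcp", "dport": 443},
                 "target": "DROP", "comment": "BLOCK-HTTPS-EXAMPLE"}
    if user_rule_position == "insert":
        input_chain = [user_drop, system_jump]
    else:
        input_chain = [system_jump, user_drop]
    return {
        "INPUT": input_chain,
        # system chain: accept HTTPS because the WAN allows HTTPS access
        "tlr_wan_input": [{"match": {"proto": "tcp", "dport": 443}, "target": "ACCEPT"}],
    }

def https_verdict(user_rule_position):
    """Verdict for a constructed HTTPS packet arriving on eth1 (part of wan 1)."""
    pkt = {"in_if": "eth1", "proto": "tcp", "dport": 443}
    verdict = walk(build_filter_table(user_rule_position), "INPUT", pkt)
    return verdict if verdict is not None else "POLICY"

if __name__ == "__main__":
    print("appended (-A):    ", https_verdict("append"))   # ACCEPT
    print("inserted (-I 1):  ", https_verdict("insert"))   # DROP
```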