27: Configuring firewall
© Virtual Access 2017
GW1000 Series User Manual
Issue: 1.9 Page 257 of 350
When connection attempts are dropped, the client is never told that it was blocked and
keeps retransmitting its packets until the connection attempt eventually times out.
Depending on how the client software is implemented, this can leave programs frozen or
hanging until the timeout expires before they are able to continue.
DROP
• less information is exposed
• less attack surface
• client software may not cope well with it (hangs until the connection times out)
• may complicate network debugging (where was the traffic dropped, and why?)
REJECT
• may expose information, such as the IP address at which traffic was actually blocked
  (the ICMP error or TCP reset that REJECT sends carries the firewall's own address)
• client software recovers faster from rejected connection attempts
• network debugging is easier (routing and firewall issues are clearly distinguishable)
27.6 Connection tracking
By default, the firewall disables connection tracking for a zone if masquerading is not
enabled on that zone. It does this by generating NOTRACK rules in the raw table that match
all traffic passing through the interfaces referenced by the zone. The purpose of NOTRACK
is to speed up routing and save memory by bypassing the resource-intensive connection
tracking in cases where it is not needed. You can check whether connection tracking is
disabled by running iptables -t raw -S; this lists all raw-table rules, so look for rules
with the NOTRACK target.
NOTRACK makes certain iptables extensions unusable on that traffic: for example, the
MASQUERADE target and the state (conntrack) match will not work.
If connection tracking is required, for example by custom rules in /etc/firewall.user,
enable the conntrack option in the corresponding zone; this suppresses the NOTRACK rules
for that zone. It appears as option 'conntrack' '1' in the relevant zone section of
/etc/config/firewall.
27.7 Firewall examples
27.7.1 Opening ports
The default configuration accepts all LAN traffic but blocks all incoming WAN traffic on
ports not currently in use by an established connection or by NAT. To open a port for a
service, add a rule section:
    config rule
        option src wan
        option dest_port 22
        option target ACCEPT
        option proto tcp
Because the rule has no dest option, it matches traffic addressed to the router itself.
This example therefore enables any machine on the internet to use SSH to access your
router; treat such a rule as a deliberate exposure and keep it as narrow as possible.
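The following is an added example, not code from the manual or from Virtual Access. It
pulls the checks from section 27.6 (NOTRACK versus conntrack) and section 27.7.1 (rules
that open the router to the WAN) into one audit script that runs offline. The iptables -t
raw -S output and the /etc/config/firewall contents are constructed samples; the
zone_lan_notrack chain name mirrors the OpenWrt-style firewall's naming but is assumed, as
is the src_ip rule option (an OpenWrt fw3 option that the GW1000 firewall is assumed to
honour). Run the functions against the real command output and config file on a router.

```python
"""Audit an OpenWrt/UCI-style firewall (as on the GW1000) for NOTRACK versus
conntrack, and for rules that expose the router itself to the WAN.
Added example; sample inputs below are constructed, not captured from a device."""
import re

# Constructed sample of `iptables -t raw -S` on a router whose lan zone has no
# masquerading, so the firewall generated NOTRACK rules for its interface br-lan.
# The chain name zone_lan_notrack is an assumption about the firmware's naming.
SAMPLE_RAW_RULES = """\
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N zone_lan_notrack
-A PREROUTING -i br-lan -j zone_lan_notrack
-A OUTPUT -o br-lan -j zone_lan_notrack
-A zone_lan_notrack -j NOTRACK
"""

# Constructed /etc/config/firewall: lan zone without masq (NOTRACK applies), wan zone
# with masq, plus the manual's SSH rule opened to the whole internet.
SAMPLE_FIREWALL = """\
config zone
\toption name 'lan'
\toption network 'lan'
\toption input 'ACCEPT'
\toption output 'ACCEPT'
\toption forward 'REJECT'

config zone
\toption name 'wan'
\toption network 'wan'
\toption input 'REJECT'
\toption output 'ACCEPT'
\toption forward 'REJECT'
\toption masq '1'

config rule
\toption src wan
\toption dest_port 22
\toption target ACCEPT
\toption proto tcp
"""


def parse_uci(text):
    """Minimal UCI parser: returns a list of (section_type, {option: value})."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] == 'option' and len(parts) == 3 and sections:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections


def notrack_interfaces(raw_rules):
    """Ingress interfaces whose traffic reaches a NOTRACK target in the raw table,
    following one jump from PREROUTING into a per-zone chain."""
    jumps, notrack_chains, result = {}, set(), {}
    for line in raw_rules.splitlines():
        if not line.startswith('-A '):
            continue
        chain = line.split()[1]
        iface = re.search(r' -i (\S+)', line)
        target = re.search(r' -j (\S+)', line)
        if target is None:
            continue
        if target.group(1) == 'NOTRACK':
            if iface:
                result[iface.group(1)] = chain      # NOTRACK applied directly
            else:
                notrack_chains.add(chain)           # NOTRACK inside a zone chain
        elif iface:
            jumps[iface.group(1)] = target.group(1)
    result.update({i: c for i, c in jumps.items() if c in notrack_chains})
    return result


def zones_needing_conntrack(sections, zones_used_by_custom_rules):
    """Zones that custom /etc/firewall.user rules (state match, MASQUERADE) rely on
    but that still get NOTRACK rules: neither masq nor conntrack is set to '1'."""
    return [o['name'] for t, o in sections
            if t == 'zone' and o.get('name') in zones_used_by_custom_rules
            and o.get('masq') != '1' and o.get('conntrack') != '1']


def enable_conntrack(text, zone_name):
    """Return the config text with option conntrack '1' added to the named zone."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip().startswith('config ')]
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        body = [l.strip() for l in lines[start:end]]
        named = "option name '%s'" % zone_name in body or 'option name %s' % zone_name in body
        if named and not any(b.startswith('option conntrack') for b in body):
            last = max(i for i in range(start, end) if lines[i].strip())
            lines.insert(last + 1, "\toption conntrack '1'")
            break
    return '\n'.join(lines) + '\n'


def wan_exposed_rules(sections):
    """Rules that ACCEPT from the wan zone to the router itself (no dest option)
    with no src_ip restriction, i.e. services reachable from the whole internet."""
    return ['%s/%s' % (o.get('proto', 'any'), o.get('dest_port', 'any'))
            for t, o in sections
            if t == 'rule' and o.get('src') == 'wan' and o.get('target') == 'ACCEPT'
            and 'dest' not in o and 'src_ip' not in o]


if __name__ == '__main__':
    sections = parse_uci(SAMPLE_FIREWALL)
    print('NOTRACK interfaces:', notrack_interfaces(SAMPLE_RAW_RULES))
    print('zones whose custom rules need conntrack:', zones_needing_conntrack(sections, {'lan'}))
    print('router ports open to the whole internet:', wan_exposed_rules(sections))
    print(enable_conntrack(SAMPLE_FIREWALL, 'lan'))
```

On a live router the same checks read `iptables -t raw -S` and `/etc/config/firewall`
directly; the edit that enable_conntrack produces is what `uci set` of the zone's conntrack
option followed by `uci commit firewall` and a firewall restart would write.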