27: Configuring firewall 
© Virtual Access 2017 
GW1000 Series User Manual 
Issue: 1.9    Page 257 of 350 
When connection attempts are dropped, the client is not aware of the blocking and will 
continue to re-transmit its packets until the connection eventually times out. Depending 
on how the client software is implemented, this can result in frozen or hanging 
programs that must wait for the timeout before they are able to continue. 
DROP 
- less information is exposed 
- less attack surface 
- client software may not cope well with it (hangs until the connection times out) 
- may complicate network debugging (where was traffic dropped, and why) 
REJECT 
- may expose information (such as the IP address at which traffic was actually blocked) 
- client software can recover faster from rejected connection attempts 
- network debugging is easier (routing and firewall issues are clearly distinguishable) 
27.6  Connection tracking 
By default, the firewall disables connection tracking for a zone if masquerading is not 
enabled for it. This is achieved by generating NOTRACK firewall rules matching all traffic 
passing via the interfaces referenced by the firewall zone. The purpose of NOTRACK is to 
speed up routing and save memory by bypassing resource-intensive connection 
tracking where it is not needed. To check whether connection tracking is disabled, 
issue iptables -t raw -S; this lists all rules in the raw table, so look for rules with the 
NOTRACK target. 
NOTRACK renders certain iptables extensions unusable; for example, the 
MASQUERADE target and the state match will not work. 
If connection tracking is required, for example by custom rules in /etc/firewall.user, the 
conntrack option must be enabled in the corresponding zone to disable NOTRACK. It 
should appear as option 'conntrack' '1' in the relevant zone in /etc/config/firewall. 
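The check described above can be scripted. The following is an added example and not part of the manual: it reads the output of iptables -t raw -S and decides whether traffic entering a given interface is exempted from connection tracking, recognising both the classic NOTRACK target and its newer spelling CT --notrack, which iptables -S may print instead. The sample rule listing, chain names and interface names (eth0 for a zone without masquerading, eth1 for one with it) are constructed for the demonstration and need not match what the device generates.

```sh
#!/bin/sh
# Added example, not part of the Virtual Access manual: decide from the output
# of `iptables -t raw -S` whether traffic entering a given interface is exempted
# from connection tracking. Recognises both the classic NOTRACK target and its
# newer spelling, CT --notrack, which `iptables -S` may print instead.

# Constructed sample output. Chain names and interfaces (eth0 for a zone
# without masquerading, eth1 for one with it) are assumptions for the demo.
SAMPLE_RAW_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N zone_lan_notrack
-A PREROUTING -i eth0 -j zone_lan_notrack
-A OUTPUT -o eth0 -j zone_lan_notrack
-A zone_lan_notrack -j CT --notrack'

# notrack_for_iface RULES IFACE -> prints "yes" if a PREROUTING rule for IFACE
# performs NOTRACK directly or jumps to a chain that does, otherwise "no".
notrack_for_iface() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        {
            # Does this line itself switch tracking off?
            is_notrack = ($0 ~ /-j NOTRACK( |$)/ || $0 ~ /-j CT --notrack/)
            chain = ""; target = ""; matched = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-A") chain = $(i + 1)
                if ($i == "-i" && $(i + 1) == iface) matched = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (chain == "") next            # -P and -N lines carry no rule
            if (is_notrack) notrack_chain[chain] = 1
            if (chain == "PREROUTING" && matched) {
                if (is_notrack) found = 1
                else if (target != "") jumps[target] = 1
            }
        }
        END {
            # Resolve jumps last: custom chains are listed after PREROUTING.
            for (t in jumps) if (t in notrack_chain) found = 1
            print (found ? "yes" : "no")
        }'
}

# Stand-alone run: report both sample interfaces.
for ifc in eth0 eth1; do
    echo "$ifc: notrack=$(notrack_for_iface "$SAMPLE_RAW_RULES" "$ifc")"
done
```

On the device itself, replace the constructed listing with the live output (`iptables -t raw -S`) and pass the interface of the zone in question. A "yes" for a zone whose custom rules rely on the state match or MASQUERADE means option 'conntrack' '1' is missing from that zone in /etc/config/firewall.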
27.7  Firewall examples 
27.7.1  Opening ports 
The default configuration accepts all LAN traffic, but blocks all incoming WAN traffic on 
ports not currently used for connections or NAT. To open a port for a service, add a rule 
section: 
config rule 
        option src              wan 
        option dest_port        22 
        option target           ACCEPT 
        option proto            tcp 
This example enables machines on the internet to use SSH to access your router.
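Exposing SSH to every internet host is rarely what an operator wants. As an added example, not from the manual, the same rule is shown restricted so that only one administrative network can reach port 22. The src_ip option is a standard option of the OpenWrt-style firewall whose syntax this configuration follows; that this device supports it is an assumption, and 203.0.113.0/24 is a documentation prefix chosen purely for illustration.

```text
config rule
        option name             Allow-SSH-admin
        option src              wan
        option src_ip           203.0.113.0/24
        option dest_port        22
        option proto            tcp
        option target           ACCEPT
```

With this rule in place, connection attempts to port 22 from any other source are handled by the default WAN policy, so they remain blocked.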