27: Configuring firewall
_______________________________________________________________________________________________________
_____________________________________________________________________________________________________
© Virtual Access 2017
GW1000 Series User Manual
Issue: 1.9 Page 260 of 350
27.7.7 Block access to the internet for specific IP on certain times
The following rule blocks all connection attempts to the internet from 192.168.1.27 on
weekdays between 21:00pm and 09:00am.
config rule
option src lan
option dest wan
option src_ip 192.168.1.27
option extra '-m time --weekdays Mon,Tue,Wed,Thu,Fri --
timestart 21:00 --timestop 09:00'
option target REJECT
27.7.8 Restricted forwarding rule
The example below creates a forward rule rejecting traffic from LAN to WAN on the ports
1000-1100.
config rule
option src lan
option dest wan
option dest_port 1000-1100
option proto tcpudp
option target REJECT
27.7.9 Denial of service protection rule
The example below shows a sample configuration of SSH DoS attack where if more than
two SSH connections are attempted within 120 seconds, every further connection will be
dropped. You can configure this for any port number.
config rule 'sshattack'
option src 'lan'
option dest_port '22'
option proto 'tcp'
option recent '2 120'
option target 'DROP'
27.7.10 IP spoofing prevention mechnism
Configure IP spoofing protection on a per interface basis in the /etc/config/network
configuration file. The example below shows the ipv4_rp_filter option enabled on the
Vlan12 interface in the network file. When reverse path filtering mechanism is enabled,
the router will check whether a receiving packet source address is routable.
To Next Page
Loading...
Need help?
General