Firewall Rules

From Wiki of WFilter NG Firewall
Revision as of 23:35, 20 June 2017 by WFilter (Talk | contribs)

Jump to: navigation, search


"Firewall Rules" block or allow traffic based on IP and ports. If you need "URL filter", "application control" and so on, you need to check modules in "Access Policy".

1 New Rule

Firewall set en.png

New a firewall rule, descriptions:

  • Interface: "LAN" or "WAN". WAN interface is invalid in bridge mode.
  • Type: packet direction.
    • "Inbound", packet targets to the NGF device.
    • "Forward", packet being forwarded.
  • Source IP: packet source ip address. You can define IP as "Any", "Single" and "Range".
    • For "Single", a single ip or subnet is allowed(for example: 192.168.1.10 or 192.168.1.0/24).
    • For "Range", you need to input an ip range.
  • Target IP: packet target ip address, same syntax as the "Source IP".
  • Target Port: packet target port, can be a single port or a port range, Syntax:
    • One port: 8000
    • A port range: 8000:9000
    • Multiple ports: 80 8000
    • Port and ranges: 80 8000:9000
  • Action:
    • "Reject": the rejected clients will get a RST packet immediately.
    • "Drop": packets will be dropped, the clients will wait for connection timeout.
    • "Allow": allow packet
  • You may use time, from-to and effective on to define a time period for this rule to be applied.

2 Processing Order for Rules

Rules are always processed from the top of a list down, first match wins. Understanding this order is especially important. You may drag the re-order icon to re-order rules.

Ros firewall 01.png

3 Advanced Settings

Some advanced options, recommended to enable.

  • Drop Invalid Packets.
  • SYN Flood Protection: Kind of DDos attack.
  • Allow Ping on WAN Interfaces: Allow ICMP ping to the WAN interface from external network.

Firewall advanced en.jpg

Retrieved from "http://wiki.wfilterngf.com/index.php?title=Firewallrule&oldid=627"
Personal tools
Namespaces

Variants
Actions
Navigation
Tools