Firewallrule

From Wiki of WFilter NG Firewall
(Difference between revisions)
Jump to: navigation, search
(Created page with "{DISPLAYTITLE:Rules}} == Add Firewall Rule == <p>'''Interface''':对应“网络设置”-“接口设置”中的内网外网。</p> <p>'''Source IP''':数据包是从哪...")
 
 
(16 intermediate revisions by one user not shown)
Line 1: Line 1:
{DISPLAYTITLE:Rules}}
+
{{DISPLAYTITLE:Firewall Rules}}
== Add Firewall Rule ==
+
 
<p>'''Interface''':对应“网络设置”-“接口设置”中的内网外网。</p>
+
"Firewall Rules" block or allow traffic based on IP and ports. If you need "URL filter", "application control" and so on, you need to check modules in [[Access_Policy|"Access Policy"]].
<p>'''Source IP''':数据包是从哪个IP发出来的,起源IP。支持“所有IP”、“指定IP”和“指定IP段”3种IP格式。当选择“指定IP”时,可以输入单个IP地址,或者IP段(比如192.168.1.0/24)。选择“指定IP段”时,需要输入IP范围。</p>
+
 
<p>'''Remote IP''':数据包要到达的IP,发往哪里。支持“所有IP”、“指定IP”和“指定IP段”3种IP格式。当选择“指定IP”时,可以输入单个IP地址,或者IP段(比如192.168.1.0/24)。选择“指定IP段”时,需要输入IP范围。</p>
+
== New Rule ==
<p>'''Remote Port''':数据包要到达的端口。“端口”支持一个端口或者一个端口范围,例:8000或者8000:9000(范围)。</p>
+
[[File: Firewall_set_en.png|650px]]
<p>'''Proto''':TCP或者UDP或者两者皆有。</p>
+
 
<p>'''Action''':“阻止”:客户机会立即收到被拒绝的数据包(RST)。“丢弃”:直接丢弃数据包,客户机需要等待连接超时。“通过”:放行该数据包。</p>
+
New a firewall rule, descriptions:
<p>'''Applytime''':设置该条防火墙规则的生效时间,可以指定时间段,也可以任何时间都生效。</p>
+
 
<p>'''From-to''':“生效时间”设为指定时间后后可以设置,配置规则生效的开始时间和结束时间。</p>
+
* '''Interface''': "LAN" or "WAN". WAN interface is invalid in bridge mode.
<p>'''Effective on''':设置在一周内,规则生效的时间。</p>
+
* '''Type''': packet direction.
[[文件: Firewall_set_en.jpg]]
+
** "Inbound", packet targets to the NGF device.
 +
** "Forward", packet being forwarded.
 +
* '''Source''': packet source. You can define IP as "Any", "Single", "Range" and "Customize".
 +
** For "Single", a single ip or subnet is allowed(for example: 192.168.1.10 or 192.168.1.0/24).
 +
** For "Range", you need to input an ip range.
 +
* '''Target''': packet target, can be "Any", "Single", "Range" and "Customize".
 +
* '''Source Port''': packet source port, can be a single port or a port range,
 +
* '''Target Port''': packet target port, can be a single port or a port range, Syntax:
 +
** One port: 8000
 +
** A port range: 8000:9000
 +
** Multiple ports: 80 8000
 +
** Port and ranges: 80 8000:9000
 +
** Empty matches all ports
 +
* '''Protocol'''
 +
** All: means all protocols, including TCP, UDP, ICMP and other IP protocols.
 +
** TCP+UDP: both TCP and UDP.
 +
* '''Action''':
 +
** "Reject": the rejected clients will get a RST packet immediately.
 +
** "Drop": packets will be dropped, the clients will wait for connection timeout.
 +
** "Allow": allow packet
 +
* You may use '''time''', '''from-to''' and '''effective on''' to define a time period for this rule to be applied.
 +
 
 +
== Customize IP ==
 +
 
 +
Upon "Customize", you can block ip, subnets, countries and regions, domains and domain categories. For domains, WFilter will add dns replied ip addresses into the deny/allow list.
 +
 
 +
[[File: ros_firewall_dstip01.png|650px]]
 +
 
 +
[[File: ros_firewall_dstip02.png|650px]]
 +
 
 +
[[File: ros_firewall_dstip03.png|650px]]
 +
 
 +
[[File: ros_firewall_dstip04.png|650px]]
 +
 
 +
IP, subnet or domain per line, for example:
 +
 
 +
192.168.1.1
 +
 
 +
192.168.1.0/24
 +
 
 +
*.imfirewall.com
 +
 
 +
[[File: ros_firewall_dstip05.png|650px]]
 +
 
 +
== Processing Order for Rules ==
 +
 
 +
Rules are always processed from the top of a list down, first match wins. Understanding this order is especially important.
 +
You may drag the re-order icon to re-order rules.
 +
 
 +
[[File: ros_firewall_01.png|650px]]
 +
 
 
== Advanced Settings ==
 
== Advanced Settings ==
<p>'''Drop Invalid Packets''':对于无效的数据包进行丢弃。</p>
+
 
<p>'''Enable SYN Flood Protection''':SYN Flood是一种广为人知的DoS(拒绝服务攻击)与DDoS(分布式拒绝服务攻击)的方式之一,这是一种利用TCP协议缺陷,发送大量伪造的TCP连接请求,从而使得被攻击方资源耗尽(CPU满负荷或内存不足)的攻击方式。开启后可以防止受到SYN-flood攻击。</p>
+
In "Advanced Settings", you can setup default policies for ZONEs. Two Zones(LAN and WAN) are supported in default.
<p>'''Allow Ping on WAN Interfaces''':允许从WAN口ping通路由器。</p>
+
 
[[文件: Firewall_advanced_en.jpg]]
+
[[File: Firewall_advanced_en.png|600px]]
 +
 
 +
[[File: Firewall_advanced_en02.png|600px]]
 +
 
 +
[[Category:Firewall]]

Latest revision as of 17:01, 20 January 2022


"Firewall Rules" block or allow traffic based on IP and ports. If you need "URL filter", "application control" and so on, you need to check modules in "Access Policy".

Contents

[edit] 1 New Rule

Firewall set en.png

New a firewall rule, descriptions:

  • Interface: "LAN" or "WAN". WAN interface is invalid in bridge mode.
  • Type: packet direction.
    • "Inbound", packet targets to the NGF device.
    • "Forward", packet being forwarded.
  • Source: packet source. You can define IP as "Any", "Single", "Range" and "Customize".
    • For "Single", a single ip or subnet is allowed(for example: 192.168.1.10 or 192.168.1.0/24).
    • For "Range", you need to input an ip range.
  • Target: packet target, can be "Any", "Single", "Range" and "Customize".
  • Source Port: packet source port, can be a single port or a port range,
  • Target Port: packet target port, can be a single port or a port range, Syntax:
    • One port: 8000
    • A port range: 8000:9000
    • Multiple ports: 80 8000
    • Port and ranges: 80 8000:9000
    • Empty matches all ports
  • Protocol
    • All: means all protocols, including TCP, UDP, ICMP and other IP protocols.
    • TCP+UDP: both TCP and UDP.
  • Action:
    • "Reject": the rejected clients will get a RST packet immediately.
    • "Drop": packets will be dropped, the clients will wait for connection timeout.
    • "Allow": allow packet
  • You may use time, from-to and effective on to define a time period for this rule to be applied.

[edit] 2 Customize IP

Upon "Customize", you can block ip, subnets, countries and regions, domains and domain categories. For domains, WFilter will add dns replied ip addresses into the deny/allow list.

Ros firewall dstip01.png

Ros firewall dstip02.png

Ros firewall dstip03.png

Ros firewall dstip04.png

IP, subnet or domain per line, for example:

192.168.1.1

192.168.1.0/24

  • .imfirewall.com

Ros firewall dstip05.png

[edit] 3 Processing Order for Rules

Rules are always processed from the top of a list down, first match wins. Understanding this order is especially important. You may drag the re-order icon to re-order rules.

Ros firewall 01.png

[edit] 4 Advanced Settings

In "Advanced Settings", you can setup default policies for ZONEs. Two Zones(LAN and WAN) are supported in default.

Firewall advanced en.png

Firewall advanced en02.png

Personal tools
Namespaces

Variants
Actions
Navigation
Tools