Page 71 / 145
7.6.4 Traffic Rules
The traffic rule page contains a more generalized rule definition. With it you can block or open ports, alter how traffic is forwarded between LAN and WAN and many more things.
Field Name | Explanation
1. Name | Name of the rule. Used only to make rule management easier
2. Protocol | Protocol type of the incoming or outgoing packet
3. Source | Match incoming traffic from this IP or range only
4. Destination | Redirect matched traffic to the given IP address and destination port
5. Action | Action to be taken for the packet if it matches the rule
6. Enable | Self-explanatory. Uncheck to make the rule inactive. The rule will not be deleted, but it also will not be loaded into the firewall
7. Sort | When a packet arrives, it is checked against the rule list for a matching rule. If several rules match the packet, the first one is applied, i.e. the order of the rule list affects how your firewall operates; therefore you are given the ability to sort the list as you wish
You can configure a firewall rule by clicking the Edit button.
Field Name | Sample value | Explanation
1. Name | “Allow-DHCP-Relay” | Used to make rule management easier
2. Restrict to address family | IPv4 and IPv6 | Match traffic from the selected address family only
3. Protocol | TCP/UDP/Any/ICMP/Custom | Protocol of the packet that is being matched against traffic rules
4. Match ICMP type | any | Match traffic with the selected ICMP type only
5. Source zone | any zone/LAN/VPN/WAN | Match incoming traffic from this zone only
6. Source MAC address | any | Match incoming traffic from these MACs only
7. Source address | any | Match incoming traffic from this IP or range only
8. Source port | any | Match incoming traffic originating from the given source port or port range on the client host only
9. Destination zone | Device/Any zone/LAN/VPN/WAN | Match forwarded traffic to the given destination zone only
10. Destination address | any | Match forwarded traffic to the given destination IP address or IP range only
11. Destination port | 67 | Match forwarded traffic to the given destination port or port range only
12. Action | Drop/Accept/Reject + chain + additional rules | Action to be taken on the packet if it matches the rule. You can also define additional options, such as limiting packet volume and defining to which chain the rule belongs
7.6.4.1 Open Ports On the Router
Field Name | Sample value | Explanation
1. Name | Open_Port_rule | Used to make rule management easier
2. Protocol | TCP/UDP/Any/ICMP/Custom | Protocol of the packet that is being matched against traffic rules
3. External port | 1-65535 | Match incoming traffic directed at the given destination port or port range on this host
7.6.4.2 New Forward Rule
Field Name | Sample value | Explanation
1. Name | Forward rule new | Used to make rule management easier
2. Source | LAN/VPN/WAN | Match incoming traffic from selected address family only
3. Protocol | TCP/UDP/Any/ICMP/Custom | Protocol of the packet that is being matched against traffic rules
7.6.4.3 Source NAT
Source NAT is a specific form of masquerading which allows fine-grained control over the source IP used for outgoing traffic, for example to map multiple WAN addresses to internal subnets.
Field Name | Sample value | Explanation
1. Name | SNAT | Used to make rule management easier
2. Protocol | TCP/UDP/Any/ICMP/Custom | Protocol of the packet that is being matched against traffic rules
3. Source | LAN/VPN/WAN | Match incoming traffic from selected address family only
4. Destination | LAN/VPN/WAN | Forward incoming traffic to selected address family only
5. SNAT | Rewrite to source IP 10.101.1.10 | SNAT (Source Network Address Translation) rewrites the packet's source IP address and port
6. Enable | Enable/Disable | Make a rule active/inactive
You can configure a firewall source NAT rule by clicking the Edit button.
Field Name | Sample value | Explanation
1. Name | SNAT | Used to make rule management easier
2. Protocol | TCP/UDP/Any/ICMP/Custom | Protocol of the packet that is being matched against traffic rules
3. Source zone | LAN/VPN/WAN | Match incoming traffic from this zone only
4. Source MAC address | any | Match incoming traffic from these MACs only
5. Source address | any | Match incoming traffic from this IP or range only
6. Source port | any | Match incoming traffic originating from the given source port or port range on the client host only
7. Destination zone | LAN/VPN/WAN | Match forwarded traffic to the given destination zone only
8. Destination IP address | Select from the list | Match forwarded traffic to the given destination IP address or IP range only
9. Destination port | any | Match forwarded traffic to the given destination port or port range only
10. SNAT IP address | “10.101.1.10” | Rewrite matched traffic to the given IP address
11. SNAT port | “22” | Rewrite matched traffic to the given source port. May be left empty to only rewrite the IP address
12. Extra arguments | | Passes additional arguments to iptables. Use with care!
7.6.5 Custom Rules
Here you have the ultimate freedom in defining your rules: you can enter them straight into the iptables program. Just type them into the text field and they will be executed as a Linux shell script. If you are unsure of how to use iptables, check the internet for manuals, examples and explanations.
7.6.6 DDOS Prevention
7.6.6.1 SYN Flood Protection
SYN Flood Protection allows you to protect against an attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, in a SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.
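An added example, not the router's implementation: a token-bucket SYN limiter, assumed here as the mechanism behind a SYN flood protection, which bounds how many connection requests are accepted per second so that a burst of SYNs cannot exhaust the half-open connection resources the section describes. The limit and burst values and the two arrival patterns are constructed for the illustration.

```python
class SynRateLimiter:
    """Token bucket for TCP SYNs: up to `burst` SYNs pass at once and the bucket
    refills at `rate_per_sec`. A SYN that finds no token is dropped, which caps
    how many half-open connections a flood can open on the protected host.
    Integer millitokens keep the arithmetic exact."""
    def __init__(self, rate_per_sec: int, burst: int) -> None:
        self.rate = rate_per_sec
        self.cap = burst * 1000       # bucket size in millitokens
        self.tokens = self.cap        # the bucket starts full
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        # elapsed_ms * rate_per_sec / 1000 tokens == elapsed_ms * rate millitokens
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def filter_syns(arrivals_ms: list[int], rate_per_sec: int, burst: int) -> tuple[int, int]:
    """Return (accepted, dropped) for SYN arrival times given in milliseconds."""
    limiter = SynRateLimiter(rate_per_sec, burst)
    accepted = sum(1 for t in arrivals_ms if limiter.allow(t))
    return accepted, len(arrivals_ms) - accepted

# Constructed arrivals: a client opening one connection per second, versus a
# flood of 100 SYNs inside 100 ms (one every millisecond).
NORMAL_MS = [i * 1000 for i in range(5)]
FLOOD_MS = list(range(100))

def compare(rate_per_sec: int = 25, burst: int = 50) -> dict[str, tuple[int, int]]:
    """Normal traffic passes untouched; the flood is capped at burst plus refill."""
    return {"normal": filter_syns(NORMAL_MS, rate_per_sec, burst),
            "flood": filter_syns(FLOOD_MS, rate_per_sec, burst)}

if __name__ == "__main__":
    print(compare())  # {'normal': (5, 0), 'flood': (52, 48)}
```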
