Firewall Guide

Introduction

When connecting a network to the Internet or any other non-trusted network, a router with Firewall functionality can be used to protect your local network and devices against undesired access. This is done by applying rules at different points (hooks) along the path that packets take through the device. These hooks are prerouting, input, forward, and postrouting, and can be seen in Figure 2. Figure 1 shows an example of a basic network using a Firewall to protect its local devices.

                           .--.-.
                          ( (    )__
                         (_,  \ ) ,_)  Internet/Intranet
                           '-'--`--'
                              |  WAN (vlan4)                        ^
                          .---+----.                                |
                          |        |                              Public
                    +-----+ GW/FW  +-----+                        ------
                    |  .99|        |.99  |                        Private
LAN (vlan1)         |     '----+---'     |      LAN (vlan2)         |
192.168.1.0/24      |          |.99      |      192.168.2.0/24      V
           ----+----+          |         +----+----
               |.1             |              |.1
             .-+--.            |            .-+--.
             | H2 |            |            | H3 |
             '----'            |            '----'
                               |
                           ----+---- WEB (vlan3)
                               |.1   192.168.3.0/24
                             .-+--.
                             | H1 |
                             '----'

Figure 1: An example network setup using a Firewall. In this example the Firewall can be set up to allow all private subnets (vlan1, vlan2, vlan3) to communicate with each other and with the Gateway itself, while blocking traffic initiated from the external network, e.g. the Internet. A real configuration of this example can be seen in the Firewall HowTo page.

Overview

The WeOS Firewall includes support for four related types of functionality:

  • Input Filtering: The input filtering support is primarily used to control accessibility to services on the device itself. Input rules are checked after the routing decision (see Figure 2) and apply to packets that are destined to the local device, i.e. to processes running on the device itself. An input filtering rule is configured to either drop or accept a packet.

  • Forward Filtering: The forward filtering support is primarily used to control what traffic is allowed to be routed to connected devices. Forwarding rules are checked after the routing decision (see Figure 2) and apply to packets that are not destined to the local device but are to be routed onwards. A forward filtering rule is configured to either drop or accept a packet.

  • NAT (Network Address Translation): NAPT (Network Address Port Translation) is the most common form of NAT. It allows a single (public) IP address to be shared by a set of hosts on a private network: the source address of outgoing packets is rewritten to the address of the outbound interface, and the source port is rewritten where needed to keep the connections apart. NAT rules are checked in the postrouting hook, as seen in Figure 2. This form of NAT is sometimes referred to as IP Masquerading or PAT (Port Address Translation).

  • Port Forwarding: Port forwarding allows a service (such as a Web server) located on a private network to be made accessible from another, public, network. This is done by mapping a public IP address and public port number to a private IP address and a corresponding private port number. Traffic destined for the public IP and the specified public port is redirected to the private IP and its specified port. Port forwarding rules are checked in the prerouting hook, i.e. before the routing decision, as shown in Figure 2.

                 prerouting ---Port Forwarding---
                     |
                     v
            .-----------------.
            | Routing decision|
            '---+---------+---'
                |         |
                v         v
              input    forward
                |         |
             <--'         |
local device              |
             ---.         |
                |         |
                v         |
     .----------------.   |
     |Routing decision|   |
     '----------------'   |
                |         |
                '---. .---'
                     |
                     v
                postrouting ---NAT---

Figure 2: Representation of the different hooks where Firewall rules apply.

The WeOS Firewall utilises connection tracking: a rule allowing traffic to pass through the Firewall in one direction will implicitly allow reply traffic of established connections (and traffic of related connections) to pass in the reverse direction as well.

Order of Firewall Rules

Configured Firewall rules have an order. Packets are evaluated against the filter rules in that order, and the first matching rule decides how the packet is treated (accept or drop). If no rule matches, the default policy of the hook (see the policy command below) applies.
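As an added illustration of first-match ordering (an example session, not taken from the Firewall HowTo page, using the input, move and show commands described under Syntax below): two input rules are entered in the wrong order, so the broad drop shadows the SSH accept and an administrator on vlan1 would be locked out on leave; move (or entering the accept with pos 1 in the first place) corrects it. Only the Input Rules section of the show output is reproduced, and the output assumes that rule IDs are renumbered in evaluation order after a move.

```console
example:/config/ip/firewall#> input drop in vlan1 saddr 192.168.1.0/24
example:/config/ip/firewall#> input accept in vlan1 saddr 192.168.1.0/24 dport 22 proto tcp
example:/config/ip/firewall#> show
____________________________________________________________________
Input Rules
ID  Rule
001 input drop in vlan1 saddr 192.168.1.0/24
002 input accept in vlan1 saddr 192.168.1.0/24 dport 22 proto tcp
N/A drop
example:/config/ip/firewall#> move input id 2 pos 1
example:/config/ip/firewall#> show
____________________________________________________________________
Input Rules
ID  Rule
001 input accept in vlan1 saddr 192.168.1.0/24 dport 22 proto tcp
002 input drop in vlan1 saddr 192.168.1.0/24
N/A drop
```

With the first listing, an SSH packet from 192.168.1.1 to port 22 matches rule 001 (drop) and rule 002 is never consulted. After the move the accept is evaluated first. Before leaving the firewall context, read the show output top to bottom for the interface and port your own session uses and confirm that the first rule it matches is an accept.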

Configuration

The Firewall configuration is a sub-context to the IP configuration context in the CLI:

example:/#> configure
example:/config/#> ip
example:/config/ip/#> firewall
example:/config/ip/firewall#>

NOTE: When you enter the firewall context the Firewall is enabled (the activation can be cancelled with the abort command). If you are connected over a management interface (ssh, http, https), you will lose access to the device if you leave the context without first explicitly allowing the management traffic. To prevent this, specify an input rule for your management interface before leaving. The following example enables http on vlan1:

example:/config/ip/firewall#> input accept in vlan1 dport http proto tcp

In Figure 1, this rule lets devices on the LAN (vlan1) reach the Gateway's web interface over http. More examples can be seen in the Firewall HowTo page.

NOTE: Offloaded traffic is not subject to firewall processing.

Syntax

[no] input accept|drop [pos POSITION] [in IFACE] [saddr ADDR[/LEN]] [sport PORT|RANGE] [daddr ADDR[/LEN]] [dport PORT|RANGE] [proto PROTO] [comment COMMENT]

Manage input rules.

Create or delete an input rule. Input rules are checked after the routing decision and apply to packets that are directed to the local device and processes running on the device itself.

no
Delete specified rule.
accept|drop
Accept or drop traffic matching the specified rule.
pos POSITION
The position in the list of rules you want to apply your command to.
in IFACE
Inbound Interface: The interface where the packet comes in.
saddr
Source IP Address/Subnet: The source IP address of the packet.
sport
Source Port: The source port of the packet.
daddr
Destination IP Address/Subnet: The destination address of the packet.
dport
Destination Port: The destination port of the packet.
ADDR[/LEN]
IP address specified as either a single IP address, or a whole IP subnet.
PORT|RANGE
Port specified as either a single port, or a range of ports.
proto PROTO
Protocol: The protocol type of the IP payload. Typically TCP or UDP, but the filtering can also be made to match other protocols such as ICMP and ESP.
comment COMMENT
Add a comment to the rule.
[no] forward accept|drop [pos POSITION] [in IFACE] [out IFACE] [saddr ADDR[/LEN]] [sport PORT|RANGE] [daddr ADDR[/LEN]] [dport PORT|RANGE] [proto PROTO] [comment COMMENT]

Manage forward rules.

Create or delete a forwarding rule. Forward rules are checked after the routing decision and apply to packets that are not directed to the local device.

no
Delete specified rule.
accept|drop
Accept or drop traffic matching the specified rule.
pos POSITION
The position in the list of rules you want to apply your command to.
in IFACE
Inbound Interface: The interface where the packet comes in.
out IFACE
Outbound Interface: The interface where the packet is sent out.
saddr
Source IP Address/Subnet: The source IP address of the packet.
sport
Source Port: The source port of the packet.
daddr
Destination IP Address/Subnet: The destination address of the packet.
dport
Destination Port: The destination port of the packet.
ADDR[/LEN]
IP address specified as either a single IP address, or a whole IP subnet.
PORT|RANGE
Port specified as either a single port, or a range of ports.
proto PROTO
Protocol: The protocol type of the IP payload. Typically TCP or UDP, but the filtering can also be made to match other protocols such as ICMP and ESP.
comment COMMENT
Add a comment to the rule.
[no] nat [pos POSITION] out IFACE [saddr ADDR[/LEN]] [comment COMMENT]

Manage Network Address Translation rules.

Create or delete a NAT rule of NAPT type. NAPT is also known as IP masquerading, NAT overload and many-to-one NAT.

NAT can be used to hide private subnets behind a single public IP.

no
Delete specified rule.
pos POSITION
The position in the list of rules you want to apply your command to.
IFACE
The outbound interface used for NAPT. Outgoing packets handled by this rule will appear to originate from the IP address configured (the primary address) or acquired (DHCP) for this interface.
ADDR[/LEN]
Specify that packets must originate from a specific subnet for this rule to apply.
comment COMMENT
Add a comment to the rule.
[no] port-forward [pos POSITION] [in IFACE] [daddr ADDR[/LEN]] dport PORT|RANGE [to-dport PORT] to-daddr ADDR proto PROTO [comment COMMENT]

Manage port forwarding rules.

Create or delete a Port Forwarding rule. Port Forwarding can be used to expose an internal device to the Internet.

no
Delete specified rule.
pos POSITION
The position in the list of rules you want to apply your command to.
in IFACE
Inbound Interface: The interface where the packet comes in.
daddr
Destination IP Address/Subnet: The destination IP address of the packet.
dport
Destination Port: The destination port of the packet.
to-daddr
Forward Destination IP Address: The address of the internal device that the packets are forwarded to.
to-dport
Forward Destination Port: The port on the internal device that the packets are forwarded to. If omitted, the destination port is left unchanged.
ADDR[/LEN]
IP address specified as either a single IP address, or a whole IP subnet.
PORT|RANGE
Port specified as either a single port, or a range of ports.
proto PROTO
Protocol: The protocol type of the IP payload.
comment COMMENT
Add a comment to the rule.
policy forward|input drop|accept

Set default filter policy.

forward|input
Specify which hook to apply the policy to.
drop|accept
Specify which policy to apply.
move input|forward|nat|port-forward id ID pos NEW-ID

Reorder rules.

Change the order of existing rules.

input|forward|nat|port-forward
Specify from which rule set to move.
ID
ID of the rule to move.
NEW-ID
New ID of the rule to move.
show
Show all rules.

Status overview

In order to see the current rules for the Firewall the following command can be used:

example:/config/ip/firewall/#> show
____________________________________________________________________
Input Rules
ID  Rule                                                            
001 input accept in vlan1 saddr 192.168.1.1/32 daddr 192.168.1.99/32
N/A drop

____________________________________________________________________
Forward Rules
ID  Rule                                                            
001 forward accept in vlan1 out vlan2 daddr 10.0.0.1/32
N/A drop

____________________________________________________________________
NAT Rules (NAPT/masquerading)
ID  Rule                                                            
001 nat out vlan1 saddr 192.168.1.1/32

____________________________________________________________________
Port-Forward Rules
ID  Rule                                                            
001 port-forward dport 80-90 to-daddr 192.168.1.1 proto udp

Advanced: The command “show ip firewall raw” can be used in admin-exec mode to show the complete Linux nftables (nft) ruleset, which contains the rules added in the WeOS firewall.